cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject cxf git commit: Make the client address optional for SAML SSO
Date Thu, 03 Aug 2017 09:32:35 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 819b5fc99 -> 294029c6f


Make the client address optional for SAML SSO


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/294029c6
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/294029c6
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/294029c6

Branch: refs/heads/master
Commit: 294029c6fb99d5eb1ede4701feee025ed4607879
Parents: 819b5fc
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Aug 3 10:32:22 2017 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Aug 3 10:32:22 2017 +0100

----------------------------------------------------------------------
 .../sso/AbstractRequestAssertionConsumerHandler.java | 15 +++++++++++++--
 .../security/saml/sso/SAMLSSOResponseValidator.java  |  2 +-
 2 files changed, 14 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/294029c6/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
index fb452a1..dce003e 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
@@ -66,6 +66,7 @@ public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSS
     private boolean enforceAssertionsSigned = true;
     private boolean enforceKnownIssuer = true;
     private boolean keyInfoMustBeAvailable = true;
+    private boolean checkClientAddress = true;
     private boolean enforceResponseSigned;
     private TokenReplayCache<String> replayCache;
 
@@ -341,8 +342,10 @@ public abstract class AbstractRequestAssertionConsumerHandler extends
AbstractSS
             }
             ssoResponseValidator.setAssertionConsumerURL(racsAddress);
 
-            ssoResponseValidator.setClientAddress(
-                 messageContext.getHttpServletRequest().getRemoteAddr());
+            if (checkClientAddress) {
+                ssoResponseValidator.setClientAddress(
+                    messageContext.getHttpServletRequest().getRemoteAddr());
+            }
 
             ssoResponseValidator.setIssuerIDP(requestState.getIdpServiceAddress());
             ssoResponseValidator.setRequestId(requestState.getSamlRequestId());
@@ -414,4 +417,12 @@ public abstract class AbstractRequestAssertionConsumerHandler extends
AbstractSS
         this.assertionConsumerServiceAddress = assertionConsumerServiceAddress;
     }
 
+    public boolean isCheckClientAddress() {
+        return checkClientAddress;
+    }
+
+    public void setCheckClientAddress(boolean checkClientAddress) {
+        this.checkClientAddress = checkClientAddress;
+    }
+
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/294029c6/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
index 19304d8..642eccc 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
@@ -249,7 +249,7 @@ public class SAMLSSOResponseValidator {
         }
 
         // Check address
-        if (subjectConfData.getAddress() != null
+        if (subjectConfData.getAddress() != null && clientAddress != null
             && !subjectConfData.getAddress().equals(clientAddress)) {
             LOG.fine("Subject Conf Data address " + subjectConfData.getAddress() + " does
match"
                      + " client address " + clientAddress);


Mime
View raw message