cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-7039) JAX-RS Security SAML web SSO consumer service can not validate SAML response behind reverse proxy
Date Tue, 06 Sep 2016 10:04:21 GMT

    [ https://issues.apache.org/jira/browse/CXF-7039?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15467027#comment-15467027
] 

Colm O hEigeartaigh commented on CXF-7039:
------------------------------------------

I've added a "assertionConsumerServiceAddress" property that you can set on the RequestAssertionConsumerService
as per the AbstractServiceProviderFilter. If it isn't specified, it falls back to use "messageContext.getUriInfo().getAbsolutePath().toString()"
as the old code does. Does this suit your needs?

Colm.

> JAX-RS Security SAML web SSO consumer service can not validate SAML response behind reverse
proxy
> -------------------------------------------------------------------------------------------------
>
>                 Key: CXF-7039
>                 URL: https://issues.apache.org/jira/browse/CXF-7039
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.0.9
>         Environment: JRE 1.8.0_101-b13
>            Reporter: Michal Sabo
>            Assignee: Colm O hEigeartaigh
>             Fix For: 3.2.0, 3.1.8, 3.0.11
>
>
> During the SAML web SSO processing, the RequestAssertionConsumerService validates the
request with the org.apache.cxf.rs.security.saml.sso.SAMLSSOResponseValidator using a wrong
assertionConsumerURL.
> The SAML request (org.opensaml.saml2.core.AuthnRequest) is configured with the serviceURL
taken as the org.apache.cxf.rs.security.saml.sso.AbstractServiceProviderFilter.assertionConsumerServiceAddress
property, however the org.apache.cxf.rs.security.saml.sso.SAMLSSOResponseValidator is bootstrapped
with the following consumer URL:
> ssoResponseValidator.setAssertionConsumerURL(messageContext.getUriInfo().getAbsolutePath().toString());
> This particularly makes a problem when serving the application behind a reverse proxy
since the absolutePath taken from messageVontext's uriInfo is different than the configured
one.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message