From ilgro...@apache.org
Subject [1/2] syncope git commit: SAML 2.0 SP: Checking Relay State expiration
Date Thu, 31 Aug 2017 10:48:53 GMT
Repository: syncope
Updated Branches:
  refs/heads/2_0_X 8a4b83374 -> 55e09aa66
  refs/heads/master 337a70bf6 -> b3db3b19e


SAML 2.0 SP: Checking Relay State expiration


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/55e09aa6
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/55e09aa6
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/55e09aa6

Branch: refs/heads/2_0_X
Commit: 55e09aa665f07bd35236d3fb3340a8f2a4f333ab
Parents: 8a4b833
Author: Francesco Chicchiriccò <ilgrosso@apache.org>
Authored: Thu Aug 31 12:48:34 2017 +0200
Committer: Francesco Chicchiriccò <ilgrosso@apache.org>
Committed: Thu Aug 31 12:48:34 2017 +0200

----------------------------------------------------------------------
 .../org/apache/syncope/core/logic/SAML2SPLogic.java     | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/55e09aa6/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
index dff5010..39d025c 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
@@ -114,7 +114,7 @@ import org.springframework.util.ResourceUtils;
 @Component
 public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
 
-    private static final long JWT_RELAY_STATE_DURATION = 5L;
+    private static final long JWT_RELAY_STATE_DURATION = 60L;
 
     private static final String JWT_CLAIM_IDP_DEFLATE = "IDP_DEFLATE";
 
@@ -365,6 +365,11 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean>
{
         if (!relayState.verifySignatureWith(jwsSignatureVerifier)) {
             throw new IllegalArgumentException("Invalid signature found in Relay State");
         }
+        Long expiryTime = relayState.getJwtClaims().getExpiryTime();
+        if (expiryTime == null || (expiryTime * 1000L) < new Date().getTime()) {
+            throw new IllegalArgumentException("Relay State is expired");
+        }
+
         Boolean useDeflateEncoding = Boolean.valueOf(
                 relayState.getJwtClaims().getClaim(JWT_CLAIM_IDP_DEFLATE).toString());
 
@@ -629,6 +634,11 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean>
{
             if (!relayState.verifySignatureWith(jwsSignatureVerifier)) {
                 throw new IllegalArgumentException("Invalid signature found in Relay State");
             }
+            Long expiryTime = relayState.getJwtClaims().getExpiryTime();
+            if (expiryTime == null || (expiryTime * 1000L) < new Date().getTime()) {
+                throw new IllegalArgumentException("Relay State is expired");
+            }
+
             useDeflateEncoding = Boolean.valueOf(
                     relayState.getJwtClaims().getClaim(JWT_CLAIM_IDP_DEFLATE).toString());
         }

