syncope-dev mailing list archives

From: Colm O hEigeartaigh <cohei...@apache.org>
Subject: Some queries on getMetadata in SAML2SPLogic
Date: Fri, 11 Aug 2017 13:50:21 GMT
I have a few minor queries relating to getMetadata in SAML2SPLogic:

a) You can't get the metadata for a service via the REST API using the
admin credentials due to the logic in SAML2SPLogic, e.g.

@PreAuthorize("hasRole('" + StandardEntitlement.ANONYMOUS + "')")

Should this be changed? It seems a bit odd to get a 403 when just
downloading the metadata using the admin credentials.

b) The urlContext is not validated at all. For example, you can pass through
something like "../../root" which is added to the metadata, e.g.
Location="http://localhost:9080/syncope/../../root/assertion-consumer".

Should we implement some kind of validation rules on what is acceptable
here?

Colm.


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
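One way to apply the validation asked about in point b), as an added illustration that is not Syncope's own code: the urlContext is restricted to a single allow-listed path segment, and the resolved Location is additionally checked to still sit under the base URL. The class name, the base URL and the "saml2sp" sample value are assumptions.

```java
import java.net.URI;
import java.util.regex.Pattern;

/** Hypothetical validator for the urlContext value, not Syncope's own code. */
public final class UrlContextValidator {

    // Allow only one path segment of URL-safe characters: no '/', no '.', no '%', no spaces.
    private static final Pattern SAFE_SEGMENT = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    private UrlContextValidator() { }

    /** Returns true when urlContext is a plain identifier usable as exactly one path segment. */
    public static boolean isValidUrlContext(final String urlContext) {
        return urlContext != null && SAFE_SEGMENT.matcher(urlContext).matches();
    }

    /**
     * Builds the assertion consumer Location written into the metadata, rejecting any
     * urlContext that fails the allow-list or whose normalised URL escapes the base URL.
     */
    public static String assertionConsumerLocation(final String baseUrl, final String urlContext) {
        if (!isValidUrlContext(urlContext)) {
            throw new IllegalArgumentException("Invalid urlContext: " + urlContext);
        }
        URI base = URI.create(baseUrl.endsWith("/") ? baseUrl : baseUrl + "/");
        URI location = base.resolve(urlContext + "/assertion-consumer").normalize();
        // Defence in depth: after normalisation the URL must still start with the base URL,
        // so any ".." that slipped past the allow-list cannot move the Location elsewhere.
        if (!location.toString().startsWith(base.toString())) {
            throw new IllegalArgumentException("urlContext escapes base URL: " + urlContext);
        }
        return location.toString();
    }

    public static void main(final String[] args) {
        String base = "http://localhost:9080/syncope";   // assumed deployment base URL
        System.out.println(assertionConsumerLocation(base, "saml2sp"));
        try {
            assertionConsumerLocation(base, "../../root");   // the value from the message
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```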
