On 11/08/2017 15:50, Colm O hEigeartaigh wrote:
> I have a few minor queries relating to getMetadata in SAML2SPLogic:
>
> a) You can't get the metadata for a service via the REST API using the
> admin credentials due to the logic in SAML2SPLogic, e.g.
>
> @PreAuthorize("hasRole('" + StandardEntitlement.ANONYMOUS + "')")
>
> Should this be changed? It seems a bit odd to get a 403 when just
> downloading the metadata using the admin credentials.
Agree. Maybe it should just be changed to
@PreAuthorize("isAuthenticated()")
> b) The urlContext is not validated at all. For example, you can pass through
> something like "../../root" which is added to the metadata, e.g.
> Location="http://localhost:9080/syncope/../../root/assertion-consumer".
>
> Should we implement some kind of validation rules on what is acceptable here?
What do you have in mind here? Just forbid '../'? What could be the
issue(s) with the current implementation?
Regards.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
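To make point (b) of the thread concrete, here is an added example (not Syncope's own code) of what an allow-list check on urlContext could look like before the value is embedded in the metadata Location. The class name, the segment rule (letters, digits, '-', '_' and '.', with "." and ".." never accepted as whole segments) and the base URL are assumptions made for the illustration.

```java
import java.util.regex.Pattern;

/**
 * Added example, not Syncope code: rejects urlContext values that could
 * change where the generated SAML metadata Location points.
 */
public final class UrlContextValidator {

    // Hypothetical allow-list for one path segment: letters, digits, '-', '_',
    // with '.' permitted only between such characters, so "." and ".." never match.
    private static final Pattern SEGMENT =
            Pattern.compile("[A-Za-z0-9_-]+(?:\\.[A-Za-z0-9_-]+)*");

    private UrlContextValidator() {
    }

    /**
     * Returns urlContext unchanged if every '/'-separated segment is acceptable.
     * Empty segments (leading '/', '//'), "..", percent-encoding and other
     * characters outside the allow-list cause an IllegalArgumentException.
     */
    public static String validate(final String urlContext) {
        if (urlContext == null || urlContext.isEmpty()) {
            throw new IllegalArgumentException("urlContext must not be empty");
        }
        for (String segment : urlContext.split("/", -1)) {
            if (!SEGMENT.matcher(segment).matches()) {
                throw new IllegalArgumentException(
                        "urlContext segment not allowed: '" + segment + "'");
            }
        }
        return urlContext;
    }

    /** Builds the Location attribute only after the context has been validated. */
    public static String assertionConsumerLocation(final String baseUrl, final String urlContext) {
        return baseUrl + "/" + validate(urlContext) + "/assertion-consumer";
    }

    public static void main(final String[] args) {
        // Constructed base URL taken from the thread's example.
        String base = "http://localhost:9080/syncope";

        // Constructed inputs: the first is benign, the rest mirror the traversal
        // value from the thread plus a few variants a validator should also refuse.
        String[] candidates = {
            "saml2sp",
            "../../root",
            "/root",
            "%2e%2e/root",
            "a/b.c",
            "x?y=z"
        };
        for (String candidate : candidates) {
            try {
                System.out.println("accepted: " + assertionConsumerLocation(base, candidate));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + candidate + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

An allow-list on the segment characters is preferable to only forbidding "../": it also stops percent-encoded dots, query and fragment characters, and backslashes, none of which belong in a path context that ends up inside metadata consumed by other SAML parties.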