No reason, other than it seems odd that you can download the metadata via
REST using the anonymous creds but not the admin creds.
Colm.
On Wed, Aug 16, 2017 at 12:32 PM, Francesco Chicchiriccò <
ilgro...@apache.org> wrote:
> On 16/08/2017 13:06, Colm O hEigeartaigh wrote:
>
>> Maybe we could revert but also explicitly allow the admin role?
>>
>
> Why? The idea is that metadata should be downloaded via the URL managed by
> the agent (e.g. /syncope-console/saml2sp/metadata), not via REST.
>
> Regards.
>
> On Wed, Aug 16, 2017 at 8:26 AM, Francesco Chicchiriccò <
>> ilgro...@apache.org> wrote:
>>
>>> Hi,
>>> FYI I have now remembered why we used to have
>>>
>>> @PreAuthorize("hasRole('" + StandardEntitlement.ANONYMOUS + "')")
>>>
>>> on SAML2SPLogic#getMetadata: the reason was that metadata were supposed
>>> to
>>> be get through the SAML2SPAgent, which acts as HTTP interface for all
>>> SAML
>>> 2.0 operations - this is also the reason why downloading metadata via
>>> Admin
>>> Console used to work even with the entitlement set as above.
>>>
>>> I wonder if we should revert such change...
>>>
>>> Regards.
>>>
>>> On 2017-08-14 18:13, Colm O hEigeartaigh <cohei...@apache.org> wrote:
>>>
>>>> Excellent, thanks!
>>>>
>>>> On Mon, Aug 14, 2017 at 4:13 PM, Francesco Chicchiriccò <
>>>>
>>> ilgro...@apache.org
>>>
>>>> wrote:
>>>>> Hi,
>>>>> I have committed the changes discussed below as
>>>>>
>>>>> https://github.com/apache/syncope/commit/e99766a441260bb47db
>>>>> ac13efe069682dd4a442d
>>>>> https://github.com/apache/syncope/commit/f912d90c2aa23c055cf
>>>>> b2e143e865f02025154bd
>>>>>
>>>>> Regards.
>>>>>
>>>>> On 11/08/2017 18:02, Colm O hEigeartaigh wrote:
>>>>>
>>>>> On Fri, Aug 11, 2017 at 2:59 PM, Francesco Chicchiriccò <
>>>>>> ilgro...@apache.org> wrote:
>>>>>>
>>>>>> Agree. Maybe it should just be changed to
>>>>>>
>>>>>>> @PreAuthorize("isAuthenticated()")
>>>>>>>
>>>>>>> +1.
>>>>>>
>>>>>>
>>>>>> b) The urlContext not validated at all. For example, you can pass
>>>>>>
>>>>> through
>>>
>>>> something like "../../root" which is added to the metadata, e.g.
>>>>>>>> Location="
>>>>>>>> http://localhost:9080/syncope/../../root/assertion-consumer";.
>>>>>>>>
>>>>>>>> Should we implement some kind of validation rules on what is
>>>>>>>> acceptable here?
>>>>>>>>
>>>>>>>> What do you have in mind here? Just forbid '../'? What could be the
>>>>>>>> issue(s) with the current implementation?
>>>>>>>>
>>>>>>>> Well it makes me a bit uneasy that a user can essentially insert
>>>>>> arbitrary
>>>>>> URLs into a metadata document issued by Syncope. I have three
>>>>>> suggestions:
>>>>>> a) Restrict the acceptable values. Do we need to allow arbitrary
>>>>>> contexts here...?
>>>>>> b) Disallow ".." in the values
>>>>>> c) Use Commons UrlValidator to make sure that the generated assertion
>>>>>> consumer URL is a valid URL.
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
>
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
