SAML SSO Address validation fix

Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/a4ba9889
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/a4ba9889
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/a4ba9889

Branch: refs/heads/master
Commit: a4ba98893738008adddce4061278cd48a82da756
Parents: 9d2805f
Author: Colm O hEigeartaigh <[email protected]>
Authored: Thu Dec 8 17:02:54 2016 +0000
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Thu Dec 8 17:02:54 2016 +0000

----------------------------------------------------------------------
 .../webapp/WEB-INF/flows/federation-signin-request.xml    |  8 ++++----
 .../src/main/webapp/WEB-INF/flows/saml-signin-request.xml | 10 +++++++---
 2 files changed, 11 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a4ba9889/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
----------------------------------------------------------------------
diff --git 
a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml 
b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
index 6051182..8c908c7 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
@@ -94,13 +94,13 @@
             
expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, 
flowRequestContext) or
                         wfreshParser.authenticationRequired(flowScope.wfresh, 
flowScope.home_realm, flowRequestContext)" />
         <transition on="yes" to="redirectToTrustedIDP" />
-        <transition on="no" to="validateWReply" >
+        <transition on="no" to="validateReturnAddress" >
             <set name="flowScope.idpToken" 
value="externalContext.sessionMap[home_realm]" />
         </transition>
         <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
     </action-state>
     
-    <action-state id="validateWReply">
+    <action-state id="validateReturnAddress">
         <evaluate expression="commonsURLValidator.isValid(flowRequestContext, 
flowScope.wreply)
                               and 
passiveRequestorValidator.isValid(flowRequestContext, flowScope.wreply, 
flowScope.wtrealm)"/>
         <transition on="yes" to="requestRpToken" />
@@ -134,7 +134,7 @@
             
expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, 
flowRequestContext) or
                         wfreshParser.authenticationRequired(flowScope.wfresh, 
flowScope.home_realm, flowRequestContext)" />
         <transition on="yes" to="redirectToLocalIDP" />
-        <transition on="no" to="validateWReply">
+        <transition on="no" to="validateReturnAddress">
             <set name="flowScope.idpToken" 
value="externalContext.sessionMap[home_realm]" />
         </transition>
         <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
@@ -151,7 +151,7 @@
     <action-state id="cacheSecurityToken">
         <secured attributes="IS_AUTHENTICATED_FULLY" />
         <evaluate expression="cacheSecurityToken.submit(flowRequestContext)" />
-        <transition to="validateWReply">
+        <transition to="validateReturnAddress">
             <set name="flowScope.idpToken" 
value="externalContext.sessionMap[home_realm]" />
         </transition>
     </action-state>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a4ba9889/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml 
b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
index 59ea18b..f167198 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-signin-request.xml
@@ -91,14 +91,18 @@
             
expression="idpTokenExpiredAction.isTokenExpired(flowScope.home_realm, 
flowRequestContext)
                         or 
authnRequestParser.isForceAuthentication(flowRequestContext)" />
         <transition on="yes" to="redirectToTrustedIDP" />
-        <transition on="no" to="validateWReply" >
+        <transition on="no" to="validateReturnAddress" >
             <set name="flowScope.idpToken" 
value="externalContext.sessionMap[flowScope.home_realm]" />
         </transition>
         <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
     </action-state>
     
-    <action-state id="validateWReply">
-        <evaluate expression="commonsURLValidator.isValid(flowRequestContext, 
flowScope.wreply)
+    <action-state id="validateReturnAddress">
+        <on-entry>
+            <evaluate 
expression="authnRequestParser.retrieveConsumerURL(flowRequestContext)" 
+                      result="flowScope.consumerURL"/>
+        </on-entry>
+        <evaluate expression="commonsURLValidator.isValid(flowRequestContext, 
flowScope.consumerURL)
                               and 
passiveRequestorValidator.isValid(flowRequestContext, flowScope.consumerURL, 
flowScope.realm)"/>
         <transition on="yes" to="requestRpToken" />
         <transition on="no" to="viewBadRequest" />
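Review bot: The value bound in the new `<on-entry>` (`authnRequestParser.retrieveConsumerURL(flowRequestContext)`) is taken from the inbound AuthnRequest, so it is caller-supplied input and the `no` transition to viewBadRequest is what prevents a token being issued for an address the SP never registered; nothing in the hunk records that contract, and a short comment above the state would help the next maintainer, e.g. `<!-- consumerURL comes from the AuthnRequest and is untrusted: it must pass both the URL sanity check and the per-realm allow-list before requestRpToken -->`. If retrieveConsumerURL yields no value (an AuthnRequest without an AssertionConsumerServiceURL), whether `commonsURLValidator.isValid` treats that as invalid or throws is not visible here; it is worth confirming that the `no` branch, not an exception, is the outcome, because the state's on-exception transition, if it has one, lies outside the hunk. The validation is now keyed on `flowScope.realm` rather than the WS-Federation `flowScope.wtrealm` used in federation-signin-request.xml, which looks intentional for the SAML flow but should be stated in the same comment. The validateReturnAddress action-state closes outside the hunk.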
