Repository: cxf Updated Branches: refs/heads/3.1.x-fixes e7a890acf -> 726e6190d
Make the client address optional for SAML SSO Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/726e6190 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/726e6190 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/726e6190 Branch: refs/heads/3.1.x-fixes Commit: 726e6190d54643d4bcd84f876f9d051a7376f398 Parents: e7a890a Author: Colm O hEigeartaigh <[email protected]> Authored: Thu Aug 3 10:32:22 2017 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Thu Aug 3 10:32:45 2017 +0100 ---------------------------------------------------------------------- .../sso/AbstractRequestAssertionConsumerHandler.java | 15 +++++++++++++-- .../security/saml/sso/SAMLSSOResponseValidator.java | 2 +- 2 files changed, 14 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/726e6190/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
index 9c13637..6039a1e 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
@@ -66,6 +66,7 @@ public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSS
     private boolean enforceAssertionsSigned = true;
     private boolean enforceKnownIssuer = true;
     private boolean keyInfoMustBeAvailable = true;
+    private boolean checkClientAddress = true;
     private boolean enforceResponseSigned;
     private TokenReplayCache<String> replayCache;
@@ -343,8 +344,10 @@ public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSS
         }
         ssoResponseValidator.setAssertionConsumerURL(racsAddress);
-        ssoResponseValidator.setClientAddress(
-            messageContext.getHttpServletRequest().getRemoteAddr());
+        if (checkClientAddress) {
+            ssoResponseValidator.setClientAddress(
+                messageContext.getHttpServletRequest().getRemoteAddr());
+        }
         ssoResponseValidator.setIssuerIDP(requestState.getIdpServiceAddress());
         ssoResponseValidator.setRequestId(requestState.getSamlRequestId());
@@ -416,4 +419,12 @@ public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSS
         this.assertionConsumerServiceAddress = assertionConsumerServiceAddress;
     }
+    public boolean isCheckClientAddress() {
+        return checkClientAddress;
+    }
+
+    public void setCheckClientAddress(boolean checkClientAddress) {
+        this.checkClientAddress = checkClientAddress;
+    }
+
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/726e6190/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
index 25083c1..d060671 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
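Review bot: The new `setCheckClientAddress` setter in the third hunk is a security-relevant switch with no Javadoc, and the guarded call in the second hunk means that when it is false the validator never receives a client address, so the SubjectConfirmationData Address comparison in SAMLSSOResponseValidator is skipped entirely rather than relaxed. An operator reading only the setter name cannot tell that; I would add `/** Whether to bind the assertion's SubjectConfirmationData Address to the request's remote address (default {@code true}). When {@code false} no client address is passed to the validator and the address check is not performed at all. */` above the setter. If the motivation is that `getRemoteAddr()` only sees the immediate peer behind a reverse proxy, the Javadoc should say so, since that is the situation in which operators will reach for this flag. The method containing the second hunk starts and ends outside the hunk.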
@@ -245,7 +245,7 @@ public class SAMLSSOResponseValidator {
         }
         // Check address
-        if (subjectConfData.getAddress() != null
+        if (subjectConfData.getAddress() != null && clientAddress != null
             && !subjectConfData.getAddress().equals(clientAddress)) {
             LOG.fine("Subject Conf Data address " + subjectConfData.getAddress() + " does match" + " client address " + clientAddress);
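Review bot: The added `clientAddress != null` guard turns an unset client address into a silent skip of the Address check: before this change an assertion carrying an Address failed validation when no client address had been set, now it passes with no log line, so a deployment where the check was turned off (or a caller that simply never calls the setter) leaves no trace that the binding was not enforced. I would make the skip visible, e.g. `if (subjectConfData.getAddress() != null && clientAddress == null) {` / `    LOG.fine("No client address available, SubjectConfirmationData Address is not checked");` / `}` ahead of the existing condition. Separately, the context line's message reads `" does match"` on the mismatch path; it should read `" does not match"`. The enclosing method continues outside the hunk.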
