[GitHub] pedromfalves commented on a change in pull request #35: FEDIZ-232 added flag to disable RequestState verification

Thu, 17 Jan 2019 08:59:32 -0800 

pedromfalves commented on a change in pull request #35: FEDIZ-232 added flag to 
disable RequestState verification
URL: https://github.com/apache/cxf-fediz/pull/35#discussion_r248756739
 
 

 ##########
 File path: 
plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
 ##########
 @@ -132,20 +132,24 @@ private String getState(ServletRequest request) {
 
     private RequestState verifySavedState(HttpServletRequest request) {
         HttpSession session = request.getSession(false);
+        boolean enforceValidState =
+                federationConfig == null || 
federationConfig.getFedizContext().isRequestStateValidation();
 
-        if (session == null) {
-            logger.warn("The received state does not match the state saved in 
the context");
-            throw new BadCredentialsException("The received state does not 
match the state saved in the context");
-        }
-
-        RequestState savedRequestState = (RequestState) 
session.getAttribute(SAVED_CONTEXT);
-        String state = getState(request);
-        if (savedRequestState == null || 
!savedRequestState.getState().equals(state)) {
+        if (session == null && enforceValidState) {
             logger.warn("The received state does not match the state saved in 
the context");
             throw new BadCredentialsException("The received state does not 
match the state saved in the context");
+        } else if (session != null) {
+            RequestState savedRequestState = (RequestState) 
session.getAttribute(SAVED_CONTEXT);
+            session.removeAttribute(SAVED_CONTEXT);
+            String state = getState(request);
+
+            if (enforceValidState && (savedRequestState == null || 
!savedRequestState.getState().equals(state))) {
 
 Review comment:
   The problem is that the savedRequestState may be non-null in case the user 
has a session in the RP. An example of this would be in case a login attempt is 
initiated by the RP but not completed, and later the user attempts an 
authentication with IdP-initiated flow (if he has the IdP login page 
bookmarked, for example). We do sometimes have this scenario and would 
therefore prefer that the validation is not enforced at all when this flag is 
set.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services

Reply via email to