I have a few minor queries relating to getMetadata in SAML2SPLogic:
a) You can't get the metadata for a service via the REST API using the
admin credentials due to the logic in SAML2SPLogic, e.g.
@PreAuthorize("hasRole('" + StandardEntitlement.ANONYMOUS + "')")
Should this be changed? It seems a bit odd to get a 403 when just
downloading the metadata using the admin credentials.
b) The urlContext not validated at all. For example, you can pass through
something like "../../root" which is added to the metadata, e.g. Location="
http://localhost:9080/syncope/../../root/assertion-consumer";.
Should we implement some kind of validation rules on what is acceptable
here?
Colm.
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
