I have a few minor queries relating to getMetadata in SAML2SPLogic:

 a) You can't get the metadata for a service via the REST API using the
admin credentials due to the logic in SAML2SPLogic, e.g.
@PreAuthorize("hasRole('" + StandardEntitlement.ANONYMOUS + "')")

Should this be changed? It seems a bit odd to get a 403 when just
downloading the metadata using the admin credentials.

b) The urlContext not validated at all. For example, you can pass through
something like  "../../root" which is added to the metadata, e.g. Location="

Should we implement some kind of validation rules on what is acceptable


Colm O hEigeartaigh

Talend Community Coder

Reply via email to