Hi,

Can you submit some evidence that shows that URIs should be normalized before comparison?

Colm.

On Fri, Jun 5, 2020 at 6:33 PM Nimish Telang <[email protected]> wrote:

> Hi,
>
> We have encountered an issue where https://example.com and
> https://example.com:443 don’t match when included in SAML audience
> restrictions.
>
> As far as I can tell this is because the code to validate matching is just
> basic string comparison (and should probably use Sets rather than Lists):
> https://github.com/apache/ws-wss4j/blob/74df6178e87edbf28b267845c7dcaa5203df5eca/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java#L902
>
> Using java.net.URI to resolve this would be handy – also as the actual
> type that should be parsed from the SAML, not String, since the type in the
> xsd is anyURI…
>
> I don’t see a security issue here, and the specs for the saml core
> recommend doing it for at least the authz stuff.
>
> Nimish
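The following is an added example, not WSS4J code and not code from either participant, showing the two comparison strategies discussed in the thread side by side: the literal string match that the quoted message describes, and an explicit normalization of the audience URI before matching. The class and method names (`AudienceMatch`, `matchesLiterally`, `normalize`, `matchesNormalized`) and the sample audience list are hypothetical. The normalization rules applied are the scheme-based ones from RFC 3986 section 6.2 (case-insensitive scheme and host, drop the scheme's default port, treat an empty http(s) path as "/", remove dot-segments); path, query and fragment are otherwise left untouched, because they are case-sensitive and two audiences that differ there should stay distinct. One point worth knowing when reaching for `java.net.URI`: its `equals()` requires ports to be equal as parsed and its `normalize()` only removes dot-segments, so on its own it still treats `https://example.com` and `https://example.com:443` as different; the default-port and empty-path handling below is done by hand.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Hypothetical class for illustration; not part of WSS4J.
public class AudienceMatch {

    /** Literal comparison: the behaviour the thread describes for the current check. */
    static boolean matchesLiterally(String expected, List<String> audiences) {
        return audiences.contains(expected);
    }

    /**
     * Scheme-based normalization for http(s) URIs (RFC 3986 section 6.2):
     * lowercase scheme and host, drop the scheme's default port, treat an
     * empty path as "/", and collapse dot-segments via URI.normalize().
     * Everything else (path case, query, fragment) is kept as-is so that
     * genuinely different audiences are not folded together.
     * Opaque URIs such as urn:... and anything that fails to parse are
     * returned unchanged and therefore still compared literally.
     */
    static String normalize(String value) {
        URI uri;
        try {
            uri = new URI(value).normalize();
        } catch (URISyntaxException e) {
            return value;
        }
        if (uri.getScheme() == null || uri.getHost() == null) {
            return value;
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        String host = uri.getHost().toLowerCase(Locale.ROOT);
        int port = uri.getPort();
        if (("https".equals(scheme) && port == 443) || ("http".equals(scheme) && port == 80)) {
            port = -1;
        }
        String path = uri.getRawPath();
        if (path == null || path.isEmpty()) {
            path = "/";
        }
        StringBuilder sb = new StringBuilder(scheme).append("://");
        if (uri.getRawUserInfo() != null) {
            sb.append(uri.getRawUserInfo()).append('@');
        }
        sb.append(host);
        if (port != -1) {
            sb.append(':').append(port);
        }
        sb.append(path);
        if (uri.getRawQuery() != null) {
            sb.append('?').append(uri.getRawQuery());
        }
        if (uri.getRawFragment() != null) {
            sb.append('#').append(uri.getRawFragment());
        }
        return sb.toString();
    }

    /** Normalize both sides, then compare as a Set as the thread suggests. */
    static boolean matchesNormalized(String expected, List<String> audiences) {
        Set<String> normalized = new HashSet<>();
        for (String a : audiences) {
            normalized.add(normalize(a));
        }
        return normalized.contains(normalize(expected));
    }

    public static void main(String[] args) {
        // Constructed sample audience list, standing in for the AudienceRestriction values.
        List<String> audiences = Arrays.asList("https://example.com:443", "urn:example:sp");

        System.out.println("literal:    " + matchesLiterally("https://example.com", audiences));
        System.out.println("normalized: " + matchesNormalized("https://example.com", audiences));
        System.out.println("trailing /: " + matchesNormalized("https://example.com/", audiences));
        System.out.println("case:       " + matchesNormalized("HTTPS://Example.COM", audiences));
        System.out.println("other port: " + matchesNormalized("https://example.com:8443", audiences));
        System.out.println("other path: " + matchesNormalized("https://example.com/sp", audiences));
        System.out.println("urn:        " + matchesNormalized("urn:example:sp", audiences));
    }
}
```

Running `main` shows the literal check rejecting `https://example.com` against an audience of `https://example.com:443` while the normalized check accepts it, along with the trailing-slash and scheme/host case variants; a non-default port, a different path, and an unrelated URN are still rejected or matched only literally. That asymmetry is the design point: normalization should only collapse spellings that RFC 3986 defines as equivalent, because every extra equivalence widens the set of relying parties an assertion is accepted for.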
