Posted to commits@syncope.apache.org by il...@apache.org on 2017/08/31 10:48:54 UTC

[2/2] syncope git commit: SAML 2.0 SP: Checking Relay State expiration

SAML 2.0 SP: Checking Relay State expiration


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/b3db3b19
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/b3db3b19
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/b3db3b19

Branch: refs/heads/master
Commit: b3db3b19e7fccb6445a5b760543722f60e82d86f
Parents: 337a70b
Author: Francesco Chicchiriccò <il...@apache.org>
Authored: Thu Aug 31 12:48:34 2017 +0200
Committer: Francesco Chicchiriccò <il...@apache.org>
Committed: Thu Aug 31 12:48:43 2017 +0200

----------------------------------------------------------------------
 .../org/apache/syncope/core/logic/SAML2SPLogic.java     | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/b3db3b19/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
index 80a3ce6..e07fc52 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
@@ -113,7 +113,7 @@ import org.springframework.util.ResourceUtils;
 @Component
 public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
 
-    private static final long JWT_RELAY_STATE_DURATION = 5L;
+    private static final long JWT_RELAY_STATE_DURATION = 60L;
 
     private static final String JWT_CLAIM_IDP_DEFLATE = "IDP_DEFLATE";
 
@@ -364,6 +364,11 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
         if (!relayState.verifySignatureWith(jwsSignatureVerifier)) {
             throw new IllegalArgumentException("Invalid signature found in Relay State");
         }
+        Long expiryTime = relayState.getJwtClaims().getExpiryTime();
+        if (expiryTime == null || (expiryTime * 1000L) < new Date().getTime()) {
+            throw new IllegalArgumentException("Relay State is expired");
+        }
+
         Boolean useDeflateEncoding = Boolean.valueOf(
                 relayState.getJwtClaims().getClaim(JWT_CLAIM_IDP_DEFLATE).toString());
 
@@ -616,6 +621,11 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
             if (!relayState.verifySignatureWith(jwsSignatureVerifier)) {
                 throw new IllegalArgumentException("Invalid signature found in Relay State");
             }
+            Long expiryTime = relayState.getJwtClaims().getExpiryTime();
+            if (expiryTime == null || (expiryTime * 1000L) < new Date().getTime()) {
+                throw new IllegalArgumentException("Relay State is expired");
+            }
+
             useDeflateEncoding = Boolean.valueOf(
                     relayState.getJwtClaims().getClaim(JWT_CLAIM_IDP_DEFLATE).toString());
         }
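Review bot: Lines 59–62 are a verbatim copy of the expiry check added earlier in this file, and duplicated security checks tend to drift apart when one copy is later tightened (for instance to add skew tolerance or a different error type); move the null-and-expiry test into one private helper called from both sites, e.g. `checkRelayStateExpiry(relayState)` declared with whatever type `relayState` has here, throwing the same `IllegalArgumentException("Relay State is expired")`. Note that this copy sits inside an `if` block whose condition starts before the hunk, so the Relay State is only validated when that branch is taken; worth confirming the branch covers every path on which a Relay State is consumed. The enclosing method continues outside the hunk.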