Posted to commits@syncope.apache.org by il...@apache.org on 2017/08/31 10:48:54 UTC
[2/2] syncope git commit: SAML 2.0 SP: Checking Relay State expiration
SAML 2.0 SP: Checking Relay State expiration
Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/b3db3b19
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/b3db3b19
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/b3db3b19
Branch: refs/heads/master
Commit: b3db3b19e7fccb6445a5b760543722f60e82d86f
Parents: 337a70b
Author: Francesco Chicchiriccò <il...@apache.org>
Authored: Thu Aug 31 12:48:34 2017 +0200
Committer: Francesco Chicchiriccò <il...@apache.org>
Committed: Thu Aug 31 12:48:43 2017 +0200
----------------------------------------------------------------------
.../org/apache/syncope/core/logic/SAML2SPLogic.java | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/syncope/blob/b3db3b19/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
index 80a3ce6..e07fc52 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
@@ -113,7 +113,7 @@ import org.springframework.util.ResourceUtils;
@Component
public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
- private static final long JWT_RELAY_STATE_DURATION = 5L;
+ private static final long JWT_RELAY_STATE_DURATION = 60L;
private static final String JWT_CLAIM_IDP_DEFLATE = "IDP_DEFLATE";
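Review bot: JWT_RELAY_STATE_DURATION carries no unit and no explanation of what its new value bounds, so a reader cannot tell whether a Relay State now lives 60 seconds or 60 minutes, nor why 5 was too short. Suggest a Javadoc on the declaration, e.g. `/** Validity of the Relay State JWT, in <unit>: sets its exp claim, which is verified when the IdP response comes back. */`, with the unit taken from the code that consumes the constant (not visible in this hunk). That the constant feeds the exp claim is inferred from the commit title and the later hunks rather than from this line.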
@@ -364,6 +364,11 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
if (!relayState.verifySignatureWith(jwsSignatureVerifier)) {
throw new IllegalArgumentException("Invalid signature found in Relay State");
}
+ Long expiryTime = relayState.getJwtClaims().getExpiryTime();
+ if (expiryTime == null || (expiryTime * 1000L) < new Date().getTime()) {
+ throw new IllegalArgumentException("Relay State is expired");
+ }
+
Boolean useDeflateEncoding = Boolean.valueOf(
relayState.getJwtClaims().getClaim(JWT_CLAIM_IDP_DEFLATE).toString());
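Review bot: The four-line expiry check added here is repeated verbatim in the hunk at line 621 (the second relayState block); both copies should delegate to one private helper so that a later change to the rule, such as a skew tolerance or the exp unit, cannot drift between the two places. `new Date().getTime()` is also the legacy API; `System.currentTimeMillis()` (or `Instant.now().toEpochMilli()`) reads better and avoids an allocation. As written the comparison allows no leeway for clock skew between the node that issued the Relay State and the one verifying it, which is worth a comment if the SP can run on more than one node. The enclosing methods start and end outside both hunks, and the type returned by getJwtClaims() is not visible here; the helper below assumes CXF's JwtClaims, which is what the getExpiryTime() call suggests.
```java
        // … unchanged: signature verification …
        checkRelayStateExpiry(relayState.getJwtClaims());
        // … unchanged: useDeflateEncoding …

    /**
     * Rejects a Relay State whose JWT exp claim is missing or already in the past.
     *
     * @param claims claims of the signed Relay State, already signature-verified
     * @throws IllegalArgumentException if the exp claim is absent or expired
     */
    private static void checkRelayStateExpiry(final JwtClaims claims) {
        Long expiryTime = claims.getExpiryTime();
        // exp is seconds since the epoch (RFC 7519 NumericDate); the clock is in millis
        if (expiryTime == null || expiryTime * 1000L < System.currentTimeMillis()) {
            throw new IllegalArgumentException("Relay State is expired");
        }
    }
```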
@@ -616,6 +621,11 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
if (!relayState.verifySignatureWith(jwsSignatureVerifier)) {
throw new IllegalArgumentException("Invalid signature found in Relay State");
}
+ Long expiryTime = relayState.getJwtClaims().getExpiryTime();
+ if (expiryTime == null || (expiryTime * 1000L) < new Date().getTime()) {
+ throw new IllegalArgumentException("Relay State is expired");
+ }
+
useDeflateEncoding = Boolean.valueOf(
relayState.getJwtClaims().getClaim(JWT_CLAIM_IDP_DEFLATE).toString());
}