Posted to commits@syncope.apache.org by il...@apache.org on 2017/08/14 15:12:43 UTC
[2/2] syncope git commit: SAML2SP improvements: allow to get SP
metadata as authenticated user + validate URLs in SP metadata
SAML2SP improvements: allow to get SP metadata as authenticated user + validate URLs in SP metadata
Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/f912d90c
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/f912d90c
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/f912d90c
Branch: refs/heads/master
Commit: f912d90c2aa23c055cfb2e143e865f02025154bd
Parents: fe826fc
Author: Francesco Chicchiriccò <il...@apache.org>
Authored: Mon Aug 14 17:12:20 2017 +0200
Committer: Francesco Chicchiriccò <il...@apache.org>
Committed: Mon Aug 14 17:12:34 2017 +0200
----------------------------------------------------------------------
common/lib/pom.xml | 9 ++++++
.../syncope/ext/saml2lsp/agent/Metadata.java | 14 ++++++---
ext/saml2sp/logic/pom.xml | 7 ++++-
.../apache/syncope/core/logic/SAML2SPLogic.java | 32 +++++++++++++++++---
pom.xml | 8 ++++-
5 files changed, 59 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/syncope/blob/f912d90c/common/lib/pom.xml
----------------------------------------------------------------------
diff --git a/common/lib/pom.xml b/common/lib/pom.xml
index 810f45f..f21bf35 100644
--- a/common/lib/pom.xml
+++ b/common/lib/pom.xml
@@ -93,6 +93,15 @@ under the License.
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
</plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <version>2.3.2</version>
+ <configuration>
+ <source>1.7</source>
+ <target>1.7</target>
+ </configuration>
+ </plugin>
</plugins>
</build>
</project>
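Review bot: The added maven-compiler-plugin block pins `<version>2.3.2</version>` directly in this module's pom; if the parent pom already manages the compiler plugin version (its pluginManagement is not visible from here), the explicit version should be dropped so this module does not silently diverge from the rest of the build. The 1.7 source/target is also unexplained in the file — a one-line comment above the plugin stating why common/lib alone targets Java 7, e.g. `<!-- common/lib is compiled for Java 7: REASON-PLACEHOLDER -->`, would keep the next maintainer from "fixing" it.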
http://git-wip-us.apache.org/repos/asf/syncope/blob/f912d90c/ext/saml2sp/agent/src/main/java/org/apache/syncope/ext/saml2lsp/agent/Metadata.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/agent/src/main/java/org/apache/syncope/ext/saml2lsp/agent/Metadata.java b/ext/saml2sp/agent/src/main/java/org/apache/syncope/ext/saml2lsp/agent/Metadata.java
index 73229f7..c1fbaa8 100644
--- a/ext/saml2sp/agent/src/main/java/org/apache/syncope/ext/saml2lsp/agent/Metadata.java
+++ b/ext/saml2sp/agent/src/main/java/org/apache/syncope/ext/saml2lsp/agent/Metadata.java
@@ -46,11 +46,15 @@ public class Metadata extends HttpServlet {
getAttribute(Constants.SYNCOPE_ANONYMOUS_CLIENT);
SAML2SPService service = anonymous.getService(SAML2SPService.class);
WebClient.client(service).accept(MediaType.APPLICATION_XML_TYPE).type(MediaType.APPLICATION_XML_TYPE);
- Response metadataResponse = service.getMetadata(
- StringUtils.substringBefore(request.getRequestURL().toString(), "/saml2sp"), "saml2sp");
+ try {
+ Response metadataResponse = service.getMetadata(
+ StringUtils.substringBefore(request.getRequestURL().toString(), "/saml2sp"), "saml2sp");
- response.setContentType(metadataResponse.getMediaType().toString());
- IOUtils.copy((InputStream) metadataResponse.getEntity(), response.getOutputStream());
- ((InputStream) metadataResponse.getEntity()).close();
+ response.setContentType(metadataResponse.getMediaType().toString());
+ IOUtils.copy((InputStream) metadataResponse.getEntity(), response.getOutputStream());
+ ((InputStream) metadataResponse.getEntity()).close();
+ } catch (Exception e) {
+ throw new ServletException(e.getMessage());
+ }
}
}
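Review bot: The catch at the end of the hunk rethrows as `new ServletException(e.getMessage())`, which discards the original exception and its stack trace, and the entity stream is only closed when the copy succeeds, so a failure inside IOUtils.copy leaves it open. Preserve the cause with `throw new ServletException(e.getMessage(), e);` and close the stream with try-with-resources as below. Note also that e.getMessage() — whatever the backend reported — becomes the servlet error message that the container may render to the requester; whether that is acceptable depends on the container's error-page setup, which I cannot see from here. The enclosing method starts before the hunk.
```java
try {
    Response metadataResponse = service.getMetadata(
            StringUtils.substringBefore(request.getRequestURL().toString(), "/saml2sp"), "saml2sp");
    response.setContentType(metadataResponse.getMediaType().toString());
    try (InputStream entity = (InputStream) metadataResponse.getEntity()) {
        IOUtils.copy(entity, response.getOutputStream());
    }
} catch (Exception e) {
    throw new ServletException(e.getMessage(), e);
}
```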
http://git-wip-us.apache.org/repos/asf/syncope/blob/f912d90c/ext/saml2sp/logic/pom.xml
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/pom.xml b/ext/saml2sp/logic/pom.xml
index 3c6d7eb..4aa7b86 100644
--- a/ext/saml2sp/logic/pom.xml
+++ b/ext/saml2sp/logic/pom.xml
@@ -43,7 +43,7 @@ under the License.
<artifactId>syncope-core-logic</artifactId>
<version>${project.version}</version>
</dependency>
-
+
<dependency>
<groupId>org.apache.syncope.ext.saml2sp</groupId>
<artifactId>syncope-ext-saml2sp-provisioning-java</artifactId>
@@ -59,6 +59,11 @@ under the License.
<groupId>org.opensaml</groupId>
<artifactId>opensaml-saml-impl</artifactId>
</dependency>
+
+ <dependency>
+ <groupId>commons-validator</groupId>
+ <artifactId>commons-validator</artifactId>
+ </dependency>
</dependencies>
<build>
http://git-wip-us.apache.org/repos/asf/syncope/blob/f912d90c/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
index 07e8e19..0809020 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
@@ -35,6 +35,7 @@ import javax.annotation.Resource;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.commons.lang3.tuple.Triple;
+import org.apache.commons.validator.routines.UrlValidator;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.saml.sso.SSOValidatorResponse;
@@ -128,6 +129,8 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
private static final Encryptor ENCRYPTOR = Encryptor.getInstance();
+ private static final UrlValidator URL_VALIDATOR = new UrlValidator(new String[] { "http", "https" });
+
@Autowired
private AccessTokenDataBinder accessTokenDataBinder;
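Review bot: `new UrlValidator(new String[] { "http", "https" })` on the added line uses the validator's default options, and without `UrlValidator.ALLOW_LOCAL_URLS` commons-validator rejects authorities without a dotted domain such as `localhost`, so a metadata request for a deployment addressed as http://localhost:PORT/... would now be refused by validateUrl. If SP metadata must still be produced for such deployments (local and test setups typically are — worth confirming against the integration tests), construct it as `new UrlValidator(new String[] { "http", "https" }, UrlValidator.ALLOW_LOCAL_URLS);`. A short comment stating the intent would also help, e.g. `// only absolute http(s) URLs may be written into the generated SP metadata`.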
@@ -152,11 +155,29 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
@Resource(name = "syncopeJWTSSOProviderDelegate")
private JwsSignatureVerifier jwsSignatureVerifier;
+ private void validateUrl(final String url) {
+ boolean isValid = true;
+ if (url.contains("..")) {
+ isValid = false;
+ }
+ if (isValid) {
+ isValid = URL_VALIDATOR.isValid(url);
+ }
+
+ if (!isValid) {
+ SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
+ sce.getElements().add("Invalid URL: " + url);
+ throw sce;
+ }
+ }
+
private String getAssertionConsumerURL(final String spEntityID, final String urlContext) {
- return spEntityID + urlContext + "/assertion-consumer";
+ String assertionConsumerUrl = spEntityID + urlContext + "/assertion-consumer";
+ validateUrl(assertionConsumerUrl);
+ return assertionConsumerUrl;
}
- @PreAuthorize("hasRole('" + StandardEntitlement.ANONYMOUS + "')")
+ @PreAuthorize("isAuthenticated()")
public void getMetadata(final String spEntityID, final String urlContext, final OutputStream os) {
check();
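Review bot: validateUrl reports a rejected caller-supplied URL as `ClientExceptionType.Unknown`, which presents a validation failure as a generic error; if the enum offers a more specific type (`InvalidValues`, as far as I recall — confirm) the caller would get a bad-request style response instead. The isValid juggling can collapse to `if (url.contains("..") || !URL_VALIDATOR.isValid(url)) {` with the exception in the body, and a Javadoc stating why the check exists would help: `/** Rejects SP endpoint URLs that contain ".." or are not absolute http(s) URLs, since they are copied verbatim into the generated SP metadata. */`. Because the check runs on the concatenated string, spEntityID is only validated where the helper is applied; if spEntityID is also used on its own as the EntityDescriptor entity ID further down in getMetadata (which continues past this hunk), that value remains unvalidated. The same helper is used for sloUrl in the next hunk.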
@@ -193,10 +214,13 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
spSSODescriptor.getAssertionConsumerServices().add(assertionConsumerService);
spEntityDescriptor.getRoleDescriptors().add(spSSODescriptor);
+ String sloUrl = spEntityID + urlContext + "/logout";
+ validateUrl(sloUrl);
+
SingleLogoutService singleLogoutService = new SingleLogoutServiceBuilder().buildObject();
singleLogoutService.setBinding(bindingType.getUri());
- singleLogoutService.setLocation(spEntityID + urlContext + "/logout");
- singleLogoutService.setResponseLocation(spEntityID + urlContext + "/logout");
+ singleLogoutService.setLocation(sloUrl);
+ singleLogoutService.setResponseLocation(sloUrl);
spSSODescriptor.getSingleLogoutServices().add(singleLogoutService);
}
http://git-wip-us.apache.org/repos/asf/syncope/blob/f912d90c/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 1df04b5..74a71f9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -402,6 +402,7 @@ under the License.
<commons-lang.version>3.6</commons-lang.version>
<commons-text.version>1.1</commons-text.version>
<commons-collection.version>4.1</commons-collection.version>
+ <commons-validator.version>1.6</commons-validator.version>
<commons-logging.version>1.1.3</commons-logging.version>
<joda.version>2.9.9</joda.version>
@@ -975,7 +976,12 @@ under the License.
<artifactId>commons-collections4</artifactId>
<version>${commons-collection.version}</version>
</dependency>
-
+ <dependency>
+ <groupId>commons-validator</groupId>
+ <artifactId>commons-validator</artifactId>
+ <version>${commons-validator.version}</version>
+ </dependency>
+
<dependency>
<groupId>net.tirasa.connid</groupId>
<artifactId>connector-framework</artifactId>