You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@cxf.apache.org by GitBox <gi...@apache.org> on 2019/01/17 16:59:06 UTC

[GitHub] pedromfalves commented on a change in pull request #35: FEDIZ-232 added flag to disable RequestState verification

pedromfalves commented on a change in pull request #35: FEDIZ-232 added flag to disable RequestState verification
URL: https://github.com/apache/cxf-fediz/pull/35#discussion_r248756739
 
 

 ##########
 File path: plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
 ##########
 @@ -132,20 +132,24 @@ private String getState(ServletRequest request) {
 
     private RequestState verifySavedState(HttpServletRequest request) {
         HttpSession session = request.getSession(false);
+        boolean enforceValidState =
+                federationConfig == null || federationConfig.getFedizContext().isRequestStateValidation();
 
-        if (session == null) {
-            logger.warn("The received state does not match the state saved in the context");
-            throw new BadCredentialsException("The received state does not match the state saved in the context");
-        }
-
-        RequestState savedRequestState = (RequestState) session.getAttribute(SAVED_CONTEXT);
-        String state = getState(request);
-        if (savedRequestState == null || !savedRequestState.getState().equals(state)) {
+        if (session == null && enforceValidState) {
             logger.warn("The received state does not match the state saved in the context");
             throw new BadCredentialsException("The received state does not match the state saved in the context");
+        } else if (session != null) {
+            RequestState savedRequestState = (RequestState) session.getAttribute(SAVED_CONTEXT);
+            session.removeAttribute(SAVED_CONTEXT);
+            String state = getState(request);
+
+            if (enforceValidState && (savedRequestState == null || !savedRequestState.getState().equals(state))) {
 
 Review comment:
   The problem is that the savedRequestState may be non-null in case the user has a session in the RP. An example of this would be in case a login attempt is initiated by the RP but not completed, and later the user attempts an authentication with IdP-initiated flow (if he has the IdP login page bookmarked, for example). We do sometimes have this scenario and would therefore prefer that the validation is not enforced at all when this flag is set.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services