Posted to commits@syncope.apache.org by il...@apache.org on 2017/08/31 10:48:53 UTC
[1/2] syncope git commit: SAML 2.0 SP: Checking Relay State expiration
Repository: syncope
Updated Branches:
refs/heads/2_0_X 8a4b83374 -> 55e09aa66
refs/heads/master 337a70bf6 -> b3db3b19e
SAML 2.0 SP: Checking Relay State expiration
Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/55e09aa6
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/55e09aa6
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/55e09aa6
Branch: refs/heads/2_0_X
Commit: 55e09aa665f07bd35236d3fb3340a8f2a4f333ab
Parents: 8a4b833
Author: Francesco Chicchiriccò <il...@apache.org>
Authored: Thu Aug 31 12:48:34 2017 +0200
Committer: Francesco Chicchiriccò <il...@apache.org>
Committed: Thu Aug 31 12:48:34 2017 +0200
----------------------------------------------------------------------
.../org/apache/syncope/core/logic/SAML2SPLogic.java | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/syncope/blob/55e09aa6/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
index dff5010..39d025c 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
@@ -114,7 +114,7 @@ import org.springframework.util.ResourceUtils;
@Component
public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
- private static final long JWT_RELAY_STATE_DURATION = 5L;
+ private static final long JWT_RELAY_STATE_DURATION = 60L;
private static final String JWT_CLAIM_IDP_DEFLATE = "IDP_DEFLATE";
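Review bot: The unit of JWT_RELAY_STATE_DURATION is not stated where the value is raised from 5 to 60, so a reader cannot tell how long a signed Relay State token stays acceptable after it is issued; the code that consumes the constant is outside this hunk. With the expiry checks added further down, this constant becomes the only bound on that window, so it deserves a comment such as `// Validity window of the signed Relay State JWT, in <UNIT — confirm against the issuing code>` plus a one-line reason for the twelve-fold increase. The same bump appears in the first hunk of the master commit.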
@@ -365,6 +365,11 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
if (!relayState.verifySignatureWith(jwsSignatureVerifier)) {
throw new IllegalArgumentException("Invalid signature found in Relay State");
}
+ Long expiryTime = relayState.getJwtClaims().getExpiryTime();
+ if (expiryTime == null || (expiryTime * 1000L) < new Date().getTime()) {
+ throw new IllegalArgumentException("Relay State is expired");
+ }
+
Boolean useDeflateEncoding = Boolean.valueOf(
relayState.getJwtClaims().getClaim(JWT_CLAIM_IDP_DEFLATE).toString());
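Review bot: The expiry check added after the signature verification is copied verbatim here and in the next hunk (and again in both hunks of the master commit), so any later adjustment — clock-skew tolerance, a not-before check, logging of the rejected token — has to be made in four places. Extracting it into a private static helper that takes the expiry claim value keeps each call site to one line, and `System.currentTimeMillis()` avoids allocating a `Date` just to read the clock. The comparison is correct provided `getExpiryTime()` returns seconds since the epoch (the `* 1000L` suggests it does; confirm against the JWT library), and it rightly rejects a missing `exp` claim. There is no allowance for clock skew between the node that issued the Relay State and the one validating it; if those can differ in a cluster, a small tolerance should be considered. The enclosing method starts and ends outside the hunk.
```java
// … unchanged: signature verification …
checkRelayStateExpiry(relayState.getJwtClaims().getExpiryTime());
// … unchanged: IDP_DEFLATE claim handling …

/** Rejects a Relay State whose {@code exp} claim is absent or already in the past. */
private static void checkRelayStateExpiry(final Long expiryTimeSeconds) {
    if (expiryTimeSeconds == null || expiryTimeSeconds * 1000L < System.currentTimeMillis()) {
        throw new IllegalArgumentException("Relay State is expired");
    }
}
```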
@@ -629,6 +634,11 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
if (!relayState.verifySignatureWith(jwsSignatureVerifier)) {
throw new IllegalArgumentException("Invalid signature found in Relay State");
}
+ Long expiryTime = relayState.getJwtClaims().getExpiryTime();
+ if (expiryTime == null || (expiryTime * 1000L) < new Date().getTime()) {
+ throw new IllegalArgumentException("Relay State is expired");
+ }
+
useDeflateEncoding = Boolean.valueOf(
relayState.getJwtClaims().getClaim(JWT_CLAIM_IDP_DEFLATE).toString());
}
[2/2] syncope git commit: SAML 2.0 SP: Checking Relay State expiration
Posted by il...@apache.org.
SAML 2.0 SP: Checking Relay State expiration
Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/b3db3b19
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/b3db3b19
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/b3db3b19
Branch: refs/heads/master
Commit: b3db3b19e7fccb6445a5b760543722f60e82d86f
Parents: 337a70b
Author: Francesco Chicchiriccò <il...@apache.org>
Authored: Thu Aug 31 12:48:34 2017 +0200
Committer: Francesco Chicchiriccò <il...@apache.org>
Committed: Thu Aug 31 12:48:43 2017 +0200
----------------------------------------------------------------------
.../org/apache/syncope/core/logic/SAML2SPLogic.java | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/syncope/blob/b3db3b19/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
index 80a3ce6..e07fc52 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
@@ -113,7 +113,7 @@ import org.springframework.util.ResourceUtils;
@Component
public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
- private static final long JWT_RELAY_STATE_DURATION = 5L;
+ private static final long JWT_RELAY_STATE_DURATION = 60L;
private static final String JWT_CLAIM_IDP_DEFLATE = "IDP_DEFLATE";
@@ -364,6 +364,11 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
if (!relayState.verifySignatureWith(jwsSignatureVerifier)) {
throw new IllegalArgumentException("Invalid signature found in Relay State");
}
+ Long expiryTime = relayState.getJwtClaims().getExpiryTime();
+ if (expiryTime == null || (expiryTime * 1000L) < new Date().getTime()) {
+ throw new IllegalArgumentException("Relay State is expired");
+ }
+
Boolean useDeflateEncoding = Boolean.valueOf(
relayState.getJwtClaims().getClaim(JWT_CLAIM_IDP_DEFLATE).toString());
@@ -616,6 +621,11 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
if (!relayState.verifySignatureWith(jwsSignatureVerifier)) {
throw new IllegalArgumentException("Invalid signature found in Relay State");
}
+ Long expiryTime = relayState.getJwtClaims().getExpiryTime();
+ if (expiryTime == null || (expiryTime * 1000L) < new Date().getTime()) {
+ throw new IllegalArgumentException("Relay State is expired");
+ }
+
useDeflateEncoding = Boolean.valueOf(
relayState.getJwtClaims().getClaim(JWT_CLAIM_IDP_DEFLATE).toString());
}