Posted to commits@syncope.apache.org by il...@apache.org on 2017/08/31 10:48:53 UTC

[1/2] syncope git commit: SAML 2.0 SP: Checking Relay State expiration

Repository: syncope
Updated Branches:
  refs/heads/2_0_X 8a4b83374 -> 55e09aa66
  refs/heads/master 337a70bf6 -> b3db3b19e


SAML 2.0 SP: Checking Relay State expiration


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/55e09aa6
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/55e09aa6
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/55e09aa6

Branch: refs/heads/2_0_X
Commit: 55e09aa665f07bd35236d3fb3340a8f2a4f333ab
Parents: 8a4b833
Author: Francesco Chicchiriccò <il...@apache.org>
Authored: Thu Aug 31 12:48:34 2017 +0200
Committer: Francesco Chicchiriccò <il...@apache.org>
Committed: Thu Aug 31 12:48:34 2017 +0200

----------------------------------------------------------------------
 .../org/apache/syncope/core/logic/SAML2SPLogic.java     | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/55e09aa6/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
index dff5010..39d025c 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
@@ -114,7 +114,7 @@ import org.springframework.util.ResourceUtils;
 @Component
 public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
 
-    private static final long JWT_RELAY_STATE_DURATION = 5L;
+    private static final long JWT_RELAY_STATE_DURATION = 60L;
 
     private static final String JWT_CLAIM_IDP_DEFLATE = "IDP_DEFLATE";
 
@@ -365,6 +365,11 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
         if (!relayState.verifySignatureWith(jwsSignatureVerifier)) {
             throw new IllegalArgumentException("Invalid signature found in Relay State");
         }
+        Long expiryTime = relayState.getJwtClaims().getExpiryTime();
+        if (expiryTime == null || (expiryTime * 1000L) < new Date().getTime()) {
+            throw new IllegalArgumentException("Relay State is expired");
+        }
+
         Boolean useDeflateEncoding = Boolean.valueOf(
                 relayState.getJwtClaims().getClaim(JWT_CLAIM_IDP_DEFLATE).toString());
 
@@ -629,6 +634,11 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
             if (!relayState.verifySignatureWith(jwsSignatureVerifier)) {
                 throw new IllegalArgumentException("Invalid signature found in Relay State");
             }
+            Long expiryTime = relayState.getJwtClaims().getExpiryTime();
+            if (expiryTime == null || (expiryTime * 1000L) < new Date().getTime()) {
+                throw new IllegalArgumentException("Relay State is expired");
+            }
+
             useDeflateEncoding = Boolean.valueOf(
                     relayState.getJwtClaims().getClaim(JWT_CLAIM_IDP_DEFLATE).toString());
         }
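Review bot: The signature check and the new expiry check are now the same block copied into two places, here and in the hunk at -365 above (and again in both hunks of the master commit further down), so a later tightening of one path can miss the other. Moving both checks into one private method that takes `relayState` would keep the two flows identical. Within the check, `new Date().getTime()` can be written as `System.currentTimeMillis()`, giving `if (expiryTime == null || expiryTime * 1000L < System.currentTimeMillis()) {`. Rejecting a missing expiry claim is the right default and should be kept in the shared method. The enclosing method starts and ends outside the hunk.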


[2/2] syncope git commit: SAML 2.0 SP: Checking Relay State expiration

Posted by il...@apache.org.
SAML 2.0 SP: Checking Relay State expiration


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/b3db3b19
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/b3db3b19
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/b3db3b19

Branch: refs/heads/master
Commit: b3db3b19e7fccb6445a5b760543722f60e82d86f
Parents: 337a70b
Author: Francesco Chicchiriccò <il...@apache.org>
Authored: Thu Aug 31 12:48:34 2017 +0200
Committer: Francesco Chicchiriccò <il...@apache.org>
Committed: Thu Aug 31 12:48:43 2017 +0200

----------------------------------------------------------------------
 .../org/apache/syncope/core/logic/SAML2SPLogic.java     | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/b3db3b19/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
index 80a3ce6..e07fc52 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
@@ -113,7 +113,7 @@ import org.springframework.util.ResourceUtils;
 @Component
 public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
 
-    private static final long JWT_RELAY_STATE_DURATION = 5L;
+    private static final long JWT_RELAY_STATE_DURATION = 60L;
 
     private static final String JWT_CLAIM_IDP_DEFLATE = "IDP_DEFLATE";
 
@@ -364,6 +364,11 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
         if (!relayState.verifySignatureWith(jwsSignatureVerifier)) {
             throw new IllegalArgumentException("Invalid signature found in Relay State");
         }
+        Long expiryTime = relayState.getJwtClaims().getExpiryTime();
+        if (expiryTime == null || (expiryTime * 1000L) < new Date().getTime()) {
+            throw new IllegalArgumentException("Relay State is expired");
+        }
+
         Boolean useDeflateEncoding = Boolean.valueOf(
                 relayState.getJwtClaims().getClaim(JWT_CLAIM_IDP_DEFLATE).toString());
 
@@ -616,6 +621,11 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
             if (!relayState.verifySignatureWith(jwsSignatureVerifier)) {
                 throw new IllegalArgumentException("Invalid signature found in Relay State");
             }
+            Long expiryTime = relayState.getJwtClaims().getExpiryTime();
+            if (expiryTime == null || (expiryTime * 1000L) < new Date().getTime()) {
+                throw new IllegalArgumentException("Relay State is expired");
+            }
+
             useDeflateEncoding = Boolean.valueOf(
                     relayState.getJwtClaims().getClaim(JWT_CLAIM_IDP_DEFLATE).toString());
         }
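Review bot: The expiry check limits how long a signed Relay State is accepted, but nothing in this hunk or the one at -364 makes it single-use. A captured value is presumably still accepted until it expires, unless reuse is tracked in code not shown here. That makes `JWT_RELAY_STATE_DURATION` a security setting, and the first hunk raises it from 5L to 60L without stating the unit. A comment on the constant would help, for example `// Relay State lifetime (unit: TODO confirm); also the window in which a Relay State can be replayed`. The enclosing block continues outside the hunk.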