Posted to commits@cxf.apache.org by co...@apache.org on 2018/08/17 13:28:38 UTC
[cxf-fediz] branch master updated: Provide a way of disabling the
client address check for SAML SSO
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
The following commit(s) were added to refs/heads/master by this push:
new be93125 Provide a way of disabling the client address check for SAML SSO
be93125 is described below
commit be93125e0907383810791fba59283398531d22fd
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Aug 17 14:28:16 2018 +0100
Provide a way of disabling the client address check for SAML SSO
---
.../src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java | 4 ++++
.../java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java | 5 +++++
.../org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java | 4 ++--
plugins/core/src/main/resources/schemas/FedizConfig.xsd | 2 ++
4 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
index d0edea2..de4997e 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
@@ -109,4 +109,8 @@ public class SAMLProtocol extends Protocol {
public String getIssuerLogoutURL() {
return getSAMLProtocol().getIssuerLogoutURL();
}
+
+ public boolean isCheckClientAddress() {
+ return getSAMLProtocol().isCheckClientAddress();
+ }
}
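Review bot: The new `isCheckClientAddress()` accessor carries no Javadoc, and since it gates a security check a reader of the config API should not have to open the XSD to learn its default. Given the schema in this same commit declares the element with `default="true"`, a one-line comment would do: `/** Whether the SubjectConfirmationData Address of a SAML Response is compared with the request's remote address; true unless the config sets checkClientAddress to false. */`. The delegate `getSAMLProtocol()` is defined outside this hunk, so the exact null-handling of an absent element is inferred from the XSD default rather than visible here.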
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
index 78c4c26..00cf00c 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
@@ -329,6 +329,11 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
SAMLSSOResponseValidator ssoResponseValidator = new SAMLSSOResponseValidator();
String requestURL = request.getRequestURL().toString();
ssoResponseValidator.setAssertionConsumerURL(requestURL);
+ boolean checkClientAddress = ((SAMLProtocol)config.getProtocol()).isCheckClientAddress();
+ if (checkClientAddress) {
+ ssoResponseValidator.setClientAddress(request.getRemoteAddr());
+ }
+
ssoResponseValidator.setClientAddress(request.getRemoteAddr());
boolean doNotEnforceKnownIssuer =
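Review bot: The unconditional `ssoResponseValidator.setClientAddress(request.getRemoteAddr());` on the context line immediately after the new `if` block is still present on the new side, so the client address is always set and `checkClientAddress=false` has no effect; that line should be deleted so only the guarded call remains. It is also worth a comment at the new `if` that this is a deliberate security relaxation, e.g. `// Disabling this skips the SubjectConfirmationData Address check, which otherwise limits replay of a captured Response to the original client; only intended for deployments where getRemoteAddr() is a proxy/NAT address.` The enclosing method starts and ends outside this hunk.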
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
index 06bb70f..a027ffa 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
@@ -239,9 +239,9 @@ public class SAMLSSOResponseValidator {
}
// Check address
- if (subjectConfData.getAddress() != null
+ if (subjectConfData.getAddress() != null && clientAddress != null
&& !subjectConfData.getAddress().equals(clientAddress)) {
- LOG.debug("Subject Conf Data address " + subjectConfData.getAddress() + " does match"
+ LOG.debug("Subject Conf Data address " + subjectConfData.getAddress() + " does not match"
+ " client address " + clientAddress);
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
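Review bot: When `clientAddress` is null the new condition silently skips a SubjectConfirmationData that does carry an Address, leaving no trace that a confirmation constraint the IdP asserted was not enforced. A debug line in the skipped case would help operators distinguish "no Address present" from "check disabled", e.g. `} else if (subjectConfData.getAddress() != null) { LOG.debug("Skipping Subject Conf Data address check as no client address was supplied"); }`. The surrounding method, and the loop this check presumably sits in, begin and end outside the hunk.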
diff --git a/plugins/core/src/main/resources/schemas/FedizConfig.xsd b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
index f034c6c..7ffc4d0 100644
--- a/plugins/core/src/main/resources/schemas/FedizConfig.xsd
+++ b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
@@ -169,6 +169,7 @@
<xs:element ref="signRequest" />
<xs:element ref="authnRequestBuilder" />
<xs:element ref="disableDeflateEncoding" />
+ <xs:element ref="checkClientAddress" />
<xs:element ref="doNotEnforceKnownIssuer" />
<xs:element ref="issuerLogoutURL" />
</xs:sequence>
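Review bot: Adding `checkClientAddress` as a positional entry in the `xs:sequence` makes its placement between `disableDeflateEncoding` and `doNotEnforceKnownIssuer` significant for any deployment that validates its Fediz configuration against this schema, which is not visible here; if validation is used, existing and new configs must list the element in exactly that position. Since this element turns off a security check, an `xs:annotation`/`xs:documentation` on the reference saying so (and that the default is true) would make the config self-describing without relying on the Java accessor.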
@@ -188,6 +189,7 @@
<xs:element name="disableDeflateEncoding" type="xs:boolean" />
<xs:element name="doNotEnforceKnownIssuer" type="xs:boolean" />
<xs:element name="issuerLogoutURL" type="xs:string" />
+ <xs:element name="checkClientAddress" type="xs:boolean" default="true"/>
<xs:complexType name="protocolType" abstract="true">
<xs:sequence>