Posted to commits@cxf.apache.org by co...@apache.org on 2018/08/17 13:28:38 UTC

[cxf-fediz] branch master updated: Provide a way of disabling the client address check for SAML SSO

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git


The following commit(s) were added to refs/heads/master by this push:
     new be93125  Provide a way of disabling the client address check for SAML SSO
be93125 is described below

commit be93125e0907383810791fba59283398531d22fd
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Aug 17 14:28:16 2018 +0100

    Provide a way of disabling the client address check for SAML SSO
---
 .../src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java | 4 ++++
 .../java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java  | 5 +++++
 .../org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java  | 4 ++--
 plugins/core/src/main/resources/schemas/FedizConfig.xsd              | 2 ++
 4 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
index d0edea2..de4997e 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/SAMLProtocol.java
@@ -109,4 +109,8 @@ public class SAMLProtocol extends Protocol {
     public String getIssuerLogoutURL() {
         return getSAMLProtocol().getIssuerLogoutURL();
     }
+
+    public boolean isCheckClientAddress() {
+        return getSAMLProtocol().isCheckClientAddress();
+    }
 }
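Review bot: The new `isCheckClientAddress()` accessor carries no Javadoc, and since it is the switch that decides whether the SAML SubjectConfirmationData Address is compared with the request's remote address, a reader of `SAMLProtocol` should not have to find the XSD to learn what it controls or what the default is. I would add above the method: `/** Whether the SubjectConfirmationData Address in a SAML Response must match the remote address of the incoming request. Defaults to true (see checkClientAddress in FedizConfig.xsd). */`. Disabling it weakens the binding of the assertion to the client, so the comment could also say that it is intended for deployments where the remote address seen by the plugin is not the client's.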
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
index 78c4c26..00cf00c 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
@@ -329,6 +329,11 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
             SAMLSSOResponseValidator ssoResponseValidator = new SAMLSSOResponseValidator();
             String requestURL = request.getRequestURL().toString();
             ssoResponseValidator.setAssertionConsumerURL(requestURL);
+            boolean checkClientAddress = ((SAMLProtocol)config.getProtocol()).isCheckClientAddress();
+            if (checkClientAddress) {
+                ssoResponseValidator.setClientAddress(request.getRemoteAddr());
+            }
+
             ssoResponseValidator.setClientAddress(request.getRemoteAddr());
 
             boolean doNotEnforceKnownIssuer =
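Review bot: The new `checkClientAddress` switch has no effect here, because the pre-existing unconditional `ssoResponseValidator.setClientAddress(request.getRemoteAddr());` on the line after the added `if` block is left in place, so the client address is always set and the validator's new `clientAddress != null` guard never sees a null. The fix is to delete that remaining unconditional call so that the address is only set inside `if (checkClientAddress) { ... }`. Given the code under review, the added block and the old line together are the only change to this method; the enclosing method begins and ends outside the hunk.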
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
index 06bb70f..a027ffa 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
@@ -239,9 +239,9 @@ public class SAMLSSOResponseValidator {
         }
 
         // Check address
-        if (subjectConfData.getAddress() != null
+        if (subjectConfData.getAddress() != null && clientAddress != null
             && !subjectConfData.getAddress().equals(clientAddress)) {
-            LOG.debug("Subject Conf Data address " + subjectConfData.getAddress() + " does match"
+            LOG.debug("Subject Conf Data address " + subjectConfData.getAddress() + " does not match"
                      + " client address " + clientAddress);
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
         }
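Review bot: With the added `clientAddress != null` condition, a null client address silently skips the SubjectConfirmationData Address comparison, and nothing in the log records that this check was bypassed; an operator investigating an accepted response cannot tell whether the address matched or the check was simply off. I would add an `else` branch after the `if`: `} else if (clientAddress == null && subjectConfData.getAddress() != null) { LOG.debug("Client address check disabled; skipping Subject Conf Data address check"); }`. The log-message typo fix ("does match" to "does not match") on the next line is correct. The enclosing method continues outside the hunk.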
diff --git a/plugins/core/src/main/resources/schemas/FedizConfig.xsd b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
index f034c6c..7ffc4d0 100644
--- a/plugins/core/src/main/resources/schemas/FedizConfig.xsd
+++ b/plugins/core/src/main/resources/schemas/FedizConfig.xsd
@@ -169,6 +169,7 @@
                     <xs:element ref="signRequest" />
                     <xs:element ref="authnRequestBuilder" />
                     <xs:element ref="disableDeflateEncoding" />
+                    <xs:element ref="checkClientAddress" />
                     <xs:element ref="doNotEnforceKnownIssuer" />
                     <xs:element ref="issuerLogoutURL" />
                 </xs:sequence>
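Review bot: The new `<xs:element ref="checkClientAddress" />` is inserted into an `xs:sequence` without `minOccurs="0"`, and in XSD an element particle defaults to `minOccurs="1"`, so unless the surrounding refs are made optional somewhere not shown in the hunk, existing configurations that omit the new element would fail schema validation (and an `xs:sequence` also fixes the position of the element relative to `disableDeflateEncoding` and `doNotEnforceKnownIssuer`). If the siblings are optional, please confirm and mirror their declaration, e.g. `<xs:element ref="checkClientAddress" minOccurs="0" />`. Note also that the `default="true"` added in the second hunk of this file applies only when the element is present with empty content, not when it is absent, so the fallback for an omitted element should be verified in the generated binding.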
@@ -188,6 +189,7 @@
     <xs:element name="disableDeflateEncoding" type="xs:boolean" />
     <xs:element name="doNotEnforceKnownIssuer" type="xs:boolean" />
     <xs:element name="issuerLogoutURL" type="xs:string" />
+    <xs:element name="checkClientAddress" type="xs:boolean" default="true"/>
 
     <xs:complexType name="protocolType" abstract="true">
         <xs:sequence>