Author: anil.saldhana(a)jboss.com
Date: 2009-01-16 16:37:00 -0500 (Fri, 16 Jan 2009)
New Revision: 224
Modified:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
Log:
add sig verification at SP end
Modified:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java
===================================================================
---
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2009-01-16
21:04:55 UTC (rev 223)
+++
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectFormAuthenticator.java 2009-01-16
21:37:00 UTC (rev 224)
@@ -182,6 +182,11 @@
sb.append("&RelayState=").append(urlEncodedRelayState);
return sb.toString();
}
+
+ protected boolean validate(Request request) throws Exception
+ {
+ return request.getParameter("SAMLResponse") != null;
+ }
private Principal process(Request request, Response response) throws Exception
{
@@ -190,6 +195,8 @@
String samlResponse = request.getParameter("SAMLResponse");
if(samlResponse != null && samlResponse.length() > 0 )
{
+ this.validate(request);
+
//deal with SAML response from IDP
byte[] base64DecodedResponse = Base64.decode(samlResponse);
InputStream is = DeflateUtil.decode(base64DecodedResponse);
Modified:
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java
===================================================================
---
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java 2009-01-16
21:04:55 UTC (rev 223)
+++
identity-federation/trunk/identity-bindings/src/main/java/org/jboss/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.java 2009-01-16
21:37:00 UTC (rev 224)
@@ -29,8 +29,10 @@
import java.security.PrivateKey;
import java.security.PublicKey;
+import org.apache.catalina.connector.Request;
import org.jboss.identity.federation.bindings.util.RedirectBindingSignatureUtil;
import org.jboss.identity.federation.bindings.util.cert.KeyStoreUtil;
+import org.jboss.identity.federation.core.saml.v2.util.SignatureUtil;
/**
* Tomcat Authenticator for the HTTP/Redirect
@@ -64,7 +66,38 @@
{
this.alias = alias;
}
+
+ protected boolean validate(Request request) throws Exception
+ {
+ boolean result = super.validate(request);
+ if( result == false)
+ return result;
+
+ String queryString = request.getQueryString();
+ //Check if there is a signature
+ byte[] sigValue =
RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(queryString);
+ if(sigValue == null)
+ return false;
+
+ //Construct the url again
+ String reqFromURL = RedirectBindingSignatureUtil.getTokenValue(queryString,
"SAMLResponse");
+ String relayStateFromURL = RedirectBindingSignatureUtil.getTokenValue(queryString,
"RelayState");
+ String sigAlgFromURL = RedirectBindingSignatureUtil.getTokenValue(queryString,
"SigAlg");
+ StringBuilder sb = new StringBuilder();
+ sb.append("SAMLResponse=").append(reqFromURL);
+
+ if(relayStateFromURL != null && relayStateFromURL.length() > 0)
+ {
+ sb.append("&RelayState=").append(relayStateFromURL);
+ }
+ sb.append("&SigAlg=").append(sigAlgFromURL);
+
+ PublicKey validatingKey = getValidatingKey();
+ boolean isValid = SignatureUtil.validate(sb.toString().getBytes("UTF-8"),
sigValue, validatingKey);
+ return isValid;
+ }
+
@Override
protected String getDestination(String urlEncodedRequest, String
urlEncodedRelayState)
{
Show replies by date