Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -169,8 +169,8 @@ private void validateIssuer(org.opensaml.saml.saml2.core.Issuer issuer) throws W
return;
}

// Issuer value must match (be contained in) Issuer IDP
if (enforceKnownIssuer && (issuer.getValue() == null || !issuerIDP.startsWith(issuer.getValue()))) {
// Issuer value must match the configured Issuer IDP
if (enforceKnownIssuer && !issuerIDP.equals(issuer.getValue())) {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@coheigea could you please take a look? I believe you have changed exact much to prefix here [1], thank you

[1] 9253b78

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's the commit, yes. As far as I can tell the reason for the prefix check is that validateIssuer compares the response Issuer against requestState.getIdpServiceAddress() (set in AbstractRequestAssertionConsumerHandler), which is the IdP's SSO endpoint URL rather than its entityID, and the entityID is often a prefix of that address. The trouble is that a bare startsWith accepts any prefix at all, down to a single character, so with enforceKnownIssuer on the issuer isn't really pinned to anything. If exact matching against the service address is too strict for existing deployments, a separate expected issuer property might be the safer route, but happy to rework it whichever way you and Colm prefer.

LOG.warning("Issuer value: " + issuer.getValue() + " does not match issuer IDP: "
+ issuerIDP);
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -324,6 +324,34 @@ public void testResponseInvalidIssuer() throws Exception {
}
}

@org.junit.Test
public void testResponseIssuerPrefixOfConfiguredIssuer() throws Exception {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo("12345");
subjectConfirmationData.setNotAfter(Instant.now().plus(Duration.ofMinutes(5)));
subjectConfirmationData.setRecipient("http://recipient.apache.org");

Response response = createResponse(subjectConfirmationData);
// A value that is merely a prefix of the configured issuer must not be accepted
response.setIssuer(SAML2PResponseComponentBuilder.createIssuer("http://cxf.apache.org"));

// Validate the Response
SAMLSSOResponseValidator validator = new SAMLSSOResponseValidator();
validator.setEnforceAssertionsSigned(false);
validator.setIssuerIDP("http://cxf.apache.org/issuer");
validator.setAssertionConsumerURL("http://recipient.apache.org");
validator.setClientAddress("http://apache.org");
validator.setRequestId("12345");
validator.setSpIdentifier("http://service.apache.org");
try {
validator.validateSamlResponse(response, false);
fail("Expected failure on issuer that only matches a prefix of the configured issuer");
} catch (WSSecurityException ex) {
// expected
}
}

@org.junit.Test
public void testMissingAuthnStatement() throws Exception {
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
Expand Down