
We will not validate IP addresses as part of assertion validation

Fixes gh-7514

https://github.com/spring-projects/spring-security/issues/7514
Filip Hanik 6 years ago
parent
commit
0f14844acf
  1. 10
      saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java
  2. 17
      saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProviderTests.java

10
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java

@ -45,6 +45,7 @@ import org.opensaml.saml.saml2.core.EncryptedID; @@ -45,6 +45,7 @@ import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
@ -327,6 +328,15 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi @@ -327,6 +328,15 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
//ensure that OpenSAML doesn't attempt signature validation, already performed
a.setSignature(null);
//ensure that we don't validate IP addresses as part of our validation gh-7514
if (a.getSubject() != null) {
for (SubjectConfirmation sc : a.getSubject().getSubjectConfirmations()) {
if (sc.getSubjectConfirmationData() != null) {
sc.getSubjectConfirmationData().setAddress(null);
}
}
}
//remainder of assertion validation
ValidationContext vctx = new ValidationContext(validationParams);
try {
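Review bot: Nulling the SubjectConfirmationData Address on every assertion (the loop added after `a.setSignature(null)`) removes a bearer binding, not just a spurious failure: the IdP attests the client address in that attribute so that an assertion stolen or replayed from another host is rejected by the SP. Because the strip is unconditional, a deployment where the SP does observe the real client address (no proxy, or a trusted forwarded-for chain) cannot opt back in; a configurable switch on the provider, or at minimum a class-level Javadoc sentence stating that address checking is intentionally disabled and why, would make the trade-off visible to operators. The code also mutates the parsed Assertion after signature verification, which is only safe because the preceding comment says signature validation has already been performed, so the ordering should be made explicit, e.g. `// safe to mutate: signature already verified above; keep this after that check`. The enclosing method begins and ends outside this hunk.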

17
saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProviderTests.java

@ -215,6 +215,23 @@ public class OpenSamlAuthenticationProviderTests { @@ -215,6 +215,23 @@ public class OpenSamlAuthenticationProviderTests {
provider.authenticate(token);
}
@Test
public void authenticateWhenAssertionContainsValidationAddressThenItSucceeds() throws Exception {
Response response = response(recipientUri, idpEntityId);
Assertion assertion = defaultAssertion();
assertion.getSubject().getSubjectConfirmations().forEach(
sc -> sc.getSubjectConfirmationData().setAddress("10.10.10.10")
);
signXmlObject(
assertion,
assertingPartyCredentials(),
recipientEntityId
);
response.getAssertions().add(assertion);
token = responseXml(response, idpEntityId);
provider.authenticate(token);
}
@Test
public void authenticateWhenEncryptedAssertionWithoutSignatureThenItFails() throws Exception {
Response response = response(recipientUri, idpEntityId);
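Review bot: `authenticateWhenAssertionContainsValidationAddressThenItSucceeds` only proves that `provider.authenticate(token)` does not throw; it neither inspects the returned Authentication nor exercises the null branch the provider added for a SubjectConfirmation without SubjectConfirmationData. Capturing the result, e.g. `Authentication result = provider.authenticate(token);` followed by an assertion that it is authenticated (using whatever assertion library this test class already imports, which is not visible here), plus a sibling test that sets `sc.setSubjectConfirmationData(null)` before signing, would pin both behaviours. As a naming point, the test sets the subject-confirmation Address rather than a "validation address", so `...ContainsSubjectConfirmationAddress...` would describe the fixture more precisely.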
