We will not validate IP addresses as part of assertion validation

Fixes gh-7514

https://github.com/spring-projects/spring-security/issues/7514
This commit is contained in:
Filip Hanik 2019-10-28 14:38:04 -07:00
parent ed02ef9773
commit 0f14844acf
2 changed files with 27 additions and 0 deletions


@ -45,6 +45,7 @@ import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
@ -327,6 +328,15 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
//ensure that OpenSAML doesn't attempt signature validation, already performed
a.setSignature(null);
//ensure that we don't validate IP addresses as part of our validation gh-7514
if (a.getSubject() != null) {
for (SubjectConfirmation sc : a.getSubject().getSubjectConfirmations()) {
if (sc.getSubjectConfirmationData() != null) {
sc.getSubjectConfirmationData().setAddress(null);
}
}
}
//remainder of assertion validation
ValidationContext vctx = new ValidationContext(validationParams);
try {
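Review bot: Clearing `SubjectConfirmationData.Address` on L29 drops the client-address binding the IdP placed in the assertion for every deployment, yet the comment on L25 records only that this is done, not why, so a later maintainer cannot judge whether the relaxation still applies; replace it with a comment that states the rationale, along the lines of `// Address is the client IP the IdP observed; the SP cannot compare it reliably (e.g. behind proxies), so it is deliberately not validated — see gh-7514`, adjusted to what the issue actually records. Because the parsed Assertion is mutated in place, the address is also unavailable to anything that consumes the assertion after validation, so if it is ever wanted for auditing it would have to be captured before this loop. An alternative that avoids mutating the assertion is to express the relaxation through the `validationParams` handed to the `ValidationContext` on L34, if the OpenSAML validator version in use exposes a parameter for the address check — worth confirming before choosing. The enclosing method starts and ends outside the hunk.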


@ -215,6 +215,23 @@ public class OpenSamlAuthenticationProviderTests {
provider.authenticate(token);
}
@Test
public void authenticateWhenAssertionContainsValidationAddressThenItSucceeds() throws Exception {
Response response = response(recipientUri, idpEntityId);
Assertion assertion = defaultAssertion();
assertion.getSubject().getSubjectConfirmations().forEach(
sc -> sc.getSubjectConfirmationData().setAddress("10.10.10.10")
);
signXmlObject(
assertion,
assertingPartyCredentials(),
recipientEntityId
);
response.getAssertions().add(assertion);
token = responseXml(response, idpEntityId);
provider.authenticate(token);
}
@Test
public void authenticateWhenEncryptedAssertionWithoutSignatureThenItFails() throws Exception {
Response response = response(recipientUri, idpEntityId);
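Review bot: The new test on L43–L57 treats a non-throwing `provider.authenticate(token)` on L56 as success but never inspects the result, so a provider that returned null or an unauthenticated token would pass too; capture it, `Authentication authentication = provider.authenticate(token);`, and assert on it with whatever assertion style the class already uses. The address `"10.10.10.10"` on L47 only proves anything because it does not match the address the test request originates from, and nothing says so; a one-line comment such as `// deliberately differs from the request's address: shows Address is not validated` keeps that intent from being lost. The lambda on L47 would throw a NullPointerException if a confirmation lacked SubjectConfirmationData; presumably `defaultAssertion()` always populates it, but a null guard mirroring the provider's own check would make the test robust to fixture changes.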