SX Spring Security Extension / SES-17

Error in subject validation in WebSSOProfileConsumerImpl

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Invalid
    • Affects Version/s: saml-1.0.0
    • Fix Version/s: saml-1.0.0.RC1
    • Component/s: saml
    • Labels: None

      Description

      On line 269 in WebSSOProfileConsumerImpl the Recipient of the Subject element in the message is supposed to be checked. However, as well as checking for a correct Recipient value, the binding used is also checked to be correct. This check is wrong, as it checks the communicationProfileId, which is never set in the message context, and therefore we get a NullPointerException.

      From what I can deduce from the code and the SAML standard, this binding check has nothing to do with the Subject in question and it is not required to be done; there only needs to be a check that the Recipient is correct. If it is to be done, however, shouldn't it use the inboundSAMLProtocol field (information found in the message) instead of the communicationProfileId?

      Expected code from revision 54:

      if (context.getInboundSAMLProtocol().equals(service.getBinding()) && service.getLocation().equals(data.getRecipient())) {
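      The Recipient check described in this report, written out as an added example rather than code from the Spring Security SAML extension. The Endpoint, SubjectConfirmationData and MessageContext records are simplified stand-ins assumed here; the point is that the binding comparison uses the protocol found in the inbound message, and that a missing value fails validation instead of throwing a NullPointerException.

```java
import java.util.List;
import java.util.Objects;

// Added example, not Spring Security SAML code. The records below are
// hypothetical stand-ins for the endpoint, SubjectConfirmationData and
// message context objects the report refers to.
public class RecipientCheck {

    /** A configured assertion consumer endpoint (stand-in). */
    record Endpoint(String location, String binding) {}

    /** Only the Recipient attribute of SubjectConfirmationData matters here. */
    record SubjectConfirmationData(String recipient) {}

    /** inboundSAMLProtocol is set when the message is decoded;
     *  communicationProfileId is the field the report says is never set. */
    record MessageContext(String inboundSAMLProtocol, String communicationProfileId) {}

    /**
     * True if the Recipient names one of our own assertion consumer endpoints.
     * With checkBinding, that endpoint must also be bound to the protocol the
     * message actually arrived on (context.inboundSAMLProtocol). Any null on
     * the way is a validation failure, never an exception.
     */
    static boolean recipientValid(MessageContext context, SubjectConfirmationData data,
                                  List<Endpoint> endpoints, boolean checkBinding) {
        if (data == null || data.recipient() == null) {
            return false; // assertion carries no Recipient to validate
        }
        for (Endpoint service : endpoints) {
            if (!Objects.equals(service.location(), data.recipient())) {
                continue; // Recipient does not name this endpoint
            }
            if (!checkBinding) {
                return true;
            }
            // Objects.equals tolerates a null protocol and simply fails closed.
            if (context != null
                    && Objects.equals(context.inboundSAMLProtocol(), service.binding())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any deployment.
        List<Endpoint> acs = List.of(new Endpoint("https://sp.example/saml/SSO", "HTTP-POST"));
        MessageContext ctx = new MessageContext("HTTP-POST", null); // profile id unset
        SubjectConfirmationData ok = new SubjectConfirmationData("https://sp.example/saml/SSO");
        SubjectConfirmationData bad = new SubjectConfirmationData("https://evil.example/acs");
        System.out.println(recipientValid(ctx, ok, acs, true));  // true, no NPE
        System.out.println(recipientValid(ctx, bad, acs, true)); // false
    }
}
```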

            People

            • Assignee: Vladimir Schäfer (vsch)
            • Reporter: Mandus Elfving (mel)
