  1. SX Spring Security Extension
  2. SES-38

WebSSOProfileConsumerImpl fails if there is more than one AudienceRestriction

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Invalid
    • Affects Version/s: saml-1.0.0
    • Fix Version/s: saml-1.0.0.RC1
    • Component/s: saml
    • Labels:
      None

      Description

      In WebSSOProfileConsumerImpl#verifyAssertionConditions, if the local entity is not in the first AudienceRestriction, an exception is thrown. The relevant code is:

      audience:
      for (AudienceRestriction rest : conditions.getAudienceRestrictions()) {
          if (rest.getAudiences().size() == 0) {
              log.debug("No audit audience specified for the assertion");
              throw new SAMLException("SAML response is invalid");
          }
          for (Audience aud : rest.getAudiences()) {
              if (context.getLocalEntityId().equals(aud.getAudienceURI())) {
                  continue audience; // ==> this should return rather than continue.
              }
          }
          // ==> If it's not in the first AR, we get here and throw an exception
          log.debug("Our entity is not the intended audience of the assertion");
          throw new SAMLException("SAML response is not intended for this entity");
      }

            People

            • Assignee:
              vsch Vladimir Schäfer
              Reporter:
              philvarner Phil Varner
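
SAML 2.0 Core (section 2.5.1.4) requires each AudienceRestriction to be evaluated independently: the audiences inside one restriction are alternatives (OR), while separate restrictions must all be satisfied (AND). The following added example, which is not code from the project or from the reporter, contrasts that rule with an any-match check of the kind the report asks for. The class name, method names and entity IDs are hypothetical, and plain string lists stand in for the OpenSAML objects.

```java
import java.util.List;

// Added example with hypothetical names; plain string lists stand in for
// OpenSAML's AudienceRestriction and Audience objects.
public class AudienceCheckDemo {

    // SAML 2.0 Core: every restriction must name us (AND across restrictions),
    // and one matching audience inside a restriction is enough (OR within it).
    static boolean allRestrictionsSatisfied(String localEntityId, List<List<String>> restrictions) {
        for (List<String> audiences : restrictions) {
            // An empty restriction also fails here, since it cannot contain us.
            if (!audiences.contains(localEntityId)) {
                return false;
            }
        }
        // Assumption of this sketch: an assertion with no restrictions passes.
        return true;
    }

    // Any-match check: accept as soon as one restriction names us.
    static boolean anyRestrictionSatisfied(String localEntityId, List<List<String>> restrictions) {
        for (List<String> audiences : restrictions) {
            if (audiences.contains(localEntityId)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed entity IDs, not taken from the issue.
        String sp = "https://sp.example.org/saml";
        String partner = "https://partner.example.net/saml";

        List<List<String>> bothNameUs = List.of(List.of(sp, partner), List.of(sp));
        List<List<String>> secondExcludesUs = List.of(List.of(sp), List.of(partner));
        List<List<String>> onlySecondNamesUs = List.of(List.of(partner), List.of(sp));

        for (List<List<String>> r : List.of(bothNameUs, secondExcludesUs, onlySecondNamesUs)) {
            System.out.println(r
                    + " all=" + allRestrictionsSatisfied(sp, r)
                    + " any=" + anyRestrictionSatisfied(sp, r));
        }
    }
}
```

The two checks disagree on the last two inputs: the strict check rejects an assertion as soon as one restriction omits the local entity, while the any-match check accepts it.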