
We will not validate IP addresses as part of assertion validation

Fixes gh-7514

https://github.com/spring-projects/spring-security/issues/7514
Filip Hanik 5 年之前
0f14844acf

+ 10 - 0
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java

@@ -45,6 +45,7 @@ import org.opensaml.saml.saml2.core.EncryptedID;
 import org.opensaml.saml.saml2.core.NameID;
 import org.opensaml.saml.saml2.core.Response;
 import org.opensaml.saml.saml2.core.Subject;
+import org.opensaml.saml.saml2.core.SubjectConfirmation;
 import org.opensaml.saml.saml2.encryption.Decrypter;
 import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
 import org.opensaml.security.credential.Credential;
@@ -327,6 +328,15 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 		//ensure that OpenSAML doesn't attempt signature validation, already performed
 		a.setSignature(null);
 
+		//ensure that we don't validate IP addresses as part of our validation gh-7514
+		if (a.getSubject() != null) {
+			for (SubjectConfirmation sc : a.getSubject().getSubjectConfirmations()) {
+				if (sc.getSubjectConfirmationData() != null) {
+					sc.getSubjectConfirmationData().setAddress(null);
+				}
+			}
+		}
+
 		//remainder of assertion validation
 		ValidationContext vctx = new ValidationContext(validationParams);
 		try {
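Review bot: Clearing `SubjectConfirmationData.setAddress(null)` unconditionally removes the client-IP binding check for every assertion, not just for deployments behind proxies or NAT where the check is unreliable; the comment should state that trade-off rather than only the issue number, e.g. `//drop the Address binding so OpenSAML's validator skips the client-IP check; the IP is unreliable behind proxies/NAT and is not part of our validation (gh-7514)`. Because the value is discarded silently, an operator cannot tell from logs whether an IdP is sending an Address that would have mismatched, so consider a debug log when the attribute was non-null before it is cleared. Mutating the assertion after the signature has already been verified (the `a.setSignature(null)` above) looks intentional, but it is worth a sentence in the comment, since anyone reading this later may assume the object is still pristine. The enclosing method starts and ends outside the hunk.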

+ 17 - 0
saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProviderTests.java

@@ -215,6 +215,23 @@ public class OpenSamlAuthenticationProviderTests {
 		provider.authenticate(token);
 	}
 
+	@Test
+	public void authenticateWhenAssertionContainsValidationAddressThenItSucceeds() throws Exception {
+		Response response = response(recipientUri, idpEntityId);
+		Assertion assertion = defaultAssertion();
+		assertion.getSubject().getSubjectConfirmations().forEach(
+				sc -> sc.getSubjectConfirmationData().setAddress("10.10.10.10")
+		);
+		signXmlObject(
+				assertion,
+				assertingPartyCredentials(),
+				recipientEntityId
+		);
+		response.getAssertions().add(assertion);
+		token = responseXml(response, idpEntityId);
+		provider.authenticate(token);
+	}
+
 	@Test
 	public void authenticateWhenEncryptedAssertionWithoutSignatureThenItFails() throws Exception {
 		Response response = response(recipientUri, idpEntityId);
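Review bot: The new test `authenticateWhenAssertionContainsValidationAddressThenItSucceeds` only proves that `provider.authenticate(token)` does not throw; the returned `Authentication` is discarded, so a provider that returned an unauthenticated or null result would still pass. Capturing the result and asserting on it in the style the surrounding tests use would pin the intended behaviour, and a short comment above the `setAddress("10.10.10.10")` line explaining that the value deliberately does not match the test client's address would make the purpose of the fixture clear to a reader who has not seen gh-7514.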