Repository: cxf Updated Branches: refs/heads/master 819b5fc99 -> 294029c6f
Make the client address optional for SAML SSO
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/294029c6
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/294029c6
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/294029c6
Branch: refs/heads/master
Commit: 294029c6fb99d5eb1ede4701feee025ed4607879
Parents: 819b5fc
Author: Colm O hEigeartaigh <cohei...@apache.org>
Authored: Thu Aug 3 10:32:22 2017 +0100
Committer: Colm O hEigeartaigh <cohei...@apache.org>
Committed: Thu Aug 3 10:32:22 2017 +0100
----------------------------------------------------------------------
 .../sso/AbstractRequestAssertionConsumerHandler.java | 15 +++++++++++++--
 .../security/saml/sso/SAMLSSOResponseValidator.java | 2 +-
 2 files changed, 14 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/294029c6/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
index fb452a1..dce003e 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
@@ -66,6 +66,7 @@ public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSS
 private boolean enforceAssertionsSigned = true;
 private boolean enforceKnownIssuer = true;
 private boolean keyInfoMustBeAvailable = true;
+ private boolean checkClientAddress = true;
 private boolean enforceResponseSigned;
 private TokenReplayCache<String> replayCache;
@@ -341,8 +342,10 @@ public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSS
 }
 ssoResponseValidator.setAssertionConsumerURL(racsAddress);
- ssoResponseValidator.setClientAddress(
- messageContext.getHttpServletRequest().getRemoteAddr());
+ if (checkClientAddress) {
+ ssoResponseValidator.setClientAddress(
+ messageContext.getHttpServletRequest().getRemoteAddr());
+ }
 ssoResponseValidator.setIssuerIDP(requestState.getIdpServiceAddress());
 ssoResponseValidator.setRequestId(requestState.getSamlRequestId());
@@ -414,4 +417,12 @@ public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSS
 this.assertionConsumerServiceAddress = assertionConsumerServiceAddress;
 }
+ public boolean isCheckClientAddress() {
+ return checkClientAddress;
+ }
+
+ public void setCheckClientAddress(boolean checkClientAddress) {
+ this.checkClientAddress = checkClientAddress;
+ }
+
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/294029c6/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
index 19304d8..642eccc 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
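Review bot: The `checkClientAddress` switch in the second hunk is the only place the validator is handed the caller's address, so once it is false the SubjectConfirmationData Address comparison in SAMLSSOResponseValidator never runs; the field in the first hunk and the getter/setter in the third carry no Javadoc saying so, and a deployer flipping a boolean named like a cosmetic option is trading away a security property. I would document `setCheckClientAddress` with: `Whether to compare the SubjectConfirmationData Address of the SAML Response (when present) against the client's remote address. Defaults to true; disabling it skips that check entirely.` A sentence noting that this is presumably meant for deployments where `getRemoteAddr()` does not reflect the real client (reverse proxy, load balancer) would help readers pick the right fix rather than just turning the check off. The method enclosing the second hunk starts and ends outside it.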
@@ -249,7 +249,7 @@ public class SAMLSSOResponseValidator {
 }
 // Check address
- if (subjectConfData.getAddress() != null
+ if (subjectConfData.getAddress() != null && clientAddress != null
 && !subjectConfData.getAddress().equals(clientAddress)) {
 LOG.fine("Subject Conf Data address " + subjectConfData.getAddress() + " does match"
 + " client address " + clientAddress);
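Review bot: With the added `&& clientAddress != null` the address comparison is skipped silently when no client address was supplied, so an operator reading the logs cannot tell whether an assertion that carried a SubjectConfirmationData Address was ever checked against the caller; a guard before the `if`, such as `if (clientAddress == null) { LOG.fine("No client address available, skipping SubjectConfirmationData Address check"); }`, makes the bypass visible at the same level as the mismatch message. Separately, the unchanged context line logs `" does match"` although that branch is taken only when the addresses differ; `" does not match"` is what the condition means. The enclosing method starts and ends outside this hunk.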