Add a sanity check against Subject NameQualifier in queries.
authorcantor <cantor@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Sat, 4 Oct 2003 19:30:49 +0000 (19:30 +0000)
committercantor <cantor@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Sat, 4 Oct 2003 19:30:49 +0000 (19:30 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@769 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/edu/internet2/middleware/shibboleth/aa/AASaml.java
src/edu/internet2/middleware/shibboleth/aa/AAServlet.java

index ad7ed03..9439bf1 100755 (executable)
@@ -111,6 +111,10 @@ public class AASaml {
         aquery = (SAMLAttributeQuery)q;
     }
 
+    public String getNameQualifier(){
+        return aquery.getSubject().getNameQualifier();
+    }
+
     public String getHandle(){
         return aquery.getSubject().getName();
     }
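Review bot: The new `getNameQualifier()` accessor has no Javadoc, and nothing tells a caller that the value is whatever the requester put in the query. NameQualifier is an optional attribute on a SAML NameIdentifier, so the return value can presumably be null, and like `getHandle()` the method dereferences `aquery` and its subject without a check. I would add `/** Returns the NameQualifier of the query subject exactly as received; unvalidated and possibly null. */` above the method. The class body continues outside the hunk, so whether `aquery` can still be unset when this is called is not visible here.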
index cf4b0e8..14abfde 100755 (executable)
@@ -168,6 +168,7 @@ public class AAServlet extends HttpServlet {
                        StringBuffer missingProperties = new StringBuffer();
                        String[] requiredProperties =
                                {
+                    "edu.internet2.middleware.shibboleth.hs.HandleServlet.siteName",
                                        "edu.internet2.middleware.shibboleth.aa.AAServlet.authorityName",
                                        "edu.internet2.middleware.shibboleth.aa.arp.ArpRepository.implementation",
                                        "edu.internet2.middleware.shibboleth.audiences" };
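Review bot: The added `hs.HandleServlet.siteName` entry in `requiredProperties` makes the AA depend on a Handle Service configuration key, and nothing at this spot says why. A short comment on the entry would help, for example `// HS site name: queries whose Subject NameQualifier differs from it are rejected`. Listing it as required looks like the right fail-closed choice, since the comparison added in the query path would otherwise call `equals` on a null property value. How missing properties are reported is outside the hunk. The new line is also indented differently from its neighbours.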
@@ -238,6 +239,11 @@ public class AAServlet extends HttpServlet {
                                                ","));
                        saml.receive(req);
 
+            if (!configuration.getProperty("edu.internet2.middleware.shibboleth.hs.HandleServlet.siteName").equals(saml.getNameQualifier())) {
+                log.error("The name qualifier on this handle (" + saml.getNameQualifier() + ") does not match this site name.");
+                throw new InvalidHandleException("The name qualifier on this handle (" + saml.getNameQualifier() + ") does not match this site name.");
+            }
+
                        log.info("Attribute Query Handle for this request: (" + saml.getHandle() + ").");
                        Principal principal = null;
                        if (saml.getHandle().equalsIgnoreCase("foo")) {
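Review bot: The rejected name qualifier is taken straight from the incoming query and concatenated unchanged into both the `log.error` line and the `InvalidHandleException` message. A requester can therefore place line breaks or misleading text in the AA log, and possibly in any error response built from the exception text, though that path is not visible here. I would strip control characters before logging and keep the exception text generic, e.g. `throw new InvalidHandleException("The name qualifier on this handle does not match this site name.");`. Reading the value once into a local, `String qualifier = saml.getNameQualifier();`, would also remove the three separate calls and the duplicated message string. The enclosing method starts and ends outside the hunk.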