HttpServletResponse httpResponse) {
LOG.debug("Returning control to profile handler at: {}", loginContext.getProfileHandlerURL());
httpRequest.setAttribute(LoginContext.LOGIN_CONTEXT_KEY, loginContext);
-
+
// Cleanup this cookie
Cookie lcKeyCookie = new Cookie(LOGIN_CONTEXT_KEY_NAME, "");
lcKeyCookie.setMaxAge(0);
httpResponse.addCookie(lcKeyCookie);
-
+
forwardRequest(loginContext.getProfileHandlerURL(), httpRequest, httpResponse);
}
Session userSession) {
httpRequest.setAttribute(Session.HTTP_SESSION_BINDING_ATTRIBUTE, userSession);
- String remoteAddress = httpRequest.getRemoteAddr();
- String sessionId = userSession.getSessionID();
-
+ byte[] remoteAddress = httpRequest.getRemoteAddr().getBytes();
+ byte[] sessionId = userSession.getSessionID().getBytes();
+
String signature = null;
SecretKey signingKey = userSession.getSessionSecretKey();
try {
Mac mac = Mac.getInstance("HmacSHA256");
mac.init(signingKey);
- mac.update(remoteAddress.getBytes());
- mac.update(sessionId.getBytes());
+ mac.update(remoteAddress);
+ mac.update(sessionId);
signature = Base64.encodeBytes(mac.doFinal());
} catch (GeneralSecurityException e) {
LOG.error("Unable to compute signature over session cookie material", e);
}
LOG.debug("Adding IdP session cookie to HTTP response");
- Cookie sessionCookie = new Cookie(IDP_SESSION_COOKIE_NAME, remoteAddress + "|" + sessionId + "|" + signature);
+ Cookie sessionCookie = new Cookie(IDP_SESSION_COOKIE_NAME, Base64.encodeBytes(remoteAddress,
+ Base64.DONT_BREAK_LINES)
+ + "|" + Base64.encodeBytes(sessionId, Base64.DONT_BREAK_LINES) + "|" + signature);
String contextPath = httpRequest.getContextPath();
if (DatatypeHelper.isEmpty(contextPath)) {
import java.io.IOException;
import java.security.GeneralSecurityException;
+import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
// index 1: session ID
// index 2: Base64(HMAC(index 0 + index 1))
String[] valueComponents = sessionCookie.getValue().split("\\|");
+ byte[] remoteAddressBytes = Base64.decode(valueComponents[0]);
+ byte[] sessionIdBytes = Base64.decode(valueComponents[1]);
+ byte[] signatureBytes = Base64.decode(valueComponents[2]);
if (consistentAddress) {
- if (!httpRequest.getRemoteAddr().equals(valueComponents[0])) {
+ String remoteAddress = new String(remoteAddressBytes);
+ if (!httpRequest.getRemoteAddr().equals(remoteAddress)) {
log.error("Client sent a cookie from addres {} but the cookie was issued to address {}", httpRequest
- .getRemoteAddr(), valueComponents[0]);
+ .getRemoteAddr(), remoteAddress);
return null;
}
}
- Session userSession = sessionManager.getSession(valueComponents[1]);
+ String sessionId = new String(sessionIdBytes);
+ Session userSession = sessionManager.getSession(sessionId);
if (userSession != null) {
SecretKey signingKey = userSession.getSessionSecretKey();
try {
Mac mac = Mac.getInstance("HmacSHA256");
mac.init(signingKey);
- mac.update(valueComponents[0].getBytes());
- mac.update(valueComponents[1].getBytes());
+ mac.update(remoteAddressBytes);
+ mac.update(sessionIdBytes);
byte[] signature = mac.doFinal();
- if (!DatatypeHelper.safeEquals(valueComponents[2], Base64.encodeBytes(signature))) {
+ if (!Arrays.equals(signature, signatureBytes)) {
log.error("Session cookie signature did not match, the session cookie has been tampered with");
return null;
}