[SIDP-250] - AuthenticationEngine::returnToAuthenticationEngine() static method called before servlet init() when clustered.
[SIDP-251[ - NPE when SAML1 Attribute Query Handler hit with GET request
[SIDP-252] - IdPSessionFilter throws ArrayIndexOutOfBoundsException on validation of unexpected cookie
-[SIDP-257] - Prevous session is used if the user has an existing session but the SP requests an authentication method that is not currently active.
+[SIDP-257] - Previous session is used if the user has an existing session but the SP requests an authentication method that is not currently active.
+[SIDP-258] - Authentication Engine does not check to ensure returned authentication mechanism from Login Handler is acceptable to the SP
Changes in Release 2.1.0
=============================================
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
+import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.Map.Entry;
Session idpSession = (Session) httpRequest.getAttribute(Session.HTTP_SESSION_BINDING_ATTRIBUTE);
try {
- // Check to make sure the login handler did the right thing
- validateSuccessfulAuthentication(loginContext, httpRequest);
-
// We allow a login handler to override the authentication method in the
// event that it supports multiple methods
String actualAuthnMethod = DatatypeHelper.safeTrimOrNullString((String) httpRequest
.getAttemptedAuthnMethod(), actualAuthnMethod);
}
+ // Check to make sure the login handler did the right thing
+ validateSuccessfulAuthentication(loginContext, httpRequest, actualAuthnMethod);
+
// Get the Subject from the request. If force authentication was required then make sure the
// Subject identifies the same user that authenticated before
Subject subject = getLoginHandlerSubject(httpRequest);
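Review bot: The value now passed to `validateSuccessfulAuthentication` is the method the login handler itself reports via the request attribute, falling back (as the `getAttemptedAuthnMethod()` call on the following lines suggests) to the method the engine asked for, so the new SP-acceptability check validates a self-reported value; a handler that performs some other authentication and simply never sets the method attribute is still recorded as having used the attempted method. That trust boundary deserves a comment at the call site, e.g. `// The reported method is trusted as-is; the check below only catches a handler that honestly reports an unrequested method.` The two lines computing `actualAuthnMethod` appear collapsed in this rendering and were not repaired. The enclosing method begins before and continues after this hunk.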
*
* @param loginContext current login context
* @param httpRequest current HTTP request
+ * @param authenticationMethod the authentication method used to authenticate the user
*
* @throws AuthenticationException thrown if the authentication was not successful
*/
- protected void validateSuccessfulAuthentication(LoginContext loginContext, HttpServletRequest httpRequest)
- throws AuthenticationException {
+ protected void validateSuccessfulAuthentication(LoginContext loginContext, HttpServletRequest httpRequest,
+ String authenticationMethod) throws AuthenticationException {
LOG.debug("Validating authentication was performed successfully");
+ List<String> requestedAuthnMethods = loginContext.getRequestedAuthenticationMethods();
+ if (requestedAuthnMethods != null && !requestedAuthnMethods.isEmpty()) {
+ if (!requestedAuthnMethods.contains(authenticationMethod)) {
+ LOG.error("User was authenticated but the authentication method reported by the LoginHandler does not meet relying party requirements");
+ throw new AuthenticationException(
+ "No authentication method, requested by the service provider, is supported");
+ }
+ }
+
String errorMessage = DatatypeHelper.safeTrimOrNullString((String) httpRequest
.getAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY));
if (errorMessage != null) {
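Review bot: The new acceptability block runs before the existing `AUTHENTICATION_ERROR_KEY` inspection, so when a handler fails and also reports no or a different method, the operator and user see "No authentication method, requested by the service provider, is supported" instead of the handler's own error; moving the block below the `errorMessage` check keeps the original failure reason visible. The `LOG.error` on the unrequested-method path also omits what was reported and what was requested, which is exactly what an incident responder needs; assuming LOG supports parameterized messages, `LOG.error("Login handler reported authentication method {} but relying party requested one of {}", authenticationMethod, requestedAuthnMethods);` both shortens the line and records the evidence. Note that `contains` enforces exact URI matching, which is correct for exact AuthnContext comparison but would reject stronger methods if minimum/better comparison is honored elsewhere. The method body continues past the end of this hunk.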