Make sure that requesters aren't sending bogus subject confirmation data.
authorwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Fri, 9 Apr 2004 17:49:52 +0000 (17:49 +0000)
committerwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Fri, 9 Apr 2004 17:49:52 +0000 (17:49 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@962 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/edu/internet2/middleware/shibboleth/aa/AAServlet.java

index 0305fcc..4b9b02d 100755 (executable)
@@ -250,6 +250,19 @@ public class AAServlet extends TargetFederationComponent {
                                relyingParty = targetMapper.getRelyingParty(null);
                        }
 
+                       //Fail if we can't honor SAML Subject Confirmation
+                       if (!fromLegacyProvider(req)) {
+                               Iterator iterator = attributeQuery.getSubject().getConfirmationMethods();
+                               boolean hasConfirmationMethod = false;
+                               while (iterator.hasNext()) {
+                                       log.info("Request contains SAML Subject Confirmation method: (" + (String) iterator.next() + ").");
+                               }
+                               if (hasConfirmationMethod) {
+                                       throw new SAMLException(SAMLException.REQUESTER,
+                                                       "This SAML authority cannot honor requests containing the supplied SAML Subject Confirmation Method.");
+                               }
+                       }
+
                        //Map Subject to local principal
                        if (relyingParty.getIdentityProvider().getProviderId() != null
                                        && !relyingParty.getIdentityProvider().getProviderId().equals(
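Review bot: `hasConfirmationMethod` is initialised to `false` and never assigned inside the `while` loop, so the `if (hasConfirmationMethod)` branch cannot run and the `SAMLException` is never thrown. As written, a non-legacy request carrying a Subject Confirmation method is only logged and then continues to the principal mapping below, which is the opposite of what the comment `//Fail if we can't honor SAML Subject Confirmation` promises. Set the flag in the loop body, `hasConfirmationMethod = true;`, next to the `log.info(...)` call. The logged method string is supplied by the requester, so stripping CR/LF before it reaches `log.info` would keep it from forging log lines. The enclosing method starts and ends outside the hunk.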