From b9d37bc6130a565cb3971d50d7b03afbfeb611f4 Mon Sep 17 00:00:00 2001
From: lajoie
Date: Tue, 11 Jan 2011 10:37:51 +0000
Subject: [PATCH] prevent cast class exception if a user starts a SAML 1 flow, leaves in the middle, then starts a SAML 2 flow (or vice versa) - SIDP-438
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/branches/REL_2@2980 ab3bd59b-922f-494d-bb5f-6f0a3c29deca
---
 doc/RELEASE-NOTES.txt | 1 +
 .../idp/profile/saml1/ShibbolethSSOProfileHandler.java | 7 ++++---
 .../shibboleth/idp/profile/saml2/SSOProfileHandler.java | 7 ++++---
 3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/doc/RELEASE-NOTES.txt b/doc/RELEASE-NOTES.txt
index a3a77dd..485fc8f 100644
--- a/doc/RELEASE-NOTES.txt
+++ b/doc/RELEASE-NOTES.txt
@@ -12,6 +12,7 @@ Changes in Release 2.2.1
 [SIDP-432] - Set explicit caching headers on redirects
 [SIDP-435] - Different principal used for index into session storage and transient ID
 [SIDP-436] - Null AuthnContextClassRef causes NPE
+[SIDP-438] - Improve user experience when switching versions of SAML
 [SIDP-443] - Profile handlers override encoder nameQualifier setting
 [SIDP-447] - Fix for SIDP-417 missed RemoteUserLoginHandler
 [SIDP-450] - NPE with AttributeQueryProfile when there are errors resolving attributes
diff --git a/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml1/ShibbolethSSOProfileHandler.java b/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml1/ShibbolethSSOProfileHandler.java
index 2cf60f9..7ceba20 100644
--- a/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml1/ShibbolethSSOProfileHandler.java
+++ b/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml1/ShibbolethSSOProfileHandler.java
@@ -59,6 +59,7 @@ import edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRe
 import edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml1.ShibbolethSSOConfiguration;
 import edu.internet2.middleware.shibboleth.common.util.HttpHelper;
 import edu.internet2.middleware.shibboleth.idp.authn.ShibbolethSSOLoginContext;
+import edu.internet2.middleware.shibboleth.idp.authn.LoginContext;
 import edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper;
 /** Shibboleth SSO request profile handler. */
@@ -117,16 +118,16 @@ public class ShibbolethSSOProfileHandler extends AbstractSAML1ProfileHandler {
 HttpServletResponse httpResponse = ((HttpServletResponseAdapter) outTransport).getWrappedResponse();
 ServletContext servletContext = httpRequest.getSession().getServletContext();
- ShibbolethSSOLoginContext loginContext = (ShibbolethSSOLoginContext) HttpServletHelper.getLoginContext(
+ LoginContext loginContext = HttpServletHelper.getLoginContext(
 getStorageService(), servletContext, httpRequest);
- if (loginContext == null) {
+ if (loginContext == null || !(loginContext instanceof ShibbolethSSOLoginContext)) {
 log.debug("Incoming request does not contain a login context, processing as first leg of request");
 performAuthentication(inTransport, outTransport);
 } else if (loginContext.isPrincipalAuthenticated() || loginContext.getAuthenticationFailure() != null) {
 log.debug("Incoming request contains a login context, processing as second leg of request");
 HttpServletHelper.unbindLoginContext(getStorageService(), servletContext, httpRequest, httpResponse);
- completeAuthenticationRequest(loginContext, inTransport, outTransport);
+ completeAuthenticationRequest((ShibbolethSSOLoginContext)loginContext, inTransport, outTransport);
 } else {
 log.debug("Incoming request contained a login context but principal was not authenticated, processing as first leg of request");
 performAuthentication(inTransport, outTransport);
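Review bot: The new `!(loginContext instanceof ShibbolethSSOLoginContext)` guard in the first branch discards a wrong-typed login context but never unbinds it, so a stale `Saml2LoginContext` stays bound while `performAuthentication` starts a new flow; whether `performAuthentication` overwrites the binding is not visible in this hunk. If that leftover context is already authenticated, the SAML 2 handler's mirror of the `isPrincipalAuthenticated()` branch shown here would presumably treat a later request on its endpoint as a "second leg" and complete a request the user abandoned, which is worth confirming. I would give the type mismatch its own branch that calls `HttpServletHelper.unbindLoginContext(...)` and logs a distinguishable message instead of reusing the "does not contain a login context" text, which makes flow-switching invisible in the logs. Minor: the space-less cast `(ShibbolethSSOLoginContext)loginContext` differs from the `(HttpServletResponseAdapter) outTransport` style a few lines above. The enclosing method starts and ends outside the hunk.
```java
        if (loginContext == null) {
            // … unchanged: first-leg handling …
        } else if (!(loginContext instanceof ShibbolethSSOLoginContext)) {
            log.debug("Incoming request contains a login context of unexpected type "
                    + loginContext.getClass().getName() + ", discarding it and processing as first leg of request");
            HttpServletHelper.unbindLoginContext(getStorageService(), servletContext, httpRequest, httpResponse);
            performAuthentication(inTransport, outTransport);
        } else if (loginContext.isPrincipalAuthenticated() || loginContext.getAuthenticationFailure() != null) {
```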
diff --git a/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml2/SSOProfileHandler.java b/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml2/SSOProfileHandler.java
index ab4482f..d656df6 100644
--- a/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml2/SSOProfileHandler.java
+++ b/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml2/SSOProfileHandler.java
@@ -76,6 +76,7 @@ import edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml2.SS
 import edu.internet2.middleware.shibboleth.common.util.HttpHelper;
 import edu.internet2.middleware.shibboleth.idp.authn.PassiveAuthenticationException;
 import edu.internet2.middleware.shibboleth.idp.authn.Saml2LoginContext;
+import edu.internet2.middleware.shibboleth.idp.authn.LoginContext;
 import edu.internet2.middleware.shibboleth.idp.session.Session;
 import edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper;
@@ -149,15 +150,15 @@ public class SSOProfileHandler extends AbstractSAML2ProfileHandler {
 HttpServletResponse httpResponse = ((HttpServletResponseAdapter) outTransport).getWrappedResponse();
 ServletContext servletContext = httpRequest.getSession().getServletContext();
- Saml2LoginContext loginContext = (Saml2LoginContext) HttpServletHelper.getLoginContext(getStorageService(),
+ LoginContext loginContext = HttpServletHelper.getLoginContext(getStorageService(),
 servletContext, httpRequest);
- if (loginContext == null) {
+ if (loginContext == null || !(loginContext instanceof Saml2LoginContext)) {
 log.debug("Incoming request does not contain a login context, processing as first leg of request");
 performAuthentication(inTransport, outTransport);
 } else if (loginContext.isPrincipalAuthenticated() || loginContext.getAuthenticationFailure() != null) {
 log.debug("Incoming request contains a login context, processing as second leg of request");
 HttpServletHelper.unbindLoginContext(getStorageService(), servletContext, httpRequest, httpResponse);
- completeAuthenticationRequest(loginContext, inTransport, outTransport);
+ completeAuthenticationRequest((Saml2LoginContext)loginContext, inTransport, outTransport);
 } else {
 log.debug("Incoming request contained a login context but principal was not authenticated, processing as first leg of request");
 performAuthentication(inTransport, outTransport);
-- 1.7.10.4
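Review bot: A login context that fails the new `instanceof Saml2LoginContext` test is treated as absent, yet nothing in this branch unbinds it, so a stale `ShibbolethSSOLoginContext` remains bound to the session when `performAuthentication` begins the SAML 2 flow; I cannot see from the hunk whether `performAuthentication` replaces the binding. Because the SAML 1 handler keys its lookup with the same `HttpServletHelper.getLoginContext(getStorageService(), servletContext, httpRequest)` call, a still-authenticated leftover could presumably be resumed there as a "second leg" later, so the safer move is to unbind it explicitly here, with a log line that names the discarded type so the switch is visible in incident logs rather than masquerading as "does not contain a login context". The enclosing method starts and ends outside the hunk.
```java
        if (loginContext == null) {
            // … unchanged: first-leg handling …
        } else if (!(loginContext instanceof Saml2LoginContext)) {
            log.debug("Incoming request contains a login context of unexpected type "
                    + loginContext.getClass().getName() + ", discarding it and processing as first leg of request");
            HttpServletHelper.unbindLoginContext(getStorageService(), servletContext, httpRequest, httpResponse);
            performAuthentication(inTransport, outTransport);
        } else if (loginContext.isPrincipalAuthenticated() || loginContext.getAuthenticationFailure() != null) {
```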