libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

KEYCLOAK-13181 Fix NPE in EAP 6 adapter

Browse source
This commit is contained in:
Hynek Mlnarik 2020-03-03 10:50:32 +01:00 committed by Hynek Mlnařík
parent c1bf183998
commit 0cf0955318
2 changed files with 23 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java
View file

@ -148,6 +148,10 @@ public abstract class AbstractSamlAuthenticationHandler implements SamlAuthentic
postBinding = true; postBinding = true;
holder = SAMLRequestParser.parseRequestPostBinding(samlRequest); holder = SAMLRequestParser.parseRequestPostBinding(samlRequest);
} }
if (holder == null) {
log.error("Error parsing SAML document");
return AuthOutcome.FAILED;
}
RequestAbstractType requestAbstractType = (RequestAbstractType) holder.getSamlObject(); RequestAbstractType requestAbstractType = (RequestAbstractType) holder.getSamlObject();
if (! destinationValidator.validate(requestUri, requestAbstractType.getDestination())) { if (! destinationValidator.validate(requestUri, requestAbstractType.getDestination())) {
log.error("expected destination '" + requestUri + "' got '" + requestAbstractType.getDestination() + "'"); log.error("expected destination '" + requestUri + "' got '" + requestAbstractType.getDestination() + "'");
@ -188,6 +192,24 @@ public abstract class AbstractSamlAuthenticationHandler implements SamlAuthentic
postBinding = true; postBinding = true;
holder = extractPostBindingResponse(samlResponse); holder = extractPostBindingResponse(samlResponse);
} }
if (holder == null) {
log.error("Error parsing SAML document");
challenge = new AuthChallenge() {
@Override
public boolean challenge(HttpFacade exchange) {
SamlAuthenticationError error = new SamlAuthenticationError(SamlAuthenticationError.Reason.EXTRACTION_FAILURE);
exchange.getRequest().setError(error);
exchange.getResponse().sendError(403);
return true;
}
@Override
public int getResponseCode() {
return 403;
}
};
return AuthOutcome.FAILED;
}
final StatusResponseType statusResponse = (StatusResponseType) holder.getSamlObject(); final StatusResponseType statusResponse = (StatusResponseType) holder.getSamlObject();
// validate destination // validate destination
if (! destinationValidator.validate(requestUri, statusResponse.getDestination())) { if (! destinationValidator.validate(requestUri, statusResponse.getDestination())) {

1
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/SamlSignatureTest.java
View file

@ -313,6 +313,7 @@ public class SamlSignatureTest extends AbstractAdapterTest {
assertThat(response, Matchers.bodyHC( assertThat(response, Matchers.bodyHC(
anyOf( anyOf(
containsString("INVALID_SIGNATURE"), containsString("INVALID_SIGNATURE"),
containsString("EXTRACTION_FAILURE"),
containsString("There was an error") containsString("There was an error")
) )
)); ));