diff --git a/adapters/oidc/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowSessionTokenStore.java b/adapters/oidc/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowSessionTokenStore.java
index e578f85bbe..80a71099ff 100755
--- a/adapters/oidc/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowSessionTokenStore.java
+++ b/adapters/oidc/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowSessionTokenStore.java
@@ -83,6 +83,7 @@ public class UndertowSessionTokenStore implements AdapterTokenStore {
             } else {
                 log.debug("Account was not active, returning false");
                 session.removeAttribute(KeycloakUndertowAccount.class.getName());
+                session.removeAttribute(KeycloakSecurityContext.class.getName());
                 session.invalidate(exchange);
                 return false;
             }
diff --git a/saml-core/src/main/java/org/keycloak/saml/common/util/TransformerUtil.java b/saml-core/src/main/java/org/keycloak/saml/common/util/TransformerUtil.java
index c8026fd524..9f560f2e25 100755
--- a/saml-core/src/main/java/org/keycloak/saml/common/util/TransformerUtil.java
+++ b/saml-core/src/main/java/org/keycloak/saml/common/util/TransformerUtil.java
@@ -27,6 +27,7 @@ import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 
+import javax.xml.XMLConstants;
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBElement;
 import javax.xml.bind.util.JAXBSource;
@@ -108,6 +109,16 @@ public class TransformerUtil {
                 SecurityActions.setTCCL(TransformerUtil.class.getClassLoader());
             }
             transformerFactory = TransformerFactory.newInstance();
+            try {
+                transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            } catch (TransformerConfigurationException e) {
+                throw new RuntimeException(e);
+            }
+
+            transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+
+            transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+
         } finally {
             if (tccl_jaxp) {
                 SecurityActions.setTCCL(prevTCCL);
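Review bot: The added `removeAttribute` for `KeycloakSecurityContext` runs one line before `session.invalidate(exchange)`, which already discards the session's attributes, so the reason for clearing it explicitly (presumably a session manager or listener that can still observe attributes after invalidation, or a sibling path that clears the same pair without invalidating) is not visible in the hunk; a comment such as `// clear both adapter attributes explicitly rather than relying on invalidate()` would record it. If the logout path removes the same two attributes, a small private helper would keep the two lists from drifting apart. The enclosing method starts outside the hunk.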
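Review bot: `transformerFactory` is assigned from `TransformerFactory.newInstance()` before any hardening call, so if `setFeature` or either `setAttribute` throws, the field already holds an unhardened factory; if the surrounding code is a lazy null-check initialiser (the method's start is outside the hunk), later callers would then silently get that factory. Configure a local and assign the field only after all three calls succeed. The two `setAttribute` calls also sit outside the `try`: `TransformerFactory.setAttribute` throws `IllegalArgumentException` for an attribute the provider does not recognise, which is plausible for a non-JDK provider reached through the TCCL switch visible above, so the fail-closed intent should be stated in a comment rather than left as an unexplained unchecked exception. On the JDK implementation `FEATURE_SECURE_PROCESSING` already defaults the two external-access properties to the empty string, so the explicit `setAttribute` calls mainly matter for third-party providers; that too is worth a one-line comment.
```java
            TransformerFactory factory = TransformerFactory.newInstance();
            try {
                factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            } catch (TransformerConfigurationException e) {
                throw new IllegalStateException("Secure processing not supported by " + factory.getClass().getName(), e);
            }
            // JDK defaults these to "" under secure processing; set them explicitly for other providers.
            // An IllegalArgumentException here means external access cannot be restricted: fail closed.
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
            // Publish only a fully hardened factory.
            transformerFactory = factory;
            // … unchanged: finally block restoring the TCCL …
```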