html encoding fix

This commit is contained in:
Bill Burke 2015-06-08 12:38:16 -04:00
parent 07bc756785
commit 91283878ac
5 changed files with 509 additions and 476 deletions

core/src/main/java/org/keycloak/util/HtmlUtils.java Normal file → Executable file

@ -34,7 +34,17 @@ public class HtmlUtils {
for (int i = 0; i < value.length(); i++) { for (int i = 0; i < value.length(); i++) {
char chr = value.charAt(i); char chr = value.charAt(i);
if (chr != '\'' && chr != '"' && chr != '<' && chr != '>' && chr != '/') { if (chr == '<') {
escaped.append("&lt;");
} else if (chr == '>') {
escaped.append("&gt;");
} else if (chr == '"') {
escaped.append("&quot;");
} else if (chr == '\'') {
escaped.append("&apos;");
} else if (chr == '&') {
escaped.append("&amp;");
} else {
escaped.append(chr); escaped.append(chr);
} }
} }
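Review bot: The `'` branch emits `&apos;`, which is an XML/XHTML entity that HTML 4 parsers do not define, so a browser rendering the page as plain HTML may show the literal text instead of the quote; `escaped.append("&#39;");` is the form every HTML parser decodes. The escaping is only sufficient when the result is placed inside a quoted attribute value, since an unquoted attribute also terminates on whitespace and similar characters, and that precondition belongs in the method's Javadoc, e.g. `Escapes value for use inside a double- or single-quoted HTML attribute; the caller must supply the quotes.` The enclosing method's signature and return statement are outside the hunk.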


@ -504,6 +504,7 @@ public class SamlService {
@QueryParam(GeneralConstants.SAML_RESPONSE_KEY) String samlResponse, @QueryParam(GeneralConstants.SAML_RESPONSE_KEY) String samlResponse,
@QueryParam(GeneralConstants.RELAY_STATE) String relayState) { @QueryParam(GeneralConstants.RELAY_STATE) String relayState) {
logger.debug("SAML GET"); logger.debug("SAML GET");
//String uri = uriInfo.getRequestUri().toString();
return new RedirectBindingProtocol().execute(samlRequest, samlResponse, relayState); return new RedirectBindingProtocol().execute(samlRequest, samlResponse, relayState);
} }
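Review bot: The added line `//String uri = uriInfo.getRequestUri().toString();` is commented-out code rather than a comment, and nothing in the hunk uses it; delete it, or if it marks a pending change, replace it with a TODO that states the intent. The enclosing method's signature starts before the hunk.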


@ -95,6 +95,8 @@ public class SamlBindingTest {
public static class SamlSPFacade extends HttpServlet { public static class SamlSPFacade extends HttpServlet {
public static String samlResponse; public static String samlResponse;
public static String RELAY_STATE = "http://test.com/foo/bar";
public static String sentRelayState;
@Override @Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
@ -111,11 +113,16 @@ public class SamlBindingTest {
if (req.getParameterMap().isEmpty()) { if (req.getParameterMap().isEmpty()) {
System.out.println("redirecting"); System.out.println("redirecting");
resp.setStatus(302); resp.setStatus(302);
resp.setHeader("Location", "http://localhost:8081/auth/realms/demo/protocol/saml?SAMLRequest=jVJbT8IwFP4rS99HuwluNIwEIUYSLwugD76Y2h2kSdfOng7l31uGRn0ATfrQ9HznfJfTEYpaN3zS%2Bo1ZwGsL6KP3WhvkXaEgrTPcClTIjagBuZd8Obm55mmP8cZZb6XV5NByGiwQwXllDYkmX9epNdjW4JbgtkrC%2FeK6IBvvG06ptlLojUXPc5YnFOpG2x0AJdEsaFRG7PuPoUWwQx0IXSOtoLb0SynduyLRpXUSOs8FWQuNQKL5rCDz2VO%2FymEgIY2zlJ3H%2FSx9jkU%2BzOK0ys8yNmSSsUEAYxnsqC18tyO2MDfohfEFSVkyiNlZzM5XacrDSbJePug%2Fkqj8FHKhTKXMy%2BnIng8g5FerVRmXd8sViR7AYec8AMh4tPfDO3L3Y2%2F%2F3cT4j7BH9Mf8A1nDb8PA%2Bay0WsldNNHavk1D1D5k4V0LXbi18MclJL2ke1FVvO6gvDXYgFRrBRWh4wPp7z85%2FgA%3D"); // Redirect
// UriBuilder builder = UriBuilder.fromUri("http://localhost:8081/auth/realms/demo/protocol/saml?SAMLRequest=jVLRTsIwFP2Vpe%2BjG4wxG0YyWYxL0BBAH3wx3XYnTbp29nYof%2B8YEvEBNOlD03vOveec2ynyWjYsae1WreC9BbTOZy0Vsr4Qk9YopjkKZIrXgMwWbJ08LNhw4LHGaKsLLcmRch3MEcFYoRVxktN1rhW2NZg1mJ0o4Gm1iMnW2oZRKnXB5VajZZEX%2BRTqRuo9ACVO2mkUih%2F4l9C8s0MNcFkjLaHW9KSUHlwR506bAnrPMam4RCBOlsYkS1%2BD3MvLcDJxAx9KN4jCkXszrG5cP%2BCVH4y8IM8PYFx2dsQOfuiILWQKLVc2JkPPH7te6HrRxh%2BzUdidwSSIXoiz%2FBZyK1Qp1Nv1yPIjCNn9ZrN0V1AKA4UlzjMY7N13IDKbHjyxXoA5291%2FtzH7I%2FApPet%2FHNawx65hli61FMXeSaTUH%2FMubtvlYU0LfcA1t5cl%2BAO%2FfxGlW%2FVQ1ipsoBCVgJLQ2XHo7385%2BwI%3D");
UriBuilder builder = UriBuilder.fromUri("http://localhost:8081/auth/realms/demo/protocol/saml?SAMLRequest=jVJbT8IwFP4rS99HuwluNIwEIUYSLwugD76Y2h2kSdfOng7l31uGRn0ATfrQ9HznfJfTEYpaN3zS%2Bo1ZwGsL6KP3WhvkXaEgrTPcClTIjagBuZd8Obm55mmP8cZZb6XV5NByGiwQwXllDYkmX9epNdjW4JbgtkrC%2FeK6IBvvG06ptlLojUXPc5YnFOpG2x0AJdEsaFRG7PuPoUWwQx0IXSOtoLb0SynduyLRpXUSOs8FWQuNQKL5rCDz2VO%2FymEgIY2zlJ3H%2FSx9jkU%2BzOK0ys8yNmSSsUEAYxnsqC18tyO2MDfohfEFSVkyiNlZzM5XacrDSbJePug%2Fkqj8FHKhTKXMy%2BnIng8g5FerVRmXd8sViR7AYec8AMh4tPfDO3L3Y2%2F%2F3cT4j7BH9Mf8A1nDb8PA%2Bay0WsldNNHavk1D1D5k4V0LXbi18MclJL2ke1FVvO6gvDXYgFRrBRWh4wPp7z85%2FgA%3D");
builder.queryParam("RelayState", RELAY_STATE);
resp.setHeader("Location", builder.build().toString());
return; return;
} }
System.out.println("received response"); System.out.println("received response");
samlResponse = req.getParameter("SAMLResponse"); samlResponse = req.getParameter("SAMLResponse");
sentRelayState = req.getParameter("RelayState");
} }
} }
@ -198,6 +205,21 @@ public class SamlBindingTest {
} }
@Test
public void testRelayStateEncoding() throws Exception {
// this test has a hardcoded SAMLRequest and we hack a SP face servlet to get the SAMLResponse so we can look
// at the relay state
SamlSPFacade.samlResponse = null;
driver.navigate().to("http://localhost:8081/employee/");
Assert.assertTrue(driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/demo/protocol/saml"));
System.out.println(driver.getCurrentUrl());
loginPage.login("bburke", "password");
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/employee/");
Assert.assertEquals(SamlSPFacade.sentRelayState, SamlSPFacade.RELAY_STATE);
Assert.assertNotNull(SamlSPFacade.samlResponse);
}
@Test @Test
public void testAttributes() throws Exception { public void testAttributes() throws Exception {
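Review bot: testRelayStateEncoding (third hunk of this section, starting at the added `@Test` line) clears `SamlSPFacade.samlResponse` but not `SamlSPFacade.sentRelayState` before navigating, so a value left in that static field by an earlier test that passed through the facade could satisfy the RelayState assertion even if this run never sent one; add `SamlSPFacade.sentRelayState = null;` beside the existing reset. Both `Assert.assertEquals` calls pass the actual value first, which swaps expected and actual in the failure message: `Assert.assertEquals("http://localhost:8081/employee/", driver.getCurrentUrl());` and `Assert.assertEquals(SamlSPFacade.RELAY_STATE, SamlSPFacade.sentRelayState);`. In the facade hunks, `RELAY_STATE` is used as a constant but declared `public static String`, so `public static final String RELAY_STATE = "http://test.com/foo/bar";` matches its use, and the commented-out `UriBuilder` line above the live one in doGet is dead code that can be removed.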


@ -1,6 +1,6 @@
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1"> <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
ServerEnvironment="tomcat" BindingType="REDIRECT" SupportsSignatures="true"> ServerEnvironment="tomcat" BindingType="REDIRECT" SupportsSignatures="true" IDPUsesPostBinding="false">
<IdentityURL>${idp-sig.url::http://localhost:8081/auth/realms/demo/protocol/saml} <IdentityURL>${idp-sig.url::http://localhost:8081/auth/realms/demo/protocol/saml}
</IdentityURL> </IdentityURL>
<ServiceURL>${employee-sig.url::http://localhost:8081/employee-sig/} <ServiceURL>${employee-sig.url::http://localhost:8081/employee-sig/}


@ -1,6 +1,6 @@
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1"> <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1" <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
ServerEnvironment="tomcat" BindingType="REDIRECT" RelayState="someURL"> ServerEnvironment="tomcat" BindingType="REDIRECT" IDPUsesPostBinding="false">
<IdentityURL>${idp.url::http://localhost:8081/auth/realms/demo/protocol/saml}</IdentityURL> <IdentityURL>${idp.url::http://localhost:8081/auth/realms/demo/protocol/saml}</IdentityURL>
<ServiceURL>${employee.url::http://localhost:8081/employee/} <ServiceURL>${employee.url::http://localhost:8081/employee/}
</ServiceURL> </ServiceURL>