CXF / CXF-7039

JAX-RS Security SAML web SSO consumer service can not validate SAML response behind reverse proxy

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.9
    • Fix Version/s: 3.1.8, 3.0.11, 3.2.0
    • Component/s: JAX-RS Security
    • Labels:
      None
    • Environment:

      JRE 1.8.0_101-b13

    • Estimated Complexity:
      Unknown

      Description

      During the SAML web SSO processing, the RequestAssertionConsumerService validates the request with the org.apache.cxf.rs.security.saml.sso.SAMLSSOResponseValidator using a wrong assertionConsumerURL.

      The SAML request (org.opensaml.saml2.core.AuthnRequest) is configured with the serviceURL taken as the org.apache.cxf.rs.security.saml.sso.AbstractServiceProviderFilter.assertionConsumerServiceAddress property, however the org.apache.cxf.rs.security.saml.sso.SAMLSSOResponseValidator is bootstrapped with the following consumer URL:

      ssoResponseValidator.setAssertionConsumerURL(messageContext.getUriInfo().getAbsolutePath().toString());

      This is particularly a problem when serving the application behind a reverse proxy, since the absolutePath taken from messageContext's uriInfo is different from the configured one.
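
      The mismatch described above, as an added stand-alone example (not code from the reporter or from CXF): in SAML web SSO the IdP returns the consumer URL from the AuthnRequest as the Recipient, so a check against the URL the backend sees behind the proxy fails, while a check against the configured address passes. The class, method names and URLs are constructed for illustration.

```java
import java.net.URI;

// Stand-alone model of the consumer-URL check; not CXF code.
// All names and URLs below are constructed for illustration.
public class AcsUrlCheck {

    // The Recipient returned by the IdP must equal the consumer URL the
    // service provider expects. Anything unparsable or missing fails closed.
    static boolean recipientMatches(String recipient, String expectedAcsUrl) {
        if (recipient == null || expectedAcsUrl == null) {
            return false;
        }
        try {
            URI got = URI.create(recipient).normalize();
            URI want = URI.create(expectedAcsUrl).normalize();
            return got.equals(want);
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    // Assumed selection rule: the configured consumer address (the one sent
    // in the AuthnRequest) wins; the request URL is only a fallback.
    static String expectedAcsUrl(String configuredAddress, String requestAbsolutePath) {
        if (configuredAddress != null && !configuredAddress.isEmpty()) {
            return configuredAddress;
        }
        return requestAbsolutePath;
    }

    public static void main(String[] args) {
        // Public URL configured as assertionConsumerServiceAddress (constructed).
        String configured = "https://sso.example.com/app/racs/sso";
        // URL the backend derives from the proxied request (constructed).
        String seenByBackend = "http://10.0.0.12:8080/app/racs/sso";
        // The IdP echoes the URL it received in the AuthnRequest.
        String recipient = configured;

        // Behaviour reported in this issue: validate against the request URL.
        System.out.println("request-derived URL: "
            + recipientMatches(recipient, seenByBackend));
        // Validate against the same address that was sent to the IdP.
        System.out.println("configured URL:      "
            + recipientMatches(recipient, expectedAcsUrl(configured, seenByBackend)));
    }
}
```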

            People

            • Assignee:
              coheigea Colm O hEigeartaigh
              Reporter:
              sabomichal Michal Sabo