SES-17: Error in subject validation in WebSSOProfileConsumerImpl about spring-security-saml HOT 2 CLOSED

Vladimir Schäfer said:

Hi Mandus, it seems that when the bug was reported the revision 56 was already available and probably fixes the issue, but could you please verify that it really is so?

The check for binding is "service.getBinding().equals(context.getCommunicationProfileId()",
where service.getBinding() can never return null (in case metadata is correct), so it doesn't seem that this code could result in NullPointerException (rev. 56).

This check is not explicitly required by specification, but in this module messages sent using both HTTP-POST and HTTP-Redirect bindings are consumed at the same location. In case one of the bindings would be disabled in metadata, without this check messages sent using either of the binding would still be consumed.

The communicationProfileId is set during parsing of the SAML message from input in SAMLProcessorImpl, lines 131 and 134. Property inboundSAMLProtocol is used internally by OpenSAML for trust verifications and needs to be set to value "urn:oasis:names:tc:SAML:2.0:protocol".

from spring-security-saml.

Mandus Elfving said:

Sorry, my bad, we have actually extended the OpenSAML library to support Artifact binding (deconding) and for doing so we had to rewrite some parts of the code for this module. In doing so we forgot to update SAMLProcessorImpl (still setting inboundSAMLProtocol). This issue may therefore be closed.

By the way thanks for the great explanation!

from spring-security-saml.