Loading…
Tilbage
×

Info

Der findes en nyere version af resourcen her

oiosaml.java 2.0.8

27-06-2018 20:02:17
Version: 2.0.8

OIOSAML for Java release 2.0.8 has been made available. This release contains the following changes

  • Security issue in the XML parser (specifically the DocumentBuilderFactory generation in SAMLUtil.java) has been fixed. The issue could potentially be used as an attack vector for DOS attacks and Server Side Request Forgery attacks

Everyone is highly recommended to upgrade to this version, as the security issue exists in all previous versions of OIOSAML.

A great thank you goes to Bob Rao from NTT Data Figtree Systems, for reporting on this security issue, and being very helpful in locating the exact cause and the required fix for this issue.

Code repository

The code is still available through Softwarebørsen SVN, and can be located here

https://svn.softwareborsen.dk/oiosaml.java/oiosaml2/

Maven repository

The binary artifacts are distributed as Maven dependencies, and can be located here

https://mvnrepository.com/artifact/dk.digst/oiosaml2.java

Profilbillede

Can i add multiple keys in oiosaml keystore?

rdg g
08. april 2019, 9:25

I configure SAML in such way that the request signing certificate and response encryption certificate is different. Therefore I require both these certificates to be added in keystore.

If I use same certificate for both purposes, it works.

I checked the code that adds the key and certificate from keystore in configuration. It overrides the first one with second one. Therefore there is only one key and certificate available in the SP configuration. How do I solve this problem without or minimum code changes?

Profilbillede

Tomcats jsessionid driller OIOSAML

Peter Sone Koldkjær
28. juni 2018, 15:21

Hvis man kommer direkte ind på en side hostet på en Tomcat server, så gør Tomcat det, at når det er den første side man besøger, så tilføjer den jsessionid til alle links - også SAML login link.

Den kommer derfor til at se således ud:

…./app/saml/login;jsessionid=EB423FE0F853E28130DCF6B213A1581E

 

Ved klik på den, så fejler OIOSAML lib. med fejlen:

java.lang.UnsupportedOperationException: login;jsessionid=EB423FE0F853E28130DCF6B213A1581E, allowed: [, metadata, SAMLAssertionConsumer, LogoutServiceHTTPPost, Logout, LogoutServiceHTTPRedirect, certificate, configure, login, LogoutServiceHTTPRedirectResponse, LogoutServiceSOAP]

 

Det kunne være smart hvis OIOSAML kunne tage hensyn til dette ?

Profilbillede

Brian Graversen
09. juli 2018, 12:37

Hej Peter.

Jeg skriver det på backloggen. Man kan dog konfigurere Tomcat til at undlade denne opførsel (som egentlig er lidt dårlig opførsel - man bør ikke ekspornere session cookies i URL'en), så det vil være en mulig workaround indtil OIOSAML håndterer dette på en bedre måde.

Jeg har ikke prøvet, men det ser ud til at være rimeligt nemt at slå fra - med mindre man selvfølgelig bruger denne feature aktivt til noget andet ;) Tilfældig link til internettet nedenfor.

https://fralef.me/tomcat-disable-jsessionid-in-url.html

Profilbillede

Code change - for backporting to older versions

Brian Graversen
28. juni 2018, 7:54

In case someone is running an older version of OIOSAML, and for some reason cannot upgrade to the latest version, the following updated version of getDocumentBuilderFactor() in SAMLUtil.java can be applied to older versions of the code. To use this, grab the sourcecode for the version that you are using, apply the change, and recompile.

 

private static DocumentBuilderFactory getDocumentBuilderFactory() throws ParserConfigurationException {
DocumentBuilderFactory newFactory = DocumentBuilderFactory.newInstance();
newFactory.setNamespaceAware(true);

newFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
newFactory.setFeature("http://apache.org/xml/features/dom/defer-node-expansion", false);
newFactory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
newFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
newFactory.setExpandEntityReferences(false);

return newFactory;
}