oiosaml.java 2.0.8


OIOSAML for Java release 2.0.8 has been made available. This release contains the following change:

  • A security issue in the XML parser (specifically the DocumentBuilderFactory setup in SAMLUtil.java) has been fixed. The issue could potentially be used as an attack vector for denial-of-service (DoS) attacks and server-side request forgery (SSRF) attacks.

Everyone is strongly recommended to upgrade to this version, as the security issue exists in all previous versions of OIOSAML.

A big thank you goes to Bob Rao from NTT Data Figtree Systems for reporting this security issue and for being very helpful in locating the exact cause and the required fix.

Code repository

The code is still available through Softwarebørsen SVN and can be found here:

https://svn.softwareborsen.dk/oiosaml.java/oiosaml2/

Maven repository

The binary artifacts are distributed as Maven dependencies and can be found here:

https://mvnrepository.com/artifact/dk.digst/oiosaml2.java


Tomcat's jsessionid is giving OIOSAML trouble

Peter Sone Koldkjær

If you land directly on a page hosted on a Tomcat server, Tomcat does the following: when it is the first page you visit, it appends jsessionid to all links, including the SAML login link.

It therefore ends up looking like this:

…./app/saml/login;jsessionid=EB423FE0F853E28130DCF6B213A1581E

 

When you click it, the OIOSAML lib. fails with the error:

java.lang.UnsupportedOperationException: login;jsessionid=EB423FE0F853E28130DCF6B213A1581E, allowed: [, metadata, SAMLAssertionConsumer, LogoutServiceHTTPPost, Logout, LogoutServiceHTTPRedirect, certificate, configure, login, LogoutServiceHTTPRedirectResponse, LogoutServiceSOAP]

 

It would be nice if OIOSAML could take this into account?

Hi Peter.

I'll put it on the backlog. You can, however, configure Tomcat to refrain from this behaviour (which is actually somewhat poor behaviour; one should not expose session cookies in the URL), so that would be a possible workaround until OIOSAML handles this in a better way.

I haven't tried it, but it looks like it is reasonably easy to turn off, unless of course you are actively using this feature for something else ;) Random link to the internet below.

https://fralef.me/tomcat-disable-jsessionid-in-url.html
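The Tomcat-side workaround suggested in the reply above, written out as an added example (this is not OIOSAML or Tomcat project code): a Servlet 3.0 ServletContextListener that restricts session tracking to cookies, so the container never rewrites ";jsessionid=..." into links and the SAML dispatcher sees a plain "login" path. It assumes a Servlet 3.0 or later container (Tomcat 7+) and the javax.servlet API; the class name is arbitrary, and the two cookie flags at the end go slightly beyond what the reply says.

```java
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Added example (not part of OIOSAML or Tomcat): restrict session tracking to cookies so the
 * container never rewrites ";jsessionid=..." into links, including the /saml/login link.
 * Requires a Servlet 3.0+ container (Tomcat 7 or later). The class name is arbitrary.
 *
 * Equivalent declarative configuration in web.xml, if a listener is not wanted:
 *   <session-config>
 *     <tracking-mode>COOKIE</tracking-mode>
 *   </session-config>
 */
@WebListener
public class CookieOnlySessionTracking implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // setSessionTrackingModes() must run before context initialisation completes; a
        // ServletContextListener is the supported place for that. With URL tracking removed,
        // HttpServletResponse.encodeURL() leaves links untouched, so the first request of a
        // session yields "/app/saml/login" rather than "/app/saml/login;jsessionid=...".
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // Hardening beyond the reply's point, in the same spirit (do not expose the session id):
        // keep the cookie out of reach of script and off plaintext connections.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);
        cookie.setSecure(true); // assumes the SP is served over HTTPS, as a SAML SP should be
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

For the @WebListener annotation to be picked up, the web.xml must not set metadata-complete="true"; otherwise register the listener explicitly with a <listener> element. After deploying, request the application in a fresh browser session and confirm that the rendered SAML login link no longer carries a ;jsessionid= path parameter.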


Code change - for backporting to older versions

Brian Graversen

In case someone is running an older version of OIOSAML, and for some reason cannot upgrade to the latest version, the following updated version of getDocumentBuilderFactory() in SAMLUtil.java can be applied to older versions of the code. To use this, grab the source code for the version that you are using, apply the change, and recompile.

 

// Imports required at the top of SAMLUtil.java
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

private static DocumentBuilderFactory getDocumentBuilderFactory() throws ParserConfigurationException {
    DocumentBuilderFactory newFactory = DocumentBuilderFactory.newInstance();
    newFactory.setNamespaceAware(true);

    // Do not resolve external general entities (SYSTEM/PUBLIC entities are the SSRF vector)
    newFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    // Build the full DOM eagerly instead of deferring node expansion
    newFactory.setFeature("http://apache.org/xml/features/dom/defer-node-expansion", false);
    // JAXP secure processing: enforces the parser's entity expansion and size limits
    newFactory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
    // Reject any DOCTYPE declaration outright, so no entities (internal or external) can be defined
    newFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    // Leave entity reference nodes unexpanded in the resulting DOM
    newFactory.setExpandEntityReferences(false);

    return newFactory;
}
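The release note describes the parser issue as a DoS and SSRF vector, and the method above is the fix. The following is an added example, not OIOSAML code, that makes the difference visible: it parses two constructed documents, one with nested entity expansion and one with an external SYSTEM entity, first with a default DocumentBuilderFactory and then with a factory configured like the fix. The hardened factory adds one line the fix does not have (external-parameter-entities disabled); the loopback URL in the sample, the payload sizes and the class and method names are all assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * Added example (not OIOSAML code). Parses two constructed DOCTYPE-carrying documents with a
 * default factory and with one configured like the 2.0.8 fix, and reports the outcome of each.
 */
public class DoctypeHardeningDemo {

    /** Constructed sample: nested entity expansion ("billion laughs" shape, kept tiny: 10^3 chars). */
    static final String EXPANSION_PAYLOAD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE r [\n"
        + " <!ENTITY a \"aaaaaaaaaa\">\n"
        + " <!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">\n"
        + " <!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\">\n"
        + "]>\n"
        + "<r>&c;</r>";

    /**
     * Constructed sample: external general entity. A resolving parser opens the URL on the
     * server's behalf (SSRF). It points at a closed loopback port so the demo fails fast and
     * contacts nothing real; the resulting "Connection refused" is the proof that it tried.
     */
    static final String EXTERNAL_ENTITY_PAYLOAD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE r [ <!ENTITY ext SYSTEM \"http://127.0.0.1:9/\"> ]>\n"
        + "<r>&ext;</r>";

    /** Factory as the JDK ships it: DOCTYPE permitted, general entities resolved and expanded. */
    static DocumentBuilderFactory permissiveFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f;
    }

    /** Same settings as the 2.0.8 getDocumentBuilderFactory(); parameter entities additionally disabled. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false); // addition
        f.setFeature("http://apache.org/xml/features/dom/defer-node-expansion", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // same URI string as in the fix
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses xml with the given factory and returns a one-line verdict instead of throwing. */
    static String tryParse(String label, DocumentBuilderFactory factory, String xml) {
        try {
            DocumentBuilder builder = factory.newDocumentBuilder();
            Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            int textLength = doc.getDocumentElement().getTextContent().length();
            return label + ": parsed, root text length " + textLength;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            return label + ": rejected (" + e.getClass().getSimpleName() + ": " + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws ParserConfigurationException {
        DocumentBuilderFactory open = permissiveFactory();
        DocumentBuilderFactory hardened = hardenedFactory();
        // Default factory: expansion succeeds (1000 chars from a 3-entity DTD), and the external
        // entity triggers an outbound connection attempt, reported as an IOException.
        System.out.println(tryParse("default/expansion", open, EXPANSION_PAYLOAD));
        System.out.println(tryParse("default/external", open, EXTERNAL_ENTITY_PAYLOAD));
        // Hardened factory: both are rejected at the DOCTYPE, before any entity is defined.
        System.out.println(tryParse("hardened/expansion", hardened, EXPANSION_PAYLOAD));
        System.out.println(tryParse("hardened/external", hardened, EXTERNAL_ENTITY_PAYLOAD));
    }
}
```

The feature URIs used here are those of the Xerces-based parser bundled with the JDK; if a different JAXP implementation is on the classpath, setFeature() throws ParserConfigurationException for the Apache-specific names, which is a useful signal that the hardening did not take effect. Note that disallow-doctype-decl alone covers both payloads; the remaining flags are defence in depth for parsers or call sites where a DOCTYPE has to be tolerated.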