List: xmlrpc-user
Subject: Re: SAML assertion validation doesn't normalize URIs
From: Colm O hEigeartaigh <coheigea () apache ! org>
Date: 2020-06-08 8:59:12
Message-ID: CAB8XdGBHCZWKq0GapVuV=kzm_h+LkmMaJ7UfpLMOHqE_LgaGNQ () mail ! gmail ! com
Hi,
Can you submit some evidence that shows that URIs should be normalized
before comparison?
Colm.
On Fri, Jun 5, 2020 at 6:33 PM Nimish Telang <nimish@telang.net> wrote:
> Hi,
>
> We have encountered an issue where https://example.com and
> https://example.com:443 don't match when included in SAML audience
> restrictions.
>
> As far as I can tell this is because the code to validate matching is just
> basic string comparison (And should probably use Sets rather than Lists):
> https://github.com/apache/ws-wss4j/blob/74df6178e87edbf28b267845c7dcaa5203df5eca/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java#L902
>
> Using java.net.URI to resolve this would be handy – also as the actual
> type that should be parsed from the SAML, not String, since the type in the
> xsd is anyURI…
>
> I don't see a security issue here, and the specs for the saml core
> recommend doing it for at least the authz stuff.
>
> Nimish
>
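The comparison discussed in this thread, as an added example (not WSS4J code, and not something either poster wrote): a small Java class with hypothetical names `AudienceMatcher`, `canonical` and `audienceMatches`. It shows why `https://example.com` and `https://example.com:443` fail plain `String.equals`, that `java.net.URI.equals` alone does not help either (it compares port numbers, and an absent port is `-1`, not 443), and one conservative canonical form that removes only the default port and case differences in scheme and host. Path, query, user info and fragment are kept verbatim, and any value that is not an absolute server-based URI falls back to exact string comparison, because an audience restriction is an access-control check and a looser match would accept assertions issued for a different party.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Objects;

/** Added example (not WSS4J code): conservative audience URI matching. */
public final class AudienceMatcher {

    private AudienceMatcher() {}

    /** Default port per scheme; any other scheme keeps its port literally. */
    private static int defaultPort(String scheme) {
        switch (scheme) {
            case "https": return 443;
            case "http":  return 80;
            default:      return -1;
        }
    }

    /**
     * Canonical form: lower-case scheme and host, default port removed,
     * empty path rendered as "/". Everything else is kept as written so
     * that distinct resources stay distinct.
     * Returns null when the value is not a parseable absolute URI with a host.
     */
    public static String canonical(String value) {
        final URI uri;
        try {
            uri = new URI(value);
        } catch (URISyntaxException e) {
            return null;
        }
        if (uri.getScheme() == null || uri.getHost() == null) {
            return null; // relative or registry-based: no normalization applied
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        String host = uri.getHost().toLowerCase(Locale.ROOT);
        int port = uri.getPort(); // -1 when the authority carries no port
        if (port == defaultPort(scheme)) {
            port = -1;
        }
        String rawPath = uri.getRawPath();
        String path = (rawPath == null || rawPath.isEmpty()) ? "/" : rawPath;

        StringBuilder sb = new StringBuilder(scheme).append("://");
        if (uri.getRawUserInfo() != null) {
            sb.append(uri.getRawUserInfo()).append('@');
        }
        sb.append(host);
        if (port != -1) {
            sb.append(':').append(port);
        }
        sb.append(path);
        if (uri.getRawQuery() != null) {
            sb.append('?').append(uri.getRawQuery());
        }
        if (uri.getRawFragment() != null) {
            sb.append('#').append(uri.getRawFragment());
        }
        return sb.toString();
    }

    /** True if the assertion's audience value names this service provider. */
    public static boolean audienceMatches(String assertionAudience, String expected) {
        String a = canonical(assertionAudience);
        String b = canonical(expected);
        if (a == null || b == null) {
            // Not both absolute URIs: keep the exact comparison the thread describes
            return Objects.equals(assertionAudience, expected);
        }
        return a.equals(b);
    }

    public static void main(String[] args) throws URISyntaxException {
        String sp = "https://example.com";          // constructed sample values
        String fromAssertion = "https://example.com:443";

        // 1. Plain string comparison, as the thread says the code does today
        System.out.println("String.equals : " + sp.equals(fromAssertion));

        // 2. java.net.URI by itself: equals() requires equal port numbers,
        //    so -1 (absent) and 443 (explicit) are still unequal
        System.out.println("URI.equals    : " + new URI(sp).equals(new URI(fromAssertion)));

        // 3. Canonical comparison: default port and host case no longer matter
        System.out.println("canonical     : " + audienceMatches(sp, fromAssertion));
        System.out.println("host case     : " + audienceMatches(sp, "https://EXAMPLE.com/"));

        // A different scheme or path still does not match
        System.out.println("scheme differs: " + audienceMatches(sp, "http://example.com"));
        System.out.println("path differs  : " + audienceMatches(sp, "https://example.com/sp"));
    }
}
```

The whitelist of default ports is deliberately limited to `http` and `https`; an audience such as `urn:example:sp` has no host and is compared as an exact string, which is the same behaviour the current code has for it.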