Bug #182 (closed, 100% done)
Host misses serverPort
Description
Incoming HTTP GET calls miss the server port information within the HTTP Host header.
This leads to verification errors of the SAMLResponse, since the destination, recipient and audienceRestriction will not comply with the given host value.
Here are two examples (tested with Tomcat):
=================================================
================== AUSWEIS APP =================
=================================================
Server Name: dev-selhomar01
Remote Host: 172.20.109.172
Query String: SAMLResponse=[...]
Request URL: https://dev-selhomar01:1443/bdr-demo-sp-1.0.0-SNAPSHOT/saml/Response
PathInfo: /Response
================
HEADER-LIST
================
user-agent:Java/1.7.0_09
host:dev-selhomar01:1443
accept:text/html, image/gif, image/jpeg, ; q=.2, */; q=.2
connection:keep-alive
=================================================
================ Open-eCard-App ================
=================================================
Server Name: dev-selhomar01
Remote Host: 172.20.109.172
Query String: SAMLResponse=[...]
Request URL: https://dev-selhomar01/bdr-demo-sp-1.0.0-SNAPSHOT/saml/Response
PathInfo: /Response
================
HEADER-LIST
================
connection:keep-alive
user-agent:Open-eCard-App/1.0.1-SNAPSHOT
host:dev-selhomar01
accept:text/xml, */*;q=0.8
accept-charset:utf-8, *;q=0.8
================
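An added illustration of the mechanism the report describes; this is example code, not part of the original report and not the Open-eCard client's own code. It builds the Host header value from a request URL the way RFC 7230 prescribes (the port is sent unless it is the scheme's default), reconstructs the request URL the way a servlet container such as Tomcat does from scheme, Host header and path, and compares the result with the SAML Destination. Hostname, port and paths are taken from the two captured requests above; the function names and the comparison helper are my own assumptions.

```python
from urllib.parse import urlsplit

# Default ports per scheme; a Host header omits the port only in this case.
DEFAULT_PORTS = {"http": 80, "https": 443}


def host_header_for(url: str) -> str:
    """Return the Host header value a client must send for this request URL.

    The port is kept whenever it is not the scheme's default port, which is
    exactly what the Open-eCard-App request above failed to do.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if ":" in host:  # IPv6 literal needs brackets in the header
        host = f"[{host}]"
    if parts.port is None or parts.port == DEFAULT_PORTS.get(parts.scheme):
        return host
    return f"{host}:{parts.port}"


def reconstruct_request_url(scheme: str, host_header: str, path: str) -> str:
    """Request URL as a servlet container reports it: host and port come from
    the Host header, so a missing port silently drops out of the URL."""
    return f"{scheme}://{host_header}{path}"


def normalize(url: str) -> tuple:
    """Canonical (scheme, host, effective port, path) so that an explicit
    default port and an omitted one compare equal."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme.lower(), parts.hostname, port, parts.path)


def destination_matches(request_url: str, destination: str) -> bool:
    """Destination/Recipient check as a service provider performs it."""
    return normalize(request_url) == normalize(destination)


def check_destination(scheme: str, host_header: str, path: str, destination: str):
    """Reconstruct the request URL from the received Host header and report
    whether it satisfies the SAML Destination. Returns (ok, reconstructed_url)."""
    url = reconstruct_request_url(scheme, host_header, path)
    return destination_matches(url, destination), url


if __name__ == "__main__":
    # Constructed from the captured requests in the report.
    path = "/bdr-demo-sp-1.0.0-SNAPSHOT/saml/Response"
    destination = f"https://dev-selhomar01:1443{path}"
    for host in ("dev-selhomar01:1443", "dev-selhomar01"):
        ok, url = check_destination("https", host, path, destination)
        print(f"Host: {host:22} -> {url}  {'OK' if ok else 'MISMATCH'}")
```

Running the script prints a match for the AusweisApp-style header `dev-selhomar01:1443` and a mismatch for the bare `dev-selhomar01`, which is the verification error the report describes.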
Updated by Detlef Hühnlein over 11 years ago
- Assignee set to Tobias Wich
- Target version set to 1.0.1
Updated by Tobias Wich over 11 years ago
- Status changed from New to Review
- % Done changed from 0 to 100
Patch is available in 04650df4