OPENAM-7362

Neil Madden · Neil Madden · commit 317ee9bc7d39 · 2016-01-08T17:22:41.000Z
diff --git a/openam-federation/OpenFM/src/main/java/com/iplanet/services/cdc/CDCServlet.java b/openam-federation/OpenFM/src/main/java/com/iplanet/services/cdc/CDCServlet.java
@@ -30,9 +30,9 @@
 package com.iplanet.services.cdc;
 
 import com.iplanet.dpro.session.SessionException;
-import com.iplanet.dpro.session.service.SessionService;
 import com.iplanet.dpro.session.TokenRestriction;
-
+import com.iplanet.dpro.session.service.SessionService;
+import com.iplanet.services.naming.WebtopNaming;
 import com.iplanet.sso.SSOException;
 import com.iplanet.sso.SSOToken;
 import com.iplanet.sso.SSOTokenManager;
@@ -63,16 +63,15 @@
 import com.sun.identity.saml.protocol.StatusCode;
 import com.sun.identity.shared.Constants;
 import com.sun.identity.shared.DateUtils;
+import com.sun.identity.shared.configuration.SystemPropertiesManager;
 import com.sun.identity.shared.debug.Debug;
 import com.sun.identity.shared.encode.Base64;
 import com.sun.identity.shared.encode.CookieUtils;
 import com.sun.identity.shared.encode.URLEncDec;
-import com.sun.identity.shared.configuration.SystemPropertiesManager;
 import com.sun.identity.sm.SMSEntry;
-import org.forgerock.guice.core.InjectorHolder;
-import org.forgerock.openam.ldap.LDAPUtils;
 
 import java.io.IOException;
+import java.net.HttpURLConnection;
 import java.net.InetAddress;
 import java.net.UnknownHostException;
 import java.text.ParseException;
@@ -81,9 +80,9 @@
 import java.util.Enumeration;
 import java.util.HashSet;
 import java.util.Iterator;
-import java.util.StringTokenizer;
 import java.util.List;
 import java.util.Set;
+import java.util.StringTokenizer;
 import java.util.logging.Level;
 import javax.servlet.RequestDispatcher;
 import javax.servlet.ServletConfig;
@@ -94,6 +93,10 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.forgerock.guice.core.InjectorHolder;
+import org.forgerock.openam.ldap.LDAPUtils;
+import org.forgerock.openam.utils.StringUtils;
+
 /**
  * The <code>CDCServlet</code> is the heart of the Cross Domain Single
  * Signon mechanism of OpenAM.
@@ -640,7 +643,25 @@ private void redirectForAuthentication(
                     dispatcher.forward(request, response);
                 }
             } else {
-                // Redirect the user to the authenticated URL
+                // Redirect the user to the OpenAM host that they originally authenticated against. The authURL is
+                // set by AuthClientUtils#setHostUrlCookie when in restricted cookie mode. It's not entirely clear
+                // exactly what this use-case is for, but we should validate the cookie against the known server list
+                // to prevent an unvalidated redirect.
+                boolean valid = false;
+                for (String serverId : WebtopNaming.getAllServerIDs()) {
+                    String serverUrl = WebtopNaming.getServerFromID(serverId);
+                    serverUrl = serverUrl.substring(0, serverUrl.length() - deployDescriptor.length());
+                    if (StringUtils.compareCaseInsensitiveString(serverUrl, authURL)) {
+                        valid = true;
+                        break;
+                    }
+                }
+
+                if (!valid) {
+                    response.sendError(HttpURLConnection.HTTP_BAD_REQUEST, "Invalid cookie");
+                    return;
+                }
+
                 redirectURL.append(authURL).append(deployDescriptor)
                     .append(CDCURI).append(QUESTION_MARK)
                     .append(request.getQueryString());
@@ -649,24 +670,16 @@ private void redirectForAuthentication(
                  * Reset the cookie value to null, to avoid continous loop
                  * when a load balancer is used.
                  */
-                if (authCookie != null) {
-                    authCookie.setValue("");
-                    response.addCookie(authCookie);
-                }
+                authCookie.setValue("");
+                response.addCookie(authCookie);
                 response.sendRedirect(redirectURL.toString());
             }
             
             if (debug.messageEnabled()) {
                 debug.message("Forwarding for authentication to: " +
                     redirectURL);
             }
-        } catch (IOException e) {
-            debug.error("CDCServlet.redirectForAuthentication", e);
-            showError(response);
-        } catch (ServletException e) {
-            debug.error("CDCServlet.redirectForAuthentication", e);
-            showError(response);
-        } catch (IllegalStateException e) {
+        } catch (Exception e) {
             debug.error("CDCServlet.redirectForAuthentication", e);
             showError(response);
         }
