Require candidate SAML usernames to contain @, and remove dupes.
authorRay Lee <ray.lee@lyrasis.org>
Tue, 28 Nov 2023 02:50:28 +0000 (21:50 -0500)
committerRay Lee <ray.lee@lyrasis.org>
Tue, 28 Nov 2023 02:50:28 +0000 (21:50 -0500)
services/common/src/main/java/org/collectionspace/services/common/security/SecurityConfig.java
services/common/src/main/java/org/collectionspace/services/common/security/SecurityUtils.java

index 30d59068eab2be4ad7bcb4a0b785e39c99595b97..1efa9c5548003aa48fe50fbf7a2913e5c53cea2c 100644 (file)
@@ -561,7 +561,7 @@ public class SecurityConfig {
                                        List<String> attemptedUsernames = new ArrayList<>();
 
                                        for (Assertion assertion : responseToken.getResponse().getAssertions()) {
-                                               List<String> candidateUsernames = SecurityUtils.findSamlAssertionCandidateUsernames(assertion, assertionProbes);
+                                               Set<String> candidateUsernames = SecurityUtils.findSamlAssertionCandidateUsernames(assertion, assertionProbes);
 
                                                for (String candidateUsername : candidateUsernames) {
                                                        try {
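Review bot: The de-duplication is scoped to a single assertion, because `candidateUsernames` is a fresh `Set` on every pass of the `for (Assertion assertion : ...)` loop while `attemptedUsernames` remains a `List` declared outside it. If a response carries several assertions naming the same user, that username would presumably be looked up and recorded again. Declaring it as `Set<String> attemptedUsernames = new LinkedHashSet<>();` and skipping candidates that are already in it would extend the de-duplication to the whole response. The loop and `try` bodies continue outside the hunk, so how `attemptedUsernames` is filled and reported is not visible here.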
index 5017bbe6c3072447b4e5d9242242a83cd2dca085..ab89e89171457c3a1a50fde6bd927c1ae49a1ec5 100644 (file)
@@ -23,7 +23,9 @@
 package org.collectionspace.services.common.security;
 
 import java.util.ArrayList;
+import java.util.LinkedHashSet;
 import java.util.List;
+import java.util.Set;
 import java.net.URISyntaxException;
 import java.util.StringTokenizer;
 
@@ -345,8 +347,8 @@ public class SecurityUtils {
     /*
      * Retrieve the possible CSpace usernames from a SAML assertion.
      */
-    public static List<String> findSamlAssertionCandidateUsernames(Assertion assertion, AssertionProbesType assertionProbes) {
-        List<String> candidateUsernames = new ArrayList<>();
+    public static Set<String> findSamlAssertionCandidateUsernames(Assertion assertion, AssertionProbesType assertionProbes) {
+        Set<String> candidateUsernames = new LinkedHashSet<>();
         List<Object> probes = null;
 
         if (assertionProbes != null) {
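Review bot: The block comment above `findSamlAssertionCandidateUsernames` no longer describes the contract, since the method now returns a `Set` and, per the later hunks, keeps only values containing `@`. I would turn it into Javadoc along the lines of `/** Returns the candidate CSpace usernames found in a SAML assertion, de-duplicated in insertion order; values without an '@' are ignored. */`. The return type of a public static method changed from `List<String>` to `Set<String>`, so any caller outside the two files in this commit needs the same update. The method body continues outside the hunk.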
@@ -361,7 +363,7 @@ public class SecurityUtils {
             if (probe instanceof AssertionNameIDProbeType) {
                 String subjectNameID = assertion.getSubject().getNameID().getValue();
 
-                if (subjectNameID != null && subjectNameID.length() > 0) {
+                if (subjectNameID != null && subjectNameID.contains("@")) {
                     candidateUsernames.add(subjectNameID);
                 }
             } else if (probe instanceof AssertionAttributeProbeType) {
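Review bot: `contains("@")` is a loose test for an identity value taken from an IdP-supplied assertion: it accepts a bare `@`, values with surrounding whitespace, and strings with several `@` characters, and the same check is repeated for attribute values in the `@@ -393,7 +395,7 @@` hunk. Because the `LinkedHashSet` compares strings exactly, values that differ only in case or whitespace also survive as separate candidates. I would route both sites through one helper, e.g. `private static boolean isCandidateUsername(String s) { return s != null && s.indexOf('@') > 0 && s.indexOf('@') < s.length() - 1; }`, and trim the value before adding it if usernames are stored trimmed. Separately, the context line `assertion.getSubject().getNameID().getValue()` would throw a NullPointerException for an assertion without a Subject or NameID unless that case is handled outside the hunk.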
@@ -393,7 +395,7 @@ public class SecurityUtils {
                                 XSString stringValue = (XSString) value;
                                 String candidateValue = stringValue.getValue();
 
-                                if (candidateValue != null && candidateValue.length() > 0) {
+                                if (candidateValue != null && candidateValue.contains("@")) {
                                     values.add(candidateValue);
                                 }
                             }