From 3e0ac07b48639f7fbe8144f2e4c92c1212111cac Mon Sep 17 00:00:00 2001
From: Ray Lee
Date: Mon, 27 Nov 2023 21:50:28 -0500
Subject: [PATCH] Require candidate SAML usernames to contain @, and remove dupes.
---
 .../services/common/security/SecurityConfig.java | 2 +-
 .../services/common/security/SecurityUtils.java | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/services/common/src/main/java/org/collectionspace/services/common/security/SecurityConfig.java b/services/common/src/main/java/org/collectionspace/services/common/security/SecurityConfig.java
index 30d59068e..1efa9c554 100644
--- a/services/common/src/main/java/org/collectionspace/services/common/security/SecurityConfig.java
+++ b/services/common/src/main/java/org/collectionspace/services/common/security/SecurityConfig.java
@@ -561,7 +561,7 @@ public class SecurityConfig {
 List attemptedUsernames = new ArrayList<>();
 for (Assertion assertion : responseToken.getResponse().getAssertions()) {
- List candidateUsernames = SecurityUtils.findSamlAssertionCandidateUsernames(assertion, assertionProbes);
+ Set candidateUsernames = SecurityUtils.findSamlAssertionCandidateUsernames(assertion, assertionProbes);
 for (String candidateUsername : candidateUsernames) {
 try {
diff --git a/services/common/src/main/java/org/collectionspace/services/common/security/SecurityUtils.java b/services/common/src/main/java/org/collectionspace/services/common/security/SecurityUtils.java
index 5017bbe6c..ab89e8917 100644
--- a/services/common/src/main/java/org/collectionspace/services/common/security/SecurityUtils.java
+++ b/services/common/src/main/java/org/collectionspace/services/common/security/SecurityUtils.java
@@ -23,7 +23,9 @@ package org.collectionspace.services.common.security;
 import java.util.ArrayList;
+import java.util.LinkedHashSet;
 import java.util.List;
+import java.util.Set;
 import java.net.URISyntaxException;
 import java.util.StringTokenizer;
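Review bot: The new `Set candidateUsernames` declaration depends on `java.util.Set` already being imported in SecurityConfig.java, because this patch changes only that one line of the file and adds no import there; if the import is missing the file no longer compiles, so the import block should be confirmed. `attemptedUsernames`, declared as a `List` just above, presumably accumulates every candidate across all assertions, so the de-duplication introduced by the `Set` holds only within one assertion and the same username can still be attempted or reported more than once when several assertions carry it. The enclosing method starts and ends outside the hunk.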
@@ -345,8 +347,8 @@ public class SecurityUtils {
 /*
 * Retrieve the possible CSpace usernames from a SAML assertion.
 */
- public static List findSamlAssertionCandidateUsernames(Assertion assertion, AssertionProbesType assertionProbes) {
- List candidateUsernames = new ArrayList<>();
+ public static Set findSamlAssertionCandidateUsernames(Assertion assertion, AssertionProbesType assertionProbes) {
+ Set candidateUsernames = new LinkedHashSet<>();
 List probes = null;
 if (assertionProbes != null) {
@@ -361,7 +363,7 @@ public class SecurityUtils {
 if (probe instanceof AssertionNameIDProbeType) {
 String subjectNameID = assertion.getSubject().getNameID().getValue();
- if (subjectNameID != null && subjectNameID.length() > 0) {
+ if (subjectNameID != null && subjectNameID.contains("@")) {
 candidateUsernames.add(subjectNameID);
 }
 } else if (probe instanceof AssertionAttributeProbeType) {
@@ -393,7 +395,7 @@ public class SecurityUtils {
 XSString stringValue = (XSString) value;
 String candidateValue = stringValue.getValue();
- if (candidateValue != null && candidateValue.length() > 0) {
+ if (candidateValue != null && candidateValue.contains("@")) {
 values.add(candidateValue);
 }
 }
-- 
2.47.3
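Review bot: The comment above `findSamlAssertionCandidateUsernames` no longer describes the method's contract now that it returns an insertion-ordered, de-duplicated `Set` and, per the later hunks of this commit, keeps only values containing `@`. I would extend it to read `Retrieve the possible CSpace usernames from a SAML assertion. Only values containing '@' are considered; the returned set is de-duplicated and ordered by probe order.` so the filtering rule is documented at the API rather than discovered in the loop bodies. Changing the public return type from `List` to `Set` is also source-incompatible for any other caller of this static method; the commit updates SecurityConfig, but nothing in the diff shows whether other callers exist. The method body continues outside the hunk.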
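Review bot: `subjectNameID.contains("@")` is a loose heuristic rather than a check that the value is an email-shaped identifier: a value consisting only of `@`, one with leading or trailing whitespace, or one with several `@` signs all pass, and the identical predicate is duplicated at the attribute-value site in the third hunk of this file. I would centralise the rule in one private helper so both call sites stay consistent and the rule is documented once, e.g. `private static boolean isCandidateUsername(String value) { return value != null && value.contains("@"); }`, then `if (isCandidateUsername(subjectNameID)) {` here and `if (isCandidateUsername(candidateValue)) {` in the later hunk. The NameID's format is not consulted at all, so if the intent is to accept only email-address NameIDs, checking the assertion's NameID format would be a tighter guard than scanning for `@`; I cannot tell from the diff which formats the configured IdPs are expected to send. The enclosing probe loop starts and ends outside the hunk.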