Closed spring-projects-issues closed 12 years ago
William Miller said:
Please advise if my analysis is correct and if the fix is correct as soon as possible.
Vladimir Schäfer said:
The issue is valid, the signatures on incoming messages were checked by SAMLProtocolMessageXMLSignatureSecurityPolicyRule, but for assertions the return code was ignored and invalid signature could thus pass. Thanks for noticing.
This issue duplicates #57
William Miller (Migrated from SES-73) said:
Invalid signatures on SAML assertions DO NOT prevent the assertion from being accepted. This is a major security issue. This may also affect other signature validations on other SAML message types.
The code assumes that the signature trust engine will throw an exception when the signature is invalid when the semantics of the validate function states that false will be returned.
The return value is NOT being checked.
Line 237 in spring-security-saml/src/org/springframework/security/saml/websso/AbstractProfileBase.java must be changed to something such as: if (! trustEngine.validate(signature, criteriaSet)) { throw new ValidationException("Signature is not trusted or invalid"); } or the return value from validate must be returned from the verifySignature function and checked by the caller.
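The defect described above, shown as an added illustration (this is not the project's AbstractProfileBase code): the vulnerable form discards the boolean from OpenSAML 2's SignatureTrustEngine.validate(), which reports an untrusted or invalid signature by returning false and reserves SecurityException for processing errors; the fixed form enforces the result. It assumes the OpenSAML 2 API (org.opensaml.xml.*), and it also runs SAMLSignatureProfileValidator before trust evaluation, which goes beyond what the issue asks for.

```java
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;

/** Illustration only; assumed OpenSAML 2 types, not the project's own class. */
public class SignatureCheckExample {

    /** Vulnerable form: validate()'s boolean is dropped, so an invalid signature passes. */
    static void verifySignatureIgnoringResult(SignatureTrustEngine trustEngine,
            Signature signature, CriteriaSet criteriaSet) throws ValidationException {
        try {
            // false (untrusted or invalid) is never acted on here.
            trustEngine.validate(signature, criteriaSet);
        } catch (SecurityException e) {
            throw new ValidationException("Signature processing failed", e);
        }
    }

    /** Fixed form: reject a malformed profile, then enforce the trust engine's verdict. */
    static void verifySignature(SignatureTrustEngine trustEngine,
            Signature signature, CriteriaSet criteriaSet) throws ValidationException {
        // Checks the SAML signature profile (reference and transforms) before trust evaluation.
        new SAMLSignatureProfileValidator().validate(signature);

        boolean trusted;
        try {
            trusted = trustEngine.validate(signature, criteriaSet);
        } catch (SecurityException e) {
            throw new ValidationException("Signature processing failed", e);
        }
        // The missing check: a false return must abort processing of the assertion.
        if (!trusted) {
            throw new ValidationException("Signature is not trusted or invalid");
        }
    }
}
```

Callers that prefer the alternative from the issue can instead return the boolean from verifySignature and reject the assertion on false; either way the result must reach a decision point.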