
Commit 09d1e6a

committed
Same behaviour on java-saml InResponse LogoutResponse validation than SAMLResponse
1 parent 6687c9f commit 09d1e6a

2 files changed

Lines changed: 11 additions & 7 deletions


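--- a/core/src/main/java/com/onelogin/saml2/logout/LogoutResponse.java
+++ b/core/src/main/java/com/onelogin/saml2/logout/LogoutResponse.java
@@ -6,6 +6,7 @@
 import java.util.Calendar;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Objects;
 
 import javax.xml.xpath.XPathExpressionException;
 
@@ -174,13 +175,16 @@ public Boolean isValid(String requestId) {
 }
 }
 
-// Check if the InResponseTo of the Logout Response matches the ID of the Logout Request (requestId) if provided
-if (requestId != null && rootElement.hasAttribute("InResponseTo")) {
-String responseInResponseTo = rootElement.getAttribute("InResponseTo");
-if (!responseInResponseTo.equals(requestId)) {
+String responseInResponseTo = rootElement.hasAttribute("InResponseTo") ? rootElement.getAttribute("InResponseTo") : null;
+if (requestId == null && responseInResponseTo != null && settings.isRejectUnsolicitedResponsesWithInResponseTo()) {
+throw new Exception("The Response has an InResponseTo attribute: " + responseInResponseTo +
+" while no InResponseTo was expected");
+}
+
+// Check if the InResponseTo of the Response matches the ID of the AuthNRequest (requestId) if provided
+if (requestId != null && !Objects.equals(responseInResponseTo, requestId)) {
 throw new Exception("The InResponseTo of the Logout Response: " + responseInResponseTo
-+ ", does not match the ID of the Logout request sent by the SP:: " + requestId);
-}
++ ", does not match the ID of the Logout request sent by the SP: " + requestId);
 }
 
 // Check issuer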
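Review bot: The comment on new line 184 was carried over from the SAMLResponse validator and refers to "the ID of the AuthNRequest", but this block validates a LogoutResponse against a Logout Request, which is what the old comment on removed line 177 said. The new condition `requestId != null && !Objects.equals(responseInResponseTo, requestId)` also tightens behaviour: a Logout Response that carries no InResponseTo is now rejected whenever a requestId was supplied, where the old `hasAttribute` guard let it through, and in that case the message prints the attribute as `null`. Both are worth stating at the comment, e.g. `// Check that the InResponseTo of the Logout Response matches the ID of the Logout Request (requestId); when requestId is given, a response without InResponseTo is rejected too`, so readers and callers depending on the earlier leniency are not surprised. The enclosing isValid method starts before and ends after this hunk.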

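--- a/toolkit/src/test/java/com/onelogin/saml2/test/AuthTest.java
+++ b/toolkit/src/test/java/com/onelogin/saml2/test/AuthTest.java
@@ -661,7 +661,7 @@ public void testProcessSLOResponseWrongRequestId() throws Exception {
 auth.processSLO(false, "wrong_request_id");
 verify(session, times(0)).invalidate();
 assertTrue(auth.getErrors().contains("invalid_logout_response"));
-assertEquals("The InResponseTo of the Logout Response: ONELOGIN_21584ccdfaca36a145ae990442dcd96bfe60151e, does not match the ID of the Logout request sent by the SP:: wrong_request_id", auth.getLastErrorReason());
+assertEquals("The InResponseTo of the Logout Response: ONELOGIN_21584ccdfaca36a145ae990442dcd96bfe60151e, does not match the ID of the Logout request sent by the SP: wrong_request_id", auth.getLastErrorReason());
 }
 
 /**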
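Review bot: The only test change is the corrected message string; the two new validation outcomes introduced in LogoutResponse.isValid are not exercised by anything in this commit. Missing are a case where requestId is null, the response carries InResponseTo and the settings flag rejectUnsolicitedResponsesWithInResponseTo is enabled (expected error reason starting with `"The Response has an InResponseTo attribute: "`), and a case where requestId is supplied but the response has no InResponseTo, which the new `Objects.equals` comparison now rejects. Without those, a regression in the unsolicited-response rejection would go unnoticed. The enclosing test method starts before this hunk.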
