diff --git a/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/JITProvisionCallbackHandler.java b/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/JITProvisionCallbackHandler.java index 0214069df0..433c1e7de3 100644 --- a/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/JITProvisionCallbackHandler.java +++ b/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/JITProvisionCallbackHandler.java @@ -32,6 +32,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import java.io.IOException; +import java.util.Objects; @WebServlet( name = "JIT callback handler", @@ -45,6 +46,7 @@ public class JITProvisionCallbackHandler extends HttpServlet { @Override protected void doGet(HttpServletRequest request, HttpServletResponse response) { + String state = request.getParameter("state"); HttpSession session = request.getSession(false); String JITProvisionCallbackURL = request.getScheme() + HandlerConstants.SCHEME_SEPARATOR + System.getProperty(HandlerConstants.IOT_CORE_HOST_ENV_VAR) @@ -57,6 +59,12 @@ public class JITProvisionCallbackHandler extends HttpServlet { return; } + if (state == null || !Objects.equals(state, session.getAttribute("state").toString())) { + response.sendError(org.apache.http.HttpStatus.SC_BAD_REQUEST, "MismatchingStateError: CSRF Warning! " + + "State not equal in request and response"); + return; + } + JITData JITInfo = (JITData) session.getAttribute(HandlerConstants.SESSION_JIT_DATA_KEY); if (JITInfo == null) { response.sendError(HttpStatus.SC_UNAUTHORIZED); diff --git a/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/JITProvisionHandler.java b/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/JITProvisionHandler.java index dec743289e..5ff97d4a87 100644 --- a/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/JITProvisionHandler.java +++ b/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/JITProvisionHandler.java @@ -70,6 +70,7 @@ public class JITProvisionHandler extends HttpServlet { private String encodedClientCredentials; private String JITConfigurationPath; private String redirectUrl; + private String state; @Override protected void doGet(HttpServletRequest request, HttpServletResponse response) { @@ -83,6 +84,7 @@ public class JITProvisionHandler extends HttpServlet { + HandlerConstants.JIT_PROVISION_CALLBACK_URL; JITConfigurationPath = CarbonUtils.getCarbonConfigDirPath() + File.separator + "jit-config.xml"; String scope = "openid"; + state = HandlerUtil.generateStateToken(); tenantDomain = request.getParameter("tenantDomain"); redirectUrl = request.getParameter("redirectUrl"); JITServiceProviderName = request.getParameter("sp"); @@ -100,7 +102,7 @@ public class JITProvisionHandler extends HttpServlet { response.sendRedirect(keyManagerUrl + HandlerConstants.AUTHORIZATION_ENDPOINT + "?response_type=code" + "&client_id=" + clientId + - "&state=" + + "&state=" + state + "&scope=" + scope + "&redirect_uri=" + JITCallbackUrl); } catch (JITProvisionException | IOException ex) { @@ -129,6 +131,7 @@ public class JITProvisionHandler extends HttpServlet { JITInfo.setRedirectUrl(redirectUrl); JITInfo.setSp(JITServiceProviderName); session.setMaxInactiveInterval(3600); + session.setAttribute("state", state); session.setAttribute(HandlerConstants.SESSION_JIT_DATA_KEY, JITInfo); }