/**
 * Checks the supplied redirect URIs against the configured client white list.
 *
 * <p>Every URI is tested against the patterns returned by
 * {@code appConfiguration.getClientWhiteList()}; the result is {@code true} only when all of
 * them are listed. An empty {@code redirectUris} list also yields {@code true}, because no
 * entry fails the check, so a caller that requires at least one redirect URI has to enforce
 * that separately.
 *
 * @param redirectUris redirect URIs to check; must not be {@code null}
 * @return {@code true} if no supplied URI falls outside the white list
 */
private boolean checkWhiteListRedirectUris(List<String> redirectUris) {
    final URLPatternList allowedPatterns = new URLPatternList(appConfiguration.getClientWhiteList());

    boolean allListed = true;
    // Every URI is evaluated, even after a miss: the matcher is called once per entry
    // regardless of where the first non-listed URI sits in the list.
    for (final String candidate : redirectUris) {
        if (!allowedPatterns.isUrlListed(candidate)) {
            allListed = false;
        }
    }
    return allListed;
}
/**
 * Checks that none of the supplied redirect URIs is on the configured client black list.
 *
 * <p>Every URI is tested against the patterns returned by
 * {@code appConfiguration.getClientBlackList()}; a single match makes the result
 * {@code false}. An empty {@code redirectUris} list yields {@code true}. A deny list only
 * rejects what its patterns name, so a {@code true} result says nothing about whether a URI
 * is otherwise acceptable.
 *
 * @param redirectUris redirect URIs to check; must not be {@code null}
 * @return {@code true} if no supplied URI matches a black-list pattern
 */
private boolean checkBlackListRedirectUris(List<String> redirectUris) {
    final URLPatternList deniedPatterns = new URLPatternList(appConfiguration.getClientBlackList());

    boolean noneListed = true;
    // Every URI is evaluated, even after a hit: the matcher is called once per entry.
    for (final String candidate : redirectUris) {
        if (deniedPatterns.isUrlListed(candidate)) {
            noneListed = false;
        }
    }
    return noneListed;
}
/**
 * Decides whether a post-logout redirect may proceed without the regular validation.
 *
 * <p>Both conditions must hold: the {@code allowPostLogoutRedirectWithoutValidation} setting
 * is explicitly {@code true} (an unset, {@code null}, value counts as disabled), and
 * {@code post_logout_redirect_uri} matches a pattern in the client white list. Within this
 * method the white list is the only check applied to the redirect target, so its patterns
 * should be kept as narrow as the deployment allows.
 *
 * @param postLogoutRedirectUri the requested {@code post_logout_redirect_uri}
 * @return {@code true} if the redirect is allowed without further validation
 */
private boolean allowPostLogoutRedirect(String postLogoutRedirectUri) {
    final Boolean skipValidationSetting = appConfiguration.getAllowPostLogoutRedirectWithoutValidation();
    if (!Boolean.TRUE.equals(skipValidationSetting)) {
        // Setting is off or not configured: the white list is not consulted at all.
        return false;
    }

    final URLPatternList allowedPatterns = new URLPatternList(appConfiguration.getClientWhiteList());
    return allowedPatterns.isUrlListed(postLogoutRedirectUri);
}
/**
 * Pins the matching behaviour expected from {@code URLPatternList} for three pattern shapes:
 * a scheme-less wildcard host with a wildcard inside the path, an exact URL with a scheme,
 * and a scheme-less wildcard host with a wildcard path.
 */
@Test
public void testUrlPatterList() {
    showTitle("testUrlPatterList");

    List<String> patterns = Arrays.asList(
            "*.gluu.org/foo*bar",
            "https://example.org/foo/bar.html",
            "*.attacker.com/*");
    URLPatternList matcher = new URLPatternList(patterns);

    // Host-only inputs (no scheme, no path) are expected not to be listed.
    assertFalse(matcher.isUrlListed("gluu.org"));
    assertFalse(matcher.isUrlListed("www.gluu.org"));

    // "*.gluu.org/foo*bar": expected to cover the bare domain and its subdomains under both
    // http and https. The inner "*" is expected to match an empty string ("/foobar") and to
    // span path separators ("/foo/bar", "/foo/baz/bar").
    assertTrue(matcher.isUrlListed("http://gluu.org/foo/bar"));
    assertTrue(matcher.isUrlListed("https://mail.gluu.org/foo/bar"));
    assertTrue(matcher.isUrlListed("http://www.gluu.org/foobar"));
    assertTrue(matcher.isUrlListed("https://www.gluu.org/foo/baz/bar"));

    // "https://example.org/foo/bar.html": only the exact https URL is expected to be listed;
    // the same URL over http and the host without a path are not.
    assertFalse(matcher.isUrlListed("http://example.org"));
    assertFalse(matcher.isUrlListed("http://example.org/foo/bar.html"));
    assertTrue(matcher.isUrlListed("https://example.org/foo/bar.html"));

    // "*.attacker.com/*": expected to cover the bare domain and subdomains, with or without
    // a path, under both schemes.
    assertTrue(matcher.isUrlListed("http://attacker.com"));
    assertTrue(matcher.isUrlListed("https://www.attacker.com"));
    assertTrue(matcher.isUrlListed("https://www.attacker.com/foo/bar"));
}