Return 500 Internal Server Error if probe discovery fails.
If we don't, we can end up sending an authentication request to an IdP that is not in the MellonProbeDiscoveryIdP list, which is probably not what the user wants. Patch by Emmanuel Dreyfus.
parent
38ef347045
commit
fe0eb56e29
3
README
3
README
|
@ -471,6 +471,9 @@ MellonPostCount 100
|
|||
|
||||
# MellonProbeDiscoveryIdP can be used to restrict the
|
||||
# list of IdP queried by the IdP probe discovery service.
|
||||
# If probe discovery fails and this is provided, an
|
||||
# HTTP error 500 is returned, instead of proceeding
|
||||
# with first available IdP.
|
||||
#
|
||||
# Default unset, which means that all configured IdP are
|
||||
# queried.
|
||||
|
|
|
@ -3316,9 +3316,17 @@ static int am_handle_probe_discovery(request_rec *r) {
|
|||
}
|
||||
|
||||
/*
|
||||
* On failure, try default
|
||||
* On failure, fail if a MellonProbeDiscoveryIdP
|
||||
* list was provided, otherwise try first IdP.
|
||||
*/
|
||||
if (disco_idp == NULL) {
|
||||
if (!apr_is_empty_table(cfg->probe_discovery_idp)) {
|
||||
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
|
||||
"probeDiscovery failed and non empty "
|
||||
"MellonProbeDiscoveryIdP was provided.");
|
||||
return HTTP_INTERNAL_SERVER_ERROR;
|
||||
}
|
||||
|
||||
disco_idp = am_first_idp(r);
|
||||
if (disco_idp == NULL) {
|
||||
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
|
||||
|
|
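Review bot: The rewritten comment above `if (disco_idp == NULL)` says what the branch does but not why, and the reason is the security-relevant part. Going by the commit description, the `am_first_idp(r)` fallback can select an IdP that is not in MellonProbeDiscoveryIdP, which would bypass the administrator's restriction. I would record that in the comment, e.g. `* Fail closed: the am_first_idp() fallback may pick an IdP outside the MellonProbeDiscoveryIdP list.` Separately, a 500 here looks the same to monitoring as a genuine module fault, so the log text is the only way to tell them apart and could say explicitly that no listed IdP answered the probe. am_handle_probe_discovery starts before this hunk and continues after it, so whether the probe loop already logs per-IdP failures is not visible here.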