SES-66 Removed subjectLocality check as the field is just advisory an…

…d not supposed to be verified according to spec.
sannies · Mar 22, 2011 · 7810d98 · 7810d98
1 parent 09263eb
commit 7810d98
Showing 1 changed file with 2 additions and 10 deletions.
diff --git a/...ore/src/main/java/org/springframework/security/saml/websso/WebSSOProfileConsumerImpl.java b/...ore/src/main/java/org/springframework/security/saml/websso/WebSSOProfileConsumerImpl.java
@@ -380,15 +380,15 @@ protected void verifyAssertionConditions(Conditions conditions, SAMLMessageConte
     }
 
     /**
-     * Verifies that authentication statement is valid. Checks the authInstant, sessionNotOnOrAfter and subjectLocality
-     * fields.
+     * Verifies that authentication statement is valid. Checks the authInstant and sessionNotOnOrAfter fields.
      *
      * @param auth    statement to check
      * @param requestedAuthnContext original requested context can be null for unsolicited messages or when no context was requested
      * @param context message context
      * @throws AuthenticationException in case the statement is invalid
      */
     protected void verifyAuthenticationStatement(AuthnStatement auth, RequestedAuthnContext requestedAuthnContext, SAMLMessageContext context) throws AuthenticationException {
+
         // Validate that user wasn't authenticated too long time ago
         if (!isDateTimeSkewValid(getMaxAuthenticationAge(), auth.getAuthnInstant())) {
             log.debug("Authentication statement is too old to be used", auth.getAuthnInstant());
@@ -404,14 +404,6 @@ protected void verifyAuthenticationStatement(AuthnStatement auth, RequestedAuthn
         // Verify context
         verifyAuthnContext(requestedAuthnContext, auth.getAuthnContext(), context);
 
-        if (auth.getSubjectLocality() != null) {
-            HTTPInTransport httpInTransport = (HTTPInTransport) context.getInboundMessageTransport();
-            if (auth.getSubjectLocality().getAddress() != null) {
-                if (!httpInTransport.getPeerAddress().equals(auth.getSubjectLocality().getAddress())) { // TODO Log message
-                    throw new BadCredentialsException("User is accessing the service from invalid address");
-                }
-            }
-        }
     }
 
     /**