Set strict default value as true

Author: pitbulk

README.md

@@ -6,8 +6,10 @@ Add SAML support to your Java applications using this library.
 Forget those complicated libraries and use that open source library provided and supported by OneLogin Inc.
 
 Version >= 2.5.0 compatible with java7 / java8 / java9.
+2.5.0 sets the 'strict' setting parameter to true.
 2.5.0 uses xmlsec 2.1.4 which fixes [CVE-2019-12400](https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESANTUARIO-460281)
 
+
 Version 2.0.0 - 2.4.0, compatible with java7 / java8.
 
 We [introduced some incompatibilities](https://github.com/onelogin/java-saml/issues/90), that could be fixed and make it compatible with java6.

core/src/main/java/com/onelogin/saml2/settings/Saml2Settings.java

@@ -31,7 +31,7 @@ public class Saml2Settings {
 	private static final Logger LOGGER = LoggerFactory.getLogger(Saml2Settings.class);
 
 	// Toolkit settings
-	private boolean strict = false;
+	private boolean strict = true;
 	private boolean debug = false;
 
 	// SP

core/src/test/java/com/onelogin/saml2/test/authn/AuthnResponseTest.java

@@ -364,6 +364,7 @@ public void testGetNameIdNoKey() throws Exception {
 	@Test
 	public void testGetNameIdEmptyNameIDValue() throws Exception {
 		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.min.properties").build();
+		settings.setStrict(false);
 		String samlResponseEncoded = Util.getFileAsString("data/responses/invalids/empty_nameid.xml.base64");
 		SamlResponse samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
 		String nameId = samlResponse.getNameId();
@@ -499,6 +500,7 @@ public void testGetNameIdDataWrongSPNameQualifier() throws Exception {
 	@Test
 	public void testGetNameIdDataEmptyNameIDValue() throws Exception {
 		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.min.properties").build();
+		settings.setStrict(false);
 		String samlResponseEncoded = Util.getFileAsString("data/responses/invalids/empty_nameid.xml.base64");
 		SamlResponse samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
 		Map<String, String> nameIdData = samlResponse.getNameIdData();
@@ -2140,6 +2142,7 @@ public void testIsInValidEncIssues() throws IOException, Error, XPathExpressionE
 	@Test
 	public void testIsInValidCert() throws IOException, Error, XPathExpressionException, ParserConfigurationException, SAXException, SettingsException, ValidationError {
 		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.invalididpcertstring.properties").build();
+		settings.setStrict(false);
 		String samlResponseEncoded = Util.getFileAsString("data/responses/valid_response.xml.base64");
 		SamlResponse samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
 		assertFalse(samlResponse.isValid());

core/src/test/java/com/onelogin/saml2/test/settings/Saml2SettingsTest.java

@@ -39,11 +39,11 @@ public class Saml2SettingsTest {
 	public void testIsStrict() {
 		Saml2Settings settings = new Saml2Settings();
 
-		assertFalse(settings.isStrict());
-		settings.setStrict(true);
 		assertTrue(settings.isStrict());
 		settings.setStrict(false);
 		assertFalse(settings.isStrict());
+		settings.setStrict(true);
+		assertTrue(settings.isStrict());
 	}
 
 	/**

core/src/test/java/com/onelogin/saml2/test/settings/SettingBuilderTest.java

@@ -76,7 +76,7 @@ public void testLoadFromFileEmpty() throws IOException, CertificateException, UR
 		Saml2Settings setting = new SettingsBuilder().fromFile("config/config.empty.properties").build();
 
 		assertFalse(setting.isDebugActive());
-		assertFalse(setting.isStrict());
+		assertTrue(setting.isStrict());
 
 		assertTrue(setting.getSpEntityId().isEmpty());
 		assertNull(setting.getSpAssertionConsumerServiceUrl());
@@ -130,7 +130,7 @@ public void testLoadFromFileMinProp() throws IOException, CertificateException,
 		Saml2Settings setting = new SettingsBuilder().fromFile("config/config.min.properties").build();
 
 		assertFalse(setting.isDebugActive());
-		assertFalse(setting.isStrict());
+		assertTrue(setting.isStrict());
 
 		assertEquals("http://localhost:8080/java-saml-jspsample/metadata.jsp", setting.getSpEntityId());
 		assertEquals("http://localhost:8080/java-saml-jspsample/acs.jsp", setting.getSpAssertionConsumerServiceUrl().toString());
@@ -569,7 +569,7 @@ public void testFromProperties() throws IOException, Error, CertificateException
 		Saml2Settings setting2 = new SettingsBuilder().fromProperties(prop).build();
 
 		assertFalse(setting2.isDebugActive());
-		assertFalse(setting2.isStrict());
+		assertTrue(setting2.isStrict());
 
 		assertEquals("http://localhost:8080/java-saml-jspsample/metadata.jsp", setting2.getSpEntityId());
 		assertEquals("http://localhost:8080/java-saml-jspsample/acs.jsp", setting2.getSpAssertionConsumerServiceUrl().toString());

samples/java-saml-tookit-jspsample/src/main/resources/onelogin.saml.properties

@@ -1,7 +1,7 @@
 #  If 'strict' is True, then the Java Toolkit will reject unsigned
 #  or unencrypted messages if it expects them signed or encrypted
 #  Also will reject the messages if not strictly follow the SAML
-onelogin.saml2.strict =  false
+onelogin.saml2.strict =  true
 
 # Enable debug mode (to print errors)
 onelogin.saml2.debug =  false
@@ -50,33 +50,32 @@ onelogin.saml2.sp.privatekey =
 #
 
 # Identifier of the IdP entity  (must be a URI)
-onelogin.saml2.idp.entityid = https://app.onelogin.com/saml/metadata/672234
+onelogin.saml2.idp.entityid =
 
 # SSO endpoint info of the IdP. (Authentication Request protocol)
 # URL Target of the IdP where the SP will send the Authentication Request Message
-onelogin.saml2.idp.single_sign_on_service.url = https://sgarcia-us-preprod.onelogin.com/trust/saml2/http-post/sso/672234
-
+onelogin.saml2.idp.single_sign_on_service.url =
 # SAML protocol binding to be used when returning the <Response>
 # message.  Onelogin Toolkit supports for this endpoint the
 # HTTP-Redirect binding only
 onelogin.saml2.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
 
 # SLO endpoint info of the IdP.
 # URL Location of the IdP where the SP will send the SLO Request
-onelogin.saml2.idp.single_logout_service.url = https://sgarcia-us-preprod.onelogin.com/trust/saml2/http-redirect/slo/672234
+onelogin.saml2.idp.single_logout_service.url =
 
 # Optional SLO Response endpoint info of the IdP.
 # URL Location of the IdP where the SP will send the SLO Response. If left blank, same URL as onelogin.saml2.idp.single_logout_service.url will be used.
 # Some IdPs use a separate URL for sending a logout request and response, use this property to set the separate response url
-onelogin.saml2.idp.single_logout_service.response.url = https://sgarcia-us-preprod.onelogin.com/trust/saml2/http-redirect/slo/672234
+onelogin.saml2.idp.single_logout_service.response.url =
 
 # SAML protocol binding to be used when returning the <Response>
 # message.  Onelogin Toolkit supports for this endpoint the
 # HTTP-Redirect binding only
 onelogin.saml2.idp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
 
 # Public x509 certificate of the IdP
-onelogin.saml2.idp.x509cert = -----BEGIN CERTIFICATE-----MIIGZTCCBE2gAwIBAgIULEW2UPHc+tQMo/j0NBM+8SbWK7IwDQYJKoZIhvcNAQELBQAwcjELMAkGA1UEBhMCVVMxKzApBgNVBAoMIk9uZUxvZ2luIFRlc3QgKHNnYXJjaWEtdXMtcHJlcHJvZCkxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEfMB0GA1UEAwwWT25lTG9naW4gQWNjb3VudCA4OTE0NjAeFw0xNzA2MjAxMDA4MTlaFw0yMjA2MjExMDA4MTlaMHIxCzAJBgNVBAYTAlVTMSswKQYDVQQKDCJPbmVMb2dpbiBUZXN0IChzZ2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDYwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDzOWemVjGJTRG72AlAYnNapp26qnnNeNQVt4e56xi+56hjW5OTfgriP27rvAOd+CePIYA3ZyL0pk2LOPA/JtA0JA8LKN1vcGvfJcrpcsbFM5Y2BN5wTnqprT8rvG5eFmeK4r72qJ4wb4bUZJroT9+fU/gs/JOizhP4Z79icLQcbTTe0mc4n+/yoTxThAAraAsiOr3KQzXlTYB8zPMA2GI9TJ5Djc+g52C2vk2OhLEaSAPXGKLhvWukbyUMS34ofnqHaNO0ZbwUmw+8lgHBjIndXsSaFsm18SPnKTtfs1cLekzDveFvJ0T5V8PQWooqWUdg3hkrIiKZpOIcz8uYElpkQDJ2q++MjC7VsT1tKkjMGTv7SMicPscxAG89OaWRg+zmaDzqvdtNPGFe+8oatXp0FBMsnlsyIwdcoHTstloVEcOTSiT8wmjvkkIg5YR6vScmLhR6AQArRP2lWR0kXoSddEDk5fFDG+qMLus+N09YfUOKPswP6MtT9vNhPeIBP87qZLl4qbVCY+TWdNr5lONAH+Xmtk3Pf2phg74qZIZ87bEmJBSXKp8/Qm6Y4ruj6S+SPYt3/vKw130VfaGaSFyOlfAq3naiJqffa2tzneJ7Om/sHFee2Zj2hYqncxu6KR1qeR7lucB5o7z0ljGeUukp8GiVcubsQ3RNnfuCdsaeSwIDAQABo4HyMIHvMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFKewY7diVRP96TRYhW2f/1ktWrJAMIGvBgNVHSMEgacwgaSAFKewY7diVRP96TRYhW2f/1ktWrJAoXakdDByMQswCQYDVQQGEwJVUzErMCkGA1UECgwiT25lTG9naW4gVGVzdCAoc2dhcmNpYS11cy1wcmVwcm9kKTEVMBMGA1UECwwMT25lTG9naW4gSWRQMR8wHQYDVQQDDBZPbmVMb2dpbiBBY2NvdW50IDg5MTQ2ghQsRbZQ8dz61Ayj+PQ0Ez7xJtYrsjAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggIBAC2TQ4yqwk0ePey99JYI5PfMRVEnUyyCSPfKmyVJgoOZwk97+CZuq1MNqGavcExd1ofc4wkN3unk/g7qVRPBV24k9FZaicYrp5maSHakL2SJD8qo/deohYFaeH8RzszxEZbJJYMLiXyRJi44T28TyF8admIwUJVg/KBhNAHi/IlAsRWPL92nWJjSCBHgiPaG5HF10t/GaQSJuQpdhxniUlseuqXZ/Qm0MjAgSTlyaBIxLyOErrpVujwiR5RTHLw0wn+2P0WmfVp7e79GOqzFuwmoLfxUtJgalc7av9VwFdEB2nWF2hu7BwE9rzg8FTaw1uAEu+LQ++IUuI+ydparFWoo/IwtSrXF59mBoKMld58K4L+TfWwUYF3hAmH2XNiSBTFZn1HBsK+XqS1CUGD8R0WSVvQC2jjFbxztFkrOIzz5ITLzKcjr1E86r5PvBQXeeTvVz6g2L+wEA5VXGYh/RItHEkuwn7EPWpvJUfc5B0m57rfr0+UqWZaLbhczrmHFn0HaDXcs2ldi7y+Eiv6IP3vrJrHhdCDlVPLQH8w0f4vNcR8YYVOfWFHYzyo4oqRYFMRmoqfubs90zGLcB5ugm56k5VaseP+VGwjjTEyiD4CYPLEvKm0Z2M0L6MIkhp/9VYl8ZAWvPGKFMSaANkiMlux2uEBeG3s4nLQcunumphAo-----END CERTIFICATE-----
+onelogin.saml2.idp.x509cert =
 
 # Instead of use the whole x509cert you can use a fingerprint
 # (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,