diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractSAMLServletsAdapterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractSAMLServletsAdapterTest.java
index 21af1ce..7d0d43e 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractSAMLServletsAdapterTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractSAMLServletsAdapterTest.java
@@ -105,6 +105,7 @@ import org.w3c.dom.NodeList;
import static org.hamcrest.Matchers.*;
import static org.junit.Assert.*;
import static org.keycloak.representations.idm.CredentialRepresentation.PASSWORD;
+import static org.keycloak.testsuite.AbstractAuthTest.createUserRepresentation;
import static org.keycloak.testsuite.admin.ApiUtil.createUserAndResetPasswordWithAdminClient;
import static org.keycloak.testsuite.admin.Users.setPasswordFor;
import static org.keycloak.testsuite.auth.page.AuthRealm.SAMLSERVLETDEMO;
@@ -801,6 +802,48 @@ public abstract class AbstractSAMLServletsAdapterTest extends AbstractServletsAd
}
@Test
+ public void salesPostSigStaxParsingFlawEmailTest() {
+ UserRepresentation user = createUserRepresentation("bburke-additional-domain", "bburke@redhat.com.additional.domain", "Bill", "Burke", true);
+ setPasswordFor(user, PASSWORD);
+
+ String resultPage = new SamlClientBuilder()
+ .navigateTo(salesPostSigEmailServletPage.buildUri())
+ .processSamlResponse(Binding.POST).build()
+ .login().user(user).build()
+ .processSamlResponse(Binding.POST)
+ .transformString(s -> {
+ assertThat(s, org.hamcrest.Matchers.containsString(">bburke@redhat.com.additional.domain<"));
+ s = s.replaceAll("bburke@redhat.com.additional.domain", "bburke@redhat.com<!-- comment -->.additional.domain");
+ return s;
+ })
+ .build()
+ .executeAndTransform(resp -> EntityUtils.toString(resp.getEntity()));
+
+ assertThat(resultPage, org.hamcrest.Matchers.containsString("principal=bburke@redhat.com.additional.domain"));
+ }
+
+ @Test
+ public void salesPostSigChangeContents() {
+ UserRepresentation user = createUserRepresentation("bburke-additional-domain", "bburke@redhat.com.additional.domain", "Bill", "Burke", true);
+ setPasswordFor(user, PASSWORD);
+
+ String resultPage = new SamlClientBuilder()
+ .navigateTo(salesPostSigEmailServletPage.buildUri())
+ .processSamlResponse(Binding.POST).build()
+ .login().user(user).build()
+ .processSamlResponse(Binding.POST)
+ .transformString(s -> {
+ assertThat(s, org.hamcrest.Matchers.containsString(">bburke@redhat.com.additional.domain<"));
+ s = s.replaceAll("bburke@redhat.com.additional.domain", "bburke@redhat.com");
+ return s;
+ })
+ .build()
+ .executeAndTransform(resp -> EntityUtils.toString(resp.getEntity()));
+
+ assertThat(resultPage, org.hamcrest.Matchers.containsString("INVALID_SIGNATURE"));
+ }
+
+ @Test
public void salesPostSigPersistentTest() {
salesPostSigPersistentServletPage.navigateTo();
testRealmSAMLPostLoginPage.form().login(bburkeUser);
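Review bot: In both added tests the `transformString` lambda passes the e-mail address to `replaceAll`, which treats it as a regular expression, so every `.` matches any character; `s.replace("bburke@redhat.com.additional.domain", "bburke@redhat.com<!-- comment -->.additional.domain")` (and the equivalent call in `salesPostSigChangeContents`) substitutes the literal text instead. `salesPostSigStaxParsingFlawEmailTest` also needs a comment stating what it guards, for example `// A comment inserted into signed text leaves the signature valid (presumably dropped by canonicalization); the adapter must still report the whole value as principal, not just the part before the comment.` The two methods differ only in the replacement string and the expected page content, so a private helper taking those two arguments would remove the duplicated builder chain. The enclosing class continues outside the hunk.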
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/testsaml.json b/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/testsaml.json
index 99753c6..9c12795 100755
--- a/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/testsaml.json
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/testsaml.json
@@ -37,6 +37,23 @@
}
},
{
+ "username" : "bburke-additional-domain",
+ "enabled": true,
+ "email" : "bburke@redhat.com.additional.domain",
+ "credentials" : [
+ { "type" : "password",
+ "value" : "password" }
+ ],
+ "attributes" : {
+ "phone": "617"
+ },
+ "realmRoles": ["manager", "user"],
+ "applicationRoles": {
+ "http://localhost:8081/employee/": [ "employee" ],
+ "http://localhost:8081/employee2/": [ "employee" ]
+ }
+ },
+ {
"username" : "unauthorized",
"enabled": true,
"email" : "unauthorized@redhat.com",