Posted to commits@cxf.apache.org by co...@apache.org on 2016/12/19 14:18:37 UTC
[3/3] cxf-fediz git commit: Enabling CSRF tests for the spring plugins
Enabling CSRF tests for the spring plugins
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/73a11b5f
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/73a11b5f
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/73a11b5f
Branch: refs/heads/1.2.x-fixes
Commit: 73a11b5f2aa799a4218d6777bdafbafcf695ff0c
Parents: 707b8f9
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Dec 19 13:21:05 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Dec 19 14:18:28 2016 +0000
----------------------------------------------------------------------
.../apache/cxf/fediz/integrationtests/Spring2Test.java | 9 +++++++++
.../apache/cxf/fediz/integrationtests/SpringTest.java | 8 ++++++++
.../apache/cxf/fediz/integrationtests/AbstractTests.java | 11 ++++++-----
3 files changed, 23 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/73a11b5f/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
----------------------------------------------------------------------
diff --git a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
index d763132..52cc06f 100644
--- a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
+++ b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
@@ -240,4 +240,13 @@ public class Spring2Test extends AbstractTests {
public void testEntityExpansionAttack() throws Exception {
}
+
+ @Override
+ @org.junit.Test
+ public void testCSRFAttack() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ + "/j_spring_fediz_security_check";
+ csrfAttackTest(url);
+ }
+
}
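Review bot: The overriding testCSRFAttack carries no comment explaining why it exists, and the reason is not obvious from this file: AbstractTests marks testCSRFAttack with @org.junit.Ignore (visible in the third file of this commit), so the @org.junit.Test on the override is what actually re-enables the check for the Spring plugin, with the SignIn form posted to the Spring filter endpoint instead of /secure/fedservlet. Suggested Javadoc on the method: `/** Re-enables the base CSRF test; the forged SignIn form is posted to the Spring security-check endpoint rather than /secure/fedservlet. */`. The same body is duplicated verbatim in SpringTest.testCSRFAttack in this commit; a hook such as a protected URL getter on the base class, called from a single test in AbstractTests, would keep the two copies from drifting.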
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/73a11b5f/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java
----------------------------------------------------------------------
diff --git a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java
index 036b189..93b4201 100644
--- a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java
+++ b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java
@@ -149,4 +149,12 @@ public class SpringTest extends AbstractTests {
public void testConcurrentRequests() throws Exception {
// super.testConcurrentRequests();
}
+
+ @Override
+ @org.junit.Test
+ public void testCSRFAttack() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ + "/j_spring_fediz_security_check";
+ csrfAttackTest(url);
+ }
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/73a11b5f/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index 40c2d59..30d99d3 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -680,6 +680,11 @@ public abstract class AbstractTests {
@org.junit.Ignore
public void testCSRFAttack() throws Exception {
String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+ csrfAttackTest(url);
+ }
+
+ protected void csrfAttackTest(String rpURL) throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
String user = "alice";
String password = "ecila";
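Review bot: The new csrfAttackTest takes an rpURL parameter yet still builds a local `url` for /secure/fedservlet on the next line, so the method now handles two endpoints whose roles are not documented; the later hunk shows the POST going to rpURL, and the local presumably remains the page alice logs in through first, but that should be stated rather than left for the reader to work out. Suggested Javadoc: `/** CSRF scenario: alice authenticates against the protected fedservlet, then the captured SignIn form is POSTed to {@code rpURL} from her session; the RP must reject that POST. */`. If `url` turns out to be unused after this change it should be dropped instead. The method body continues past the end of this hunk.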
@@ -718,7 +723,7 @@ public abstract class AbstractTests {
// 3. Now instead of clicking on the form, send the form via alice's WebClient instead
// Send with context...
- WebRequest request = new WebRequest(new URL(url), HttpMethod.POST);
+ WebRequest request = new WebRequest(new URL(rpURL), HttpMethod.POST);
request.setRequestParameters(new ArrayList<NameValuePair>());
DomNodeList<DomElement> results = idpPage2.getElementsByTagName("input");
@@ -740,10 +745,6 @@ public abstract class AbstractTests {
Assert.fail("Failure expected on a CSRF attack");
} catch (FailingHttpStatusCodeException ex) {
// expected
- Assert.assertTrue(ex.getMessage().contains("401 Unauthorized")
- || ex.getMessage().contains("401 Authentication Failed")
- || ex.getMessage().contains("403 Forbidden")
- || ex.getMessage().contains("408 Request Timeout"));
}
// webClient.close();
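Review bot: Removing the status assertion in the catch block makes the test pass on any FailingHttpStatusCodeException, so a 404 from a wrong path or a 500 from a misconfigured filter would now be counted as a successful CSRF rejection. Keep a check on the status, using the exception's status code rather than the message text, e.g. `int status = ex.getStatusCode();` followed by `Assert.assertTrue("unexpected status " + status, status == 401 || status == 403 || status == 408);`, and if the Spring plugins answer with a different rejection status, add that value to the list rather than dropping the check. The commented-out `// webClient.close();` on the last line is pre-existing but means the client is still not closed on this path. The enclosing method continues past the end of this hunk.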