[cxf-fediz] 06/07: Adding CSRF tests for SAML SSO
coheigea pushed a commit to branch 1.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
commit 5f5fd5b148b2ae3f3124d9610a522871d6163c1a
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu May 17 17:30:42 2018 +0100
Adding CSRF tests for SAML SSO
---
.../cxf/fediz/integrationtests/AbstractTests.java | 45 +++++++++++++---------
1 file changed, 27 insertions(+), 18 deletions(-)
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index c5f2425..5bad8b5 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -887,10 +887,6 @@ public abstract class AbstractTests {
@org.junit.Test
public void testCSRFAttack() throws Exception {
- if (!isWSFederation()) {
- return;
- }
-
String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
csrfAttackTest(url);
}
@@ -912,7 +908,7 @@ public abstract class AbstractTests {
webClient.getOptions().setJavaScriptEnabled(true);
Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
- final HtmlForm form = idpPage.getFormByName("signinresponseform");
+ final HtmlForm form = idpPage.getFormByName(getLoginFormName());
final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
final HtmlPage rpPage = button.click();
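Review bot: The title assertion just above the form lookup is still the literal `"IDP SignIn Response Form"` while the form name now comes from `getLoginFormName()`, so if the SAML SSO IdP response page carries a different title the test will fail on that assert before it ever reaches the protocol-aware lookup. I cannot see the IdP templates from here, so either confirm both bindings render the same title or make it overridable alongside the form name, e.g. `Assert.assertEquals(getLoginFormTitle(), idpPage.getTitleText());`. The enclosing test method starts before and continues after this hunk.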
@@ -941,11 +937,19 @@ public abstract class AbstractTests {
DomNodeList<DomElement> results = idpPage2.getElementsByTagName("input");
for (DomElement result : results) {
- if ("wresult".equals(result.getAttributeNS(null, "name"))
- || "wa".equals(result.getAttributeNS(null, "name"))
- || "wctx".equals(result.getAttributeNS(null, "name"))) {
- String value = result.getAttributeNS(null, "value");
- request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null, "name"), value));
+ if (isWSFederation()) {
+ if ("wresult".equals(result.getAttributeNS(null, "name"))
+ || "wa".equals(result.getAttributeNS(null, "name"))
+ || "wctx".equals(result.getAttributeNS(null, "name"))) {
+ String value = result.getAttributeNS(null, "value");
+ request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null, "name"), value));
+ }
+ } else {
+ if ("SAMLResponse".equals(result.getAttributeNS(null, "name"))
+ || "RelayState".equals(result.getAttributeNS(null, "name"))) {
+ String value = result.getAttributeNS(null, "value");
+ request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null, "name"), value));
+ }
}
}
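Review bot: The new `isWSFederation()` branch duplicates the whole body of the loop, with the only difference being which parameter names are forwarded, and the attribute name is re-read up to three times per input element. Selecting the name list once and testing membership keeps the CSRF replay logic in a single place for both protocols and makes it obvious at a glance that only the SSO response parameters (and the context/RelayState value that the RP is expected to check) are copied into the forged request. The rewrite below assumes `java.util.Arrays`/`List` are already in scope in this test class, which I cannot see from the hunk; the surrounding `csrfAttackTest` method begins before and ends after this hunk.
```java
// Parameters the IdP's auto-submit form posts to the RP, per protocol; the
// CSRF test replays exactly these and nothing else.
List<String> ssoParams = isWSFederation()
    ? Arrays.asList("wresult", "wa", "wctx")
    : Arrays.asList("SAMLResponse", "RelayState");
for (DomElement result : results) {
    String name = result.getAttributeNS(null, "name");
    if (ssoParams.contains(name)) {
        request.getRequestParameters().add(new NameValuePair(name, result.getAttributeNS(null, "value")));
    }
}
```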
@@ -962,9 +966,6 @@ public abstract class AbstractTests {
@org.junit.Test
public void testCSRFAttack2() throws Exception {
- if (!isWSFederation()) {
- return;
- }
String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
csrfAttackTest2(url);
@@ -994,11 +995,19 @@ public abstract class AbstractTests {
DomNodeList<DomElement> results = idpPage2.getElementsByTagName("input");
for (DomElement result : results) {
- if ("wresult".equals(result.getAttributeNS(null, "name"))
- || "wa".equals(result.getAttributeNS(null, "name"))
- || "wctx".equals(result.getAttributeNS(null, "name"))) {
- String value = result.getAttributeNS(null, "value");
- request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null, "name"), value));
+ if (isWSFederation()) {
+ if ("wresult".equals(result.getAttributeNS(null, "name"))
+ || "wa".equals(result.getAttributeNS(null, "name"))
+ || "wctx".equals(result.getAttributeNS(null, "name"))) {
+ String value = result.getAttributeNS(null, "value");
+ request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null, "name"), value));
+ }
+ } else {
+ if ("SAMLResponse".equals(result.getAttributeNS(null, "name"))
+ || "RelayState".equals(result.getAttributeNS(null, "name"))) {
+ String value = result.getAttributeNS(null, "value");
+ request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null, "name"), value));
+ }
}
}
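Review bot: This loop is a verbatim copy of the one added to `csrfAttackTest` earlier in the same commit, so the protocol-specific parameter lists now live in two places and will drift the next time a parameter is added. Extracting it into a private helper that both CSRF tests call, e.g. `addIdpResponseParameters(idpPage2, request);` in place of the loop, removes the duplication and gives the behaviour a name. The helper below assumes `request` is an HtmlUnit `WebRequest` (its declaration is outside the hunk); the surrounding `csrfAttackTest2` method begins before and ends after this hunk.
```java
/** Copies the protocol-specific SSO response parameters from the IdP page's form into {@code request}. */
private void addIdpResponseParameters(HtmlPage idpPage, WebRequest request) {
    DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
    for (DomElement result : results) {
        String name = result.getAttributeNS(null, "name");
        boolean forward = isWSFederation()
            ? "wresult".equals(name) || "wa".equals(name) || "wctx".equals(name)
            : "SAMLResponse".equals(name) || "RelayState".equals(name);
        if (forward) {
            request.getRequestParameters().add(new NameValuePair(name, result.getAttributeNS(null, "value")));
        }
    }
}
```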
--