Posted to commits@cxf.apache.org by co...@apache.org on 2015/03/10 16:31:24 UTC
[1/2] cxf-fediz git commit: Fixing CXF plugin's exception mapping
Repository: cxf-fediz
Updated Branches:
refs/heads/master 3fa6aaef1 -> dd161ea29
Fixing CXF plugin's exception mapping
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/26267701
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/26267701
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/26267701
Branch: refs/heads/master
Commit: 26267701b1952c3d984af0c92106b9afc910bdfb
Parents: 3fa6aae
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Mar 10 15:25:20 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Mar 10 15:25:20 2015 +0000
----------------------------------------------------------------------
.../cxf/plugin/FedizRedirectBindingFilter.java | 182 +++++++++----------
1 file changed, 89 insertions(+), 93 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/26267701/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
----------------------------------------------------------------------
diff --git a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
index 7bc417e..e8ad7ea 100644
--- a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
+++ b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
@@ -18,9 +18,7 @@
*/
package org.apache.cxf.fediz.cxf.plugin;
-import java.io.IOException;
import java.io.InputStream;
-import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.security.cert.X509Certificate;
import java.util.Collections;
@@ -49,7 +47,6 @@ import org.apache.cxf.fediz.core.config.FederationProtocol;
import org.apache.cxf.fediz.core.config.FedizContext;
import org.apache.cxf.fediz.core.config.SAMLProtocol;
import org.apache.cxf.fediz.core.exception.ProcessingException;
-import org.apache.cxf.fediz.core.exception.ProcessingException.TYPE;
import org.apache.cxf.fediz.core.processor.FedizProcessor;
import org.apache.cxf.fediz.core.processor.FedizProcessorFactory;
import org.apache.cxf.fediz.core.processor.FedizRequest;
@@ -109,13 +106,13 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter {
} else if (checkSecurityContext(m)) {
return;
} else {
- try {
- if (isSignInRequired(fedConfig, params)) {
- // Unauthenticated -> redirect
- FedizProcessor processor =
- FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol());
+ if (isSignInRequired(fedConfig, params)) {
+ // Unauthenticated -> redirect
+ FedizProcessor processor =
+ FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol());
- HttpServletRequest request = messageContext.getHttpServletRequest();
+ HttpServletRequest request = messageContext.getHttpServletRequest();
+ try {
RedirectionResponse redirectionResponse =
processor.createSignInRequest(request, fedConfig);
String redirectURL = redirectionResponse.getRedirectionURL();
@@ -127,12 +124,12 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter {
response.header(headerName, headers.get(headerName));
}
}
-
+
// Save the RequestState
RequestState requestState = redirectionResponse.getRequestState();
if (requestState != null && requestState.getState() != null) {
getStateManager().setRequestState(requestState.getState(), requestState);
-
+
String contextCookie =
CookieUtils.createCookie(SECURITY_CONTEXT_STATE,
requestState.getState(),
@@ -141,92 +138,92 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter {
getStateTimeToLive());
response.header("Set-Cookie", contextCookie);
}
-
+
context.abortWith(response.build());
} else {
LOG.warn("Failed to create SignInRequest.");
throw ExceptionUtils.toInternalServerErrorException(null, null);
}
- } else if (isSignInRequest(fedConfig, params)) {
- String responseToken = getResponseToken(fedConfig, params);
- String state = getState(fedConfig, params);
-
- if (responseToken == null) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("SignIn request must contain a response token from the IdP");
- }
- throw ExceptionUtils.toBadRequestException(null, null);
- } else {
- // processSignInRequest
- if (LOG.isDebugEnabled()) {
- LOG.debug("Process SignIn request");
- LOG.debug("token=\n" + responseToken);
- }
+ } catch (Exception ex) {
+ LOG.debug(ex.getMessage(), ex);
+ throw ExceptionUtils.toInternalServerErrorException(ex, null);
+ }
+ } else if (isSignInRequest(fedConfig, params)) {
+ String responseToken = getResponseToken(fedConfig, params);
+ String state = getState(fedConfig, params);
+
+ if (responseToken == null) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("SignIn request must contain a response token from the IdP");
+ }
+ throw ExceptionUtils.toBadRequestException(null, null);
+ } else {
+ // processSignInRequest
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Process SignIn request");
+ LOG.debug("token=\n" + responseToken);
+ }
- FedizResponse wfRes =
- validateSignInRequest(fedConfig, params, responseToken, state);
-
- // Validate AudienceRestriction
- List<String> audienceURIs = fedConfig.getAudienceUris();
- HttpServletRequest request = messageContext.getHttpServletRequest();
- validateAudienceRestrictions(wfRes, audienceURIs, request);
+ FedizResponse wfRes =
+ validateSignInRequest(fedConfig, params, responseToken, state);
- // Set the security context
- String securityContextKey = UUID.randomUUID().toString();
-
- long currentTime = System.currentTimeMillis();
- Date notOnOrAfter = wfRes.getTokenExpires();
- long expiresAt = 0;
- if (notOnOrAfter != null) {
- expiresAt = notOnOrAfter.getTime();
- } else {
- expiresAt = currentTime + getStateTimeToLive();
- }
-
- String webAppDomain = getWebAppDomain();
- String token = DOM2Writer.nodeToString(wfRes.getToken());
- List<String> roles = wfRes.getRoles();
- if (roles == null || roles.size() == 0) {
- roles = Collections.singletonList("Authenticated");
- }
-
- String webAppContext = getWebAppContext(m);
-
- ResponseState responseState =
- new ResponseState(token,
- state,
- webAppContext,
- webAppDomain,
- currentTime,
- expiresAt);
- responseState.setClaims(wfRes.getClaims());
- responseState.setRoles(roles);
- responseState.setIssuer(wfRes.getIssuer());
- responseState.setSubject(wfRes.getUsername());
- getStateManager().setResponseState(securityContextKey, responseState);
-
- long stateTimeToLive = getStateTimeToLive();
- String contextCookie = CookieUtils.createCookie(SECURITY_CONTEXT_TOKEN,
- securityContextKey,
- webAppContext,
- webAppDomain,
- stateTimeToLive);
-
- // Redirect with cookie set
- ResponseBuilder response =
- Response.seeOther(new UriInfoImpl(m).getAbsolutePath());
- response.header("Set-Cookie", contextCookie);
+ // Validate AudienceRestriction
+ List<String> audienceURIs = fedConfig.getAudienceUris();
+ HttpServletRequest request = messageContext.getHttpServletRequest();
+ validateAudienceRestrictions(wfRes, audienceURIs, request);
- context.abortWith(response.build());
+ // Set the security context
+ String securityContextKey = UUID.randomUUID().toString();
+
+ long currentTime = System.currentTimeMillis();
+ Date notOnOrAfter = wfRes.getTokenExpires();
+ long expiresAt = 0;
+ if (notOnOrAfter != null) {
+ expiresAt = notOnOrAfter.getTime();
+ } else {
+ expiresAt = currentTime + getStateTimeToLive();
}
-
- } else {
- LOG.error("SignIn parameter is incorrect or not supported");
- throw ExceptionUtils.toBadRequestException(null, null);
+
+ String webAppDomain = getWebAppDomain();
+ String token = DOM2Writer.nodeToString(wfRes.getToken());
+ List<String> roles = wfRes.getRoles();
+ if (roles == null || roles.size() == 0) {
+ roles = Collections.singletonList("Authenticated");
+ }
+
+ String webAppContext = getWebAppContext(m);
+
+ ResponseState responseState =
+ new ResponseState(token,
+ state,
+ webAppContext,
+ webAppDomain,
+ currentTime,
+ expiresAt);
+ responseState.setClaims(wfRes.getClaims());
+ responseState.setRoles(roles);
+ responseState.setIssuer(wfRes.getIssuer());
+ responseState.setSubject(wfRes.getUsername());
+ getStateManager().setResponseState(securityContextKey, responseState);
+
+ long stateTimeToLive = getStateTimeToLive();
+ String contextCookie = CookieUtils.createCookie(SECURITY_CONTEXT_TOKEN,
+ securityContextKey,
+ webAppContext,
+ webAppDomain,
+ stateTimeToLive);
+
+ // Redirect with cookie set
+ ResponseBuilder response =
+ Response.seeOther(new UriInfoImpl(m).getAbsolutePath());
+ response.header("Set-Cookie", contextCookie);
+
+ context.abortWith(response.build());
}
- } catch (Exception ex) {
- LOG.debug(ex.getMessage(), ex);
- throw ExceptionUtils.toInternalServerErrorException(ex, null);
+
+ } else {
+ LOG.error("SignIn parameter is incorrect or not supported");
+ throw ExceptionUtils.toBadRequestException(null, null);
}
}
}
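Review bot: `LOG.debug("token=\n" + responseToken)` in the sign-in-response branch writes the complete IdP response token — the bearer assertion that the rest of the branch turns into a security context — into the application log in the clear whenever debug logging is on, so anyone with log access holds a signed credential that remains presentable for its validity window unless replay detection elsewhere catches it, which this hunk does not show. Logging a non-sensitive summary such as `LOG.debug("Process SignIn request, token length=" + responseToken.length());` keeps the diagnostic value, and if the raw token is genuinely needed it should sit behind trace level with a comment marking it as a credential. A side effect of the restructuring worth noting is that the `catch (Exception ex)` mapping to a 500 now covers only the sign-in-redirect branch, so any RuntimeException from validateSignInRequest or validateAudienceRestrictions leaves this filter unwrapped; that looks intended so that processing failures can map to 401/403, but it relies on an exception mapper not visible here. The enclosing filter method begins before this hunk.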
@@ -394,8 +391,7 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter {
return false;
}
- private String getResponseToken(FedizContext fedConfig, MultivaluedMap<String, String> params)
- throws IOException {
+ private String getResponseToken(FedizContext fedConfig, MultivaluedMap<String, String> params) {
if (params != null && fedConfig.getProtocol() instanceof FederationProtocol) {
return params.getFirst(FederationConstants.PARAM_RESULT);
} else if (params != null && fedConfig.getProtocol() instanceof SAMLProtocol) {
@@ -420,14 +416,14 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter {
MultivaluedMap<String, String> params,
String responseToken,
String state
- ) throws UnsupportedEncodingException, ProcessingException {
+ ) {
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(params.getFirst(FederationConstants.PARAM_ACTION));
wfReq.setResponseToken(responseToken);
if (state == null || state.getBytes().length <= 0) {
LOG.error("Invalid RelayState/WCTX");
- throw new ProcessingException(TYPE.INVALID_REQUEST);
+ throw ExceptionUtils.toBadRequestException(null, null);
}
wfReq.setState(state);
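Review bot: The empty-state guard `state.getBytes().length <= 0` encodes the string with the platform default charset just to test for emptiness; `if (state == null || state.isEmpty())` expresses the same check without the charset dependency (the removed UnsupportedEncodingException import suggests an explicitly encoded form once lived here). Converting the INVALID_REQUEST cases to `ExceptionUtils.toBadRequestException(null, null)` is a good choice from a disclosure standpoint: the client receives an undifferentiated 400 while the log still distinguishes the cause. validateSignInRequest's declaration begins before this hunk and its body continues after it.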
@@ -435,13 +431,13 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter {
if (wfReq.getRequestState() == null) {
LOG.error("Missing Request State");
- throw new ProcessingException(TYPE.INVALID_REQUEST);
+ throw ExceptionUtils.toBadRequestException(null, null);
}
if (CookieUtils.isStateExpired(wfReq.getRequestState().getCreatedAt(), 0,
getStateTimeToLive())) {
LOG.error("EXPIRED_REQUEST_STATE");
- throw new ProcessingException(TYPE.INVALID_REQUEST);
+ throw ExceptionUtils.toBadRequestException(null, null);
}
HttpServletRequest request = messageContext.getHttpServletRequest();
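Review bot: With validateSignInRequest no longer declaring ProcessingException and the filter's catch-all now confined to the sign-in-redirect branch, whatever the processor throws when a token fails signature or audience validation propagates out of this method without any mapping visible in this diff; the follow-up commit's test expects a 401 or 403 for a tampered token, so that mapping presumably lives in an exception mapper or in the part of the method below this hunk, and it is worth confirming it never falls through to a default 500 that carries exception text. Separately, nothing in this hunk removes the RequestState from the state manager once it has been consumed, so the same state value could be presented again until `getStateTimeToLive()` elapses unless that is handled further down; making the state one-time use by removing it from the state manager right after the expiry check would close that replay window. The method continues past the end of the hunk.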
[2/2] cxf-fediz git commit: Adding modified signature replay test
Posted by co...@apache.org.
Adding modified signature replay test
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/dd161ea2
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/dd161ea2
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/dd161ea2
Branch: refs/heads/master
Commit: dd161ea296dedd3028a0308d60ecdd50d44c6598
Parents: 2626770
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Mar 10 15:25:33 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Mar 10 15:25:33 2015 +0000
----------------------------------------------------------------------
.../fediz/integrationtests/AbstractTests.java | 55 ++++++++++++++++++++
1 file changed, 55 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/dd161ea2/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index 53e2e79..210afa3 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -26,12 +26,18 @@ import org.w3c.dom.Node;
import com.gargoylesoftware.htmlunit.CookieManager;
import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
import com.gargoylesoftware.htmlunit.WebClient;
+import com.gargoylesoftware.htmlunit.html.DomElement;
+import com.gargoylesoftware.htmlunit.html.DomNodeList;
+import com.gargoylesoftware.htmlunit.html.HtmlForm;
import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
import com.gargoylesoftware.htmlunit.xml.XmlPage;
import org.apache.cxf.fediz.core.ClaimTypes;
import org.apache.cxf.fediz.core.FederationConstants;
import org.apache.cxf.fediz.core.util.DOMUtils;
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.wss4j.dom.WSSConfig;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.signature.XMLSignature;
@@ -439,4 +445,53 @@ public abstract class AbstractTests {
Assert.assertEquals(401, idpPage.getWebResponse().getStatusCode());
}
+
+ @org.junit.Test
+ public void testAliceModifiedSignature() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
+ String user = "alice";
+ String password = "ecila";
+
+ // Get the initial token
+ CookieManager cookieManager = new CookieManager();
+ final WebClient webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ final HtmlPage idpPage = webClient.getPage(url);
+ webClient.getOptions().setJavaScriptEnabled(true);
+ Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+ // Parse the form to get the token (wresult)
+ DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
+
+ for (DomElement result : results) {
+ if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+ // Now modify the Signature
+ String value = result.getAttributeNS(null, "value");
+ value = value.replace("alice", "bob");
+ result.setAttributeNS(null, "value", value);
+ }
+ }
+
+ // Invoke back on the RP
+
+ final HtmlForm form = idpPage.getFormByName("signinresponseform");
+ final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
+
+ try {
+ button.click();
+ Assert.fail("Failure expected on a modified signature");
+ } catch (FailingHttpStatusCodeException ex) {
+ // expected
+ Assert.assertTrue(ex.getMessage().contains("401 Unauthorized")
+ || ex.getMessage().contains("401 Authentication Failed")
+ || ex.getMessage().contains("403 Forbidden"));
+ }
+
+ }
}
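Review bot: The expected-failure check reads the status out of the exception message (`ex.getMessage().contains("401 Unauthorized") || …`), which couples the test to HtmlUnit's message wording; `FailingHttpStatusCodeException` exposes the code directly, so `int status = ex.getStatusCode(); Assert.assertTrue(status == 401 || status == 403);` is shorter and more robust. The comment `// Now modify the Signature` is also slightly misleading: the loop rewrites the signed content (every "alice" in wresult becomes "bob") and leaves the Signature element intact so that it no longer verifies — `// Tamper with the signed token content so the IdP signature no longer verifies` describes what is actually exercised. The replace is only effective if the wresult value carries the token as plain XML rather than an encoded form, which the test does not assert; an `Assert.assertNotEquals(original, value)` after the replace would make a silent no-op visible rather than letting the test pass for the wrong reason.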