You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2017/10/06 16:19:09 UTC
[cxf-fediz] branch 1.3.x-fixes updated: Some improvements to the
Spring plugins
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 1.3.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
The following commit(s) were added to refs/heads/1.3.x-fixes by this push:
new 48dd9b6 Some improvements to the Spring plugins
48dd9b6 is described below
commit 48dd9b68d67c6b729376c1ce8886f52a57df6c45
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Oct 6 16:16:19 2017 +0100
Some improvements to the Spring plugins
---
.../spring/web/FederationAuthenticationFilter.java | 19 +++++---
.../cxf/fediz/integrationtests/SpringTest.java | 8 ++++
.../cxf/fediz/integrationtests/AbstractTests.java | 52 ++++++++++++++++++++++
.../webapp/WEB-INF/applicationContext-security.xml | 1 +
4 files changed, 73 insertions(+), 7 deletions(-)
diff --git a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
index 3f172e5..f20c618 100644
--- a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
+++ b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
@@ -128,14 +128,19 @@ public class FederationAuthenticationFilter extends AbstractAuthenticationProces
private void verifySavedState(HttpServletRequest request) {
HttpSession session = request.getSession(false);
- if (session != null) {
- String savedContext = (String)session.getAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
- String state = getState(request);
- if (savedContext != null && !savedContext.equals(state)) {
- logger.warn("The received state does not match the state saved in the context");
- throw new BadCredentialsException("The received state does not match the state saved in the context");
- }
+
+ if (session == null) {
+ logger.warn("The received state does not match the state saved in the context");
+ throw new BadCredentialsException("The received state does not match the state saved in the context");
+ }
+
+ String savedContext = (String)session.getAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
+ String state = getState(request);
+ if (savedContext == null || !savedContext.equals(state)) {
+ logger.warn("The received state does not match the state saved in the context");
+ throw new BadCredentialsException("The received state does not match the state saved in the context");
}
+ session.removeAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
}
/**
diff --git a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java
index 93b4201..44580a6 100644
--- a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java
+++ b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java
@@ -157,4 +157,12 @@ public class SpringTest extends AbstractTests {
+ "/j_spring_fediz_security_check";
csrfAttackTest(url);
}
+
+ @Override
+ @org.junit.Test
+ public void testCSRFAttack2() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ + "/j_spring_fediz_security_check";
+ csrfAttackTest2(url);
+ }
}
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index d33e212..907d134 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -803,4 +803,56 @@ public abstract class AbstractTests {
}
+ @org.junit.Test
+ public void testCSRFAttack2() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+ csrfAttackTest2(url);
+ }
+
+ protected void csrfAttackTest2(String rpURL) throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+
+ // 1. Log in as "bob" using another WebClient
+ WebClient webClient2 = new WebClient();
+ webClient2.getOptions().setUseInsecureSSL(true);
+ webClient2.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials("bob", "bob"));
+
+ webClient2.getOptions().setJavaScriptEnabled(false);
+ final HtmlPage idpPage2 = webClient2.getPage(url);
+ webClient2.getOptions().setJavaScriptEnabled(true);
+ Assert.assertEquals("IDP SignIn Response Form", idpPage2.getTitleText());
+
+ // 2. Now instead of clicking on the form, send the form via alice's WebClient instead
+
+ // Send with context...
+ WebRequest request = new WebRequest(new URL(rpURL), HttpMethod.POST);
+ request.setRequestParameters(new ArrayList<NameValuePair>());
+
+ DomNodeList<DomElement> results = idpPage2.getElementsByTagName("input");
+
+ for (DomElement result : results) {
+ if ("wresult".equals(result.getAttributeNS(null, "name"))
+ || "wa".equals(result.getAttributeNS(null, "name"))
+ || "wctx".equals(result.getAttributeNS(null, "name"))) {
+ String value = result.getAttributeNS(null, "value");
+ request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null, "name"), value));
+ }
+ }
+
+ WebClient webClient = new WebClient();
+ webClient.getOptions().setUseInsecureSSL(true);
+
+ try {
+ webClient.getPage(request);
+ Assert.fail("Failure expected on a CSRF attack");
+ } catch (FailingHttpStatusCodeException ex) {
+ // expected
+ }
+
+ // webClient.close();
+ // webClient2.close();
+
+ }
}
diff --git a/systests/webapps/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml b/systests/webapps/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml
index 2f5a518..b3dbe82 100644
--- a/systests/webapps/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml
+++ b/systests/webapps/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml
@@ -37,6 +37,7 @@ http://www.springframework.org/schema/context http://www.springframework.org/sch
<sec:intercept-url pattern="/index.html" access="permitAll"/>
<sec:intercept-url pattern="/FederationMetadata/**" access="isAuthenticated()"/>
<sec:intercept-url pattern="/secure/fedservlet" access="isAuthenticated()"/>
+ <sec:intercept-url pattern="/secure/test.html" access="isAuthenticated()"/>
<sec:intercept-url pattern="/secure/manager/**" access="hasRole('ROLE_MANAGER')"/>
<sec:intercept-url pattern="/secure/admin/**" access="hasRole('ROLE_ADMIN')"/>
<sec:intercept-url pattern="/secure/user/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN','ROLE_MANAGER')"/>
--
To stop receiving notification emails like this one, please contact
['"commits@cxf.apache.org" <co...@cxf.apache.org>'].