Posted to commits@cxf.apache.org by co...@apache.org on 2016/12/20 10:57:29 UTC
[1/4] cxf-fediz git commit: Minor change to Spring plugins
Repository: cxf-fediz
Updated Branches:
refs/heads/master 84856d7a6 -> b94137a45
Minor change to Spring plugins
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/811da0cb
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/811da0cb
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/811da0cb
Branch: refs/heads/master
Commit: 811da0cbd9f67c9a01a905c84852e817512306fd
Parents: 84856d7
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Dec 20 09:33:22 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Dec 20 09:33:22 2016 +0000
----------------------------------------------------------------------
.../cxf/fediz/spring/web/FederationAuthenticationFilter.java | 2 +-
.../cxf/fediz/spring/web/FederationAuthenticationFilter.java | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/811da0cb/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
index c18d238..3f172e5 100644
--- a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
+++ b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
@@ -69,7 +69,7 @@ public class FederationAuthenticationFilter extends AbstractAuthenticationProces
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(wa);
wfReq.setResponseToken(responseToken);
- wfReq.setState(request.getParameter(SAMLSSOConstants.RELAY_STATE));
+ wfReq.setState(getState(request));
wfReq.setRequest(request);
X509Certificate certs[] =
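Review bot: The removed line was the only visible use of `SAMLSSOConstants.RELAY_STATE` in this hunk, so the `SAMLSSOConstants` import in this file is probably unused now unless another reference remains outside the hunk; it is worth checking, since an unused import may trip checkstyle if the build flags them. The new `getState(request)` helper is not part of the hunk, so which request parameter it reads (the WS-Federation `wctx` or the SAML `RelayState`) cannot be reviewed here; a one-line Javadoc on the helper stating which parameter it selects and when would make the intent clear to the next reader. The same applies to the identical spring2 hunk below. The enclosing method starts and ends outside the hunk.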
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/811da0cb/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
index 6011c37..154aab1 100644
--- a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
+++ b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
@@ -118,7 +118,7 @@ public class FederationAuthenticationFilter extends AbstractProcessingFilter {
FedizRequest wfReq = new FedizRequest();
wfReq.setAction(wa);
wfReq.setResponseToken(responseToken);
- wfReq.setState(request.getParameter(SAMLSSOConstants.RELAY_STATE));
+ wfReq.setState(getState(request));
wfReq.setRequest(request);
X509Certificate certs[] =
[2/4] cxf-fediz git commit: Fixing CSRF test
Posted by co...@apache.org.
Fixing CSRF test
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/a6f7a69a
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/a6f7a69a
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/a6f7a69a
Branch: refs/heads/master
Commit: a6f7a69a457d7459ce65d09592a82c0d8d8aedc8
Parents: 811da0c
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Dec 20 10:20:59 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Dec 20 10:20:59 2016 +0000
----------------------------------------------------------------------
.../org/apache/cxf/fediz/integrationtests/AbstractTests.java | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a6f7a69a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index 5908db8..c4e76eb 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -794,10 +794,7 @@ public abstract class AbstractTests {
}
try {
- HtmlPage rpPage2 = webClient.getPage(request);
- String bodyTextContent = rpPage2.getBody().getTextContent();
- Assert.assertTrue("Principal not " + user,
- bodyTextContent.contains("userPrincipal=" + user));
+ webClient.getPage(request);
Assert.fail("Failure expected on a CSRF attack");
} catch (FailingHttpStatusCodeException ex) {
// expected
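Review bot: The `catch (FailingHttpStatusCodeException ex)` block at the end of the hunk only carries `// expected` and does not check which status came back, so the test also passes when the RP answers with an unrelated failure such as a 500 rather than the 403 the plugins send on a context mismatch. Pinning the code makes the test prove what its name claims: `Assert.assertEquals(403, ex.getStatusCode());`. The catch body continues outside the hunk, so this may already be asserted there; if so, disregard.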
[4/4] cxf-fediz git commit: Save the context from the sign in request
Posted by co...@apache.org.
Save the context from the sign in request
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/b94137a4
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/b94137a4
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/b94137a4
Branch: refs/heads/master
Commit: b94137a4592d7f8fdfa015af9241df5b749153bd
Parents: 24d993e
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Dec 20 10:41:17 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Dec 20 10:41:17 2016 +0000
----------------------------------------------------------------------
.../fediz/jetty8/FederationAuthenticator.java | 27 ++++++++++++++++----
.../fediz/jetty9/FederationAuthenticator.java | 27 ++++++++++++++++----
2 files changed, 44 insertions(+), 10 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/b94137a4/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationAuthenticator.java
----------------------------------------------------------------------
diff --git a/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationAuthenticator.java b/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationAuthenticator.java
index dfeab1d..56656a0 100644
--- a/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationAuthenticator.java
+++ b/plugins/jetty8/src/main/java/org/apache/cxf/fediz/jetty8/FederationAuthenticator.java
@@ -84,6 +84,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
public static final String J_URI = "org.eclipse.jetty.security.form_URI";
public static final String J_POST = "org.eclipse.jetty.security.form_POST";
+ public static final String J_CONTEXT = "org.eclipse.jetty.security.form_CONTEXT";
private static final Logger LOG = Log.getLogger(FederationAuthenticator.class);
@@ -222,13 +223,19 @@ public class FederationAuthenticator extends LoginAuthenticator {
{
session=renewSession(request,response);
- FederationUserIdentity fui = (FederationUserIdentity)user;
- session.setAttribute(SECURITY_TOKEN_ATTR, fui.getToken());
-
// Redirect to original request
String nuri;
synchronized(session)
{
+ // Check the context
+ String savedContext = (String) session.getAttribute(J_CONTEXT);
+ String receivedContext = request.getParameter(FederationConstants.PARAM_CONTEXT);
+ if (savedContext == null || !savedContext.equals(receivedContext)) {
+ LOG.warn("The received wctx parameter does not match the saved value");
+ response.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return Authentication.UNAUTHENTICATED;
+ }
+
nuri = (String) session.getAttribute(J_URI);
if (nuri == null || nuri.length() == 0)
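Review bot: The saved `J_CONTEXT` value is compared against the received `wctx` but never removed, so after a successful check (and on the forbidden path) the attribute stays in the session and the same context value remains acceptable for a later sign-in response in that session; a one-time-use value is the usual expectation for this kind of check, so unless something further down the method still reads it, add `session.removeAttribute(J_CONTEXT);` right after the `if` block, which is still inside `synchronized(session)`. Consider also replacing `equals` with a constant-time comparison so the check does not leak match length through timing, e.g. `if (savedContext == null || receivedContext == null || !MessageDigest.isEqual(savedContext.getBytes(StandardCharsets.UTF_8), receivedContext.getBytes(StandardCharsets.UTF_8)))`, keeping the explicit null guards since `getBytes` cannot take a null. The same applies to the identical hunk in the jetty9 FederationAuthenticator below. The enclosing method starts and ends outside the hunk.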
@@ -241,6 +248,10 @@ public class FederationAuthenticator extends LoginAuthenticator {
Authentication cached=new SessionAuthentication(getAuthMethod(), user, wfRes);
session.setAttribute(SessionAuthentication.__J_AUTHENTICATED, cached);
}
+
+ FederationUserIdentity fui = (FederationUserIdentity)user;
+ session.setAttribute(SECURITY_TOKEN_ATTR, fui.getToken());
+
response.setContentLength(0);
response.sendRedirect(response.encodeRedirectURL(nuri));
@@ -253,6 +264,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
}
if (response != null) {
response.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return Authentication.UNAUTHENTICATED;
}
}
@@ -369,7 +381,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
FedizProcessor wfProc =
FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol());
- signInRedirectToIssuer(request, response, wfProc);
+ signInRedirectToIssuer(request, response, wfProc, session);
return Authentication.SEND_CONTINUE;
@@ -445,12 +457,13 @@ public class FederationAuthenticator extends LoginAuthenticator {
* Response we are populating
* @param processor
* FederationProcessor
+ * @param session The HTTPSession
* @throws IOException
* If the forward to the login page fails and the call to
* {@link HttpServletResponse#sendError(int, String)} throws an
* {@link IOException}
*/
- protected void signInRedirectToIssuer(HttpServletRequest request, HttpServletResponse response, FedizProcessor processor)
+ protected void signInRedirectToIssuer(HttpServletRequest request, HttpServletResponse response, FedizProcessor processor, HttpSession session)
throws IOException {
//Not supported in jetty 7.6
@@ -471,6 +484,10 @@ public class FederationAuthenticator extends LoginAuthenticator {
}
}
+ synchronized(session) {
+ session.setAttribute(J_CONTEXT, redirectionResponse.getRequestState().getState());
+ }
+
response.sendRedirect(redirectURL);
} else {
LOG.warn("Failed to create SignInRequest.");
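Review bot: `redirectionResponse.getRequestState().getState()` is dereferenced without a null check inside `synchronized(session)`; if the processor can produce a redirection response without request state (its contract is not in the hunk), this throws a NullPointerException instead of reaching the `LOG.warn("Failed to create SignInRequest.")` path the method already has, so a guard such as `if (redirectionResponse.getRequestState() != null)` around the attribute store, or an explicit warn-and-forbid, is worth adding. The method now dereferences `session` unconditionally, so the caller changed in the `signInRedirectToIssuer(request, response, wfProc, session)` hunk above must guarantee a non-null session, which that hunk does not show. Note too that the stored value is the protocol-neutral `getState()` while the check in the response path reads only `FederationConstants.PARAM_CONTEXT` (`wctx`); if this plugin is also used with SAML SSO, where the state returns as `RelayState`, every response would be rejected — presumably the reason the Spring plugins in commit 811da0cb read the state through a `getState(request)` helper. The same points apply to the matching jetty9 hunk below; the enclosing method continues outside the hunk.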
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/b94137a4/plugins/jetty9/src/main/java/org/apache/cxf/fediz/jetty9/FederationAuthenticator.java
----------------------------------------------------------------------
diff --git a/plugins/jetty9/src/main/java/org/apache/cxf/fediz/jetty9/FederationAuthenticator.java b/plugins/jetty9/src/main/java/org/apache/cxf/fediz/jetty9/FederationAuthenticator.java
index 7205e44..e845b08 100644
--- a/plugins/jetty9/src/main/java/org/apache/cxf/fediz/jetty9/FederationAuthenticator.java
+++ b/plugins/jetty9/src/main/java/org/apache/cxf/fediz/jetty9/FederationAuthenticator.java
@@ -83,6 +83,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
public static final String J_URI = "org.eclipse.jetty.security.form_URI";
public static final String J_POST = "org.eclipse.jetty.security.form_POST";
+ public static final String J_CONTEXT = "org.eclipse.jetty.security.form_CONTEXT";
private static final Logger LOG = Log.getLogger(FederationAuthenticator.class);
@@ -221,13 +222,19 @@ public class FederationAuthenticator extends LoginAuthenticator {
{
session=renewSession(request,response);
- FederationUserIdentity fui = (FederationUserIdentity)user;
- session.setAttribute(SECURITY_TOKEN_ATTR, fui.getToken());
-
// Redirect to original request
String nuri;
synchronized(session)
{
+ // Check the context
+ String savedContext = (String) session.getAttribute(J_CONTEXT);
+ String receivedContext = request.getParameter(FederationConstants.PARAM_CONTEXT);
+ if (savedContext == null || !savedContext.equals(receivedContext)) {
+ LOG.warn("The received wctx parameter does not match the saved value");
+ response.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return Authentication.UNAUTHENTICATED;
+ }
+
nuri = (String) session.getAttribute(J_URI);
if (nuri == null || nuri.length() == 0)
@@ -240,6 +247,10 @@ public class FederationAuthenticator extends LoginAuthenticator {
Authentication cached=new SessionAuthentication(getAuthMethod(), user, wfRes);
session.setAttribute(SessionAuthentication.__J_AUTHENTICATED, cached);
}
+
+ FederationUserIdentity fui = (FederationUserIdentity)user;
+ session.setAttribute(SECURITY_TOKEN_ATTR, fui.getToken());
+
response.setContentLength(0);
response.sendRedirect(response.encodeRedirectURL(nuri));
@@ -252,6 +263,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
}
if (response != null) {
response.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return Authentication.UNAUTHENTICATED;
}
}
@@ -371,7 +383,7 @@ public class FederationAuthenticator extends LoginAuthenticator {
FedizProcessor wfProc =
FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol());
- signInRedirectToIssuer(request, response, wfProc);
+ signInRedirectToIssuer(request, response, wfProc, session);
return Authentication.SEND_CONTINUE;
@@ -447,12 +459,13 @@ public class FederationAuthenticator extends LoginAuthenticator {
* Response we are populating
* @param processor
* FederationProcessor
+ * @param session The HTTPSession
* @throws IOException
* If the forward to the login page fails and the call to
* {@link HttpServletResponse#sendError(int, String)} throws an
* {@link IOException}
*/
- protected void signInRedirectToIssuer(HttpServletRequest request, HttpServletResponse response, FedizProcessor processor)
+ protected void signInRedirectToIssuer(HttpServletRequest request, HttpServletResponse response, FedizProcessor processor, HttpSession session)
throws IOException {
//Not supported in jetty 7.6
@@ -473,6 +486,10 @@ public class FederationAuthenticator extends LoginAuthenticator {
}
}
+ synchronized(session) {
+ session.setAttribute(J_CONTEXT, redirectionResponse.getRequestState().getState());
+ }
+
response.sendRedirect(redirectURL);
} else {
LOG.warn("Failed to create SignInRequest.");
[3/4] cxf-fediz git commit: Enabling CSRF test
Posted by co...@apache.org.
Enabling CSRF test
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/24d993e2
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/24d993e2
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/24d993e2
Branch: refs/heads/master
Commit: 24d993e22513109f6d69c177e6e11d9171746c54
Parents: a6f7a69
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Dec 20 10:29:07 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Dec 20 10:29:07 2016 +0000
----------------------------------------------------------------------
.../java/org/apache/cxf/fediz/integrationtests/AbstractTests.java | 1 -
1 file changed, 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/24d993e2/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index c4e76eb..d33e212 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -733,7 +733,6 @@ public abstract class AbstractTests {
}
@org.junit.Test
- @org.junit.Ignore
public void testCSRFAttack() throws Exception {
String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
csrfAttackTest(url);