You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2015/03/10 16:31:25 UTC
[2/2] cxf-fediz git commit: Adding modified signature replay test

Adding modified signature replay test


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/dd161ea2
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/dd161ea2
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/dd161ea2

Branch: refs/heads/master
Commit: dd161ea296dedd3028a0308d60ecdd50d44c6598
Parents: 2626770
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Mar 10 15:25:33 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Mar 10 15:25:33 2015 +0000

----------------------------------------------------------------------
 .../fediz/integrationtests/AbstractTests.java   | 55 ++++++++++++++++++++
 1 file changed, 55 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/dd161ea2/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index 53e2e79..210afa3 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -26,12 +26,18 @@ import org.w3c.dom.Node;
 import com.gargoylesoftware.htmlunit.CookieManager;
 import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
 import com.gargoylesoftware.htmlunit.WebClient;
+import com.gargoylesoftware.htmlunit.html.DomElement;
+import com.gargoylesoftware.htmlunit.html.DomNodeList;
+import com.gargoylesoftware.htmlunit.html.HtmlForm;
 import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
 import com.gargoylesoftware.htmlunit.xml.XmlPage;
 
 import org.apache.cxf.fediz.core.ClaimTypes;
 import org.apache.cxf.fediz.core.FederationConstants;
 import org.apache.cxf.fediz.core.util.DOMUtils;
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.UsernamePasswordCredentials;
 import org.apache.wss4j.dom.WSSConfig;
 import org.apache.xml.security.keys.KeyInfo;
 import org.apache.xml.security.signature.XMLSignature;
@@ -439,4 +445,53 @@ public abstract class AbstractTests {
 
         Assert.assertEquals(401, idpPage.getWebResponse().getStatusCode());
     }
+    
+    @org.junit.Test
+    public void testAliceModifiedSignature() throws Exception {
+        String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
+        String user = "alice";
+        String password = "ecila";
+        
+        // Get the initial token
+        CookieManager cookieManager = new CookieManager();
+        final WebClient webClient = new WebClient();
+        webClient.setCookieManager(cookieManager);
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getCredentialsProvider().setCredentials(
+            new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+            new UsernamePasswordCredentials(user, password));
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+        final HtmlPage idpPage = webClient.getPage(url);
+        webClient.getOptions().setJavaScriptEnabled(true);
+        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+        // Parse the form to get the token (wresult)
+        DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
+
+        for (DomElement result : results) {
+            if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+                // Now modify the Signature
+                String value = result.getAttributeNS(null, "value");
+                value = value.replace("alice", "bob");
+                result.setAttributeNS(null, "value", value);
+            }
+        }
+        
+        // Invoke back on the RP
+        
+        final HtmlForm form = idpPage.getFormByName("signinresponseform");
+        final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
+
+        try {
+            button.click();
+            Assert.fail("Failure expected on a modified signature");
+        } catch (FailingHttpStatusCodeException ex) {
+            // expected
+            Assert.assertTrue(ex.getMessage().contains("401 Unauthorized")
+                              || ex.getMessage().contains("401 Authentication Failed")
+                              || ex.getMessage().contains("403 Forbidden"));
+        }
+
+    }
 }