You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2016/01/22 16:49:06 UTC
[1/2] cxf-fediz git commit: More work on URI validation in OIDC
Repository: cxf-fediz
Updated Branches:
refs/heads/master 6a8e7a72a -> 14978697c
More work on URI validation in OIDC
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/14978697
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/14978697
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/14978697
Branch: refs/heads/master
Commit: 14978697c3f43d22b7ea076070192666ea2859ec
Parents: a9e8f8e
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jan 22 15:48:31 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jan 22 15:49:01 2016 +0000
----------------------------------------------------------------------
.../service/oidc/ClientRegistrationService.java | 42 ++++++--
.../webapp/WEB-INF/views/registerClient.jsp | 4 +-
.../cxf/fediz/systests/oidc/OIDCTest.java | 107 ++++++++++++++++++-
3 files changed, 142 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/14978697/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/ClientRegistrationService.java
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/ClientRegistrationService.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/ClientRegistrationService.java
index df01e41..9f8bf76 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/ClientRegistrationService.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/ClientRegistrationService.java
@@ -20,6 +20,7 @@
package org.apache.cxf.fediz.service.oidc;
import java.net.URI;
+import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
@@ -206,12 +207,11 @@ public class ClientRegistrationService {
if (!("confidential".equals(appType) || "public".equals(appType))) {
throw new InvalidRegistrationException("An invalid client type was specified: " + appType);
}
- if (redirectURI != null) {
- String[] schemes = {"https"};
- UrlValidator urlValidator = new UrlValidator(schemes, UrlValidator.ALLOW_LOCAL_URLS);
- if (!urlValidator.isValid(redirectURI)) {
- throw new InvalidRegistrationException("An invalid redirect URI was specified: " + redirectURI);
- }
+ if (redirectURI != null && !"".equals(redirectURI) && !isValidURI(redirectURI, false)) {
+ throw new InvalidRegistrationException("An invalid redirect URI was specified: " + redirectURI);
+ }
+ if (audience != null && !"".equals(audience) && !isValidURI(audience, true)) {
+ throw new InvalidRegistrationException("An invalid audience URI was specified: " + audience);
}
String clientId = generateClientId();
@@ -250,6 +250,36 @@ public class ClientRegistrationService {
return registerNewClient(newClient);
}
+
+ private boolean isValidURI(String uri, boolean requireHttps) {
+
+ UrlValidator urlValidator = null;
+
+ if (requireHttps) {
+ String[] schemes = {"https"};
+ urlValidator = new UrlValidator(schemes, UrlValidator.ALLOW_LOCAL_URLS);
+ } else {
+ urlValidator = new UrlValidator(UrlValidator.ALLOW_LOCAL_URLS
+ + UrlValidator.ALLOW_ALL_SCHEMES);
+ }
+
+ if (!urlValidator.isValid(uri)) {
+ return false;
+ }
+
+ // Do additional checks on the URI
+ try {
+ URI parsedURI = new URI(uri);
+ // The URI can't have a fragment according to the OAuth 2.0 spec (+ audience spec)
+ if (parsedURI.getFragment() != null) {
+ return false;
+ }
+ } catch (URISyntaxException ex) {
+ return false;
+ }
+
+ return true;
+ }
protected String generateClientId() {
return Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(10));
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/14978697/services/oidc/src/main/webapp/WEB-INF/views/registerClient.jsp
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/views/registerClient.jsp b/services/oidc/src/main/webapp/WEB-INF/views/registerClient.jsp
index 5530991..9b56414 100644
--- a/services/oidc/src/main/webapp/WEB-INF/views/registerClient.jsp
+++ b/services/oidc/src/main/webapp/WEB-INF/views/registerClient.jsp
@@ -79,13 +79,13 @@ input, select, button {
</select>
</div>
<div class="form-line">
- <label for="client_redirectURI" id="label_redirect" class="form-label"> Redirect URL </label>
+ <label for="client_redirectURI" id="label_redirect" class="form-label"> Redirect URI </label>
<input type="text" value="" size="40" name="client_redirectURI"
placeholder="URL of the client to consume OIDC service response"
id="input_6" data-type="input-textbox" />
</div>
<div class="form-line">
- <label for="client_audience" id="label_redirect" class="form-label"> Audience URL </label>
+ <label for="client_audience" id="label_audience" class="form-label"> Audience URL </label>
<input type="text" value="" size="40" name="client_audience"
placeholder="URL of the server the tokens will be restricted to"
id="input_7" data-type="input-textbox" />
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/14978697/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/OIDCTest.java
----------------------------------------------------------------------
diff --git a/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/OIDCTest.java b/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/OIDCTest.java
index 3c2aed3..fe21b64 100644
--- a/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/OIDCTest.java
+++ b/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/OIDCTest.java
@@ -231,7 +231,8 @@ public class OIDCTest {
// Now try to register a new client
HtmlPage registeredClientPage =
- registerNewClient(webClient, url, "new-client", "https://127.0.0.1");
+ registerNewClient(webClient, url, "new-client", "https://127.0.0.1",
+ "https://cxf.apache.org");
String registeredClientPageBody = registeredClientPage.getBody().getTextContent();
Assert.assertTrue(registeredClientPageBody.contains("Registered Clients"));
Assert.assertTrue(registeredClientPageBody.contains("new-client"));
@@ -243,7 +244,8 @@ public class OIDCTest {
// Try to register another new client
registeredClientPage =
- registerNewClient(webClient, url, "new-client2", "https://127.0.1.1");
+ registerNewClient(webClient, url, "new-client2", "https://127.0.1.1",
+ "https://ws.apache.org");
registeredClientPageBody = registeredClientPage.getBody().getTextContent();
Assert.assertTrue(registeredClientPageBody.contains("Registered Clients"));
Assert.assertTrue(registeredClientPageBody.contains("new-client"));
@@ -262,7 +264,8 @@ public class OIDCTest {
}
private static HtmlPage registerNewClient(WebClient webClient, String url,
- String clientName, String redirectURI) throws Exception {
+ String clientName, String redirectURI,
+ String clientAudience) throws Exception {
HtmlPage registerPage = webClient.getPage(url + "/register");
final HtmlForm form = registerPage.getForms().get(0);
@@ -274,6 +277,8 @@ public class OIDCTest {
clientTypeSelect.setSelectedAttribute("confidential", true);
final HtmlTextInput redirectURIInput = form.getInputByName("client_redirectURI");
redirectURIInput.setValueAttribute(redirectURI);
+ final HtmlTextInput clientAudienceURIInput = form.getInputByName("client_audience");
+ clientAudienceURIInput.setValueAttribute(clientAudience);
final HtmlButton button = form.getButtonByName("submit_button");
return button.click();
@@ -510,6 +515,102 @@ public class OIDCTest {
webClient.close();
}
+ @org.junit.Test
+ public void testCreateClientWithInvalidRegistrationURI() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/fediz-oidc/clients";
+ String user = "alice";
+ String password = "ecila";
+
+ // Login to the client page successfully
+ WebClient webClient = setupWebClient(user, password, getIdpHttpsPort());
+ HtmlPage loginPage = login(url, webClient);
+ final String bodyTextContent = loginPage.getBody().getTextContent();
+ Assert.assertTrue(bodyTextContent.contains("Registered Clients"));
+
+ // Now try to register a new client
+ try {
+ registerNewClient(webClient, url, "asfxyz", "https://127.0.0.1//",
+ "https://cxf.apache.org");
+ Assert.fail("Failure expected on an invalid registration URI");
+ } catch (Exception ex) {
+ // expected
+ }
+
+ webClient.close();
+ }
+
+ @org.junit.Test
+ public void testCreateClientWithRegistrationURIFragment() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/fediz-oidc/clients";
+ String user = "alice";
+ String password = "ecila";
+
+ // Login to the client page successfully
+ WebClient webClient = setupWebClient(user, password, getIdpHttpsPort());
+ HtmlPage loginPage = login(url, webClient);
+ final String bodyTextContent = loginPage.getBody().getTextContent();
+ Assert.assertTrue(bodyTextContent.contains("Registered Clients"));
+
+ // Now try to register a new client
+ try {
+ registerNewClient(webClient, url, "asfxyz", "https://127.0.0.1#fragment",
+ "https://cxf.apache.org");
+ Assert.fail("Failure expected on an invalid registration URI");
+ } catch (Exception ex) {
+ // expected
+ }
+
+ webClient.close();
+ }
+
+ @org.junit.Test
+ public void testCreateClientWithInvalidAudienceURI() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/fediz-oidc/clients";
+ String user = "alice";
+ String password = "ecila";
+
+ // Login to the client page successfully
+ WebClient webClient = setupWebClient(user, password, getIdpHttpsPort());
+ HtmlPage loginPage = login(url, webClient);
+ final String bodyTextContent = loginPage.getBody().getTextContent();
+ Assert.assertTrue(bodyTextContent.contains("Registered Clients"));
+
+ // Now try to register a new client
+ try {
+ registerNewClient(webClient, url, "asfxyz", "https://127.0.0.1/",
+ "https://cxf.apache.org//");
+ Assert.fail("Failure expected on an invalid audience URI");
+ } catch (Exception ex) {
+ // expected
+ }
+
+ webClient.close();
+ }
+
+ @org.junit.Test
+ public void testCreateClientWithAudienceURIFragment() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/fediz-oidc/clients";
+ String user = "alice";
+ String password = "ecila";
+
+ // Login to the client page successfully
+ WebClient webClient = setupWebClient(user, password, getIdpHttpsPort());
+ HtmlPage loginPage = login(url, webClient);
+ final String bodyTextContent = loginPage.getBody().getTextContent();
+ Assert.assertTrue(bodyTextContent.contains("Registered Clients"));
+
+ // Now try to register a new client
+ try {
+ registerNewClient(webClient, url, "asfxyz", "https://127.0.0.1",
+ "https://cxf.apache.org#fragment");
+ Assert.fail("Failure expected on an invalid audience URI");
+ } catch (Exception ex) {
+ // expected
+ }
+
+ webClient.close();
+ }
+
private static WebClient setupWebClient(String user, String password, String idpPort) {
final WebClient webClient = new WebClient();
webClient.getOptions().setUseInsecureSSL(true);
[2/2] cxf-fediz git commit: Loosen the scheme restriction for the IdP
Posted by co...@apache.org.
Loosen the scheme restriction for the IdP
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/a9e8f8e5
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/a9e8f8e5
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/a9e8f8e5
Branch: refs/heads/master
Commit: a9e8f8e53ae8cbeb72dc46db965cd543066341d6
Parents: 6a8e7a7
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jan 22 13:58:14 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jan 22 15:49:01 2016 +0000
----------------------------------------------------------------------
.../org/apache/cxf/fediz/service/idp/beans/STSClientAction.java | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a9e8f8e5/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
index fcd3f8e..dcbcc53 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
@@ -316,8 +316,8 @@ public class STSClientAction {
(String)WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_REPLY);
// Validate it first using commons-validator
- String[] schemes = {"https"};
- UrlValidator urlValidator = new UrlValidator(schemes, UrlValidator.ALLOW_LOCAL_URLS);
+ UrlValidator urlValidator = new UrlValidator(UrlValidator.ALLOW_LOCAL_URLS
+ + UrlValidator.ALLOW_ALL_SCHEMES);
if (!urlValidator.isValid(wreply)) {
LOG.warn("The given wreply parameter {} is not a valid URL", wreply);
throw new ProcessingException(TYPE.BAD_REQUEST);