Posted to commits@cxf.apache.org by co...@apache.org on 2016/01/18 18:26:52 UTC
[2/2] cxf-fediz git commit: Some test reshuffling
Some test reshuffling
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/ca843877
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/ca843877
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/ca843877
Branch: refs/heads/master
Commit: ca843877ff476d45a0981cef5f4bad34f6d738ce
Parents: c330c42
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Jan 18 17:09:49 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Jan 18 17:26:46 2016 +0000
----------------------------------------------------------------------
systests/cxf/pom.xml | 1 +
.../apache/cxf/fediz/systests/idp/IdpTest.java | 4 +-
systests/jetty8/pom.xml | 1 +
systests/jetty9/pom.xml | 1 +
systests/spring/pom.xml | 1 +
.../cxf/fediz/integrationtests/Spring2Test.java | 8 +-
.../fediz/integrationtests/AbstractTests.java | 57 +++++
systests/tests/src/test/resources/entity.xml | 25 ++
systests/tomcat7/pom.xml | 1 +
.../EntityExpansionAttackTest.java | 247 -------------------
systests/tomcat7/src/test/resources/entity.xml | 25 --
systests/tomcat8/pom.xml | 1 +
.../EntityExpansionAttackTest.java | 247 -------------------
systests/tomcat8/src/test/resources/entity.xml | 25 --
14 files changed, 96 insertions(+), 548 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/cxf/pom.xml
----------------------------------------------------------------------
diff --git a/systests/cxf/pom.xml b/systests/cxf/pom.xml
index 8d00ae0..c8cf93d 100644
--- a/systests/cxf/pom.xml
+++ b/systests/cxf/pom.xml
@@ -92,6 +92,7 @@
<version>${project.version}</version>
<type>test-jar</type>
<scope>test</scope>
+ <classifier>tests</classifier>
</dependency>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index 3947229..601d7c7 100644
--- a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -20,7 +20,6 @@
package org.apache.cxf.fediz.systests.idp;
import java.io.File;
-import java.io.FileInputStream;
import java.net.URLEncoder;
import org.w3c.dom.Document;
@@ -294,8 +293,7 @@ public class IdpTest {
String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
url += "&wreply=" + wreply;
- FileInputStream is = new FileInputStream("src/test/resources/entity_wreq.xml");
- String entity = IOUtils.toString(is);
+ String entity = IOUtils.toString(this.getClass().getClassLoader().getResource("entity_wreq.xml").openStream());
String validWreq =
"<RequestSecurityToken xmlns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">"
+ "<TokenType>&m;http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType>"
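Review bot: The added line opens the fixture via `getResource("entity_wreq.xml").openStream()` and never closes the stream, so the handle is held until garbage collection; the AbstractTests hunk in this commit introduces the same pattern for `entity.xml`. A try-with-resources block fixes it: `String entity;` / `try (InputStream is = getClass().getClassLoader().getResourceAsStream("entity_wreq.xml")) {` / `entity = IOUtils.toString(is, "UTF-8"); }` (an `import java.io.InputStream;` is needed if the file does not already have one). Passing the charset explicitly also removes the dependence on the platform default that the single-argument `IOUtils.toString(InputStream)` overload falls back to, which can make the test behave differently across build machines. The enclosing test method starts before this hunk and continues after it.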
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/jetty8/pom.xml
----------------------------------------------------------------------
diff --git a/systests/jetty8/pom.xml b/systests/jetty8/pom.xml
index 7d7badd..6d85a6e 100644
--- a/systests/jetty8/pom.xml
+++ b/systests/jetty8/pom.xml
@@ -80,6 +80,7 @@
<version>${project.version}</version>
<type>test-jar</type>
<scope>test</scope>
+ <classifier>tests</classifier>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/jetty9/pom.xml
----------------------------------------------------------------------
diff --git a/systests/jetty9/pom.xml b/systests/jetty9/pom.xml
index 5e2c126..80fa755 100644
--- a/systests/jetty9/pom.xml
+++ b/systests/jetty9/pom.xml
@@ -74,6 +74,7 @@
<version>${project.version}</version>
<type>test-jar</type>
<scope>test</scope>
+ <classifier>tests</classifier>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/spring/pom.xml
----------------------------------------------------------------------
diff --git a/systests/spring/pom.xml b/systests/spring/pom.xml
index 9cb2940..54ad159 100644
--- a/systests/spring/pom.xml
+++ b/systests/spring/pom.xml
@@ -88,6 +88,7 @@
<version>${project.version}</version>
<type>test-jar</type>
<scope>test</scope>
+ <classifier>tests</classifier>
</dependency>
<dependency>
<groupId>org.hsqldb</groupId>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
----------------------------------------------------------------------
diff --git a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
index 8d52ffc..86a928f 100644
--- a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
+++ b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
@@ -210,7 +210,6 @@ public class Spring2Test extends AbstractTests {
}
- // Getting 500 error code here
@Override
@Test
public void testAliceModifiedSignature() throws Exception {
@@ -261,4 +260,11 @@ public class Spring2Test extends AbstractTests {
}
}
+
+ @Override
+ @Test
+ @Ignore
+ public void testEntityExpansionAttack() throws Exception {
+
+ }
}
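Review bot: The `@Ignore` on the new `testEntityExpansionAttack` override carries no reason, so the inherited entity-expansion regression check is silently disabled for the Spring 2 module with nothing recording why or when it can be re-enabled. JUnit's `@Ignore(String)` accepts a message; use it, e.g. `@Ignore("<why the Spring 2 RP does not yet reject the expanded token — TODO fill in>")`, or put a one-line comment above the override. With an empty body the `@Test` annotation adds nothing and could be dropped, though keeping it is harmless.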
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index baa4ee0..05d7c1c 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -35,6 +35,7 @@ import com.gargoylesoftware.htmlunit.html.HtmlPage;
import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
import com.gargoylesoftware.htmlunit.xml.XmlPage;
+import org.apache.commons.io.IOUtils;
import org.apache.cxf.fediz.core.ClaimTypes;
import org.apache.cxf.fediz.core.FederationConstants;
import org.apache.cxf.fediz.core.util.DOMUtils;
@@ -639,4 +640,60 @@ public abstract class AbstractTests {
}
webClient2.close();
}
+
+ @Test
+ public void testEntityExpansionAttack() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
+ String user = "alice";
+ String password = "ecila";
+
+ // Get the initial token
+ CookieManager cookieManager = new CookieManager();
+ final WebClient webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ final HtmlPage idpPage = webClient.getPage(url);
+ webClient.getOptions().setJavaScriptEnabled(true);
+ Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+ // Parse the form to get the token (wresult)
+ DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
+
+ String entity = IOUtils.toString(this.getClass().getClassLoader().getResource("entity.xml").openStream());
+ String reference = "&m;";
+
+ for (DomElement result : results) {
+ if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+ // Now modify the Signature
+ String value = result.getAttributeNS(null, "value");
+ value = entity + value;
+ value = value.replace("alice", reference);
+ result.setAttributeNS(null, "value", value);
+ }
+ }
+
+ // Invoke back on the RP
+
+ final HtmlForm form = idpPage.getFormByName("signinresponseform");
+ final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
+
+ try {
+ button.click();
+ Assert.fail("Failure expected on an entity expansion attack");
+ } catch (FailingHttpStatusCodeException ex) {
+ ex.printStackTrace();
+ // expected
+ Assert.assertTrue(ex.getMessage().contains("401 Unauthorized")
+ || ex.getMessage().contains("401 Authentication Failed")
+ || ex.getMessage().contains("403 Forbidden"));
+ }
+
+ webClient.close();
+ }
+
}
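Review bot: `ex.printStackTrace()` in the catch block of `testEntityExpansionAttack` dumps a full stack trace to stderr on the expected failure path, something the tomcat7/tomcat8 copies this method replaces did not do; drop the line, since the status-code assertion that follows already documents the expectation. The comment `// Now modify the Signature` inside the loop was carried over but does not describe what follows: the loop prepends the DOCTYPE from `entity.xml` and swaps `alice` for the `&m;` reference, so `// Prepend the entity declarations and replace the subject with an entity reference` is more accurate. `webClient.close()` is also only reached when the assertions pass; moving it into a `finally` block (or try-with-resources, if the HtmlUnit version in use makes WebClient AutoCloseable) avoids leaking the client on assertion failure.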
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/tests/src/test/resources/entity.xml
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/resources/entity.xml b/systests/tests/src/test/resources/entity.xml
new file mode 100644
index 0000000..373b575
--- /dev/null
+++ b/systests/tests/src/test/resources/entity.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE RequestSecurityTokenResponseCollection [<!ENTITY a "1234567890" >
+
+<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;" >
+
+<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;" >
+
+<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;" >
+
+<!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;" >
+
+<!ENTITY f "&e;&e;&e;&e;&e;&e;&e;&e;" >
+
+<!ENTITY g "&f;&f;&f;&f;&f;&f;&f;&f;" >
+
+<!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;" >
+
+<!ENTITY i "&h;&h;&h;&h;&h;&h;&h;&h;" >
+
+<!ENTITY j "&i;&i;&i;&i;&i;&i;&i;&i;" >
+
+<!ENTITY k "&j;&j;&j;&j;&j;&j;&j;&j;" >
+
+<!ENTITY l "&k;&k;&k;&k;&k;&k;&k;&k;" >
+
+<!ENTITY m "&l;&l;&l;&l;&l;&l;&l;&l;" > ]>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/tomcat7/pom.xml
----------------------------------------------------------------------
diff --git a/systests/tomcat7/pom.xml b/systests/tomcat7/pom.xml
index 18c311c..87e70fd 100644
--- a/systests/tomcat7/pom.xml
+++ b/systests/tomcat7/pom.xml
@@ -76,6 +76,7 @@
<version>${project.version}</version>
<type>test-jar</type>
<scope>test</scope>
+ <classifier>tests</classifier>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/EntityExpansionAttackTest.java
----------------------------------------------------------------------
diff --git a/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/EntityExpansionAttackTest.java b/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/EntityExpansionAttackTest.java
deleted file mode 100644
index 4db1f94..0000000
--- a/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/EntityExpansionAttackTest.java
+++ /dev/null
@@ -1,247 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.integrationtests;
-
-
-import java.io.File;
-import java.io.FileInputStream;
-
-import com.gargoylesoftware.htmlunit.CookieManager;
-import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
-import com.gargoylesoftware.htmlunit.WebClient;
-import com.gargoylesoftware.htmlunit.html.DomElement;
-import com.gargoylesoftware.htmlunit.html.DomNodeList;
-import com.gargoylesoftware.htmlunit.html.HtmlForm;
-import com.gargoylesoftware.htmlunit.html.HtmlPage;
-import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
-
-import org.apache.catalina.Context;
-import org.apache.catalina.LifecycleState;
-import org.apache.catalina.connector.Connector;
-import org.apache.catalina.startup.Tomcat;
-import org.apache.commons.io.IOUtils;
-import org.apache.cxf.fediz.tomcat7.FederationAuthenticator;
-import org.apache.http.auth.AuthScope;
-import org.apache.http.auth.UsernamePasswordCredentials;
-import org.junit.AfterClass;
-import org.junit.Assert;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-public class EntityExpansionAttackTest {
-
- static String idpHttpsPort;
- static String rpHttpsPort;
-
- private static Tomcat idpServer;
- private static Tomcat rpServer;
-
- @BeforeClass
- public static void init() {
- System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog");
- System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true");
- System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info");
- System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "info");
- System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "info");
- System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "info");
- System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "info");
- System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info");
-
- idpHttpsPort = System.getProperty("idp.https.port");
- Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort);
- rpHttpsPort = System.getProperty("rp.https.port");
- Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort);
-
- initIdp();
- initRp();
- }
-
- private static void initIdp() {
- try {
- idpServer = new Tomcat();
- idpServer.setPort(0);
- String currentDir = new File(".").getCanonicalPath();
- idpServer.setBaseDir(currentDir + File.separator + "target");
-
- idpServer.getHost().setAppBase("tomcat/idp/webapps");
- idpServer.getHost().setAutoDeploy(true);
- idpServer.getHost().setDeployOnStartup(true);
-
- Connector httpsConnector = new Connector();
- httpsConnector.setPort(Integer.parseInt(idpHttpsPort));
- httpsConnector.setSecure(true);
- httpsConnector.setScheme("https");
- //httpsConnector.setAttribute("keyAlias", keyAlias);
- httpsConnector.setAttribute("keystorePass", "tompass");
- httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
- httpsConnector.setAttribute("truststorePass", "tompass");
- httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
- httpsConnector.setAttribute("clientAuth", "want");
- // httpsConnector.setAttribute("clientAuth", "false");
- httpsConnector.setAttribute("sslProtocol", "TLS");
- httpsConnector.setAttribute("SSLEnabled", true);
-
- idpServer.getService().addConnector(httpsConnector);
-
- idpServer.addWebapp("/fediz-idp-sts", "fediz-idp-sts");
- idpServer.addWebapp("/fediz-idp", "fediz-idp");
-
- idpServer.start();
- } catch (Exception e) {
- e.printStackTrace();
- }
- }
-
- private static void initRp() {
- try {
- rpServer = new Tomcat();
- rpServer.setPort(0);
- String currentDir = new File(".").getCanonicalPath();
- rpServer.setBaseDir(currentDir + File.separator + "target");
-
- rpServer.getHost().setAppBase("tomcat/rp/webapps");
- rpServer.getHost().setAutoDeploy(true);
- rpServer.getHost().setDeployOnStartup(true);
-
- Connector httpsConnector = new Connector();
- httpsConnector.setPort(Integer.parseInt(rpHttpsPort));
- httpsConnector.setSecure(true);
- httpsConnector.setScheme("https");
- //httpsConnector.setAttribute("keyAlias", keyAlias);
- httpsConnector.setAttribute("keystorePass", "tompass");
- httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
- httpsConnector.setAttribute("truststorePass", "tompass");
- httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
- // httpsConnector.setAttribute("clientAuth", "false");
- httpsConnector.setAttribute("clientAuth", "want");
- httpsConnector.setAttribute("sslProtocol", "TLS");
- httpsConnector.setAttribute("SSLEnabled", true);
-
- rpServer.getService().addConnector(httpsConnector);
-
- //Context ctx =
- Context cxt = rpServer.addWebapp("/fedizhelloworld", "simpleWebapp");
- FederationAuthenticator fa = new FederationAuthenticator();
- fa.setConfigFile(currentDir + File.separator + "target" + File.separator
- + "test-classes" + File.separator + "fediz_config_wreq.xml");
- cxt.getPipeline().addValve(fa);
-
-
- rpServer.start();
- } catch (Exception e) {
- e.printStackTrace();
- }
- }
-
- @AfterClass
- public static void cleanup() {
- try {
- if (idpServer.getServer() != null
- && idpServer.getServer().getState() != LifecycleState.DESTROYED) {
- if (idpServer.getServer().getState() != LifecycleState.STOPPED) {
- idpServer.stop();
- }
- idpServer.destroy();
- }
- } catch (Exception e) {
- e.printStackTrace();
- }
-
- try {
- if (rpServer.getServer() != null
- && rpServer.getServer().getState() != LifecycleState.DESTROYED) {
- if (rpServer.getServer().getState() != LifecycleState.STOPPED) {
- rpServer.stop();
- }
- rpServer.destroy();
- }
- } catch (Exception e) {
- e.printStackTrace();
- }
- }
-
- public String getIdpHttpsPort() {
- return idpHttpsPort;
- }
-
- public String getRpHttpsPort() {
- return rpHttpsPort;
- }
-
- public String getServletContextName() {
- return "fedizhelloworld";
- }
-
- @Test
- public void testEntityExpansionAttack() throws Exception {
- String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
- String user = "alice";
- String password = "ecila";
-
- // Get the initial token
- CookieManager cookieManager = new CookieManager();
- final WebClient webClient = new WebClient();
- webClient.setCookieManager(cookieManager);
- webClient.getOptions().setUseInsecureSSL(true);
- webClient.getCredentialsProvider().setCredentials(
- new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
- new UsernamePasswordCredentials(user, password));
-
- webClient.getOptions().setJavaScriptEnabled(false);
- final HtmlPage idpPage = webClient.getPage(url);
- webClient.getOptions().setJavaScriptEnabled(true);
- Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
-
- // Parse the form to get the token (wresult)
- DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
-
- FileInputStream is = new FileInputStream("src/test/resources/entity.xml");
- String entity = IOUtils.toString(is);
- String reference = "&m;";
-
- for (DomElement result : results) {
- if ("wresult".equals(result.getAttributeNS(null, "name"))) {
- // Now modify the Signature
- String value = result.getAttributeNS(null, "value");
- value = entity + value;
- value = value.replace("alice", reference);
- result.setAttributeNS(null, "value", value);
- }
- }
-
- // Invoke back on the RP
-
- final HtmlForm form = idpPage.getFormByName("signinresponseform");
- final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
-
- try {
- button.click();
- Assert.fail("Failure expected on an entity expansion attack");
- } catch (FailingHttpStatusCodeException ex) {
- // expected
- Assert.assertTrue(ex.getMessage().contains("401 Unauthorized")
- || ex.getMessage().contains("401 Authentication Failed")
- || ex.getMessage().contains("403 Forbidden"));
- }
-
- webClient.close();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/tomcat7/src/test/resources/entity.xml
----------------------------------------------------------------------
diff --git a/systests/tomcat7/src/test/resources/entity.xml b/systests/tomcat7/src/test/resources/entity.xml
deleted file mode 100644
index c0ff502..0000000
--- a/systests/tomcat7/src/test/resources/entity.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE RequestSecurityTokenResponseCollection [<!ENTITY a "1234567890" >
-
-<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;" >
-
-<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;" >
-
-<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;" >
-
-<!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;" >
-
-<!ENTITY f "&e;&e;&e;&e;&e;&e;&e;&e;" >
-
-<!ENTITY g "&f;&f;&f;&f;&f;&f;&f;&f;" >
-
-<!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;" >
-
-<!ENTITY i "&h;&h;&h;&h;&h;&h;&h;&h;" >
-
-<!ENTITY j "&i;&i;&i;&i;&i;&i;&i;&i;" >
-
-<!ENTITY k "&j;&j;&j;&j;&j;&j;&j;&j;" >
-
-<!ENTITY l "&k;&k;&k;&k;&k;&k;&k;&k;" >
-
-<!ENTITY m "&l;&l;&l;&l;&l;&l;&l;&l;" > ]>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/tomcat8/pom.xml
----------------------------------------------------------------------
diff --git a/systests/tomcat8/pom.xml b/systests/tomcat8/pom.xml
index 71762f4..ebbbfe2 100644
--- a/systests/tomcat8/pom.xml
+++ b/systests/tomcat8/pom.xml
@@ -76,6 +76,7 @@
<version>${project.version}</version>
<type>test-jar</type>
<scope>test</scope>
+ <classifier>tests</classifier>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/tomcat8/src/test/java/org/apache/cxf/fediz/integrationtests/EntityExpansionAttackTest.java
----------------------------------------------------------------------
diff --git a/systests/tomcat8/src/test/java/org/apache/cxf/fediz/integrationtests/EntityExpansionAttackTest.java b/systests/tomcat8/src/test/java/org/apache/cxf/fediz/integrationtests/EntityExpansionAttackTest.java
deleted file mode 100644
index 1758e0c..0000000
--- a/systests/tomcat8/src/test/java/org/apache/cxf/fediz/integrationtests/EntityExpansionAttackTest.java
+++ /dev/null
@@ -1,247 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.integrationtests;
-
-
-import java.io.File;
-import java.io.FileInputStream;
-
-import com.gargoylesoftware.htmlunit.CookieManager;
-import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
-import com.gargoylesoftware.htmlunit.WebClient;
-import com.gargoylesoftware.htmlunit.html.DomElement;
-import com.gargoylesoftware.htmlunit.html.DomNodeList;
-import com.gargoylesoftware.htmlunit.html.HtmlForm;
-import com.gargoylesoftware.htmlunit.html.HtmlPage;
-import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
-
-import org.apache.catalina.Context;
-import org.apache.catalina.LifecycleState;
-import org.apache.catalina.connector.Connector;
-import org.apache.catalina.startup.Tomcat;
-import org.apache.commons.io.IOUtils;
-import org.apache.cxf.fediz.tomcat8.FederationAuthenticator;
-import org.apache.http.auth.AuthScope;
-import org.apache.http.auth.UsernamePasswordCredentials;
-import org.junit.AfterClass;
-import org.junit.Assert;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-public class EntityExpansionAttackTest {
-
- static String idpHttpsPort;
- static String rpHttpsPort;
-
- private static Tomcat idpServer;
- private static Tomcat rpServer;
-
- @BeforeClass
- public static void init() {
- System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog");
- System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true");
- System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info");
- System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "info");
- System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "info");
- System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "info");
- System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "info");
- System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info");
-
- idpHttpsPort = System.getProperty("idp.https.port");
- Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort);
- rpHttpsPort = System.getProperty("rp.https.port");
- Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort);
-
- initIdp();
- initRp();
- }
-
- private static void initIdp() {
- try {
- idpServer = new Tomcat();
- idpServer.setPort(0);
- String currentDir = new File(".").getCanonicalPath();
- idpServer.setBaseDir(currentDir + File.separator + "target");
-
- idpServer.getHost().setAppBase("tomcat/idp/webapps");
- idpServer.getHost().setAutoDeploy(true);
- idpServer.getHost().setDeployOnStartup(true);
-
- Connector httpsConnector = new Connector();
- httpsConnector.setPort(Integer.parseInt(idpHttpsPort));
- httpsConnector.setSecure(true);
- httpsConnector.setScheme("https");
- //httpsConnector.setAttribute("keyAlias", keyAlias);
- httpsConnector.setAttribute("keystorePass", "tompass");
- httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
- httpsConnector.setAttribute("truststorePass", "tompass");
- httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
- httpsConnector.setAttribute("clientAuth", "want");
- // httpsConnector.setAttribute("clientAuth", "false");
- httpsConnector.setAttribute("sslProtocol", "TLS");
- httpsConnector.setAttribute("SSLEnabled", true);
-
- idpServer.getService().addConnector(httpsConnector);
-
- idpServer.addWebapp("/fediz-idp-sts", "fediz-idp-sts");
- idpServer.addWebapp("/fediz-idp", "fediz-idp");
-
- idpServer.start();
- } catch (Exception e) {
- e.printStackTrace();
- }
- }
-
- private static void initRp() {
- try {
- rpServer = new Tomcat();
- rpServer.setPort(0);
- String currentDir = new File(".").getCanonicalPath();
- rpServer.setBaseDir(currentDir + File.separator + "target");
-
- rpServer.getHost().setAppBase("tomcat/rp/webapps");
- rpServer.getHost().setAutoDeploy(true);
- rpServer.getHost().setDeployOnStartup(true);
-
- Connector httpsConnector = new Connector();
- httpsConnector.setPort(Integer.parseInt(rpHttpsPort));
- httpsConnector.setSecure(true);
- httpsConnector.setScheme("https");
- //httpsConnector.setAttribute("keyAlias", keyAlias);
- httpsConnector.setAttribute("keystorePass", "tompass");
- httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
- httpsConnector.setAttribute("truststorePass", "tompass");
- httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
- // httpsConnector.setAttribute("clientAuth", "false");
- httpsConnector.setAttribute("clientAuth", "want");
- httpsConnector.setAttribute("sslProtocol", "TLS");
- httpsConnector.setAttribute("SSLEnabled", true);
-
- rpServer.getService().addConnector(httpsConnector);
-
- //Context ctx =
- Context cxt = rpServer.addWebapp("/fedizhelloworld", "simpleWebapp");
- FederationAuthenticator fa = new FederationAuthenticator();
- fa.setConfigFile(currentDir + File.separator + "target" + File.separator
- + "test-classes" + File.separator + "fediz_config_wreq.xml");
- cxt.getPipeline().addValve(fa);
-
-
- rpServer.start();
- } catch (Exception e) {
- e.printStackTrace();
- }
- }
-
- @AfterClass
- public static void cleanup() {
- try {
- if (idpServer.getServer() != null
- && idpServer.getServer().getState() != LifecycleState.DESTROYED) {
- if (idpServer.getServer().getState() != LifecycleState.STOPPED) {
- idpServer.stop();
- }
- idpServer.destroy();
- }
- } catch (Exception e) {
- e.printStackTrace();
- }
-
- try {
- if (rpServer.getServer() != null
- && rpServer.getServer().getState() != LifecycleState.DESTROYED) {
- if (rpServer.getServer().getState() != LifecycleState.STOPPED) {
- rpServer.stop();
- }
- rpServer.destroy();
- }
- } catch (Exception e) {
- e.printStackTrace();
- }
- }
-
- public String getIdpHttpsPort() {
- return idpHttpsPort;
- }
-
- public String getRpHttpsPort() {
- return rpHttpsPort;
- }
-
- public String getServletContextName() {
- return "fedizhelloworld";
- }
-
- @Test
- public void testEntityExpansionAttack() throws Exception {
- String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
- String user = "alice";
- String password = "ecila";
-
- // Get the initial token
- CookieManager cookieManager = new CookieManager();
- final WebClient webClient = new WebClient();
- webClient.setCookieManager(cookieManager);
- webClient.getOptions().setUseInsecureSSL(true);
- webClient.getCredentialsProvider().setCredentials(
- new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
- new UsernamePasswordCredentials(user, password));
-
- webClient.getOptions().setJavaScriptEnabled(false);
- final HtmlPage idpPage = webClient.getPage(url);
- webClient.getOptions().setJavaScriptEnabled(true);
- Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
-
- // Parse the form to get the token (wresult)
- DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
-
- FileInputStream is = new FileInputStream("src/test/resources/entity.xml");
- String entity = IOUtils.toString(is);
- String reference = "&m;";
-
- for (DomElement result : results) {
- if ("wresult".equals(result.getAttributeNS(null, "name"))) {
- // Now modify the Signature
- String value = result.getAttributeNS(null, "value");
- value = entity + value;
- value = value.replace("alice", reference);
- result.setAttributeNS(null, "value", value);
- }
- }
-
- // Invoke back on the RP
-
- final HtmlForm form = idpPage.getFormByName("signinresponseform");
- final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
-
- try {
- button.click();
- Assert.fail("Failure expected on an entity expansion attack");
- } catch (FailingHttpStatusCodeException ex) {
- // expected
- Assert.assertTrue(ex.getMessage().contains("401 Unauthorized")
- || ex.getMessage().contains("401 Authentication Failed")
- || ex.getMessage().contains("403 Forbidden"));
- }
-
- webClient.close();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/tomcat8/src/test/resources/entity.xml
----------------------------------------------------------------------
diff --git a/systests/tomcat8/src/test/resources/entity.xml b/systests/tomcat8/src/test/resources/entity.xml
deleted file mode 100644
index c0ff502..0000000
--- a/systests/tomcat8/src/test/resources/entity.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE RequestSecurityTokenResponseCollection [<!ENTITY a "1234567890" >
-
-<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;" >
-
-<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;" >
-
-<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;" >
-
-<!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;" >
-
-<!ENTITY f "&e;&e;&e;&e;&e;&e;&e;&e;" >
-
-<!ENTITY g "&f;&f;&f;&f;&f;&f;&f;&f;" >
-
-<!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;" >
-
-<!ENTITY i "&h;&h;&h;&h;&h;&h;&h;&h;" >
-
-<!ENTITY j "&i;&i;&i;&i;&i;&i;&i;&i;" >
-
-<!ENTITY k "&j;&j;&j;&j;&j;&j;&j;&j;" >
-
-<!ENTITY l "&k;&k;&k;&k;&k;&k;&k;&k;" >
-
-<!ENTITY m "&l;&l;&l;&l;&l;&l;&l;&l;" > ]>
\ No newline at end of file