Posted to commits@cxf.apache.org by co...@apache.org on 2016/11/28 17:41:10 UTC
[1/4] cxf-fediz git commit: Fixing token expiration logic
Repository: cxf-fediz
Updated Branches:
refs/heads/1.3.x-fixes a5a607aac -> 33f1cb9ba
Fixing token expiration logic
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/6733ea68
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/6733ea68
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/6733ea68
Branch: refs/heads/1.3.x-fixes
Commit: 6733ea689d070c1af37bb52c7bef69d7e1ad16a5
Parents: a5a607a
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Nov 28 14:58:26 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Nov 28 17:38:52 2016 +0000
----------------------------------------------------------------------
.../idp/beans/IdpTokenExpiredAction.java | 20 +++++++++-----------
.../service/idp/beans/wsfed/WfreshParser.java | 9 ++++++---
2 files changed, 15 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/6733ea68/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/IdpTokenExpiredAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/IdpTokenExpiredAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/IdpTokenExpiredAction.java
index 2ea9a7d..cbe4ee8 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/IdpTokenExpiredAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/IdpTokenExpiredAction.java
@@ -38,17 +38,15 @@ public class IdpTokenExpiredAction {
public boolean isTokenExpired(String homeRealm, RequestContext context)
throws Exception {
- if (tokenExpirationValidation) {
- SecurityToken idpToken =
- (SecurityToken) WebUtils.getAttributeFromExternalContext(context, homeRealm);
- if (idpToken == null) {
- return true;
- }
-
- if (idpToken.isExpired()) {
- LOG.info("[IDP_TOKEN=" + idpToken.getId() + "] is expired.");
- return true;
- }
+ SecurityToken idpToken =
+ (SecurityToken) WebUtils.getAttributeFromExternalContext(context, homeRealm);
+ if (idpToken == null) {
+ return true;
+ }
+
+ if (tokenExpirationValidation && idpToken.isExpired()) {
+ LOG.info("[IDP_TOKEN=" + idpToken.getId() + "] is expired.");
+ return true;
}
return false;
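Review bot: The `idpToken == null` branch returns true without any log line, while the expired branch logs at info, so a user sent back to authentication because no token is cached for `homeRealm` leaves no trace that distinguishes that case from an expired token; add `LOG.debug("No IdP token found for home realm " + homeRealm);` before the first `return true`. The unchecked cast to `SecurityToken` is carried over from the old code and still turns a foreign attribute value into a ClassCastException rather than a clean re-authentication; an `instanceof` check would make that outcome explicit. The hunk as shown ends before the method's closing brace.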
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/6733ea68/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/wsfed/WfreshParser.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/wsfed/WfreshParser.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/wsfed/WfreshParser.java
index 1a11873..148d24b 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/wsfed/WfreshParser.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/wsfed/WfreshParser.java
@@ -38,6 +38,12 @@ public class WfreshParser {
public boolean authenticationRequired(String wfresh, String whr, RequestContext context)
throws Exception {
+ SecurityToken idpToken =
+ (SecurityToken) WebUtils.getAttributeFromExternalContext(context, whr);
+ if (idpToken == null) {
+ return true;
+ }
+
if (wfresh == null || wfresh.trim().isEmpty()) {
return false;
}
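Review bot: The added null-check runs before the `wfresh` check, so `authenticationRequired` now answers true for any request whose home realm `whr` has no cached token even when no `wfresh` parameter was sent; that appears intended (it mirrors the `isTokenExpired` change in the same commit) but nothing in the method says so. Add above the lookup `// No token cached for this realm: fresh authentication is required regardless of wfresh`. The same two-line lookup-and-cast now appears in IdpTokenExpiredAction.isTokenExpired as well; a shared helper returning the token or null would keep the two in step. The rest of the method is outside the hunk.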
@@ -55,9 +61,6 @@ public class WfreshParser {
long ttlMs = ttl * 60L * 1000L;
if (ttlMs > 0) {
-
- SecurityToken idpToken =
- (SecurityToken) WebUtils.getAttributeFromExternalContext(context, whr);
Date createdDate = idpToken.getCreated();
if (createdDate != null) {
Date expiryDate = new Date();
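Review bot: `long ttlMs = ttl * 60L * 1000L;` is computed from `ttl`, which is parsed above the hunk and appears to come from the request-supplied `wfresh` value; a sufficiently large value wraps to a negative `ttlMs`, the `ttlMs > 0` branch is skipped and the token's creation time is never compared. `long ttlMs = Math.multiplyExact(ttl, 60_000L);` turns that into an ArithmeticException, or an explicit upper bound on `ttl` can reject it with a clear message. Separately, when `idpToken.getCreated()` is null the freshness check is skipped entirely; whether the method then treats the token as fresh depends on code below the hunk, and a token with no creation time is more safely treated as requiring re-authentication.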
[4/4] cxf-fediz git commit: Use HttpOnly for cookie-config
Posted by co...@apache.org.
Use HttpOnly for cookie-config
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/33f1cb9b
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/33f1cb9b
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/33f1cb9b
Branch: refs/heads/1.3.x-fixes
Commit: 33f1cb9ba1b2c655d9d9371249e0d28804170359
Parents: 064ad65
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Nov 28 16:36:51 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Nov 28 17:39:14 2016 +0000
----------------------------------------------------------------------
services/idp/src/main/webapp/WEB-INF/web.xml | 3 +++
services/oidc/src/main/webapp/WEB-INF/web.xml | 3 +++
2 files changed, 6 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/33f1cb9b/services/idp/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/web.xml b/services/idp/src/main/webapp/WEB-INF/web.xml
index 4129e72..807fa23 100644
--- a/services/idp/src/main/webapp/WEB-INF/web.xml
+++ b/services/idp/src/main/webapp/WEB-INF/web.xml
@@ -26,6 +26,9 @@ under the License.
<display-name>Fediz IDP</display-name>
<session-config>
+ <cookie-config>
+ <http-only>true</http-only>
+ </cookie-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
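Review bot: The new `<cookie-config>` sets only `http-only`; the session cookie would still be sent over a plain-HTTP connector if the container ever exposes one, so `<secure>true</secure>` belongs next to it for an IdP that is only reachable over HTTPS, with the same addition in services/oidc/src/main/webapp/WEB-INF/web.xml below. `<cookie-config>` is a Servlet 3.0 descriptor element, which is worth confirming against the `<web-app version=...>` declaration above the hunk.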
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/33f1cb9b/services/oidc/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/web.xml b/services/oidc/src/main/webapp/WEB-INF/web.xml
index ebc17f0..a41a03b 100644
--- a/services/oidc/src/main/webapp/WEB-INF/web.xml
+++ b/services/oidc/src/main/webapp/WEB-INF/web.xml
@@ -25,6 +25,9 @@
<display-name>WS Federation Spring Example</display-name>
<session-config>
+ <cookie-config>
+ <http-only>true</http-only>
+ </cookie-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
[2/4] cxf-fediz git commit: Fix wreply parsing on logout
Posted by co...@apache.org.
Fix wreply parsing on logout
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/a8f7d07e
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/a8f7d07e
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/a8f7d07e
Branch: refs/heads/1.3.x-fixes
Commit: a8f7d07e4d65eec66ed4e15252b98d53a2f484be
Parents: 6733ea6
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Nov 28 15:24:27 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Nov 28 17:39:00 2016 +0000
----------------------------------------------------------------------
.../WEB-INF/flows/federation-validate-request.xml | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a8f7d07e/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
index 35ce933..bee5ce0 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
@@ -72,7 +72,7 @@
<action-state id="validateWReplyForSignout">
<evaluate expression="commonsURLValidator.isValid(flowRequestContext, flowScope.wreply)"/>
<transition on="yes" to="selectSignOutProcess" />
- <transition on="no" to="viewBadRequest" />
+ <transition on="no" to="viewBadRequestAndLogout" />
</action-state>
<decision-state id="selectSignOutProcess">
@@ -190,6 +190,16 @@
<!--<set name="requestScope.reason" value="flowRequestContext.currentTransition" />-->
</on-entry>
</end-state>
+
+ <end-state id="viewBadRequestAndLogout" view="genericerror">
+ <on-entry>
+ <evaluate expression="homeRealmReminder.removeCookie(flowRequestContext)" />
+ <evaluate expression="logoutAction.submit(flowRequestContext)" />
+ <evaluate
+ expression="externalContext.nativeResponse.setStatus(400,flowRequestContext.currentTransition.toString())" />
+ <!--<set name="requestScope.reason" value="flowRequestContext.currentTransition" />-->
+ </on-entry>
+ </end-state>
<!-- abnormal exit point : Http 500 Internal Server Error -->
<end-state id="scInternalServerError" view="genericerror">
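Review bot: The new `viewBadRequestAndLogout` end-state is a copy of `viewBadRequest` with two evaluate lines inserted, and it also copies the commented-out `<set name="requestScope.reason" .../>` line; drop that line from the new block rather than duplicating dead markup. `setStatus(400, flowRequestContext.currentTransition.toString())` reuses the deprecated two-argument `HttpServletResponse.setStatus` and places the flow transition name in the HTTP reason phrase; `setStatus(400)` alone keeps internal flow state out of the response. The first hunk of this file only rewires the `validateWReplyForSignout` "no" transition to this state.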
[3/4] cxf-fediz git commit: Adding more IdP tests
Posted by co...@apache.org.
Adding more IdP tests
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/064ad652
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/064ad652
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/064ad652
Branch: refs/heads/1.3.x-fixes
Commit: 064ad6520f46ba2d9077dcffe738c3c49609c922
Parents: a8f7d07
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Nov 28 16:32:16 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Nov 28 17:39:07 2016 +0000
----------------------------------------------------------------------
.../apache/cxf/fediz/systests/idp/IdpTest.java | 185 ++++++++++++++++++-
1 file changed, 184 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/064ad652/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index 04bc875..9455227 100644
--- a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -21,6 +21,7 @@ package org.apache.cxf.fediz.systests.idp;
import java.io.File;
import java.io.IOException;
+import java.io.InputStream;
import java.net.URLEncoder;
import javax.servlet.ServletException;
@@ -29,11 +30,14 @@ import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
+import com.gargoylesoftware.htmlunit.CookieManager;
import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
import com.gargoylesoftware.htmlunit.WebClient;
import com.gargoylesoftware.htmlunit.html.DomElement;
import com.gargoylesoftware.htmlunit.html.DomNodeList;
+import com.gargoylesoftware.htmlunit.html.HtmlForm;
import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
import com.gargoylesoftware.htmlunit.xml.XmlPage;
import org.apache.catalina.LifecycleException;
@@ -41,6 +45,7 @@ import org.apache.catalina.LifecycleState;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.startup.Tomcat;
import org.apache.commons.io.IOUtils;
+import org.apache.cxf.fediz.core.FederationConstants;
import org.apache.cxf.fediz.core.util.DOMUtils;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
@@ -371,7 +376,9 @@ public class IdpTest {
String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
url += "&wreply=" + wreply;
- String entity = IOUtils.toString(this.getClass().getClassLoader().getResource("entity_wreq.xml").openStream());
+ InputStream is = this.getClass().getClassLoader().getResource("entity_wreq.xml").openStream();
+ String entity = IOUtils.toString(is, "UTF-8");
+ is.close();
String validWreq =
"<RequestSecurityToken xmlns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">"
+ "<TokenType>&m;http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType>"
@@ -617,5 +624,181 @@ public class IdpTest {
webClient.close();
}
+
+ @Test
+ public void testIdPLogout() throws Exception {
+
+ // 1. First let's login to the IdP
+ String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
+ url += "wa=wsignin1.0";
+ url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
+ url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld";
+ String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+ url += "&wreply=" + wreply;
+
+ String user = "alice";
+ String password = "ecila";
+
+ CookieManager cookieManager = new CookieManager();
+
+ WebClient webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ HtmlPage idpPage = webClient.getPage(url);
+ webClient.getOptions().setJavaScriptEnabled(true);
+ Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+ webClient.close();
+
+ // 2. now we logout from IdP
+ String idpLogoutUrl = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?wa="
+ + FederationConstants.ACTION_SIGNOUT;
+
+ webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ idpPage = webClient.getPage(idpLogoutUrl);
+
+ Assert.assertEquals("IDP SignOut Confirmation Response Page", idpPage.getTitleText());
+
+ HtmlForm form = idpPage.getFormByName("signoutconfirmationresponseform");
+ HtmlSubmitInput button = form.getInputByName("_eventId_submit");
+ button.click();
+
+ webClient.close();
+
+ // 3. now we try to access the idp without authentication but with the existing cookies
+ // to see if we are really logged out
+ webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getOptions().setThrowExceptionOnFailingStatusCode(false);
+ idpPage = webClient.getPage(url);
+
+ Assert.assertEquals(401, idpPage.getWebResponse().getStatusCode());
+
+ webClient.close();
+ }
+
+ @Test
+ public void testIdPLogoutCleanup() throws Exception {
+
+ // 1. First let's login to the IdP
+ String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
+ url += "wa=wsignin1.0";
+ url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
+ url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld";
+ String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+ url += "&wreply=" + wreply;
+
+ String user = "alice";
+ String password = "ecila";
+
+ CookieManager cookieManager = new CookieManager();
+
+ WebClient webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ HtmlPage idpPage = webClient.getPage(url);
+ webClient.getOptions().setJavaScriptEnabled(true);
+ Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+ webClient.close();
+
+ // 2. now we logout from IdP
+ String idpLogoutUrl = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?wa="
+ + FederationConstants.ACTION_SIGNOUT_CLEANUP;
+
+ webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ idpPage = webClient.getPage(idpLogoutUrl);
+
+ Assert.assertEquals("IDP SignOut Response Page", idpPage.getTitleText());
+
+ webClient.close();
+
+ // 3. now we try to access the idp without authentication but with the existing cookies
+ // to see if we are really logged out
+ webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getOptions().setThrowExceptionOnFailingStatusCode(false);
+ idpPage = webClient.getPage(url);
+
+ Assert.assertEquals(401, idpPage.getWebResponse().getStatusCode());
+
+ webClient.close();
+ }
+
+ @Test
+ public void testIdPLogoutCleanupWithBadWReply() throws Exception {
+
+ // 1. First let's login to the IdP
+ String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
+ url += "wa=wsignin1.0";
+ url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
+ url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld";
+ String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+ url += "&wreply=" + wreply;
+
+ String user = "alice";
+ String password = "ecila";
+
+ CookieManager cookieManager = new CookieManager();
+
+ WebClient webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ HtmlPage idpPage = webClient.getPage(url);
+ webClient.getOptions().setJavaScriptEnabled(true);
+ Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+ webClient.close();
+
+ // 2. now we logout from IdP using a bad wreply
+ String badWReply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ + "/secure//fedservlet";
+ String idpLogoutUrl = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?wa="
+ + FederationConstants.ACTION_SIGNOUT_CLEANUP;
+ idpLogoutUrl += "&wreply=" + badWReply;
+
+ webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ try {
+ webClient.getPage(idpLogoutUrl);
+ Assert.fail("Failure expected on a bad wreply value");
+ } catch (FailingHttpStatusCodeException ex) {
+ Assert.assertEquals(ex.getStatusCode(), 400);
+ }
+
+ webClient.close();
+
+ // 3. now we try to access the idp without authentication but with the existing cookies
+ // to see if we are really logged out. Even though an error was thrown on a bad wreply, we should still
+ // be logged out
+ webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getOptions().setThrowExceptionOnFailingStatusCode(false);
+ idpPage = webClient.getPage(url);
+
+ Assert.assertEquals(401, idpPage.getWebResponse().getStatusCode());
+
+ webClient.close();
+ }
}