Posted to commits@cxf.apache.org by co...@apache.org on 2016/12/19 14:01:31 UTC
[1/4] cxf-fediz git commit: Make the wctx mandatory for the Tomcat
plugins
Repository: cxf-fediz
Updated Branches:
refs/heads/master 4ef71257a -> 84856d7a6
Make the wctx mandatory for the Tomcat plugins
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/f31bc88b
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/f31bc88b
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/f31bc88b
Branch: refs/heads/master
Commit: f31bc88befe3147acf403e9933b06faa659ce510
Parents: 4ef7125
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Dec 19 10:44:49 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Dec 19 10:44:49 2016 +0000
----------------------------------------------------------------------
.../fediz/tomcat7/FederationAuthenticator.java | 45 ++++++++++----------
.../fediz/tomcat8/FederationAuthenticator.java | 45 ++++++++++----------
2 files changed, 44 insertions(+), 46 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f31bc88b/plugins/tomcat7/src/main/java/org/apache/cxf/fediz/tomcat7/FederationAuthenticator.java
----------------------------------------------------------------------
diff --git a/plugins/tomcat7/src/main/java/org/apache/cxf/fediz/tomcat7/FederationAuthenticator.java b/plugins/tomcat7/src/main/java/org/apache/cxf/fediz/tomcat7/FederationAuthenticator.java
index ba33b53..142e166 100644
--- a/plugins/tomcat7/src/main/java/org/apache/cxf/fediz/tomcat7/FederationAuthenticator.java
+++ b/plugins/tomcat7/src/main/java/org/apache/cxf/fediz/tomcat7/FederationAuthenticator.java
@@ -236,36 +236,35 @@ public class FederationAuthenticator extends FormAuthenticator {
return false;
}
- protected void resumeRequest(HttpServletRequest request, HttpServletResponse response) {
- String originalURL = null;
+ protected void resumeRequest(HttpServletRequest request, HttpServletResponse response) throws IOException {
String contextId = request.getParameter(FederationConstants.PARAM_CONTEXT);
- if (contextId != null) {
+ if (contextId == null) {
+ LOG.warn("The 'wctx' parameter has not been provided back with signin request.");
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+
+ } else {
Session session = ((Request)request).getSessionInternal();
- originalURL = (String)session.getNote(FederationAuthenticator.SESSION_SAVED_URI_PREFIX + contextId);
+ String originalURL = (String)session.getNote(FederationAuthenticator.SESSION_SAVED_URI_PREFIX + contextId);
session.removeNote(FederationAuthenticator.SESSION_SAVED_URI_PREFIX + contextId); // Cleanup session
- } else {
- LOG.warn("The 'wctx' parameter has not been provided back with signin request. "
- + "Trying to resume now with signin URL (without parameters)");
- originalURL = request.getRequestURI();
- }
- try {
- if (originalURL != null) {
- LOG.debug("Restore request to {}", originalURL);
- response.sendRedirect(response.encodeRedirectURL(originalURL));
- } else {
- LOG.debug("User took so long to log on the session expired");
- if (landingPage == null) {
- response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT, sm
- .getString("authenticator.sessionExpired"));
+ try {
+ if (originalURL != null) {
+ LOG.debug("Restore request to {}", originalURL);
+ response.sendRedirect(response.encodeRedirectURL(originalURL));
} else {
- // Redirect to landing page
- String uri = request.getContextPath() + landingPage;
- response.sendRedirect(response.encodeRedirectURL(uri));
+ LOG.debug("User took so long to log on the session expired");
+ if (landingPage == null) {
+ response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT, sm
+ .getString("authenticator.sessionExpired"));
+ } else {
+ // Redirect to landing page
+ String uri = request.getContextPath() + landingPage;
+ response.sendRedirect(response.encodeRedirectURL(uri));
+ }
}
+ } catch (IOException e) {
+ LOG.error("Cannot resume with request.", e.getMessage());
}
- } catch (IOException e) {
- LOG.error("Cannot resume with request.", e.getMessage());
}
}
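Review bot: The catch block kept on the new side, `LOG.error("Cannot resume with request.", e.getMessage());`, passes the message as an argument to a pattern with no `{}` placeholder, so an SLF4J-style logger (which the `{}` placeholders elsewhere in the hunk suggest this is) discards it and the stack trace of the failed redirect is never recorded; pass the exception instead: `LOG.error("Cannot resume with request.", e);`. The method also now declares `throws IOException` solely for the `response.sendError(HttpServletResponse.SC_UNAUTHORIZED)` call added outside the try, while the redirect and timeout paths still swallow their IOException and log it, so the two failure modes of the same method are reported differently; either let the whole body propagate or move the sendError inside the try. The tomcat8 hunk of this commit has the identical shape and the same two issues.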
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f31bc88b/plugins/tomcat8/src/main/java/org/apache/cxf/fediz/tomcat8/FederationAuthenticator.java
----------------------------------------------------------------------
diff --git a/plugins/tomcat8/src/main/java/org/apache/cxf/fediz/tomcat8/FederationAuthenticator.java b/plugins/tomcat8/src/main/java/org/apache/cxf/fediz/tomcat8/FederationAuthenticator.java
index dbd1f4c..485d2aa 100644
--- a/plugins/tomcat8/src/main/java/org/apache/cxf/fediz/tomcat8/FederationAuthenticator.java
+++ b/plugins/tomcat8/src/main/java/org/apache/cxf/fediz/tomcat8/FederationAuthenticator.java
@@ -226,36 +226,35 @@ public class FederationAuthenticator extends FormAuthenticator {
return false;
}
- protected void resumeRequest(HttpServletRequest request, HttpServletResponse response) {
- String originalURL = null;
+ protected void resumeRequest(HttpServletRequest request, HttpServletResponse response) throws IOException {
String contextId = request.getParameter(FederationConstants.PARAM_CONTEXT);
- if (contextId != null) {
+ if (contextId == null) {
+ LOG.warn("The 'wctx' parameter has not been provided back with signin request.");
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+
+ } else {
Session session = ((Request)request).getSessionInternal();
- originalURL = (String)session.getNote(FederationAuthenticator.SESSION_SAVED_URI_PREFIX + contextId);
+ String originalURL = (String)session.getNote(FederationAuthenticator.SESSION_SAVED_URI_PREFIX + contextId);
session.removeNote(FederationAuthenticator.SESSION_SAVED_URI_PREFIX + contextId); // Cleanup session
- } else {
- LOG.warn("The 'wctx' parameter has not been provided back with signin request. "
- + "Trying to resume now with signin URL (without parameters)");
- originalURL = request.getRequestURI();
- }
- try {
- if (originalURL != null) {
- LOG.debug("Restore request to {}", originalURL);
- response.sendRedirect(response.encodeRedirectURL(originalURL));
- } else {
- LOG.debug("User took so long to log on the session expired");
- if (landingPage == null) {
- response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT, sm
- .getString("authenticator.sessionExpired"));
+ try {
+ if (originalURL != null) {
+ LOG.debug("Restore request to {}", originalURL);
+ response.sendRedirect(response.encodeRedirectURL(originalURL));
} else {
- // Redirect to landing page
- String uri = request.getContextPath() + landingPage;
- response.sendRedirect(response.encodeRedirectURL(uri));
+ LOG.debug("User took so long to log on the session expired");
+ if (landingPage == null) {
+ response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT, sm
+ .getString("authenticator.sessionExpired"));
+ } else {
+ // Redirect to landing page
+ String uri = request.getContextPath() + landingPage;
+ response.sendRedirect(response.encodeRedirectURL(uri));
+ }
}
+ } catch (IOException e) {
+ LOG.error("Cannot resume with request.", e.getMessage());
}
- } catch (IOException e) {
- LOG.error("Cannot resume with request.", e.getMessage());
}
}
[2/4] cxf-fediz git commit: Fixing test for Tomcat plugins
Posted by co...@apache.org.
Fixing test for Tomcat plugins
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/c6aa62c1
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/c6aa62c1
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/c6aa62c1
Branch: refs/heads/master
Commit: c6aa62c1e20627c1d6d40f90d6a3a828b73883f7
Parents: f31bc88
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Dec 19 10:52:29 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Dec 19 10:52:29 2016 +0000
----------------------------------------------------------------------
.../java/org/apache/cxf/fediz/integrationtests/AbstractTests.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/c6aa62c1/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index 8daaa14..9104d64 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -798,7 +798,8 @@ public abstract class AbstractTests {
// expected
Assert.assertTrue(ex.getMessage().contains("401 Unauthorized")
|| ex.getMessage().contains("401 Authentication Failed")
- || ex.getMessage().contains("403 Forbidden"));
+ || ex.getMessage().contains("403 Forbidden")
+ || ex.getMessage().contains("408 Request Timeout"));
}
// webClient.close();
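Review bot: The assertion now accepts four different status codes without saying which plugin produces which, so a reader cannot tell whether a 408 is a genuine rejection or a test flake; a comment above `Assert.assertTrue(` should record the reason, e.g. `// 408: the Tomcat plugins answer a sign-in response whose wctx has no saved URI in this session with SC_REQUEST_TIMEOUT (see FederationAuthenticator.resumeRequest)`. The enclosing test method starts outside the hunk, and the commented-out `webClient.close()` on the last line leaves the client unclosed, which looks unrelated to this change but is worth a follow-up.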
[3/4] cxf-fediz git commit: Fixing Spring plugins
Posted by co...@apache.org.
Fixing Spring plugins
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/acdbe8c2
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/acdbe8c2
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/acdbe8c2
Branch: refs/heads/master
Commit: acdbe8c213576792dd95d87315bcc181ea61b57f
Parents: c6aa62c
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Dec 19 13:20:30 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Dec 19 13:20:30 2016 +0000
----------------------------------------------------------------------
.../web/FederationAuthenticationEntryPoint.java | 10 ++++-
.../web/FederationAuthenticationFilter.java | 39 +++++++++++++++-----
.../web/FederationAuthenticationEntryPoint.java | 8 ++++
.../web/FederationAuthenticationFilter.java | 34 +++++++++++++----
4 files changed, 74 insertions(+), 17 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/acdbe8c2/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
----------------------------------------------------------------------
diff --git a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
index c4c9010..4993cd4 100644
--- a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
+++ b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
@@ -26,6 +26,7 @@ import java.util.Map.Entry;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
import org.apache.cxf.fediz.core.config.FedizContext;
import org.apache.cxf.fediz.core.exception.ProcessingException;
@@ -55,6 +56,11 @@ import org.springframework.util.Assert;
public class FederationAuthenticationEntryPoint implements AuthenticationEntryPoint,
InitializingBean, ApplicationContextAware {
+ /**
+ * The key used to save the context of the request
+ */
+ public static final String SAVED_CONTEXT = "SAVED_CONTEXT";
+
private static final Logger LOG = LoggerFactory.getLogger(FederationAuthenticationEntryPoint.class);
private ApplicationContext appContext;
@@ -106,6 +112,8 @@ public class FederationAuthenticationEntryPoint implements AuthenticationEntryPo
}
}
+ HttpSession session = servletRequest.getSession(true);
+ session.setAttribute(SAVED_CONTEXT, redirectionResponse.getRequestState().getState());
} catch (ProcessingException ex) {
LOG.warn("Failed to create SignInRequest", ex);
throw new ServletException("Failed to create SignInRequest: " + ex.getMessage());
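Review bot: `session.setAttribute(SAVED_CONTEXT, redirectionResponse.getRequestState().getState())` stores the state in a single session slot, so a second sign-in started in the same session (another tab, or a retry) overwrites the first, and the first IdP response then carries a state that no longer matches and will be rejected by the filter's comparison. The Tomcat plugins avoid this by keying the saved entry on the context value itself (`SESSION_SAVED_URI_PREFIX + contextId`); keying the Spring attribute on the state in the same way, and looking the received state up rather than comparing it with the last one written, would make concurrent sign-ins work. The surrounding method starts outside the hunk, and the spring2 FederationAuthenticationEntryPoint hunk in this commit has the same single-slot design.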
@@ -117,7 +125,7 @@ public class FederationAuthenticationEntryPoint implements AuthenticationEntryPo
}
response.sendRedirect(redirectUrl);
}
-
+
/**
* Template method for you to do your own pre-processing before the redirect occurs.
*
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/acdbe8c2/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
index 1c13f18..c18d238 100644
--- a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
+++ b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
@@ -26,6 +26,7 @@ import java.util.Date;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
import org.apache.cxf.fediz.core.FederationConstants;
import org.apache.cxf.fediz.core.SAMLSSOConstants;
@@ -33,6 +34,7 @@ import org.apache.cxf.fediz.core.processor.FedizRequest;
import org.apache.cxf.fediz.spring.FederationConfig;
import org.apache.cxf.fediz.spring.authentication.ExpiredTokenException;
import org.apache.cxf.fediz.spring.authentication.FederationAuthenticationToken;
+import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
@@ -55,15 +57,12 @@ public class FederationAuthenticationFilter extends AbstractAuthenticationProces
public Authentication attemptAuthentication(final HttpServletRequest request, final HttpServletResponse response)
throws AuthenticationException, IOException {
- SecurityContext context = SecurityContextHolder.getContext();
- if (context != null) {
- Authentication authentication = context.getAuthentication();
- if (authentication instanceof FederationAuthenticationToken) {
- // If we reach this point then the token must be expired
- throw new ExpiredTokenException("Token is expired");
- }
+ if (isTokenExpired()) {
+ throw new ExpiredTokenException("Token is expired");
}
-
+
+ verifySavedState(request);
+
String wa = request.getParameter(FederationConstants.PARAM_ACTION);
String responseToken = getResponseToken(request);
@@ -106,7 +105,7 @@ public class FederationAuthenticationFilter extends AbstractAuthenticationProces
return false;
}
-
+
private String getResponseToken(ServletRequest request) {
if (request.getParameter(FederationConstants.PARAM_RESULT) != null) {
return request.getParameter(FederationConstants.PARAM_RESULT);
@@ -116,7 +115,29 @@ public class FederationAuthenticationFilter extends AbstractAuthenticationProces
return null;
}
+
+ private String getState(ServletRequest request) {
+ if (request.getParameter(FederationConstants.PARAM_CONTEXT) != null) {
+ return request.getParameter(FederationConstants.PARAM_CONTEXT);
+ } else if (request.getParameter(SAMLSSOConstants.RELAY_STATE) != null) {
+ return request.getParameter(SAMLSSOConstants.RELAY_STATE);
+ }
+
+ return null;
+ }
+ private void verifySavedState(HttpServletRequest request) {
+ HttpSession session = request.getSession(false);
+ if (session != null) {
+ String savedContext = (String)session.getAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
+ String state = getState(request);
+ if (savedContext != null && !savedContext.equals(state)) {
+ logger.warn("The received state does not match the state saved in the context");
+ throw new BadCredentialsException("The received state does not match the state saved in the context");
+ }
+ }
+ }
+
/**
*
*/
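Review bot: `verifySavedState` only rejects when a saved state exists and differs: with `savedContext != null && !savedContext.equals(state)` a sign-in response arriving in a session that never passed through the entry point (or with no session at all, since `getSession(false)` returning null skips the check entirely) is accepted with any or no state, so the comparison can be sidestepped by not having a saved value. Unless IdP-initiated sign-in without a prior entry-point redirect has to be supported, the condition should be `if (session == null || savedContext == null || !savedContext.equals(state))`, and after a successful match the attribute should be consumed with `session.removeAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);` so the same state cannot be presented again within the session. The spring2 FederationAuthenticationFilter hunk of this commit adds the same method with the same condition.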
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/acdbe8c2/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
----------------------------------------------------------------------
diff --git a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
index a4b58e3..eeff761 100644
--- a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
+++ b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationEntryPoint.java
@@ -28,6 +28,7 @@ import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
import org.apache.cxf.fediz.core.config.FedizContext;
import org.apache.cxf.fediz.core.exception.ProcessingException;
@@ -57,6 +58,11 @@ import org.springframework.util.Assert;
public class FederationAuthenticationEntryPoint implements AuthenticationEntryPoint,
InitializingBean, ApplicationContextAware {
+ /**
+ * The key used to save the context of the request
+ */
+ public static final String SAVED_CONTEXT = "SAVED_CONTEXT";
+
private static final Logger LOG = LoggerFactory.getLogger(FederationAuthenticationEntryPoint.class);
private ApplicationContext appContext;
@@ -129,6 +135,8 @@ public class FederationAuthenticationEntryPoint implements AuthenticationEntryPo
}
}
+ HttpSession session = ((HttpServletRequest)request).getSession(true);
+ session.setAttribute(SAVED_CONTEXT, redirectionResponse.getRequestState().getState());
} catch (ProcessingException ex) {
System.err.println("Failed to create SignInRequest: " + ex.getMessage());
LOG.warn("Failed to create SignInRequest: " + ex.getMessage());
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/acdbe8c2/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
index 9a1373b..6011c37 100644
--- a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
+++ b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
@@ -28,6 +28,7 @@ import java.util.Map.Entry;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
import org.apache.cxf.fediz.core.FederationConstants;
import org.apache.cxf.fediz.core.SAMLSSOConstants;
@@ -106,15 +107,12 @@ public class FederationAuthenticationFilter extends AbstractProcessingFilter {
@Override
public Authentication attemptAuthentication(HttpServletRequest request) throws AuthenticationException {
- SecurityContext context = SecurityContextHolder.getContext();
- if (context != null) {
- Authentication authentication = context.getAuthentication();
- if (authentication instanceof FederationAuthenticationToken) {
- // If we reach this point then the token must be expired
- throw new ExpiredTokenException("Token is expired");
- }
+ if (isTokenExpired()) {
+ throw new ExpiredTokenException("Token is expired");
}
+ verifySavedState(request);
+
String wa = request.getParameter(FederationConstants.PARAM_ACTION);
String responseToken = getResponseToken(request);
FedizRequest wfReq = new FedizRequest();
@@ -134,6 +132,28 @@ public class FederationAuthenticationFilter extends AbstractProcessingFilter {
return this.getAuthenticationManager().authenticate(authRequest);
}
+ private void verifySavedState(HttpServletRequest request) {
+ HttpSession session = request.getSession(false);
+ if (session != null) {
+ String savedContext = (String)session.getAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
+ String state = getState(request);
+ if (savedContext != null && !savedContext.equals(state)) {
+ logger.warn("The received state does not match the state saved in the context");
+ throw new BadCredentialsException("The received state does not match the state saved in the context");
+ }
+ }
+ }
+
+ private String getState(ServletRequest request) {
+ if (request.getParameter(FederationConstants.PARAM_CONTEXT) != null) {
+ return request.getParameter(FederationConstants.PARAM_CONTEXT);
+ } else if (request.getParameter(SAMLSSOConstants.RELAY_STATE) != null) {
+ return request.getParameter(SAMLSSOConstants.RELAY_STATE);
+ }
+
+ return null;
+ }
+
@Override
public void onUnsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
AuthenticationException authException) {
[4/4] cxf-fediz git commit: Enabling CSRF tests for the spring plugins
Posted by co...@apache.org.
Enabling CSRF tests for the spring plugins
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/84856d7a
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/84856d7a
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/84856d7a
Branch: refs/heads/master
Commit: 84856d7a67db2f44ff2d48da4fc410435b481636
Parents: acdbe8c
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Dec 19 13:21:05 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Dec 19 13:21:05 2016 +0000
----------------------------------------------------------------------
.../apache/cxf/fediz/integrationtests/Spring2Test.java | 8 ++++++++
.../apache/cxf/fediz/integrationtests/SpringTest.java | 8 ++++++++
.../apache/cxf/fediz/integrationtests/AbstractTests.java | 11 ++++++-----
3 files changed, 22 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/84856d7a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
----------------------------------------------------------------------
diff --git a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
index f9754ba..cd68992 100644
--- a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
+++ b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
@@ -250,4 +250,12 @@ public class Spring2Test extends AbstractTests {
}
+ @Override
+ @org.junit.Test
+ public void testCSRFAttack() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ + "/j_spring_fediz_security_check";
+ csrfAttackTest(url);
+ }
+
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/84856d7a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java
----------------------------------------------------------------------
diff --git a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java
index 036b189..93b4201 100644
--- a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java
+++ b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java
@@ -149,4 +149,12 @@ public class SpringTest extends AbstractTests {
public void testConcurrentRequests() throws Exception {
// super.testConcurrentRequests();
}
+
+ @Override
+ @org.junit.Test
+ public void testCSRFAttack() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ + "/j_spring_fediz_security_check";
+ csrfAttackTest(url);
+ }
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/84856d7a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index 9104d64..5908db8 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -736,6 +736,11 @@ public abstract class AbstractTests {
@org.junit.Ignore
public void testCSRFAttack() throws Exception {
String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+ csrfAttackTest(url);
+ }
+
+ protected void csrfAttackTest(String rpURL) throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
String user = "alice";
String password = "ecila";
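Review bot: The new `csrfAttackTest(String rpURL)` helper has no Javadoc, and it uses two URLs whose roles are easy to confuse: the local `url` it rebuilds for `/secure/fedservlet` and the `rpURL` parameter, which later in the method is where the forged form is posted. A short Javadoc on the helper along the lines of `/** Runs the CSRF scenario: authenticate alice against the protected resource, then post a second user's IdP form to {@code rpURL} (the plugin's sign-in endpoint) from alice's client and expect a failing status. */` would make the Spring overrides, which pass their `j_spring_fediz_security_check` URL, self-explanatory. The helper's body continues outside the hunk.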
@@ -774,7 +779,7 @@ public abstract class AbstractTests {
// 3. Now instead of clicking on the form, send the form via alice's WebClient instead
// Send with context...
- WebRequest request = new WebRequest(new URL(url), HttpMethod.POST);
+ WebRequest request = new WebRequest(new URL(rpURL), HttpMethod.POST);
request.setRequestParameters(new ArrayList<NameValuePair>());
DomNodeList<DomElement> results = idpPage2.getElementsByTagName("input");
@@ -796,10 +801,6 @@ public abstract class AbstractTests {
Assert.fail("Failure expected on a CSRF attack");
} catch (FailingHttpStatusCodeException ex) {
// expected
- Assert.assertTrue(ex.getMessage().contains("401 Unauthorized")
- || ex.getMessage().contains("401 Authentication Failed")
- || ex.getMessage().contains("403 Forbidden")
- || ex.getMessage().contains("408 Request Timeout"));
}
// webClient.close();
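Review bot: Dropping the `Assert.assertTrue(ex.getMessage().contains(...))` block leaves the catch accepting every `FailingHttpStatusCodeException`, so a 500 from a bug in the plugin now passes the CSRF test just like a deliberate rejection. Keep at least a range check, e.g. `Assert.assertTrue("unexpected status " + ex.getStatusCode(), ex.getStatusCode() >= 400 && ex.getStatusCode() < 500);`, so a server error is still distinguished from the expected client-side rejection. The test method's body starts outside the hunk.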