Posted to commits@cxf.apache.org by co...@apache.org on 2016/12/20 15:28:00 UTC
cxf-fediz git commit: FEDIZ-185 - Make one of
passiveRequestorEndpoint or passiveRequestorEndpointConstraint mandatory in
the IDP
Repository: cxf-fediz
Updated Branches:
refs/heads/master b94137a45 -> 25dcd2754
FEDIZ-185 - Make one of passiveRequestorEndpoint or passiveRequestorEndpointConstraint mandatory in the IDP
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/25dcd275
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/25dcd275
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/25dcd275
Branch: refs/heads/master
Commit: 25dcd275443d84e9927f7ad7c980f46463d03009
Parents: b94137a
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Dec 20 15:27:28 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Dec 20 15:27:28 2016 +0000
----------------------------------------------------------------------
.../idp/beans/PassiveRequestorValidator.java | 34 +++---
.../idp/src/main/resources/entities-realmb.xml | 1 +
.../test/resources/realmb/entities-realmb.xml | 3 +-
.../test/resources/realmb/entities-realmb.xml | 1 +
.../apache/cxf/fediz/systests/idp/IdpTest.java | 113 +++++++++++++++++++
.../test/resources/realma/entities-realma.xml | 37 ++++++
6 files changed, 173 insertions(+), 16 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/25dcd275/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
index 0393d4f..3f5be36 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
@@ -47,26 +47,30 @@ public class PassiveRequestorValidator {
Application serviceConfig = idpConfig.findApplication(realm);
if (serviceConfig == null) {
LOG.warn("No service config found for " + realm);
- return true;
+ return false;
}
- // The endpointAddress address must match the passive endpoint requestor constraint
- // (if it is specified)
- if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null) {
- LOG.warn("No passive requestor endpoint constraint is configured for the application. "
- + "This could lead to a malicious redirection attack");
- return true;
- }
-
- Matcher matcher =
- serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(endpointAddress);
- if (!matcher.matches()) {
- LOG.error("The endpointAddress value of {} does not match any of the passive requestor values",
+ if (serviceConfig.getPassiveRequestorEndpoint() == null
+ && serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null) {
+ LOG.error("Either the 'passiveRequestorEndpoint' or the 'passiveRequestorEndpointConstraint' "
+ + "configuration values must be specified for the application");
+ } else if (serviceConfig.getPassiveRequestorEndpoint() != null
+ && serviceConfig.getPassiveRequestorEndpoint().equals(endpointAddress)) {
+ LOG.debug("The supplied endpoint address {} matches the configured passive requestor endpoint value",
endpointAddress);
- return false;
+ return true;
+ } else if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() != null) {
+ Matcher matcher =
+ serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(endpointAddress);
+ if (matcher.matches()) {
+ return true;
+ } else {
+ LOG.error("The endpointAddress value of {} does not match any of the passive requestor values",
+ endpointAddress);
+ }
}
- return true;
+ return false;
}
}
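Review bot: When `passiveRequestorEndpoint` is configured but does not equal `endpointAddress` and no constraint is configured, the new if/else-if chain skips every branch and falls through to the final `return false` without logging, because the constraint branch is guarded by `!= null`; the regex-mismatch case logs an error, the exact-match mismatch does not. Close the chain with `} else { LOG.error("The endpointAddress value of {} does not match the configured passive requestor endpoint", endpointAddress); }` so both rejection paths are visible in the IdP log. The exact-match branch compares the two raw strings with `equals`, so any difference in case, trailing slash or an explicit default port between the configured value and the supplied wreply is a rejection; that is a sensible strictness for a redirect target, but the method's Javadoc should state it. The enclosing method's signature lies above the hunk.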
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/25dcd275/services/idp/src/main/resources/entities-realmb.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/resources/entities-realmb.xml b/services/idp/src/main/resources/entities-realmb.xml
index 02cd3ca..68fb3e8 100644
--- a/services/idp/src/main/resources/entities-realmb.xml
+++ b/services/idp/src/main/resources/entities-realmb.xml
@@ -85,6 +85,7 @@
<property name="role" value="SecurityTokenServiceType" />
<property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
<property name="lifeTime" value="3600" />
+ <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
</bean>
<bean id="claim_role"
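Review bot: The constraint `https://localhost:?(\d)*/.*` added to this realm-B entity accepts any port and any path on localhost, and because of `:?` also a bare `https://localhost/...`; since the validator calls `Matcher.matches()` the pattern is implicitly anchored, so it is the trailing `.*` that makes every path acceptable. That is fine for a sample configuration, but this file lives under `src/main/resources` and nothing marks the value as a placeholder. An XML comment above the property, e.g. `<!-- Sample value: narrow this constraint to the application's real passive requestor endpoint(s) before deployment -->`, would keep the intent visible to whoever copies this file.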
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/25dcd275/systests/federation/samlsso/src/test/resources/realmb/entities-realmb.xml
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/src/test/resources/realmb/entities-realmb.xml b/systests/federation/samlsso/src/test/resources/realmb/entities-realmb.xml
index 04cfbf3..91550d0 100644
--- a/systests/federation/samlsso/src/test/resources/realmb/entities-realmb.xml
+++ b/systests/federation/samlsso/src/test/resources/realmb/entities-realmb.xml
@@ -72,13 +72,14 @@
<bean id="idp-realmA" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
<property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A" />
- <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
+ <property name="protocol" value="urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser" />
<property name="serviceDisplayName" value="Resource IDP Realm A" />
<property name="serviceDescription" value="Resource IDP Realm A" />
<property name="role" value="SecurityTokenServiceType" />
<property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
<property name="lifeTime" value="3600" />
<property name="validatingCertificate" value="realma.cert" />
+ <property name="passiveRequestorEndpoint" value="https://localhost:${idp.https.port}/fediz-idp/saml" />
</bean>
<bean id="claim_role"
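Review bot: The `protocol` value of the `idp-realmA` bean changes from the WS-Federation URI to the SAML 2.0 SSO browser profile in the same hunk that adds `passiveRequestorEndpoint`; that is a separate behavioural change to the samlsso systest configuration and is not mentioned in the commit message. If it is a correction (the new endpoint value ending in `/fediz-idp/saml` suggests this IdP entry is reached over SAML SSO), a one-line mention in the commit description would explain why it belongs in FEDIZ-185.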
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/25dcd275/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml
----------------------------------------------------------------------
diff --git a/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml b/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml
index 04cfbf3..80baf49 100644
--- a/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml
+++ b/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml
@@ -79,6 +79,7 @@
<property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
<property name="lifeTime" value="3600" />
<property name="validatingCertificate" value="realma.cert" />
+ <property name="passiveRequestorEndpoint" value="https://localhost:${idp.https.port}/fediz-idp/federation" />
</bean>
<bean id="claim_role"
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/25dcd275/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index 9455227..b8c0e50 100644
--- a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -593,6 +593,119 @@ public class IdpTest {
webClient.close();
}
+ @org.junit.Test
+ public void testValidWReplyWrongApplication() throws Exception {
+ String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
+ url += "wa=wsignin1.0";
+ url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
+ url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld2";
+ String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+ url += "&wreply=" + wreply;
+
+ String user = "alice";
+ String password = "ecila";
+
+ final WebClient webClient = new WebClient();
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ try {
+ webClient.getPage(url);
+ Assert.fail("Failure expected on a bad wreply value");
+ } catch (FailingHttpStatusCodeException ex) {
+ Assert.assertEquals(ex.getStatusCode(), 400);
+ }
+
+ webClient.close();
+ }
+
+ @org.junit.Test
+ public void testWReplyExactMatchingSuccess() throws Exception {
+ String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
+ url += "wa=wsignin1.0";
+ url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
+ url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld3";
+ String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+ url += "&wreply=" + wreply;
+
+ String user = "alice";
+ String password = "ecila";
+
+ final WebClient webClient = new WebClient();
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ webClient.getPage(url);
+
+ webClient.close();
+ }
+
+ @org.junit.Test
+ public void testWReplyExactMatchingFailure() throws Exception {
+ String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
+ url += "wa=wsignin1.0";
+ url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
+ url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld3";
+ String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ + "/secure/fedservlet/blah";
+ url += "&wreply=" + wreply;
+
+ String user = "alice";
+ String password = "ecila";
+
+ final WebClient webClient = new WebClient();
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ try {
+ webClient.getPage(url);
+ Assert.fail("Failure expected on a bad wreply value");
+ } catch (FailingHttpStatusCodeException ex) {
+ Assert.assertEquals(ex.getStatusCode(), 400);
+ }
+
+ webClient.close();
+ }
+
+ @org.junit.Test
+ public void testNoEndpointAddressOrConstraint() throws Exception {
+ String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
+ url += "wa=wsignin1.0";
+ url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
+ url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld4";
+ String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+ url += "&wreply=" + wreply;
+
+ String user = "alice";
+ String password = "ecila";
+
+ final WebClient webClient = new WebClient();
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ // This is an error in the IdP
+ try {
+ webClient.getPage(url);
+ Assert.fail("Failure expected on a bad wreply value");
+ } catch (FailingHttpStatusCodeException ex) {
+ Assert.assertEquals(ex.getStatusCode(), 400);
+ }
+
+ webClient.close();
+ }
+
// Send a bad wreply value. This will pass the reg ex validation but fail the commons-validator
// validation
@org.junit.Test
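Review bot: In `testValidWReplyWrongApplication`, `testWReplyExactMatchingFailure` and `testNoEndpointAddressOrConstraint` the call `Assert.assertEquals(ex.getStatusCode(), 400)` puts the actual value in the expected position, so a failure message would report the two the wrong way round; write `Assert.assertEquals(400, ex.getStatusCode());`. In all four new tests `webClient.close()` is only reached on the happy path: if `Assert.fail` throws, or `getPage` throws something other than `FailingHttpStatusCodeException`, the client is never closed, so the body should sit in `try { ... } finally { webClient.close(); }` (or try-with-resources if the HtmlUnit version in use makes `WebClient` AutoCloseable). The four methods differ only in the `wtrealm` value, the `wreply` suffix and whether a 400 is expected, which a private helper taking those three arguments would capture. The enclosing class starts above the hunk.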
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/25dcd275/systests/idp/src/test/resources/realma/entities-realma.xml
----------------------------------------------------------------------
diff --git a/systests/idp/src/test/resources/realma/entities-realma.xml b/systests/idp/src/test/resources/realma/entities-realma.xml
index 88f2b93..b78c09c 100644
--- a/systests/idp/src/test/resources/realma/entities-realma.xml
+++ b/systests/idp/src/test/resources/realma/entities-realma.xml
@@ -66,6 +66,9 @@
<property name="applications">
<util:list>
<ref bean="srv-fedizhelloworld" />
+ <ref bean="srv-fedizhelloworld2" />
+ <ref bean="srv-fedizhelloworld3" />
+ <ref bean="srv-fedizhelloworld4" />
</util:list>
</property>
<property name="trustedIdps">
@@ -108,6 +111,40 @@
value="https://localhost:(\d)*/(\w)*helloworld(\w)*/secure/.*" />
</bean>
+ <bean id="srv-fedizhelloworld2" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld2" />
+ <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
+ <property name="serviceDisplayName" value="Fedizhelloworld" />
+ <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
+ <property name="role" value="ApplicationServiceType" />
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+ <property name="lifeTime" value="3600" />
+ <property name="passiveRequestorEndpointConstraint"
+ value="https://localhost:(\d)*/(\w)*helloworld(\w)*/secure2/.*" />
+ </bean>
+
+ <bean id="srv-fedizhelloworld3" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld3" />
+ <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
+ <property name="serviceDisplayName" value="Fedizhelloworld" />
+ <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
+ <property name="role" value="ApplicationServiceType" />
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+ <property name="lifeTime" value="3600" />
+ <property name="passiveRequestorEndpoint"
+ value="https://localhost:${rp.https.port}/fedizhelloworld/secure/fedservlet" />
+ </bean>
+
+ <bean id="srv-fedizhelloworld4" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld4" />
+ <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
+ <property name="serviceDisplayName" value="Fedizhelloworld" />
+ <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
+ <property name="role" value="ApplicationServiceType" />
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+ <property name="lifeTime" value="3600" />
+ </bean>
+
<bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
<property name="application" ref="srv-fedizhelloworld" />
<property name="claim" ref="claim_role" />
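Review bot: `srv-fedizhelloworld4` is defined with neither `passiveRequestorEndpoint` nor `passiveRequestorEndpointConstraint`, which is exactly the misconfiguration `testNoEndpointAddressOrConstraint` relies on, yet nothing in the file says the omission is deliberate, so a later cleanup could "fix" it and silently change what the test exercises. Add `<!-- Intentionally has neither passiveRequestorEndpoint nor passiveRequestorEndpointConstraint; used by IdpTest.testNoEndpointAddressOrConstraint -->` above that bean. For the same reason a short comment on `srv-fedizhelloworld2` should say that its `/secure2/` constraint is meant not to match the test's wreply, and on `srv-fedizhelloworld3` that the exact `passiveRequestorEndpoint` is what the exact-matching tests depend on.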