Posted to commits@cxf.apache.org by co...@apache.org on 2016/04/11 16:44:58 UTC
[1/3] cxf-fediz git commit: Improve error handling when failing to
process a SAML Request
Repository: cxf-fediz
Updated Branches:
refs/heads/master 20ab01614 -> e106d24ec
Improve error handling when failing to process a SAML Request
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/8de90b1a
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/8de90b1a
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/8de90b1a
Branch: refs/heads/master
Commit: 8de90b1a8be6650627b8dad8289ffc4ee6ac0417
Parents: 20ab016
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Apr 11 13:21:03 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Apr 11 13:21:03 2016 +0100
----------------------------------------------------------------------
.../WEB-INF/flows/saml-validate-request.xml | 27 +++++++++--
.../apache/cxf/fediz/systests/idp/IdpTest.java | 51 ++++++++++++++++++++
2 files changed, 74 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/8de90b1a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
index ef6d813..ae05ae2 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -31,9 +31,9 @@
<set name="flowScope.idpConfig" value="config.getIDP(null)" />
</on-entry>
<if test="requestParameters.RelayState == null or requestParameters.RelayState.length() == 0"
- then="viewBadRequest" />
+ then="handleBadRequestError" />
<if test="requestParameters.SAMLRequest != null and !requestParameters.SAMLRequest.isEmpty()"
- then="signinSAMLRequest" else="viewBadRequest" />
+ then="signinSAMLRequest" else="handleBadRequestError" />
</decision-state>
<subflow-state id="signinSAMLRequest" subflow="signinSAMLRequest">
@@ -52,7 +52,7 @@
<set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
<set name="flowScope.saml_authn_request" value="currentEvent.attributes.saml_authn_request" />
</transition>
- <transition on="viewBadRequest" to="viewBadRequest">
+ <transition on="viewBadRequest" to="handleBadRequestError">
<set name="flowScope.saml_authn_request" value="currentEvent.attributes.saml_authn_request" />
</transition>
<transition on="scInternalServerError" to="scInternalServerError" />
@@ -69,7 +69,7 @@
</on-entry>
<evaluate expression="signinParametersCacheAction.storeRPConfigInSession(flowRequestContext)"/>
<transition to="produceSAMLResponse" />
- <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
+ <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="handleBadRequestError" />
<transition on-exception="java.lang.Throwable" to="scInternalServerError" />
</action-state>
@@ -99,6 +99,16 @@
</end-state>
<!-- abnormal exit point -->
+ <decision-state id="handleBadRequestError">
+ <on-entry>
+ <evaluate expression="authnRequestParser.retrieveConsumerURL(flowRequestContext)"
+ result="requestScope.samlAction"/>
+ </on-entry>
+ <!-- See if we managed to at least parse the request to get the response URL -->
+ <if test="requestScope.samlAction == null or requestScope.samlAction.length() == 0"
+ then="viewBadRequestParsingError" else="viewBadRequest"/>
+ </decision-state>
+
<end-state id="viewBadRequest" view="samlsigninresponseform">
<on-entry>
<evaluate expression="authnRequestParser.retrieveConsumerURL(flowRequestContext)"
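Review bot: The new `handleBadRequestError` state routes a request the IdP could not process into a SAML error Response addressed to whatever `authnRequestParser.retrieveConsumerURL(flowRequestContext)` returns, so everything hinges on that helper returning only a URL that has been matched against the registered application's configured consumer endpoint rather than one lifted straight from the not-yet-verified AuthnRequest; its implementation is not in this diff, so please confirm, because otherwise a crafted request makes the IdP post a signed error Response to an attacker-chosen URL. The same expression is evaluated a second time in the on-entry of `viewBadRequest` at the bottom of the hunk, so the lookup runs twice per failed request; letting `viewBadRequest` reuse `requestScope.samlAction` would avoid the duplication. A comment on the decision would spell out the contract for the next reader: `<!-- samlAction is only usable if retrieveConsumerURL validated it against the application's configured consumer URL; otherwise fall through to a plain 400 -->`.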
@@ -111,6 +121,15 @@
result="requestScope.samlResponse"/>
</on-entry>
</end-state>
+
+ <!-- abnormal exit point : Http 400 Bad Request -->
+ <end-state id="viewBadRequestParsingError" view="genericerror">
+ <on-entry>
+ <evaluate
+ expression="externalContext.nativeResponse.setStatus(400,'Error parsing SAML Request')" />
+ <set name="requestScope.reason" value="'Error parsing SAML Request'" />
+ </on-entry>
+ </end-state>
<!-- abnormal exit point : Http 500 Internal Server Error -->
<end-state id="scInternalServerError" view="genericerror">
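Review bot: `externalContext.nativeResponse.setStatus(400,'Error parsing SAML Request')` calls the two-argument `HttpServletResponse.setStatus(int, String)`, deprecated since Servlet 2.1 because the message parameter has ambiguous meaning and containers may ignore it; `setStatus(400)` is sufficient since the text already reaches the view through `requestScope.reason`. Keeping the reason generic is the right call on an unauthenticated error page, and the header comment could make that intent explicit so nobody later enriches it with parser output: `<!-- abnormal exit point : Http 400 Bad Request. Keep the reason generic; parse-failure details must not be echoed to the caller -->`. The `scInternalServerError` state that begins on the hunk's last line continues outside it.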
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/8de90b1a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index bc1423e..3c34f55 100644
--- a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -36,6 +36,7 @@ import javax.servlet.ServletException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
+import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
import com.gargoylesoftware.htmlunit.HttpMethod;
import com.gargoylesoftware.htmlunit.WebClient;
import com.gargoylesoftware.htmlunit.WebRequest;
@@ -565,6 +566,56 @@ public class IdpTest {
webClient.close();
}
+ @org.junit.Test
+ public void testProblemWithParsingRequest() throws Exception {
+ OpenSAMLUtil.initSamlEngine();
+
+ // Create SAML AuthnRequest
+ Document doc = DOMUtils.createDocument();
+ doc.appendChild(doc.createElement("root"));
+ // Create the AuthnRequest
+ String consumerURL = "https://localhost:" + getRpHttpsPort() + "/"
+ + getServletContextName() + "/secure/fedservlet";
+ AuthnRequest authnRequest =
+ new DefaultAuthnRequestBuilder().createAuthnRequest(
+ null, "urn:org:apache:cxf:fediz:fedizhelloworld-xyz", consumerURL
+ );
+ authnRequest.setDestination("https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml");
+ signAuthnRequest(authnRequest);
+
+ Element authnRequestElement = OpenSAMLUtil.toDom(authnRequest, doc);
+
+ // Don't inflate the token...
+ String requestMessage = DOM2Writer.nodeToString(authnRequestElement);
+ String authnRequestEncoded = Base64Utility.encode(requestMessage.getBytes("UTF-8"));
+
+ String urlEncodedRequest = URLEncoder.encode(authnRequestEncoded, "UTF-8");
+
+ String relayState = UUID.randomUUID().toString();
+ String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml?";
+ url += SSOConstants.RELAY_STATE + "=" + relayState;
+ url += "&" + SSOConstants.SAML_REQUEST + "=" + urlEncodedRequest;
+
+ String user = "alice";
+ String password = "ecila";
+
+ final WebClient webClient = new WebClient();
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ try {
+ webClient.getPage(url);
+ Assert.fail("Failure expected on parsing the request in the IdP");
+ } catch (FailingHttpStatusCodeException ex) {
+ Assert.assertEquals(ex.getStatusCode(), 400);
+ }
+
+ webClient.close();
+ }
+
private String encodeAuthnRequest(Element authnRequest) throws IOException {
String requestMessage = DOM2Writer.nodeToString(authnRequest);
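Review bot: `Assert.assertEquals(ex.getStatusCode(), 400)` has expected and actual swapped, so a regression reports "expected:<500> but was:<400>"; write `Assert.assertEquals(400, ex.getStatusCode());`. `webClient.close()` is skipped whenever `Assert.fail` or the assertion throws, leaking the client into later tests in the class; put the close in a `finally` (or try-with-resources, if this HtmlUnit version's `WebClient` is `AutoCloseable`). The comment `// Don't inflate the token...` describes the wrong direction — the request is being encoded, so `// Don't deflate the token...` is what is meant, and the same wording appears elsewhere in this class. The `encodeAuthnRequest` helper starting on the hunk's last lines continues beyond it.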
[2/3] cxf-fediz git commit: [FEDIZ-163] - Default to disabling
Deflate Encoding for the SAML SSO response
Posted by co...@apache.org.
[FEDIZ-163] - Default to disabling Deflate Encoding for the SAML SSO response
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/768a3855
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/768a3855
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/768a3855
Branch: refs/heads/master
Commit: 768a38556dc08051e1bf0f83cce5497bf7fcb0e1
Parents: 8de90b1
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Apr 11 15:29:03 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Apr 11 15:44:42 2016 +0100
----------------------------------------------------------------------
.../idp/beans/samlsso/AuthnRequestParser.java | 14 +++++++------
.../idp/beans/samlsso/SamlResponseCreator.java | 2 +-
.../beans/samlsso/SamlResponseErrorCreator.java | 2 +-
.../cxf/fediz/samlsso/example/SamlSso.java | 22 +++++++++++++-------
.../src/test/resources/entities-realma.xml | 2 --
.../apache/cxf/fediz/systests/idp/IdpTest.java | 10 ++++++---
6 files changed, 32 insertions(+), 20 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/768a3855/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
index c36f3d9..8a09b03 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
@@ -46,11 +46,11 @@ import org.springframework.webflow.execution.RequestContext;
public class AuthnRequestParser {
private static final Logger LOG = LoggerFactory.getLogger(AuthnRequestParser.class);
- private boolean supportDeflateEncoding = true;
+ private boolean supportDeflateEncoding;
public void parseSAMLRequest(RequestContext context, Idp idp, String samlRequest) throws ProcessingException {
LOG.debug("Received SAML Request: {}", samlRequest);
-
+
AuthnRequest parsedRequest = null;
if (samlRequest == null) {
WebUtils.removeAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
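Review bot: `supportDeflateEncoding` now defaults to false, a behaviour change for any deployment that POSTs DEFLATE-encoded requests and relied on the old default, yet the field carries no Javadoc saying what the flag still controls; from the `extractRequest` change further down this file, GET requests are inflated unconditionally, so the flag effectively governs POST only. Suggested Javadoc on the field: `/** Whether DEFLATE-encoded SAMLRequests are also accepted on POST; Redirect-binding (GET) requests are always inflated. Defaults to false (FEDIZ-163). */`. The `parseSAMLRequest` method that starts in this hunk continues beyond it.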
@@ -59,7 +59,7 @@ public class AuthnRequestParser {
(AuthnRequest)WebUtils.getAttributeFromFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST);
if (parsedRequest == null) {
try {
- parsedRequest = extractRequest(samlRequest);
+ parsedRequest = extractRequest(context, samlRequest);
WebUtils.putAttributeInFlowScope(context, IdpConstants.SAML_AUTHN_REQUEST, parsedRequest);
LOG.debug("SAML Request with id '{}' successfully parsed", parsedRequest.getID());
} catch (Exception ex) {
@@ -135,10 +135,12 @@ public class AuthnRequestParser {
return false;
}
- private AuthnRequest extractRequest(String samlRequest) throws Exception {
+ protected AuthnRequest extractRequest(RequestContext context, String samlRequest) throws Exception {
byte[] deflatedToken = Base64Utility.decode(samlRequest);
- InputStream tokenStream = supportDeflateEncoding
- ? new DeflateEncoderDecoder().inflateToken(deflatedToken)
+ String httpMethod = WebUtils.getHttpServletRequest(context).getMethod();
+
+ InputStream tokenStream = supportDeflateEncoding || "GET".equals(httpMethod)
+ ? new DeflateEncoderDecoder().inflateToken(deflatedToken)
: new ByteArrayInputStream(deflatedToken);
Document responseDoc = StaxUtils.read(new InputStreamReader(tokenStream, "UTF-8"));
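Review bot: Every GET now passes through `new DeflateEncoderDecoder().inflateToken(deflatedToken)` before anything about the request has been verified, so the inflated size should be bounded — a few hundred bytes of crafted SAMLRequest can otherwise expand into a very large document for `StaxUtils.read` to parse; I cannot see from this diff whether `inflateToken` caps its output, so if it does not, prefer a size-capped overload or wrap the stream in a limiting `InputStream` before the reader. The `supportDeflateEncoding || "GET".equals(httpMethod)` condition deserves a one-line why-comment, e.g. `// Redirect binding (GET) is always DEFLATE-encoded per the SAML bindings spec; POST is plain unless explicitly enabled`. The remainder of `extractRequest` (signature check and unmarshalling) lies outside the hunk.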
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/768a3855/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
index a9aadf5..3bc36ea 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
@@ -64,7 +64,7 @@ import org.springframework.webflow.execution.RequestContext;
public class SamlResponseCreator {
private static final Logger LOG = LoggerFactory.getLogger(SamlResponseCreator.class);
- private boolean supportDeflateEncoding = true;
+ private boolean supportDeflateEncoding;
public String createSAMLResponse(RequestContext context, Idp idp, Element rpToken,
String consumerURL, String requestId, String requestIssuer)
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/768a3855/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseErrorCreator.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseErrorCreator.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseErrorCreator.java
index 24b21f4..ce257e0 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseErrorCreator.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseErrorCreator.java
@@ -46,7 +46,7 @@ import org.springframework.webflow.execution.RequestContext;
public class SamlResponseErrorCreator {
private static final Logger LOG = LoggerFactory.getLogger(SamlResponseErrorCreator.class);
- private boolean supportDeflateEncoding = true;
+ private boolean supportDeflateEncoding;
public String createSAMLResponse(RequestContext context, boolean requestor,
Idp idp, String requestID) throws ProcessingException {
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/768a3855/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SamlSso.java
----------------------------------------------------------------------
diff --git a/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SamlSso.java b/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SamlSso.java
index 4d62d87..34db1cd 100644
--- a/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SamlSso.java
+++ b/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SamlSso.java
@@ -20,6 +20,7 @@
package org.apache.cxf.fediz.samlsso.example;
+import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
@@ -100,9 +101,10 @@ public class SamlSso {
// Create the response
Element response = createResponse(request.getID(), racs, requestIssuer);
- String responseStr = encodeResponse(response);
+ boolean redirect = "REDIRECT".equals(binding);
+ String responseStr = encodeResponse(response, redirect);
- if ("REDIRECT".equals(binding)) {
+ if (redirect) {
return redirectResponse(relayState, racs, responseStr);
} else {
return postBindingResponse(relayState, racs, responseStr);
@@ -164,19 +166,25 @@ public class SamlSso {
return policyElement;
}
- protected String encodeResponse(Element response) throws IOException {
+ protected String encodeResponse(Element response, boolean redirect) throws IOException {
String responseMessage = DOM2Writer.nodeToString(response);
System.out.println("RESP: " + responseMessage);
- DeflateEncoderDecoder encoder = new DeflateEncoderDecoder();
- byte[] deflatedBytes = encoder.deflateToken(responseMessage.getBytes("UTF-8"));
+ byte[] deflatedBytes = null;
+ if (redirect) {
+ DeflateEncoderDecoder encoder = new DeflateEncoderDecoder();
+ deflatedBytes = encoder.deflateToken(responseMessage.getBytes("UTF-8"));
+ } else {
+ deflatedBytes = responseMessage.getBytes("UTF-8");
+ }
return Base64Utility.encode(deflatedBytes);
}
- protected AuthnRequest extractRequest(String samlRequest) throws Base64Exception, DataFormatException,
- XMLStreamException, UnsupportedEncodingException, WSSecurityException {
+ protected AuthnRequest extractRequest(String samlRequest) throws Base64Exception,
+ DataFormatException, XMLStreamException, UnsupportedEncodingException, WSSecurityException {
byte[] deflatedToken = Base64Utility.decode(samlRequest);
+
InputStream tokenStream = new DeflateEncoderDecoder().inflateToken(deflatedToken);
Document responseDoc = StaxUtils.read(new InputStreamReader(tokenStream, "UTF-8"));
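Review bot: In `encodeResponse` the local `deflatedBytes` is only deflated on the redirect path now, so the name misleads on the POST path and the `= null` initialiser is dead; `byte[] responseBytes;` assigned in both branches reads cleaner. The `System.out.println("RESP: " + responseMessage)` on the context line dumps the full signed response to stdout on every call — acceptable in this example webapp, but worth a `// example code: do not log full responses in a real IdP` marker so it is not copied. `extractRequest` at the bottom of the hunk still inflates unconditionally, which matches only Redirect-binding requests; a comment stating that this example expects requests via the Redirect binding would make that assumption explicit, and the method continues beyond the hunk.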
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/768a3855/systests/federation/samlsso/src/test/resources/entities-realma.xml
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/src/test/resources/entities-realma.xml b/systests/federation/samlsso/src/test/resources/entities-realma.xml
index 83cc384..d6965d0 100644
--- a/systests/federation/samlsso/src/test/resources/entities-realma.xml
+++ b/systests/federation/samlsso/src/test/resources/entities-realma.xml
@@ -118,7 +118,6 @@
<property name="parameters">
<util:map>
<entry key="sign.request" value="true" />
- <entry key="support.deflate.encoding" value="true" />
</util:map>
</property>
</bean>
@@ -138,7 +137,6 @@
<property name="parameters">
<util:map>
<entry key="sign.request" value="true" />
- <entry key="support.deflate.encoding" value="true" />
</util:map>
</property>
</bean>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/768a3855/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index 3c34f55..6a4df36 100644
--- a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -19,6 +19,7 @@
package org.apache.cxf.fediz.systests.idp;
+import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
@@ -254,7 +255,10 @@ public class IdpTest {
signAuthnRequest(authnRequest);
Element authnRequestElement = OpenSAMLUtil.toDom(authnRequest, doc);
- String authnRequestEncoded = encodeAuthnRequest(authnRequestElement);
+
+ // Don't inflate the token...
+ String requestMessage = DOM2Writer.nodeToString(authnRequestElement);
+ String authnRequestEncoded = Base64Utility.encode(requestMessage.getBytes("UTF-8"));
String relayState = UUID.randomUUID().toString();
String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml/up";
@@ -587,7 +591,7 @@ public class IdpTest {
// Don't inflate the token...
String requestMessage = DOM2Writer.nodeToString(authnRequestElement);
- String authnRequestEncoded = Base64Utility.encode(requestMessage.getBytes("UTF-8"));
+ String authnRequestEncoded = Base64Utility.encode(requestMessage.getBytes("UTF-8"));
String urlEncodedRequest = URLEncoder.encode(authnRequestEncoded, "UTF-8");
@@ -698,7 +702,7 @@ public class IdpTest {
// Decode + verify response
byte[] deflatedToken = Base64Utility.decode(samlResponse);
- InputStream inputStream = new DeflateEncoderDecoder().inflateToken(deflatedToken);
+ InputStream inputStream = new ByteArrayInputStream(deflatedToken);
Document responseDoc = StaxUtils.read(new InputStreamReader(inputStream, "UTF-8"));
[3/3] cxf-fediz git commit: Checkstyle fix
Posted by co...@apache.org.
Checkstyle fix
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/e106d24e
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/e106d24e
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/e106d24e
Branch: refs/heads/master
Commit: e106d24ecb5927b901714a242590f6c6fce4cfbf
Parents: 768a385
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Apr 11 15:44:46 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Apr 11 15:44:46 2016 +0100
----------------------------------------------------------------------
.../src/main/java/org/apache/cxf/fediz/samlsso/example/SamlSso.java | 1 -
1 file changed, 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/e106d24e/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SamlSso.java
----------------------------------------------------------------------
diff --git a/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SamlSso.java b/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SamlSso.java
index 34db1cd..4adfcc8 100644
--- a/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SamlSso.java
+++ b/systests/federation/samlIdpWebapp/src/main/java/org/apache/cxf/fediz/samlsso/example/SamlSso.java
@@ -20,7 +20,6 @@
package org.apache.cxf.fediz.samlsso.example;
-import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;