You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2018/05/17 16:31:07 UTC
[cxf-fediz] 04/04: Adding CSRF tests for SAML SSO
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
commit 09dbe375600623aafa5e92838d74f3409d1bf2dd
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu May 17 17:30:42 2018 +0100
Adding CSRF tests for SAML SSO
---
.../cxf/fediz/systests/common/AbstractTests.java | 45 +++++++++++++---------
1 file changed, 27 insertions(+), 18 deletions(-)
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java
index df17bdc..ebdfea7 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java
@@ -888,10 +888,6 @@ public abstract class AbstractTests {
@org.junit.Test
public void testCSRFAttack() throws Exception {
- if (!isWSFederation()) {
- return;
- }
-
String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
csrfAttackTest(url);
}
@@ -913,7 +909,7 @@ public abstract class AbstractTests {
webClient.getOptions().setJavaScriptEnabled(true);
Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
- final HtmlForm form = idpPage.getFormByName("signinresponseform");
+ final HtmlForm form = idpPage.getFormByName(getLoginFormName());
final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
final HtmlPage rpPage = button.click();
@@ -942,11 +938,19 @@ public abstract class AbstractTests {
DomNodeList<DomElement> results = idpPage2.getElementsByTagName("input");
for (DomElement result : results) {
- if ("wresult".equals(result.getAttributeNS(null, "name"))
- || "wa".equals(result.getAttributeNS(null, "name"))
- || "wctx".equals(result.getAttributeNS(null, "name"))) {
- String value = result.getAttributeNS(null, "value");
- request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null, "name"), value));
+ if (isWSFederation()) {
+ if ("wresult".equals(result.getAttributeNS(null, "name"))
+ || "wa".equals(result.getAttributeNS(null, "name"))
+ || "wctx".equals(result.getAttributeNS(null, "name"))) {
+ String value = result.getAttributeNS(null, "value");
+ request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null, "name"), value));
+ }
+ } else {
+ if ("SAMLResponse".equals(result.getAttributeNS(null, "name"))
+ || "RelayState".equals(result.getAttributeNS(null, "name"))) {
+ String value = result.getAttributeNS(null, "value");
+ request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null, "name"), value));
+ }
}
}
@@ -964,9 +968,6 @@ public abstract class AbstractTests {
@org.junit.Test
public void testCSRFAttack2() throws Exception {
- if (!isWSFederation()) {
- return;
- }
String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
csrfAttackTest2(url);
@@ -996,11 +997,19 @@ public abstract class AbstractTests {
DomNodeList<DomElement> results = idpPage2.getElementsByTagName("input");
for (DomElement result : results) {
- if ("wresult".equals(result.getAttributeNS(null, "name"))
- || "wa".equals(result.getAttributeNS(null, "name"))
- || "wctx".equals(result.getAttributeNS(null, "name"))) {
- String value = result.getAttributeNS(null, "value");
- request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null, "name"), value));
+ if (isWSFederation()) {
+ if ("wresult".equals(result.getAttributeNS(null, "name"))
+ || "wa".equals(result.getAttributeNS(null, "name"))
+ || "wctx".equals(result.getAttributeNS(null, "name"))) {
+ String value = result.getAttributeNS(null, "value");
+ request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null, "name"), value));
+ }
+ } else {
+ if ("SAMLResponse".equals(result.getAttributeNS(null, "name"))
+ || "RelayState".equals(result.getAttributeNS(null, "name"))) {
+ String value = result.getAttributeNS(null, "value");
+ request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null, "name"), value));
+ }
}
}
--
To stop receiving notification emails like this one, please contact
coheigea@apache.org.