You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2016/01/18 15:18:13 UTC
[1/6] cxf-fediz git commit: Adding malicious redirection test
Repository: cxf-fediz
Updated Branches:
refs/heads/1.2.x-fixes 46b05ed9a -> 85258b076
Adding malicious redirection test
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/8c99b2f6
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/8c99b2f6
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/8c99b2f6
Branch: refs/heads/1.2.x-fixes
Commit: 8c99b2f672c6525fccde600f8cd502956194b7d1
Parents: 46b05ed
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Nov 16 16:53:49 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Jan 18 13:42:05 2016 +0000
----------------------------------------------------------------------
.../fediz/integrationtests/AbstractTests.java | 82 ++++++++++++++++++++
1 file changed, 82 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/8c99b2f6/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index c636aeb..88ab429 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -25,14 +25,21 @@ import org.w3c.dom.Node;
import com.gargoylesoftware.htmlunit.CookieManager;
import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
+import com.gargoylesoftware.htmlunit.HttpMethod;
import com.gargoylesoftware.htmlunit.WebClient;
+import com.gargoylesoftware.htmlunit.WebRequest;
import com.gargoylesoftware.htmlunit.html.DomElement;
import com.gargoylesoftware.htmlunit.html.DomNodeList;
import com.gargoylesoftware.htmlunit.html.HtmlForm;
import com.gargoylesoftware.htmlunit.html.HtmlPage;
import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
+import com.gargoylesoftware.htmlunit.util.NameValuePair;
import com.gargoylesoftware.htmlunit.xml.XmlPage;
+import java.net.URL;
+import java.net.URLEncoder;
+import java.util.ArrayList;
+
import org.apache.cxf.fediz.core.ClaimTypes;
import org.apache.cxf.fediz.core.FederationConstants;
import org.apache.cxf.fediz.core.util.DOMUtils;
@@ -577,4 +584,79 @@ public abstract class AbstractTests {
Assert.assertTrue("Unexpected content of RP page", bodyTextContent2.contains("Secure Test"));
}
+ @org.junit.Test
+ public void testMaliciousRedirect() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+ String user = "alice";
+ String password = "ecila";
+
+ CookieManager cookieManager = new CookieManager();
+
+ // 1. Login
+ HTTPTestUtils.loginWithCookieManager(url, user, password, getIdpHttpsPort(), cookieManager);
+
+ // 2. Now we should have a cookie from the RP and IdP and should be able to do
+ // subsequent requests without authenticate again. Lets test this first.
+ WebClient webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ HtmlPage rpPage = webClient.getPage(url);
+ Assert.assertTrue("WS Federation Systests Examples".equals(rpPage.getTitleText())
+ || "WS Federation Systests Spring Examples".equals(rpPage.getTitleText()));
+
+ // 3. Now a malicious user sends the client a URL with a bad "wreply" address to the IdP
+ String maliciousURL = "https://www.apache.org/attack";
+ String idpUrl
+ = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation";
+ idpUrl += "?wa=wsignin1.0&wreply=" + URLEncoder.encode(maliciousURL, "UTF-8");
+ idpUrl += "&wtrealm=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Afedizhelloworld";
+ idpUrl += "&whr=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Aidp%3Arealm-A";
+
+ final WebClient webClient2 = new WebClient();
+ webClient2.setCookieManager(cookieManager);
+ webClient2.getOptions().setUseInsecureSSL(true);
+ webClient2.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient2.getOptions().setJavaScriptEnabled(false);
+ final HtmlPage idpPage = webClient2.getPage(idpUrl);
+ webClient2.getOptions().setJavaScriptEnabled(true);
+ Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+ // Check that the form is to be posted to the malicious URL
+ DomNodeList<DomElement> formResults = idpPage.getElementsByTagName("form");
+ Assert.assertTrue(formResults.size() == 1);
+ Assert.assertEquals(formResults.get(0).getAttributeNS(null, "action"), maliciousURL);
+
+ // Parse the form to get the token (wresult)
+ DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
+
+ String wresult = null;
+ for (DomElement result : results) {
+ if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+ wresult = result.getAttributeNS(null, "value");
+ }
+ }
+ Assert.assertNotNull(wresult);
+
+ // 4. Now the malicious user has the token. Try to invoke on the endpoint
+ final WebClient webClient3 = new WebClient();
+ webClient3.getOptions().setUseInsecureSSL(true);
+
+ WebRequest requestSettings = new WebRequest(new URL(url), HttpMethod.POST);
+
+ requestSettings.setRequestParameters(new ArrayList<NameValuePair>());
+ requestSettings.getRequestParameters().add(new NameValuePair("wa", "wsignin1.0"));
+ requestSettings.getRequestParameters().add(new NameValuePair("wresult", wresult));
+ requestSettings.getRequestParameters().add(new NameValuePair("wtrealm",
+ "urn:org:apache:cxf:fediz:fedizhelloworld"));
+
+ try {
+ rpPage = webClient3.getPage(url);
+ Assert.fail("Exception expected");
+ } catch (FailingHttpStatusCodeException ex) {
+ Assert.assertEquals(ex.getStatusCode(), 401);
+ }
+ }
}
[2/6] cxf-fediz git commit: Fixing redirection attack issue
Posted by co...@apache.org.
Fixing redirection attack issue
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/fd8dcda5
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/fd8dcda5
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/fd8dcda5
Branch: refs/heads/1.2.x-fixes
Commit: fd8dcda574889e1d1e7021072f47c71f2e38e4db
Parents: 8c99b2f
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Nov 27 17:10:51 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Jan 18 13:43:40 2016 +0000
----------------------------------------------------------------------
.../service/idp/beans/STSClientAction.java | 25 +++++++++++
.../fediz/service/idp/domain/Application.java | 23 +++++++++-
.../idp/service/jpa/ApplicationDAOJPAImpl.java | 2 +
.../idp/service/jpa/ApplicationEntity.java | 11 +++++
.../idp/src/main/resources/entities-realma.xml | 2 +
.../src/test/resources/entities-realma.xml | 2 +
.../test/resources/realma/entities-realma.xml | 2 +
.../fediz/integrationtests/AbstractTests.java | 44 +++-----------------
.../test/resources/realma/entities-realma.xml | 2 +
9 files changed, 74 insertions(+), 39 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/fd8dcda5/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
index 948c557..1e316b1 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
@@ -25,6 +25,7 @@ import java.net.MalformedURLException;
import java.net.URL;
import java.security.cert.X509Certificate;
import java.util.List;
+import java.util.regex.Matcher;
import javax.servlet.http.HttpServletRequest;
import javax.xml.namespace.QName;
@@ -199,6 +200,9 @@ public class STSClientAction {
throw new ProcessingException(TYPE.BAD_REQUEST);
}
+ // Check wreply parameter against passive requestor endpoint constraint
+ validateApplicationEndpoint(serviceConfig, context);
+
// Parse wreq parameter - we only support parsing TokenType and KeyType for now
String wreq = (String)WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_REQUEST);
String stsTokenType = null;
@@ -299,6 +303,27 @@ public class STSClientAction {
return StringEscapeUtils.escapeXml11(rpToken);
}
+ // The wreply address must match the passive endpoint requestor constraint (if it is specified)
+ private void validateApplicationEndpoint(Application serviceConfig, RequestContext context)
+ throws ProcessingException {
+ if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null) {
+ LOG.info("No passive requestor endpoint constraint is configured for the application. "
+ + "This could lead to a malicious redirection attack");
+ return;
+ }
+
+ String wreply =
+ (String)WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_REPLY);
+ if (wreply != null) {
+ Matcher matcher = serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(wreply);
+ if (!matcher.matches()) {
+ LOG.error("The wreply value of {} does not match any of the passive requestor values",
+ wreply);
+ throw new ProcessingException(TYPE.BAD_REQUEST);
+ }
+ }
+ }
+
private String getIdFromToken(String token) throws XMLStreamException {
InputStream is = new ByteArrayInputStream(token.getBytes());
Document doc = StaxUtils.read(is);
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/fd8dcda5/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Application.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Application.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Application.java
index 5f14f5b..43c7e8a 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Application.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/domain/Application.java
@@ -22,6 +22,7 @@ import java.io.Serializable;
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
+import java.util.regex.Pattern;
import javax.xml.bind.annotation.XmlAttribute;
import javax.xml.bind.annotation.XmlElementRef;
@@ -32,7 +33,7 @@ import javax.xml.bind.annotation.XmlType;
@XmlRootElement(name = "application", namespace = "http://org.apache.cxf.fediz/")
@XmlType(propOrder = {"realm", "role", "serviceDisplayName", "serviceDescription", "protocol",
"tokenType", "lifeTime", "encryptionCertificate", "requestedClaims",
- "policyNamespace", "passiveRequestorEndpoint", "id" })
+ "policyNamespace", "passiveRequestorEndpoint", "passiveRequestorEndpointConstraint", "id" })
public class Application implements Serializable {
private static final long serialVersionUID = 5644327504861846964L;
@@ -86,6 +87,10 @@ public class Application implements Serializable {
//fed:ApplicationServiceType, fed:SecurityTokenServiceType
private String passiveRequestorEndpoint;
+ // A regular expression constraint on the passiveRequestorEndpoint
+ private String passiveRequestorEndpointConstraint;
+ private Pattern compiledPassiveRequestorEndpointConstraint;
+
@XmlAttribute
public int getId() {
@@ -195,4 +200,20 @@ public class Application implements Serializable {
this.passiveRequestorEndpoint = passiveRequestorEndpoint;
}
+ public String getPassiveRequestorEndpointConstraint() {
+ return passiveRequestorEndpointConstraint;
+ }
+
+ public void setPassiveRequestorEndpointConstraint(String passiveRequestorEndpointConstraint) {
+ this.passiveRequestorEndpointConstraint = passiveRequestorEndpointConstraint;
+ if (passiveRequestorEndpointConstraint != null) {
+ compiledPassiveRequestorEndpointConstraint = Pattern.compile(passiveRequestorEndpointConstraint);
+ } else {
+ compiledPassiveRequestorEndpointConstraint = null;
+ }
+ }
+
+ public Pattern getCompiledPassiveRequestorEndpointConstraint() {
+ return compiledPassiveRequestorEndpointConstraint;
+ }
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/fd8dcda5/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationDAOJPAImpl.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationDAOJPAImpl.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationDAOJPAImpl.java
index 0cebe38..4829764 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationDAOJPAImpl.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationDAOJPAImpl.java
@@ -200,6 +200,7 @@ public class ApplicationDAOJPAImpl implements ApplicationDAO {
entity.setTokenType(application.getTokenType());
entity.setPolicyNamespace(application.getPolicyNamespace());
entity.setPassiveRequestorEndpoint(application.getPassiveRequestorEndpoint());
+ entity.setPassiveRequestorEndpointConstraint(application.getPassiveRequestorEndpointConstraint());
}
public static Application entity2domain(ApplicationEntity entity, List<String> expandList) {
@@ -215,6 +216,7 @@ public class ApplicationDAOJPAImpl implements ApplicationDAO {
application.setTokenType(entity.getTokenType());
application.setPolicyNamespace(entity.getPolicyNamespace());
application.setPassiveRequestorEndpoint(entity.getPassiveRequestorEndpoint());
+ application.setPassiveRequestorEndpointConstraint(entity.getPassiveRequestorEndpointConstraint());
if (expandList != null && (expandList.contains("all") || expandList.contains("claims"))) {
for (ApplicationClaimEntity item : entity.getRequestedClaims()) {
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/fd8dcda5/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationEntity.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationEntity.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationEntity.java
index c6af8b2..e450132 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationEntity.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/service/jpa/ApplicationEntity.java
@@ -81,6 +81,9 @@ public class ApplicationEntity {
private String policyNamespace;
private String passiveRequestorEndpoint;
+
+ // A regular expression constraint on the passiveRequestorEndpoint
+ private String passiveRequestorEndpointConstraint;
public int getId() {
@@ -178,5 +181,13 @@ public class ApplicationEntity {
public void setPassiveRequestorEndpoint(String passiveRequestorEndpoint) {
this.passiveRequestorEndpoint = passiveRequestorEndpoint;
}
+
+ public String getPassiveRequestorEndpointConstraint() {
+ return passiveRequestorEndpointConstraint;
+ }
+
+ public void setPassiveRequestorEndpointConstraint(String passiveRequestorEndpointConstraint) {
+ this.passiveRequestorEndpointConstraint = passiveRequestorEndpointConstraint;
+ }
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/fd8dcda5/services/idp/src/main/resources/entities-realma.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/resources/entities-realma.xml b/services/idp/src/main/resources/entities-realma.xml
index e28aa52..b76bf66 100644
--- a/services/idp/src/main/resources/entities-realma.xml
+++ b/services/idp/src/main/resources/entities-realma.xml
@@ -104,6 +104,8 @@
<property name="role" value="ApplicationServiceType" />
<property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
<property name="lifeTime" value="3600" />
+ <property name="passiveRequestorEndpointConstraint"
+ value="https://localhost:(\d)*/(\w)*helloworld(\w)*/secure/.*" />
</bean>
<bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/fd8dcda5/systests/federation/samlsso/src/test/resources/entities-realma.xml
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/src/test/resources/entities-realma.xml b/systests/federation/samlsso/src/test/resources/entities-realma.xml
index 04d9d52..86fd540 100644
--- a/systests/federation/samlsso/src/test/resources/entities-realma.xml
+++ b/systests/federation/samlsso/src/test/resources/entities-realma.xml
@@ -110,6 +110,8 @@
<property name="role" value="ApplicationServiceType" />
<property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
<property name="lifeTime" value="3600" />
+ <property name="passiveRequestorEndpointConstraint"
+ value="https://localhost:(\d)*/(\w)*helloworld(\w)*/secure/.*" />
</bean>
<bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/fd8dcda5/systests/federation/wsfed/src/test/resources/realma/entities-realma.xml
----------------------------------------------------------------------
diff --git a/systests/federation/wsfed/src/test/resources/realma/entities-realma.xml b/systests/federation/wsfed/src/test/resources/realma/entities-realma.xml
index a3e1a36..4cca3ec 100644
--- a/systests/federation/wsfed/src/test/resources/realma/entities-realma.xml
+++ b/systests/federation/wsfed/src/test/resources/realma/entities-realma.xml
@@ -98,6 +98,8 @@
<property name="role" value="ApplicationServiceType" />
<property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
<property name="lifeTime" value="3600" />
+ <property name="passiveRequestorEndpointConstraint"
+ value="https://localhost:(\d)*/(\w)*helloworld(\w)*/secure/.*" />
</bean>
<bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/fd8dcda5/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index 88ab429..de8efbf 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -19,21 +19,20 @@
package org.apache.cxf.fediz.integrationtests;
+import java.net.URLEncoder;
+
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import com.gargoylesoftware.htmlunit.CookieManager;
import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
-import com.gargoylesoftware.htmlunit.HttpMethod;
import com.gargoylesoftware.htmlunit.WebClient;
-import com.gargoylesoftware.htmlunit.WebRequest;
import com.gargoylesoftware.htmlunit.html.DomElement;
import com.gargoylesoftware.htmlunit.html.DomNodeList;
import com.gargoylesoftware.htmlunit.html.HtmlForm;
import com.gargoylesoftware.htmlunit.html.HtmlPage;
import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
-import com.gargoylesoftware.htmlunit.util.NameValuePair;
import com.gargoylesoftware.htmlunit.xml.XmlPage;
import java.net.URL;
@@ -620,43 +619,12 @@ public abstract class AbstractTests {
new UsernamePasswordCredentials(user, password));
webClient2.getOptions().setJavaScriptEnabled(false);
- final HtmlPage idpPage = webClient2.getPage(idpUrl);
- webClient2.getOptions().setJavaScriptEnabled(true);
- Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
-
- // Check that the form is to be posted to the malicious URL
- DomNodeList<DomElement> formResults = idpPage.getElementsByTagName("form");
- Assert.assertTrue(formResults.size() == 1);
- Assert.assertEquals(formResults.get(0).getAttributeNS(null, "action"), maliciousURL);
-
- // Parse the form to get the token (wresult)
- DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
-
- String wresult = null;
- for (DomElement result : results) {
- if ("wresult".equals(result.getAttributeNS(null, "name"))) {
- wresult = result.getAttributeNS(null, "value");
- }
- }
- Assert.assertNotNull(wresult);
-
- // 4. Now the malicious user has the token. Try to invoke on the endpoint
- final WebClient webClient3 = new WebClient();
- webClient3.getOptions().setUseInsecureSSL(true);
-
- WebRequest requestSettings = new WebRequest(new URL(url), HttpMethod.POST);
-
- requestSettings.setRequestParameters(new ArrayList<NameValuePair>());
- requestSettings.getRequestParameters().add(new NameValuePair("wa", "wsignin1.0"));
- requestSettings.getRequestParameters().add(new NameValuePair("wresult", wresult));
- requestSettings.getRequestParameters().add(new NameValuePair("wtrealm",
- "urn:org:apache:cxf:fediz:fedizhelloworld"));
-
try {
- rpPage = webClient3.getPage(url);
- Assert.fail("Exception expected");
+ webClient2.getPage(idpUrl);
+ Assert.fail("Failure expected on a bad wreply address");
} catch (FailingHttpStatusCodeException ex) {
- Assert.assertEquals(ex.getStatusCode(), 401);
+ Assert.assertEquals(ex.getStatusCode(), 400);
}
}
+
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/fd8dcda5/systests/tomcat7/src/test/resources/realma/entities-realma.xml
----------------------------------------------------------------------
diff --git a/systests/tomcat7/src/test/resources/realma/entities-realma.xml b/systests/tomcat7/src/test/resources/realma/entities-realma.xml
index 88a3c67..f947274 100644
--- a/systests/tomcat7/src/test/resources/realma/entities-realma.xml
+++ b/systests/tomcat7/src/test/resources/realma/entities-realma.xml
@@ -104,6 +104,8 @@
<property name="role" value="ApplicationServiceType" />
<property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
<property name="lifeTime" value="3600" />
+ <property name="passiveRequestorEndpointConstraint"
+ value="https://localhost:(\d)*/(\w)*helloworld(\w)*/secure/.*" />
</bean>
<bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
[6/6] cxf-fediz git commit: Fixing merge
Posted by co...@apache.org.
Fixing merge
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/85258b07
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/85258b07
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/85258b07
Branch: refs/heads/1.2.x-fixes
Commit: 85258b076209ff8df3d9bf72f67ec2977c7ca423
Parents: 5b6540d
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Jan 18 14:18:01 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Jan 18 14:18:01 2016 +0000
----------------------------------------------------------------------
.../integrationtests/AbstractAttackTests.java | 229 -------------------
.../fediz/integrationtests/AbstractTests.java | 124 +++++++++-
2 files changed, 113 insertions(+), 240 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/85258b07/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractAttackTests.java
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractAttackTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractAttackTests.java
deleted file mode 100644
index 69e3f50..0000000
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractAttackTests.java
+++ /dev/null
@@ -1,229 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.integrationtests;
-
-import java.net.URLEncoder;
-
-import org.apache.http.auth.AuthScope;
-import org.apache.http.auth.UsernamePasswordCredentials;
-import org.apache.wss4j.dom.WSSConfig;
-import org.junit.Assert;
-import org.junit.Test;
-
-import com.gargoylesoftware.htmlunit.CookieManager;
-import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
-import com.gargoylesoftware.htmlunit.WebClient;
-import com.gargoylesoftware.htmlunit.html.DomElement;
-import com.gargoylesoftware.htmlunit.html.DomNodeList;
-import com.gargoylesoftware.htmlunit.html.HtmlForm;
-import com.gargoylesoftware.htmlunit.html.HtmlPage;
-import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
-
-/**
- * Some negative/attack tests for the IdP/RP
- */
-public abstract class AbstractAttackTests {
-
- static final String TEST_WREQ =
- "<RequestSecurityToken xmlns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">"
- + "<TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV3.0</TokenType>"
- + "</RequestSecurityToken>";
-
- static {
- WSSConfig.init();
- }
-
- public AbstractAttackTests() {
- super();
- }
-
- public abstract String getServletContextName();
-
- public abstract String getIdpHttpsPort();
-
- public abstract String getRpHttpsPort();
-
- @Test
- public void testAliceModifiedSignature() throws Exception {
- String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
- + "/secure/fedservlet";
- String user = "alice";
- String password = "ecila";
-
- // Get the initial token
- CookieManager cookieManager = new CookieManager();
- final WebClient webClient = new WebClient();
- webClient.setCookieManager(cookieManager);
- webClient.getOptions().setUseInsecureSSL(true);
- webClient.getCredentialsProvider().setCredentials(
- new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
- new UsernamePasswordCredentials(user, password));
-
- webClient.getOptions().setJavaScriptEnabled(false);
- final HtmlPage idpPage = webClient.getPage(url);
- webClient.getOptions().setJavaScriptEnabled(true);
- Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
-
- // Parse the form to get the token (wresult)
- DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
-
- for (DomElement result : results) {
- if ("wresult".equals(result.getAttributeNS(null, "name"))) {
- // Now modify the Signature
- String value = result.getAttributeNS(null, "value");
- value = value.replace("alice", "bob");
- result.setAttributeNS(null, "value", value);
- }
- }
-
- // Invoke back on the RP
-
- final HtmlForm form = idpPage.getFormByName("signinresponseform");
- final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
-
- try {
- button.click();
- Assert.fail("Failure expected on a modified signature");
- } catch (FailingHttpStatusCodeException ex) {
- // expected
- Assert.assertTrue(ex.getMessage().contains("401 Unauthorized")
- || ex.getMessage().contains("401 Authentication Failed")
- || ex.getMessage().contains("403 Forbidden"));
- }
- }
-
- @Test
- public void testConcurrentRequests() throws Exception {
-
- String url1 = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
- String url2 = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/test.html";
- String user = "bob";
- String password = "bob";
-
- // Get the initial token
- CookieManager cookieManager = new CookieManager();
- final WebClient webClient = new WebClient();
- webClient.setCookieManager(cookieManager);
- webClient.getOptions().setUseInsecureSSL(true);
- webClient.getCredentialsProvider().setCredentials(
- new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
- new UsernamePasswordCredentials(user, password));
-
- webClient.getOptions().setJavaScriptEnabled(false);
- final HtmlPage idpPage1 = webClient.getPage(url1);
- final HtmlPage idpPage2 = webClient.getPage(url2);
- webClient.getOptions().setJavaScriptEnabled(true);
- Assert.assertEquals("IDP SignIn Response Form", idpPage1.getTitleText());
- Assert.assertEquals("IDP SignIn Response Form", idpPage2.getTitleText());
-
- // Invoke back on the page1 RP
- final HtmlForm form = idpPage1.getFormByName("signinresponseform");
- final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
- final HtmlPage rpPage1 = button.click();
- Assert.assertTrue("WS Federation Systests Examples".equals(rpPage1.getTitleText())
- || "WS Federation Systests Spring Examples".equals(rpPage1.getTitleText()));
-
- String bodyTextContent1 = rpPage1.getBody().getTextContent();
-
- Assert.assertTrue("Principal not " + user,
- bodyTextContent1.contains("userPrincipal=" + user));
-
- // Invoke back on the page2 RP
- final HtmlForm form2 = idpPage2.getFormByName("signinresponseform");
- final HtmlSubmitInput button2 = form2.getInputByName("_eventId_submit");
- final HtmlPage rpPage2 = button2.click();
- String bodyTextContent2 = rpPage2.getBody().getTextContent();
-
- Assert.assertTrue("Unexpected content of RP page", bodyTextContent2.contains("Secure Test"));
- }
-
- @org.junit.Test
- public void testMaliciousRedirect() throws Exception {
- String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
- String user = "alice";
- String password = "ecila";
-
- CookieManager cookieManager = new CookieManager();
-
- // 1. Login
- HTTPTestUtils.loginWithCookieManager(url, user, password, getIdpHttpsPort(), cookieManager);
-
- // 2. Now we should have a cookie from the RP and IdP and should be able to do
- // subsequent requests without authenticate again. Lets test this first.
- WebClient webClient = new WebClient();
- webClient.setCookieManager(cookieManager);
- webClient.getOptions().setUseInsecureSSL(true);
- HtmlPage rpPage = webClient.getPage(url);
- Assert.assertTrue("WS Federation Systests Examples".equals(rpPage.getTitleText())
- || "WS Federation Systests Spring Examples".equals(rpPage.getTitleText()));
-
- // 3. Now a malicious user sends the client a URL with a bad "wreply" address to the IdP
- String maliciousURL = "https://www.apache.org/attack";
- String idpUrl
- = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation";
- idpUrl += "?wa=wsignin1.0&wreply=" + URLEncoder.encode(maliciousURL, "UTF-8");
- idpUrl += "&wtrealm=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Afedizhelloworld";
- idpUrl += "&whr=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Aidp%3Arealm-A";
-
- final WebClient webClient2 = new WebClient();
- webClient2.setCookieManager(cookieManager);
- webClient2.getOptions().setUseInsecureSSL(true);
- webClient2.getCredentialsProvider().setCredentials(
- new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
- new UsernamePasswordCredentials(user, password));
-
- webClient2.getOptions().setJavaScriptEnabled(false);
- try {
- webClient2.getPage(idpUrl);
- Assert.fail("Failure expected on a bad wreply address");
- } catch (FailingHttpStatusCodeException ex) {
- Assert.assertEquals(ex.getStatusCode(), 400);
- }
- }
-
- // Send an unknown wreq value
- @org.junit.Test
- public void testBadWReq() throws Exception {
- String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
- url += "wa=wsignin1.0";
- url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
- url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld";
- String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
- url += "&wreply=" + wreply;
- url += "&wreq=" + URLEncoder.encode(TEST_WREQ, "UTF-8");
-
- String user = "alice";
- String password = "ecila";
-
- final WebClient webClient = new WebClient();
- webClient.getOptions().setUseInsecureSSL(true);
- webClient.getCredentialsProvider().setCredentials(
- new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
- new UsernamePasswordCredentials(user, password));
-
- webClient.getOptions().setJavaScriptEnabled(false);
- try {
- webClient.getPage(url);
- Assert.fail("Failure expected on a bad wreq value");
- } catch (FailingHttpStatusCodeException ex) {
- Assert.assertEquals(ex.getStatusCode(), 400);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/85258b07/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index 9fb3c06..27cdc98 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -19,6 +19,8 @@
package org.apache.cxf.fediz.integrationtests;
+import java.net.URLEncoder;
+
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -38,13 +40,13 @@ import org.apache.cxf.fediz.core.FederationConstants;
import org.apache.cxf.fediz.core.util.DOMUtils;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
-import org.apache.wss4j.dom.engine.WSSConfig;
+import org.apache.wss4j.dom.WSSConfig;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.junit.Assert;
import org.junit.Test;
-public abstract class AbstractTests extends AbstractAttackTests {
+public abstract class AbstractTests {
static final String TEST_WREQ =
"<RequestSecurityToken xmlns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">"
@@ -483,19 +485,17 @@ public abstract class AbstractTests extends AbstractAttackTests {
Assert.assertEquals(401, idpPage.getWebResponse().getStatusCode());
}
- @org.junit.Test
- public void testSuccessfulInvokeOnIdP() throws Exception {
- String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
- url += "wa=wsignin1.0";
- url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
- url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld";
- String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
- url += "&wreply=" + wreply;
-
+ @Test
+ public void testAliceModifiedSignature() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ + "/secure/fedservlet";
String user = "alice";
String password = "ecila";
+ // Get the initial token
+ CookieManager cookieManager = new CookieManager();
final WebClient webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
webClient.getOptions().setUseInsecureSSL(true);
webClient.getCredentialsProvider().setCredentials(
new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
@@ -505,8 +505,21 @@ public abstract class AbstractTests extends AbstractAttackTests {
final HtmlPage idpPage = webClient.getPage(url);
webClient.getOptions().setJavaScriptEnabled(true);
Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+ // Parse the form to get the token (wresult)
+ DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
+
+ for (DomElement result : results) {
+ if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+ // Now modify the Signature
+ String value = result.getAttributeNS(null, "value");
+ value = value.replace("alice", "bob");
+ result.setAttributeNS(null, "value", value);
+ }
+ }
// Invoke back on the RP
+
final HtmlForm form = idpPage.getFormByName("signinresponseform");
final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
@@ -521,4 +534,93 @@ public abstract class AbstractTests extends AbstractAttackTests {
}
}
+ @Test
+ public void testConcurrentRequests() throws Exception {
+
+ String url1 = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+ String url2 = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/test.html";
+ String user = "bob";
+ String password = "bob";
+
+ // Get the initial token
+ CookieManager cookieManager = new CookieManager();
+ final WebClient webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ final HtmlPage idpPage1 = webClient.getPage(url1);
+ final HtmlPage idpPage2 = webClient.getPage(url2);
+ webClient.getOptions().setJavaScriptEnabled(true);
+ Assert.assertEquals("IDP SignIn Response Form", idpPage1.getTitleText());
+ Assert.assertEquals("IDP SignIn Response Form", idpPage2.getTitleText());
+
+ // Invoke back on the page1 RP
+ final HtmlForm form = idpPage1.getFormByName("signinresponseform");
+ final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
+ final HtmlPage rpPage1 = button.click();
+ Assert.assertTrue("WS Federation Systests Examples".equals(rpPage1.getTitleText())
+ || "WS Federation Systests Spring Examples".equals(rpPage1.getTitleText()));
+
+ String bodyTextContent1 = rpPage1.getBody().getTextContent();
+
+ Assert.assertTrue("Principal not " + user,
+ bodyTextContent1.contains("userPrincipal=" + user));
+
+ // Invoke back on the page2 RP
+ final HtmlForm form2 = idpPage2.getFormByName("signinresponseform");
+ final HtmlSubmitInput button2 = form2.getInputByName("_eventId_submit");
+ final HtmlPage rpPage2 = button2.click();
+ String bodyTextContent2 = rpPage2.getBody().getTextContent();
+
+ Assert.assertTrue("Unexpected content of RP page", bodyTextContent2.contains("Secure Test"));
+ }
+
+ @org.junit.Test
+ public void testMaliciousRedirect() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+ String user = "alice";
+ String password = "ecila";
+
+ CookieManager cookieManager = new CookieManager();
+
+ // 1. Login
+ HTTPTestUtils.loginWithCookieManager(url, user, password, getIdpHttpsPort(), cookieManager);
+
+ // 2. Now we should have a cookie from the RP and IdP and should be able to do
+ // subsequent requests without authenticate again. Lets test this first.
+ WebClient webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ HtmlPage rpPage = webClient.getPage(url);
+ Assert.assertTrue("WS Federation Systests Examples".equals(rpPage.getTitleText())
+ || "WS Federation Systests Spring Examples".equals(rpPage.getTitleText()));
+
+ // 3. Now a malicious user sends the client a URL with a bad "wreply" address to the IdP
+ String maliciousURL = "https://www.apache.org/attack";
+ String idpUrl
+ = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation";
+ idpUrl += "?wa=wsignin1.0&wreply=" + URLEncoder.encode(maliciousURL, "UTF-8");
+ idpUrl += "&wtrealm=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Afedizhelloworld";
+ idpUrl += "&whr=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Aidp%3Arealm-A";
+
+ final WebClient webClient2 = new WebClient();
+ webClient2.setCookieManager(cookieManager);
+ webClient2.getOptions().setUseInsecureSSL(true);
+ webClient2.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient2.getOptions().setJavaScriptEnabled(false);
+ try {
+ webClient2.getPage(idpUrl);
+ Assert.fail("Failure expected on a bad wreply address");
+ } catch (FailingHttpStatusCodeException ex) {
+ Assert.assertEquals(ex.getStatusCode(), 400);
+ }
+ }
+
}
[5/6] cxf-fediz git commit: Updating Passive Requestor endpoint log
to warning
Posted by co...@apache.org.
Updating Passive Requestor endpoint log to warning
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/5b6540d4
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/5b6540d4
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/5b6540d4
Branch: refs/heads/1.2.x-fixes
Commit: 5b6540d4f2ef06972e349ce8d3f30d19c8f162e7
Parents: 8758c49
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Jan 18 13:40:59 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Jan 18 13:47:12 2016 +0000
----------------------------------------------------------------------
.../org/apache/cxf/fediz/service/idp/beans/STSClientAction.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/5b6540d4/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
index 1e316b1..3f9f6c6 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
@@ -307,7 +307,7 @@ public class STSClientAction {
private void validateApplicationEndpoint(Application serviceConfig, RequestContext context)
throws ProcessingException {
if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null) {
- LOG.info("No passive requestor endpoint constraint is configured for the application. "
+ LOG.warn("No passive requestor endpoint constraint is configured for the application. "
+ "This could lead to a malicious redirection attack");
return;
}
[3/6] cxf-fediz git commit: Fixing spring tests
Posted by co...@apache.org.
Fixing spring tests
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/ced3e763
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/ced3e763
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/ced3e763
Branch: refs/heads/1.2.x-fixes
Commit: ced3e76363b87da4ad59463f26c8fe12d341e1dd
Parents: fd8dcda
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Sat Nov 28 18:04:40 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Jan 18 13:44:00 2016 +0000
----------------------------------------------------------------------
services/idp/src/main/resources/entities-realma.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ced3e763/services/idp/src/main/resources/entities-realma.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/resources/entities-realma.xml b/services/idp/src/main/resources/entities-realma.xml
index b76bf66..995b92d 100644
--- a/services/idp/src/main/resources/entities-realma.xml
+++ b/services/idp/src/main/resources/entities-realma.xml
@@ -105,7 +105,7 @@
<property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
<property name="lifeTime" value="3600" />
<property name="passiveRequestorEndpointConstraint"
- value="https://localhost:(\d)*/(\w)*helloworld(\w)*/secure/.*" />
+ value="https://localhost:(\d)*/(\w)*helloworld(\w)*/.*" />
</bean>
<bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
[4/6] cxf-fediz git commit: Adding some tests
Posted by co...@apache.org.
Adding some tests
Conflicts:
systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/BadWReqTest.java
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/8758c493
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/8758c493
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/8758c493
Branch: refs/heads/1.2.x-fixes
Commit: 8758c4930a505b5c0f39d76e8b4977914eed077f
Parents: ced3e76
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Dec 14 16:36:49 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Jan 18 13:47:04 2016 +0000
----------------------------------------------------------------------
.../integrationtests/AbstractAttackTests.java | 229 +++++++++++++++++++
.../fediz/integrationtests/AbstractTests.java | 130 +----------
2 files changed, 241 insertions(+), 118 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/8758c493/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractAttackTests.java
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractAttackTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractAttackTests.java
new file mode 100644
index 0000000..69e3f50
--- /dev/null
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractAttackTests.java
@@ -0,0 +1,229 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.integrationtests;
+
+import java.net.URLEncoder;
+
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.UsernamePasswordCredentials;
+import org.apache.wss4j.dom.WSSConfig;
+import org.junit.Assert;
+import org.junit.Test;
+
+import com.gargoylesoftware.htmlunit.CookieManager;
+import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
+import com.gargoylesoftware.htmlunit.WebClient;
+import com.gargoylesoftware.htmlunit.html.DomElement;
+import com.gargoylesoftware.htmlunit.html.DomNodeList;
+import com.gargoylesoftware.htmlunit.html.HtmlForm;
+import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
+
+/**
+ * Some negative/attack tests for the IdP/RP
+ */
+public abstract class AbstractAttackTests {
+
+ static final String TEST_WREQ =
+ "<RequestSecurityToken xmlns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">"
+ + "<TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV3.0</TokenType>"
+ + "</RequestSecurityToken>";
+
+ static {
+ WSSConfig.init();
+ }
+
+ public AbstractAttackTests() {
+ super();
+ }
+
+ public abstract String getServletContextName();
+
+ public abstract String getIdpHttpsPort();
+
+ public abstract String getRpHttpsPort();
+
+ @Test
+ public void testAliceModifiedSignature() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ + "/secure/fedservlet";
+ String user = "alice";
+ String password = "ecila";
+
+ // Get the initial token
+ CookieManager cookieManager = new CookieManager();
+ final WebClient webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ final HtmlPage idpPage = webClient.getPage(url);
+ webClient.getOptions().setJavaScriptEnabled(true);
+ Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+ // Parse the form to get the token (wresult)
+ DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
+
+ for (DomElement result : results) {
+ if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+ // Now modify the Signature
+ String value = result.getAttributeNS(null, "value");
+ value = value.replace("alice", "bob");
+ result.setAttributeNS(null, "value", value);
+ }
+ }
+
+ // Invoke back on the RP
+
+ final HtmlForm form = idpPage.getFormByName("signinresponseform");
+ final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
+
+ try {
+ button.click();
+ Assert.fail("Failure expected on a modified signature");
+ } catch (FailingHttpStatusCodeException ex) {
+ // expected
+ Assert.assertTrue(ex.getMessage().contains("401 Unauthorized")
+ || ex.getMessage().contains("401 Authentication Failed")
+ || ex.getMessage().contains("403 Forbidden"));
+ }
+ }
+
+ @Test
+ public void testConcurrentRequests() throws Exception {
+
+ String url1 = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+ String url2 = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/test.html";
+ String user = "bob";
+ String password = "bob";
+
+ // Get the initial token
+ CookieManager cookieManager = new CookieManager();
+ final WebClient webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ final HtmlPage idpPage1 = webClient.getPage(url1);
+ final HtmlPage idpPage2 = webClient.getPage(url2);
+ webClient.getOptions().setJavaScriptEnabled(true);
+ Assert.assertEquals("IDP SignIn Response Form", idpPage1.getTitleText());
+ Assert.assertEquals("IDP SignIn Response Form", idpPage2.getTitleText());
+
+ // Invoke back on the page1 RP
+ final HtmlForm form = idpPage1.getFormByName("signinresponseform");
+ final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
+ final HtmlPage rpPage1 = button.click();
+ Assert.assertTrue("WS Federation Systests Examples".equals(rpPage1.getTitleText())
+ || "WS Federation Systests Spring Examples".equals(rpPage1.getTitleText()));
+
+ String bodyTextContent1 = rpPage1.getBody().getTextContent();
+
+ Assert.assertTrue("Principal not " + user,
+ bodyTextContent1.contains("userPrincipal=" + user));
+
+ // Invoke back on the page2 RP
+ final HtmlForm form2 = idpPage2.getFormByName("signinresponseform");
+ final HtmlSubmitInput button2 = form2.getInputByName("_eventId_submit");
+ final HtmlPage rpPage2 = button2.click();
+ String bodyTextContent2 = rpPage2.getBody().getTextContent();
+
+ Assert.assertTrue("Unexpected content of RP page", bodyTextContent2.contains("Secure Test"));
+ }
+
+ @org.junit.Test
+ public void testMaliciousRedirect() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+ String user = "alice";
+ String password = "ecila";
+
+ CookieManager cookieManager = new CookieManager();
+
+ // 1. Login
+ HTTPTestUtils.loginWithCookieManager(url, user, password, getIdpHttpsPort(), cookieManager);
+
+ // 2. Now we should have a cookie from the RP and IdP and should be able to do
+ // subsequent requests without authenticate again. Lets test this first.
+ WebClient webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ HtmlPage rpPage = webClient.getPage(url);
+ Assert.assertTrue("WS Federation Systests Examples".equals(rpPage.getTitleText())
+ || "WS Federation Systests Spring Examples".equals(rpPage.getTitleText()));
+
+ // 3. Now a malicious user sends the client a URL with a bad "wreply" address to the IdP
+ String maliciousURL = "https://www.apache.org/attack";
+ String idpUrl
+ = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation";
+ idpUrl += "?wa=wsignin1.0&wreply=" + URLEncoder.encode(maliciousURL, "UTF-8");
+ idpUrl += "&wtrealm=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Afedizhelloworld";
+ idpUrl += "&whr=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Aidp%3Arealm-A";
+
+ final WebClient webClient2 = new WebClient();
+ webClient2.setCookieManager(cookieManager);
+ webClient2.getOptions().setUseInsecureSSL(true);
+ webClient2.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient2.getOptions().setJavaScriptEnabled(false);
+ try {
+ webClient2.getPage(idpUrl);
+ Assert.fail("Failure expected on a bad wreply address");
+ } catch (FailingHttpStatusCodeException ex) {
+ Assert.assertEquals(ex.getStatusCode(), 400);
+ }
+ }
+
+ // Send an unknown wreq value
+ @org.junit.Test
+ public void testBadWReq() throws Exception {
+ String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
+ url += "wa=wsignin1.0";
+ url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
+ url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld";
+ String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+ url += "&wreply=" + wreply;
+ url += "&wreq=" + URLEncoder.encode(TEST_WREQ, "UTF-8");
+
+ String user = "alice";
+ String password = "ecila";
+
+ final WebClient webClient = new WebClient();
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ try {
+ webClient.getPage(url);
+ Assert.fail("Failure expected on a bad wreq value");
+ } catch (FailingHttpStatusCodeException ex) {
+ Assert.assertEquals(ex.getStatusCode(), 400);
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/8758c493/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index de8efbf..9fb3c06 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -19,8 +19,6 @@
package org.apache.cxf.fediz.integrationtests;
-import java.net.URLEncoder;
-
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -35,22 +33,18 @@ import com.gargoylesoftware.htmlunit.html.HtmlPage;
import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
import com.gargoylesoftware.htmlunit.xml.XmlPage;
-import java.net.URL;
-import java.net.URLEncoder;
-import java.util.ArrayList;
-
import org.apache.cxf.fediz.core.ClaimTypes;
import org.apache.cxf.fediz.core.FederationConstants;
import org.apache.cxf.fediz.core.util.DOMUtils;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
-import org.apache.wss4j.dom.WSSConfig;
+import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.junit.Assert;
import org.junit.Test;
-public abstract class AbstractTests {
+public abstract class AbstractTests extends AbstractAttackTests {
static final String TEST_WREQ =
"<RequestSecurityToken xmlns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">"
@@ -488,18 +482,20 @@ public abstract class AbstractTests {
Assert.assertEquals(401, idpPage.getWebResponse().getStatusCode());
}
-
- @Test
- public void testAliceModifiedSignature() throws Exception {
- String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
- + "/secure/fedservlet";
+
+ @org.junit.Test
+ public void testSuccessfulInvokeOnIdP() throws Exception {
+ String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
+ url += "wa=wsignin1.0";
+ url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
+ url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld";
+ String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+ url += "&wreply=" + wreply;
+
String user = "alice";
String password = "ecila";
- // Get the initial token
- CookieManager cookieManager = new CookieManager();
final WebClient webClient = new WebClient();
- webClient.setCookieManager(cookieManager);
webClient.getOptions().setUseInsecureSSL(true);
webClient.getCredentialsProvider().setCredentials(
new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
@@ -509,21 +505,8 @@ public abstract class AbstractTests {
final HtmlPage idpPage = webClient.getPage(url);
webClient.getOptions().setJavaScriptEnabled(true);
Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
-
- // Parse the form to get the token (wresult)
- DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
-
- for (DomElement result : results) {
- if ("wresult".equals(result.getAttributeNS(null, "name"))) {
- // Now modify the Signature
- String value = result.getAttributeNS(null, "value");
- value = value.replace("alice", "bob");
- result.setAttributeNS(null, "value", value);
- }
- }
// Invoke back on the RP
-
final HtmlForm form = idpPage.getFormByName("signinresponseform");
final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
@@ -538,93 +521,4 @@ public abstract class AbstractTests {
}
}
- @Test
- public void testConcurrentRequests() throws Exception {
-
- String url1 = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
- String url2 = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/test.html";
- String user = "bob";
- String password = "bob";
-
- // Get the initial token
- CookieManager cookieManager = new CookieManager();
- final WebClient webClient = new WebClient();
- webClient.setCookieManager(cookieManager);
- webClient.getOptions().setUseInsecureSSL(true);
- webClient.getCredentialsProvider().setCredentials(
- new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
- new UsernamePasswordCredentials(user, password));
-
- webClient.getOptions().setJavaScriptEnabled(false);
- final HtmlPage idpPage1 = webClient.getPage(url1);
- final HtmlPage idpPage2 = webClient.getPage(url2);
- webClient.getOptions().setJavaScriptEnabled(true);
- Assert.assertEquals("IDP SignIn Response Form", idpPage1.getTitleText());
- Assert.assertEquals("IDP SignIn Response Form", idpPage2.getTitleText());
-
- // Invoke back on the page1 RP
- final HtmlForm form = idpPage1.getFormByName("signinresponseform");
- final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
- final HtmlPage rpPage1 = button.click();
- Assert.assertTrue("WS Federation Systests Examples".equals(rpPage1.getTitleText())
- || "WS Federation Systests Spring Examples".equals(rpPage1.getTitleText()));
-
- String bodyTextContent1 = rpPage1.getBody().getTextContent();
-
- Assert.assertTrue("Principal not " + user,
- bodyTextContent1.contains("userPrincipal=" + user));
-
- // Invoke back on the page2 RP
- final HtmlForm form2 = idpPage2.getFormByName("signinresponseform");
- final HtmlSubmitInput button2 = form2.getInputByName("_eventId_submit");
- final HtmlPage rpPage2 = button2.click();
- String bodyTextContent2 = rpPage2.getBody().getTextContent();
-
- Assert.assertTrue("Unexpected content of RP page", bodyTextContent2.contains("Secure Test"));
- }
-
- @org.junit.Test
- public void testMaliciousRedirect() throws Exception {
- String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
- String user = "alice";
- String password = "ecila";
-
- CookieManager cookieManager = new CookieManager();
-
- // 1. Login
- HTTPTestUtils.loginWithCookieManager(url, user, password, getIdpHttpsPort(), cookieManager);
-
- // 2. Now we should have a cookie from the RP and IdP and should be able to do
- // subsequent requests without authenticate again. Lets test this first.
- WebClient webClient = new WebClient();
- webClient.setCookieManager(cookieManager);
- webClient.getOptions().setUseInsecureSSL(true);
- HtmlPage rpPage = webClient.getPage(url);
- Assert.assertTrue("WS Federation Systests Examples".equals(rpPage.getTitleText())
- || "WS Federation Systests Spring Examples".equals(rpPage.getTitleText()));
-
- // 3. Now a malicious user sends the client a URL with a bad "wreply" address to the IdP
- String maliciousURL = "https://www.apache.org/attack";
- String idpUrl
- = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation";
- idpUrl += "?wa=wsignin1.0&wreply=" + URLEncoder.encode(maliciousURL, "UTF-8");
- idpUrl += "&wtrealm=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Afedizhelloworld";
- idpUrl += "&whr=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Aidp%3Arealm-A";
-
- final WebClient webClient2 = new WebClient();
- webClient2.setCookieManager(cookieManager);
- webClient2.getOptions().setUseInsecureSSL(true);
- webClient2.getCredentialsProvider().setCredentials(
- new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
- new UsernamePasswordCredentials(user, password));
-
- webClient2.getOptions().setJavaScriptEnabled(false);
- try {
- webClient2.getPage(idpUrl);
- Assert.fail("Failure expected on a bad wreply address");
- } catch (FailingHttpStatusCodeException ex) {
- Assert.assertEquals(ex.getStatusCode(), 400);
- }
- }
-
}