Posted to commits@cxf.apache.org by co...@apache.org on 2017/10/06 16:49:36 UTC
[cxf-fediz] branch 1.3.x-fixes updated: Porting fix to spring2
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 1.3.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
The following commit(s) were added to refs/heads/1.3.x-fixes by this push:
new 509b1d0 Porting fix to spring2
509b1d0 is described below
commit 509b1d0b9919beeefeff255e231cba9f26b04c95
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Oct 6 17:48:57 2017 +0100
Porting fix to spring2
---
.../spring/web/FederationAuthenticationFilter.java | 19 ++++++++++++-------
.../cxf/fediz/integrationtests/Spring2Test.java | 7 +++++++
2 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
index 154aab1..d531fde 100644
--- a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
+++ b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
@@ -134,14 +134,19 @@ public class FederationAuthenticationFilter extends AbstractProcessingFilter {
private void verifySavedState(HttpServletRequest request) {
HttpSession session = request.getSession(false);
- if (session != null) {
- String savedContext = (String)session.getAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
- String state = getState(request);
- if (savedContext != null && !savedContext.equals(state)) {
- logger.warn("The received state does not match the state saved in the context");
- throw new BadCredentialsException("The received state does not match the state saved in the context");
- }
+
+ if (session == null) {
+ logger.warn("The received state does not match the state saved in the context");
+ throw new BadCredentialsException("The received state does not match the state saved in the context");
+ }
+
+ String savedContext = (String)session.getAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
+ String state = getState(request);
+ if (savedContext == null || !savedContext.equals(state)) {
+ logger.warn("The received state does not match the state saved in the context");
+ throw new BadCredentialsException("The received state does not match the state saved in the context");
}
+ session.removeAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
}
private String getState(ServletRequest request) {
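Review bot: The `session == null` branch logs and throws "The received state does not match the state saved in the context", which is not what happened in that branch — no session exists, so there was no saved state to compare against; during incident triage this makes a missing-session failure indistinguishable from a genuine state mismatch. I would give that branch its own wording, e.g. `logger.warn("No session found, so the received state cannot be verified against a saved state");`, and likewise distinguish the `savedContext == null` case in the log line (the exception message can stay generic since it may reach the client). The comparison `savedContext.equals(state)` is an early-exit string compare of what appears to be an anti-CSRF nonce; if it is meant to be a secret value, a constant-time check such as `MessageDigest.isEqual(savedContext.getBytes(StandardCharsets.UTF_8), state.getBytes(StandardCharsets.UTF_8))` (with a null guard on `state`) is the safer habit, though the practical exposure here is likely small. Removing `SAVED_CONTEXT` only on success is reasonable since a failed attempt throws, but a one-line comment stating that the attribute is single-use on purpose would help the next reader, e.g. `// Consume the saved state so a captured response cannot be replayed against this session`. The hunk's trailing context is the start of `getState`, whose body is outside this hunk.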
diff --git a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
index cd68992..083300d 100644
--- a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
+++ b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
@@ -258,4 +258,11 @@ public class Spring2Test extends AbstractTests {
csrfAttackTest(url);
}
+ @Override
+ @org.junit.Test
+ public void testCSRFAttack2() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ + "/j_spring_fediz_security_check";
+ csrfAttackTest2(url);
+ }
}