Posted to commits@cxf.apache.org by co...@apache.org on 2017/10/06 16:49:36 UTC

[cxf-fediz] branch 1.3.x-fixes updated: Porting fix to spring2

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 1.3.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git


The following commit(s) were added to refs/heads/1.3.x-fixes by this push:
     new 509b1d0  Porting fix to spring2
509b1d0 is described below

commit 509b1d0b9919beeefeff255e231cba9f26b04c95
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Oct 6 17:48:57 2017 +0100

    Porting fix to spring2
---
 .../spring/web/FederationAuthenticationFilter.java    | 19 ++++++++++++-------
 .../cxf/fediz/integrationtests/Spring2Test.java       |  7 +++++++
 2 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
index 154aab1..d531fde 100644
--- a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
+++ b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
@@ -134,14 +134,19 @@ public class FederationAuthenticationFilter extends AbstractProcessingFilter {
     
     private void verifySavedState(HttpServletRequest request) {
         HttpSession session = request.getSession(false);
-        if (session != null) {
-            String savedContext = (String)session.getAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
-            String state = getState(request);
-            if (savedContext != null && !savedContext.equals(state)) {
-                logger.warn("The received state does not match the state saved in the context");
-                throw new BadCredentialsException("The received state does not match the state saved in the context");
-            }
+
+        if (session == null) {
+            logger.warn("The received state does not match the state saved in the context");
+            throw new BadCredentialsException("The received state does not match the state saved in the context");
+        }
+
+        String savedContext = (String)session.getAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
+        String state = getState(request);
+        if (savedContext == null || !savedContext.equals(state)) {
+            logger.warn("The received state does not match the state saved in the context");
+            throw new BadCredentialsException("The received state does not match the state saved in the context");
         }
+        session.removeAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
     }
     
     private String getState(ServletRequest request) {
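Review bot: The `session == null` branch at the top of verifySavedState logs and throws with the same "state does not match" message as the real mismatch branch, so an operator reading the log cannot tell a lost or expired session (the cookie did not come back) from a genuine state/CSRF mismatch. Giving that branch its own text, e.g. `logger.warn("No session found, so the received state cannot be verified against the saved context");`, keeps the fail-closed behaviour while making the two failure modes distinguishable in detection and incident review. The `savedContext == null` case is likewise folded into the mismatch message; a short comment such as `// fail closed: a missing saved context is treated like a mismatch` would record that this is deliberate. Removing SAVED_CONTEXT after a successful check is the right single-use handling; a comment noting that the attribute is intentionally one-shot would save the next reader from "fixing" it. getState, which begins on the last hunk line, continues outside the hunk.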
diff --git a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
index cd68992..083300d 100644
--- a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
+++ b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
@@ -258,4 +258,11 @@ public class Spring2Test extends AbstractTests {
         csrfAttackTest(url);
     }
     
+    @Override
+    @org.junit.Test
+    public void testCSRFAttack2() throws Exception {
+        String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+            + "/j_spring_fediz_security_check";
+        csrfAttackTest2(url);
+    }
 }
