From cohei...@apache.org
Subject [2/2] cxf-fediz git commit: Some test reshuffling
Date Mon, 18 Jan 2016 17:26:52 GMT
Some test reshuffling


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/ca843877
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/ca843877
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/ca843877

Branch: refs/heads/master
Commit: ca843877ff476d45a0981cef5f4bad34f6d738ce
Parents: c330c42
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon Jan 18 17:09:49 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon Jan 18 17:26:46 2016 +0000

----------------------------------------------------------------------
 systests/cxf/pom.xml                            |   1 +
 .../apache/cxf/fediz/systests/idp/IdpTest.java  |   4 +-
 systests/jetty8/pom.xml                         |   1 +
 systests/jetty9/pom.xml                         |   1 +
 systests/spring/pom.xml                         |   1 +
 .../cxf/fediz/integrationtests/Spring2Test.java |   8 +-
 .../fediz/integrationtests/AbstractTests.java   |  57 +++++
 systests/tests/src/test/resources/entity.xml    |  25 ++
 systests/tomcat7/pom.xml                        |   1 +
 .../EntityExpansionAttackTest.java              | 247 -------------------
 systests/tomcat7/src/test/resources/entity.xml  |  25 --
 systests/tomcat8/pom.xml                        |   1 +
 .../EntityExpansionAttackTest.java              | 247 -------------------
 systests/tomcat8/src/test/resources/entity.xml  |  25 --
 14 files changed, 96 insertions(+), 548 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/cxf/pom.xml
----------------------------------------------------------------------
diff --git a/systests/cxf/pom.xml b/systests/cxf/pom.xml
index 8d00ae0..c8cf93d 100644
--- a/systests/cxf/pom.xml
+++ b/systests/cxf/pom.xml
@@ -92,6 +92,7 @@
             <version>${project.version}</version>
             <type>test-jar</type>
             <scope>test</scope>
+            <classifier>tests</classifier>
        </dependency>
        <dependency>
             <groupId>org.apache.tomcat.embed</groupId>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index 3947229..601d7c7 100644
--- a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -20,7 +20,6 @@
 package org.apache.cxf.fediz.systests.idp;
 
 import java.io.File;
-import java.io.FileInputStream;
 import java.net.URLEncoder;
 
 import org.w3c.dom.Document;
@@ -294,8 +293,7 @@ public class IdpTest {
         String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ "/secure/fedservlet";
         url += "&wreply=" + wreply;
 
-        FileInputStream is = new FileInputStream("src/test/resources/entity_wreq.xml");
-        String entity = IOUtils.toString(is);
+        String entity = IOUtils.toString(this.getClass().getClassLoader().getResource("entity_wreq.xml").openStream());
         String validWreq =
             "<RequestSecurityToken xmlns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">"
             + "<TokenType>&m;http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType>"
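Review bot: The new `IOUtils.toString(this.getClass().getClassLoader().getResource("entity_wreq.xml").openStream())` line opens a classpath stream that is never closed, and the single-argument `IOUtils.toString(InputStream)` decodes with the platform default charset; the removed FileInputStream had the same leak, so the commit moves it rather than fixes it. `getResource(...)` also returns null when the file is missing from the test classpath, which surfaces as a NullPointerException instead of a readable assertion failure. Suggest `String entity;` followed by `try (InputStream is = this.getClass().getClassLoader().getResourceAsStream("entity_wreq.xml")) { Assert.assertNotNull("entity_wreq.xml missing from test classpath", is); entity = IOUtils.toString(is, "UTF-8"); }`, which needs `java.io.InputStream` imported in place of the dropped FileInputStream. The same pattern is introduced in the AbstractTests hunk (testEntityExpansionAttack, reading `entity.xml`). The enclosing test method starts before and continues after this hunk.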

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/jetty8/pom.xml
----------------------------------------------------------------------
diff --git a/systests/jetty8/pom.xml b/systests/jetty8/pom.xml
index 7d7badd..6d85a6e 100644
--- a/systests/jetty8/pom.xml
+++ b/systests/jetty8/pom.xml
@@ -80,6 +80,7 @@
             <version>${project.version}</version>
             <type>test-jar</type>
             <scope>test</scope>
+            <classifier>tests</classifier>
         </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/jetty9/pom.xml
----------------------------------------------------------------------
diff --git a/systests/jetty9/pom.xml b/systests/jetty9/pom.xml
index 5e2c126..80fa755 100644
--- a/systests/jetty9/pom.xml
+++ b/systests/jetty9/pom.xml
@@ -74,6 +74,7 @@
             <version>${project.version}</version>
             <type>test-jar</type>
             <scope>test</scope>
+            <classifier>tests</classifier>
         </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/spring/pom.xml
----------------------------------------------------------------------
diff --git a/systests/spring/pom.xml b/systests/spring/pom.xml
index 9cb2940..54ad159 100644
--- a/systests/spring/pom.xml
+++ b/systests/spring/pom.xml
@@ -88,6 +88,7 @@
             <version>${project.version}</version>
             <type>test-jar</type>            
             <scope>test</scope>
+            <classifier>tests</classifier>
         </dependency>
         <dependency>
             <groupId>org.hsqldb</groupId>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
----------------------------------------------------------------------
diff --git a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
index 8d52ffc..86a928f 100644
--- a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
+++ b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
@@ -210,7 +210,6 @@ public class Spring2Test extends AbstractTests {
         
     }
     
-    // Getting 500 error code here
     @Override
     @Test
     public void testAliceModifiedSignature() throws Exception {
@@ -261,4 +260,11 @@ public class Spring2Test extends AbstractTests {
         }
 
     }
+    
+    @Override
+    @Test
+    @Ignore
+    public void testEntityExpansionAttack() throws Exception {
+
+    }
 }
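Review bot: The added `testEntityExpansionAttack` override is annotated `@Ignore` with no message, so the Spring RP silently opts out of the entity-expansion regression that AbstractTests now runs for every other container, and nothing in the diff records why. `@Ignore` accepts a reason string; use it so the skip is visible in the test report, e.g. `@Ignore("TODO: state why the Spring RP is excluded from the entity expansion check")` with the placeholder replaced by the actual cause. Since the body is empty, a one-line comment such as `// intentionally empty: see @Ignore reason` would also stop a reader from mistaking it for an unfinished test.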

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index baa4ee0..05d7c1c 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -35,6 +35,7 @@ import com.gargoylesoftware.htmlunit.html.HtmlPage;
 import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
 import com.gargoylesoftware.htmlunit.xml.XmlPage;
 
+import org.apache.commons.io.IOUtils;
 import org.apache.cxf.fediz.core.ClaimTypes;
 import org.apache.cxf.fediz.core.FederationConstants;
 import org.apache.cxf.fediz.core.util.DOMUtils;
@@ -639,4 +640,60 @@ public abstract class AbstractTests {
         }
         webClient2.close();
     }
+    
+    @Test
+    public void testEntityExpansionAttack() throws Exception {
+        String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
+        String user = "alice";
+        String password = "ecila";
+        
+        // Get the initial token
+        CookieManager cookieManager = new CookieManager();
+        final WebClient webClient = new WebClient();
+        webClient.setCookieManager(cookieManager);
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getCredentialsProvider().setCredentials(
+            new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+            new UsernamePasswordCredentials(user, password));
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+        final HtmlPage idpPage = webClient.getPage(url);
+        webClient.getOptions().setJavaScriptEnabled(true);
+        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+        // Parse the form to get the token (wresult)
+        DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
+
+        String entity = IOUtils.toString(this.getClass().getClassLoader().getResource("entity.xml").openStream());
+        String reference = "&m;";
+        
+        for (DomElement result : results) {
+            if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+                // Now modify the Signature
+                String value = result.getAttributeNS(null, "value");
+                value = entity + value;
+                value = value.replace("alice", reference);
+                result.setAttributeNS(null, "value", value);
+            }
+        }
+        
+        // Invoke back on the RP
+        
+        final HtmlForm form = idpPage.getFormByName("signinresponseform");
+        final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
+
+        try {
+            button.click();
+            Assert.fail("Failure expected on an entity expansion attack");
+        } catch (FailingHttpStatusCodeException ex) {
+            ex.printStackTrace();
+            // expected
+            Assert.assertTrue(ex.getMessage().contains("401 Unauthorized")
+                              || ex.getMessage().contains("401 Authentication Failed")
+                              || ex.getMessage().contains("403 Forbidden"));
+        }
+
+        webClient.close();
+    }
+    
 }
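Review bot: In the new testEntityExpansionAttack, `ex.printStackTrace();` in the catch block prints a full stack trace on the expected path of every run, and `webClient.close();` is skipped whenever `Assert.fail` or the `Assert.assertTrue` throws, so the client leaks in exactly the failing case. The tomcat copies this test replaces did not print the trace (compare the deleted EntityExpansionAttackTest body), so this looks like leftover debugging. Drop the `ex.printStackTrace();` line and move `webClient.close();` into a `finally` attached to the existing try/catch (or open the client in a try-with-resources if the HtmlUnit version in use makes WebClient AutoCloseable). A one-line comment above the catch such as `// the RP must reject a wresult that carries a DOCTYPE; 401 and 403 both count as rejection` would also say what the status-code check is guarding.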

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/tests/src/test/resources/entity.xml
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/resources/entity.xml b/systests/tests/src/test/resources/entity.xml
new file mode 100644
index 0000000..373b575
--- /dev/null
+++ b/systests/tests/src/test/resources/entity.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE RequestSecurityTokenResponseCollection
[<!ENTITY a "1234567890" > 
+
+<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;" > 
+
+<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;" > 
+
+<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;" > 
+
+<!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;" > 
+
+<!ENTITY f "&e;&e;&e;&e;&e;&e;&e;&e;" > 
+
+<!ENTITY g "&f;&f;&f;&f;&f;&f;&f;&f;" > 
+
+<!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;" > 
+
+<!ENTITY i "&h;&h;&h;&h;&h;&h;&h;&h;" > 
+
+<!ENTITY j "&i;&i;&i;&i;&i;&i;&i;&i;" > 
+
+<!ENTITY k "&j;&j;&j;&j;&j;&j;&j;&j;" > 
+
+<!ENTITY l "&k;&k;&k;&k;&k;&k;&k;&k;" > 
+
+<!ENTITY m "&l;&l;&l;&l;&l;&l;&l;&l;" > ]>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/tomcat7/pom.xml
----------------------------------------------------------------------
diff --git a/systests/tomcat7/pom.xml b/systests/tomcat7/pom.xml
index 18c311c..87e70fd 100644
--- a/systests/tomcat7/pom.xml
+++ b/systests/tomcat7/pom.xml
@@ -76,6 +76,7 @@
             <version>${project.version}</version>
             <type>test-jar</type>
             <scope>test</scope>
+            <classifier>tests</classifier>
         </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/EntityExpansionAttackTest.java
----------------------------------------------------------------------
diff --git a/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/EntityExpansionAttackTest.java
b/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/EntityExpansionAttackTest.java
deleted file mode 100644
index 4db1f94..0000000
--- a/systests/tomcat7/src/test/java/org/apache/cxf/fediz/integrationtests/EntityExpansionAttackTest.java
+++ /dev/null
@@ -1,247 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.integrationtests;
-
-
-import java.io.File;
-import java.io.FileInputStream;
-
-import com.gargoylesoftware.htmlunit.CookieManager;
-import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
-import com.gargoylesoftware.htmlunit.WebClient;
-import com.gargoylesoftware.htmlunit.html.DomElement;
-import com.gargoylesoftware.htmlunit.html.DomNodeList;
-import com.gargoylesoftware.htmlunit.html.HtmlForm;
-import com.gargoylesoftware.htmlunit.html.HtmlPage;
-import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
-
-import org.apache.catalina.Context;
-import org.apache.catalina.LifecycleState;
-import org.apache.catalina.connector.Connector;
-import org.apache.catalina.startup.Tomcat;
-import org.apache.commons.io.IOUtils;
-import org.apache.cxf.fediz.tomcat7.FederationAuthenticator;
-import org.apache.http.auth.AuthScope;
-import org.apache.http.auth.UsernamePasswordCredentials;
-import org.junit.AfterClass;
-import org.junit.Assert;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-public class EntityExpansionAttackTest {
-
-    static String idpHttpsPort;
-    static String rpHttpsPort;
-    
-    private static Tomcat idpServer;
-    private static Tomcat rpServer;
-    
-    @BeforeClass
-    public static void init() {
-        System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog");
-        System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true");
-        System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info");
-        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient",
"info");
-        System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow",
"info");
-        System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web",
"info");
-        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz",
"info");
-        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info");
 
-        
-        idpHttpsPort = System.getProperty("idp.https.port");
-        Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort);
-        rpHttpsPort = System.getProperty("rp.https.port");
-        Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort);
-
-        initIdp();
-        initRp();
-    }
-    
-    private static void initIdp() {
-        try {
-            idpServer = new Tomcat();
-            idpServer.setPort(0);
-            String currentDir = new File(".").getCanonicalPath();
-            idpServer.setBaseDir(currentDir + File.separator + "target");
-            
-            idpServer.getHost().setAppBase("tomcat/idp/webapps");
-            idpServer.getHost().setAutoDeploy(true);
-            idpServer.getHost().setDeployOnStartup(true);
-            
-            Connector httpsConnector = new Connector();
-            httpsConnector.setPort(Integer.parseInt(idpHttpsPort));
-            httpsConnector.setSecure(true);
-            httpsConnector.setScheme("https");
-            //httpsConnector.setAttribute("keyAlias", keyAlias);
-            httpsConnector.setAttribute("keystorePass", "tompass");
-            httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
-            httpsConnector.setAttribute("truststorePass", "tompass");
-            httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
-            httpsConnector.setAttribute("clientAuth", "want");
-            // httpsConnector.setAttribute("clientAuth", "false");
-            httpsConnector.setAttribute("sslProtocol", "TLS");
-            httpsConnector.setAttribute("SSLEnabled", true);
-
-            idpServer.getService().addConnector(httpsConnector);
-            
-            idpServer.addWebapp("/fediz-idp-sts", "fediz-idp-sts");
-            idpServer.addWebapp("/fediz-idp", "fediz-idp");
-            
-            idpServer.start();
-        } catch (Exception e) {
-            e.printStackTrace();
-        }
-    }
-    
-    private static void initRp() {
-        try {
-            rpServer = new Tomcat();
-            rpServer.setPort(0);
-            String currentDir = new File(".").getCanonicalPath();
-            rpServer.setBaseDir(currentDir + File.separator + "target");
-            
-            rpServer.getHost().setAppBase("tomcat/rp/webapps");
-            rpServer.getHost().setAutoDeploy(true);
-            rpServer.getHost().setDeployOnStartup(true);
-            
-            Connector httpsConnector = new Connector();
-            httpsConnector.setPort(Integer.parseInt(rpHttpsPort));
-            httpsConnector.setSecure(true);
-            httpsConnector.setScheme("https");
-            //httpsConnector.setAttribute("keyAlias", keyAlias);
-            httpsConnector.setAttribute("keystorePass", "tompass");
-            httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
-            httpsConnector.setAttribute("truststorePass", "tompass");
-            httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
-            // httpsConnector.setAttribute("clientAuth", "false");
-            httpsConnector.setAttribute("clientAuth", "want");
-            httpsConnector.setAttribute("sslProtocol", "TLS");
-            httpsConnector.setAttribute("SSLEnabled", true);
-
-            rpServer.getService().addConnector(httpsConnector);
-            
-            //Context ctx =
-            Context cxt = rpServer.addWebapp("/fedizhelloworld", "simpleWebapp");
-            FederationAuthenticator fa = new FederationAuthenticator();
-            fa.setConfigFile(currentDir + File.separator + "target" + File.separator
-                             + "test-classes" + File.separator + "fediz_config_wreq.xml");
-            cxt.getPipeline().addValve(fa);
-            
-            
-            rpServer.start();
-        } catch (Exception e) {
-            e.printStackTrace();
-        }
-    }
-    
-    @AfterClass
-    public static void cleanup() {
-        try {
-            if (idpServer.getServer() != null
-                && idpServer.getServer().getState() != LifecycleState.DESTROYED)
{
-                if (idpServer.getServer().getState() != LifecycleState.STOPPED) {
-                    idpServer.stop();
-                }
-                idpServer.destroy();
-            }
-        } catch (Exception e) {
-            e.printStackTrace();
-        }
-
-        try {
-            if (rpServer.getServer() != null
-                && rpServer.getServer().getState() != LifecycleState.DESTROYED) {
-                if (rpServer.getServer().getState() != LifecycleState.STOPPED) {
-                    rpServer.stop();
-                }
-                rpServer.destroy();
-            }
-        } catch (Exception e) {
-            e.printStackTrace();
-        }
-    }
-
-    public String getIdpHttpsPort() {
-        return idpHttpsPort;
-    }
-
-    public String getRpHttpsPort() {
-        return rpHttpsPort;
-    }
-    
-    public String getServletContextName() {
-        return "fedizhelloworld";
-    }
-    
-    @Test
-    public void testEntityExpansionAttack() throws Exception {
-        String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
-        String user = "alice";
-        String password = "ecila";
-        
-        // Get the initial token
-        CookieManager cookieManager = new CookieManager();
-        final WebClient webClient = new WebClient();
-        webClient.setCookieManager(cookieManager);
-        webClient.getOptions().setUseInsecureSSL(true);
-        webClient.getCredentialsProvider().setCredentials(
-            new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
-            new UsernamePasswordCredentials(user, password));
-
-        webClient.getOptions().setJavaScriptEnabled(false);
-        final HtmlPage idpPage = webClient.getPage(url);
-        webClient.getOptions().setJavaScriptEnabled(true);
-        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
-
-        // Parse the form to get the token (wresult)
-        DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
-
-        FileInputStream is = new FileInputStream("src/test/resources/entity.xml");
-        String entity = IOUtils.toString(is);
-        String reference = "&m;";
-        
-        for (DomElement result : results) {
-            if ("wresult".equals(result.getAttributeNS(null, "name"))) {
-                // Now modify the Signature
-                String value = result.getAttributeNS(null, "value");
-                value = entity + value;
-                value = value.replace("alice", reference);
-                result.setAttributeNS(null, "value", value);
-            }
-        }
-        
-        // Invoke back on the RP
-        
-        final HtmlForm form = idpPage.getFormByName("signinresponseform");
-        final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
-
-        try {
-            button.click();
-            Assert.fail("Failure expected on an entity expansion attack");
-        } catch (FailingHttpStatusCodeException ex) {
-            // expected
-            Assert.assertTrue(ex.getMessage().contains("401 Unauthorized")
-                              || ex.getMessage().contains("401 Authentication Failed")
-                              || ex.getMessage().contains("403 Forbidden"));
-        }
-
-        webClient.close();
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/tomcat7/src/test/resources/entity.xml
----------------------------------------------------------------------
diff --git a/systests/tomcat7/src/test/resources/entity.xml b/systests/tomcat7/src/test/resources/entity.xml
deleted file mode 100644
index c0ff502..0000000
--- a/systests/tomcat7/src/test/resources/entity.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE RequestSecurityTokenResponseCollection
[<!ENTITY a "1234567890" > 
-
-<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;" > 
-
-<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;" > 
-
-<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;" > 
-
-<!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;" > 
-
-<!ENTITY f "&e;&e;&e;&e;&e;&e;&e;&e;" > 
-
-<!ENTITY g "&f;&f;&f;&f;&f;&f;&f;&f;" > 
-
-<!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;" > 
-
-<!ENTITY i "&h;&h;&h;&h;&h;&h;&h;&h;" > 
-
-<!ENTITY j "&i;&i;&i;&i;&i;&i;&i;&i;" > 
-
-<!ENTITY k "&j;&j;&j;&j;&j;&j;&j;&j;" > 
-
-<!ENTITY l "&k;&k;&k;&k;&k;&k;&k;&k;" > 
-
-<!ENTITY m "&l;&l;&l;&l;&l;&l;&l;&l;" > ]>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/tomcat8/pom.xml
----------------------------------------------------------------------
diff --git a/systests/tomcat8/pom.xml b/systests/tomcat8/pom.xml
index 71762f4..ebbbfe2 100644
--- a/systests/tomcat8/pom.xml
+++ b/systests/tomcat8/pom.xml
@@ -76,6 +76,7 @@
             <version>${project.version}</version>
             <type>test-jar</type>
             <scope>test</scope>
+            <classifier>tests</classifier>
         </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/tomcat8/src/test/java/org/apache/cxf/fediz/integrationtests/EntityExpansionAttackTest.java
----------------------------------------------------------------------
diff --git a/systests/tomcat8/src/test/java/org/apache/cxf/fediz/integrationtests/EntityExpansionAttackTest.java
b/systests/tomcat8/src/test/java/org/apache/cxf/fediz/integrationtests/EntityExpansionAttackTest.java
deleted file mode 100644
index 1758e0c..0000000
--- a/systests/tomcat8/src/test/java/org/apache/cxf/fediz/integrationtests/EntityExpansionAttackTest.java
+++ /dev/null
@@ -1,247 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.integrationtests;
-
-
-import java.io.File;
-import java.io.FileInputStream;
-
-import com.gargoylesoftware.htmlunit.CookieManager;
-import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
-import com.gargoylesoftware.htmlunit.WebClient;
-import com.gargoylesoftware.htmlunit.html.DomElement;
-import com.gargoylesoftware.htmlunit.html.DomNodeList;
-import com.gargoylesoftware.htmlunit.html.HtmlForm;
-import com.gargoylesoftware.htmlunit.html.HtmlPage;
-import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
-
-import org.apache.catalina.Context;
-import org.apache.catalina.LifecycleState;
-import org.apache.catalina.connector.Connector;
-import org.apache.catalina.startup.Tomcat;
-import org.apache.commons.io.IOUtils;
-import org.apache.cxf.fediz.tomcat8.FederationAuthenticator;
-import org.apache.http.auth.AuthScope;
-import org.apache.http.auth.UsernamePasswordCredentials;
-import org.junit.AfterClass;
-import org.junit.Assert;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-public class EntityExpansionAttackTest {
-
-    static String idpHttpsPort;
-    static String rpHttpsPort;
-    
-    private static Tomcat idpServer;
-    private static Tomcat rpServer;
-    
-    @BeforeClass
-    public static void init() {
-        System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog");
-        System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true");
-        System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info");
-        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient",
"info");
-        System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow",
"info");
-        System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web",
"info");
-        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz",
"info");
-        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info");
 
-        
-        idpHttpsPort = System.getProperty("idp.https.port");
-        Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort);
-        rpHttpsPort = System.getProperty("rp.https.port");
-        Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort);
-
-        initIdp();
-        initRp();
-    }
-    
-    private static void initIdp() {
-        try {
-            idpServer = new Tomcat();
-            idpServer.setPort(0);
-            String currentDir = new File(".").getCanonicalPath();
-            idpServer.setBaseDir(currentDir + File.separator + "target");
-            
-            idpServer.getHost().setAppBase("tomcat/idp/webapps");
-            idpServer.getHost().setAutoDeploy(true);
-            idpServer.getHost().setDeployOnStartup(true);
-            
-            Connector httpsConnector = new Connector();
-            httpsConnector.setPort(Integer.parseInt(idpHttpsPort));
-            httpsConnector.setSecure(true);
-            httpsConnector.setScheme("https");
-            //httpsConnector.setAttribute("keyAlias", keyAlias);
-            httpsConnector.setAttribute("keystorePass", "tompass");
-            httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
-            httpsConnector.setAttribute("truststorePass", "tompass");
-            httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
-            httpsConnector.setAttribute("clientAuth", "want");
-            // httpsConnector.setAttribute("clientAuth", "false");
-            httpsConnector.setAttribute("sslProtocol", "TLS");
-            httpsConnector.setAttribute("SSLEnabled", true);
-
-            idpServer.getService().addConnector(httpsConnector);
-            
-            idpServer.addWebapp("/fediz-idp-sts", "fediz-idp-sts");
-            idpServer.addWebapp("/fediz-idp", "fediz-idp");
-            
-            idpServer.start();
-        } catch (Exception e) {
-            e.printStackTrace();
-        }
-    }
-    
-    private static void initRp() {
-        try {
-            rpServer = new Tomcat();
-            rpServer.setPort(0);
-            String currentDir = new File(".").getCanonicalPath();
-            rpServer.setBaseDir(currentDir + File.separator + "target");
-            
-            rpServer.getHost().setAppBase("tomcat/rp/webapps");
-            rpServer.getHost().setAutoDeploy(true);
-            rpServer.getHost().setDeployOnStartup(true);
-            
-            Connector httpsConnector = new Connector();
-            httpsConnector.setPort(Integer.parseInt(rpHttpsPort));
-            httpsConnector.setSecure(true);
-            httpsConnector.setScheme("https");
-            //httpsConnector.setAttribute("keyAlias", keyAlias);
-            httpsConnector.setAttribute("keystorePass", "tompass");
-            httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
-            httpsConnector.setAttribute("truststorePass", "tompass");
-            httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
-            // httpsConnector.setAttribute("clientAuth", "false");
-            httpsConnector.setAttribute("clientAuth", "want");
-            httpsConnector.setAttribute("sslProtocol", "TLS");
-            httpsConnector.setAttribute("SSLEnabled", true);
-
-            rpServer.getService().addConnector(httpsConnector);
-            
-            //Context ctx =
-            Context cxt = rpServer.addWebapp("/fedizhelloworld", "simpleWebapp");
-            FederationAuthenticator fa = new FederationAuthenticator();
-            fa.setConfigFile(currentDir + File.separator + "target" + File.separator
-                             + "test-classes" + File.separator + "fediz_config_wreq.xml");
-            cxt.getPipeline().addValve(fa);
-            
-            
-            rpServer.start();
-        } catch (Exception e) {
-            e.printStackTrace();
-        }
-    }
-    
-    @AfterClass
-    public static void cleanup() {
-        try {
-            if (idpServer.getServer() != null
-                && idpServer.getServer().getState() != LifecycleState.DESTROYED)
{
-                if (idpServer.getServer().getState() != LifecycleState.STOPPED) {
-                    idpServer.stop();
-                }
-                idpServer.destroy();
-            }
-        } catch (Exception e) {
-            e.printStackTrace();
-        }
-
-        try {
-            if (rpServer.getServer() != null
-                && rpServer.getServer().getState() != LifecycleState.DESTROYED) {
-                if (rpServer.getServer().getState() != LifecycleState.STOPPED) {
-                    rpServer.stop();
-                }
-                rpServer.destroy();
-            }
-        } catch (Exception e) {
-            e.printStackTrace();
-        }
-    }
-
-    public String getIdpHttpsPort() {
-        return idpHttpsPort;
-    }
-
-    public String getRpHttpsPort() {
-        return rpHttpsPort;
-    }
-    
-    public String getServletContextName() {
-        return "fedizhelloworld";
-    }
-    
-    @Test
-    public void testEntityExpansionAttack() throws Exception {
-        String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
-        String user = "alice";
-        String password = "ecila";
-        
-        // Get the initial token
-        CookieManager cookieManager = new CookieManager();
-        final WebClient webClient = new WebClient();
-        webClient.setCookieManager(cookieManager);
-        webClient.getOptions().setUseInsecureSSL(true);
-        webClient.getCredentialsProvider().setCredentials(
-            new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
-            new UsernamePasswordCredentials(user, password));
-
-        webClient.getOptions().setJavaScriptEnabled(false);
-        final HtmlPage idpPage = webClient.getPage(url);
-        webClient.getOptions().setJavaScriptEnabled(true);
-        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
-
-        // Parse the form to get the token (wresult)
-        DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
-
-        FileInputStream is = new FileInputStream("src/test/resources/entity.xml");
-        String entity = IOUtils.toString(is);
-        String reference = "&m;";
-        
-        for (DomElement result : results) {
-            if ("wresult".equals(result.getAttributeNS(null, "name"))) {
-                // Now modify the Signature
-                String value = result.getAttributeNS(null, "value");
-                value = entity + value;
-                value = value.replace("alice", reference);
-                result.setAttributeNS(null, "value", value);
-            }
-        }
-        
-        // Invoke back on the RP
-        
-        final HtmlForm form = idpPage.getFormByName("signinresponseform");
-        final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
-
-        try {
-            button.click();
-            Assert.fail("Failure expected on an entity expansion attack");
-        } catch (FailingHttpStatusCodeException ex) {
-            // expected
-            Assert.assertTrue(ex.getMessage().contains("401 Unauthorized")
-                              || ex.getMessage().contains("401 Authentication Failed")
-                              || ex.getMessage().contains("403 Forbidden"));
-        }
-
-        webClient.close();
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ca843877/systests/tomcat8/src/test/resources/entity.xml
----------------------------------------------------------------------
diff --git a/systests/tomcat8/src/test/resources/entity.xml b/systests/tomcat8/src/test/resources/entity.xml
deleted file mode 100644
index c0ff502..0000000
--- a/systests/tomcat8/src/test/resources/entity.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE RequestSecurityTokenResponseCollection
[<!ENTITY a "1234567890" > 
-
-<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;" > 
-
-<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;" > 
-
-<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;" > 
-
-<!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;" > 
-
-<!ENTITY f "&e;&e;&e;&e;&e;&e;&e;&e;" > 
-
-<!ENTITY g "&f;&f;&f;&f;&f;&f;&f;&f;" > 
-
-<!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;" > 
-
-<!ENTITY i "&h;&h;&h;&h;&h;&h;&h;&h;" > 
-
-<!ENTITY j "&i;&i;&i;&i;&i;&i;&i;&i;" > 
-
-<!ENTITY k "&j;&j;&j;&j;&j;&j;&j;&j;" > 
-
-<!ENTITY l "&k;&k;&k;&k;&k;&k;&k;&k;" > 
-
-<!ENTITY m "&l;&l;&l;&l;&l;&l;&l;&l;" > ]>
\ No newline at end of file

