From cohei...@apache.org
Subject [2/3] cxf-fediz git commit: More work on the IdP beans
Date Wed, 16 Mar 2016 17:03:09 GMT
More work on the IdP beans


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/16a974cb
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/16a974cb
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/16a974cb

Branch: refs/heads/master
Commit: 16a974cba12883286453a6c7c471b4461bc44743
Parents: c23f3a8
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Mar 16 16:55:25 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Mar 16 16:55:25 2016 +0000

----------------------------------------------------------------------
 .../service/idp/beans/STSClientAction.java      | 46 +----------
 .../idp/beans/wsfed/WreplyValidator.java        | 81 ++++++++++++++++++++
 .../WEB-INF/flows/federation-signin-request.xml | 12 ++-
 .../flows/federation-validate-request.xml       |  4 +-
 .../WEB-INF/flows/saml-validate-request.xml     |  2 +-
 5 files changed, 96 insertions(+), 49 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/16a974cb/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
index 3efd103..ad0a6f4 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
@@ -26,7 +26,6 @@ import java.net.MalformedURLException;
 import java.net.URL;
 import java.security.cert.X509Certificate;
 import java.util.List;
-import java.util.regex.Matcher;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.xml.namespace.QName;
@@ -37,7 +36,6 @@ import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
 import org.apache.commons.lang3.StringEscapeUtils;
-import org.apache.commons.validator.routines.UrlValidator;
 import org.apache.cxf.Bus;
 import org.apache.cxf.BusFactory;
 import org.apache.cxf.binding.soap.SoapFault;
@@ -66,8 +64,6 @@ import org.springframework.webflow.execution.RequestContext;
 
 public class STSClientAction {
 
-    private static final String IDP_CONFIG = "idpConfig";
-
     private static final String HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_05_IDENTITY = 
             "http://schemas.xmlsoap.org/ws/2005/05/identity";
 
@@ -177,19 +173,18 @@ public class STSClientAction {
     }
     
     /**
-     * @param realm The client/application realm
      * @param context the webflow request context
+     * @param realm The client/application realm
      * @return a serialized RP security token
      * @throws Exception
      */
-    public String submit(String realm, RequestContext context)
+    public String submit(RequestContext context, String realm)
         throws Exception {
         
         SecurityToken idpToken = getSecurityToken(context);
 
-        Idp idpConfig = (Idp) WebUtils.getAttributeFromFlowScope(context, IDP_CONFIG);
-
         Bus cxfBus = getBus();
+        Idp idpConfig = (Idp) WebUtils.getAttributeFromFlowScope(context, "idpConfig");
 
         IdpSTSClient sts = new IdpSTSClient(cxfBus);
         sts.setAddressingNamespace(HTTP_WWW_W3_ORG_2005_08_ADDRESSING);
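Review bot: The new `Idp idpConfig = (Idp) WebUtils.getAttributeFromFlowScope(context, "idpConfig");` line inlines the flow-scope key that the deleted `IDP_CONFIG` constant used to hold, and the same literal is repeated in the new WreplyValidator added by this commit; a single shared constant would keep the two lookups from drifting apart if the key is ever renamed. The reordered Javadoc still carries a bare `@throws Exception`; a one-line description of which failures a caller is expected to handle would make the contract useful. The body of submit continues past this hunk.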
@@ -200,9 +195,6 @@ public class STSClientAction {
             throw new ProcessingException(TYPE.BAD_REQUEST);
         }
         
-        // Check that the wreply parameter is valid
-        validateApplicationEndpoint(serviceConfig, context);
-        
         // Parse wreq parameter - we only support parsing TokenType and KeyType for now
         String wreq = (String)WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_REQUEST);
         String stsTokenType = null;
@@ -305,38 +297,6 @@ public class STSClientAction {
         return StringEscapeUtils.escapeXml11(rpToken);
     }
     
-    // The wreply address must match the passive endpoint requestor constraint (if it is
specified)
-    // Also, it must be a valid URL + start with https
-    protected void validateApplicationEndpoint(Application serviceConfig, RequestContext
context) 
-        throws ProcessingException {
-        
-        String wreply = 
-            (String)WebUtils.getAttributeFromFlowScope(context, FederationConstants.PARAM_REPLY);
-        
-        if (wreply != null) {
-            // Validate it first using commons-validator
-            UrlValidator urlValidator = new UrlValidator(UrlValidator.ALLOW_LOCAL_URLS
-                                                         + UrlValidator.ALLOW_ALL_SCHEMES);
-            if (!urlValidator.isValid(wreply)) {
-                LOG.warn("The given wreply parameter {} is not a valid URL", wreply);
-                throw new ProcessingException(TYPE.BAD_REQUEST);
-            }
-
-            if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null) {
-                LOG.warn("No passive requestor endpoint constraint is configured for the
application. "
-                    + "This could lead to a malicious redirection attack");
-                return;
-            }
-        
-            Matcher matcher = serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(wreply);
-            if (!matcher.matches()) {
-                LOG.error("The wreply value of {} does not match any of the passive requestor
values",
-                      wreply);
-                throw new ProcessingException(TYPE.BAD_REQUEST);
-            }
-        }
-    }
-    
     private String getIdFromToken(String token) throws IOException, XMLStreamException {
         Document doc = null;
         try (InputStream is = new ByteArrayInputStream(token.getBytes())) {

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/16a974cb/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/wsfed/WreplyValidator.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/wsfed/WreplyValidator.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/wsfed/WreplyValidator.java
new file mode 100644
index 0000000..2b542b0
--- /dev/null
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/wsfed/WreplyValidator.java
@@ -0,0 +1,81 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.idp.beans.wsfed;
+
+import java.util.regex.Matcher;
+
+import org.apache.commons.validator.routines.UrlValidator;
+import org.apache.cxf.fediz.core.exception.ProcessingException;
+import org.apache.cxf.fediz.core.exception.ProcessingException.TYPE;
+import org.apache.cxf.fediz.service.idp.domain.Application;
+import org.apache.cxf.fediz.service.idp.domain.Idp;
+import org.apache.cxf.fediz.service.idp.util.WebUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Component;
+import org.springframework.webflow.execution.RequestContext;
+
+/**
+ * This class is responsible to validate the 'wreply' parameter 
+ */
+@Component
+public class WreplyValidator {
+
+    private static final Logger LOG = LoggerFactory.getLogger(WreplyValidator.class);
+
+    public boolean isValid(RequestContext context, String wreply, String realm)
+        throws Exception {
+        if (wreply == null) {
+           return true;
+        }
+        
+        Idp idpConfig = (Idp) WebUtils.getAttributeFromFlowScope(context, "idpConfig");
+        Application serviceConfig = idpConfig.findApplication(realm);
+        if (serviceConfig == null) {
+            LOG.warn("No service config found for " + realm);
+            return true;
+        }
+        
+        // The wreply address must match the passive endpoint requestor constraint (if it
is specified)
+        // Also, it must be a valid URL + start with https
+        // Validate it first using commons-validator
+        UrlValidator urlValidator = new UrlValidator(UrlValidator.ALLOW_LOCAL_URLS
+                                                     + UrlValidator.ALLOW_ALL_SCHEMES);
+        if (!urlValidator.isValid(wreply)) {
+            LOG.warn("The given wreply parameter {} is not a valid URL", wreply);
+            return false;
+        }
+
+        if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null) {
+            LOG.warn("No passive requestor endpoint constraint is configured for the application.
"
+                + "This could lead to a malicious redirection attack");
+            return true;
+        }
+
+        Matcher matcher = serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(wreply);
+        if (!matcher.matches()) {
+            LOG.error("The wreply value of {} does not match any of the passive requestor
values",
+                      wreply);
+            return false;
+        }
+        
+        return true;
+    }
+    
+}
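Review bot: The comment above the `UrlValidator` construction says the wreply must "start with https", but nothing in `isValid` checks the scheme: the validator is built with `ALLOW_ALL_SCHEMES`, so an `http://` (or other-scheme) wreply is accepted unless the application's passive requestor constraint happens to exclude it, and when no constraint is configured the method returns `true` after only logging a warning. Either the comment should be reduced to what the code actually does or an explicit scheme check should be added before the constraint match, since this method is now the check the signin flow runs before the RP token is issued. `isValid` also declares `throws Exception` although no statement in the body throws a checked exception, and `ProcessingException`/`TYPE` are imported but never used, so both can be dropped. `LOG.warn("No service config found for " + realm)` should use the parameterized form `LOG.warn("No service config found for {}", realm)` like the other log calls in the class, and the `return true;` in the null-wreply branch is indented with 11 spaces instead of 12.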

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/16a974cb/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
index 0dcc21b..4280edc 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-signin-request.xml
@@ -95,11 +95,17 @@
             expression="idpTokenExpiredAction.isTokenExpired(flowScope.whr, flowRequestContext)
or
                         wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.whr,
flowRequestContext)" />
         <transition on="yes" to="redirectToTrustedIDP" />
-        <transition on="no" to="requestRpToken" >
+        <transition on="no" to="validateWReply" >
             <set name="flowScope.idpToken" value="externalContext.sessionMap[whr]" />
         </transition>
         <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
     </action-state>
+    
+    <action-state id="validateWReply">
+        <evaluate expression="wreplyValidator.isValid(flowRequestContext, flowScope.wreply,
flowScope.wtrealm)"/>
+        <transition on="yes" to="requestRpToken" />
+        <transition on="no" to="viewBadRequest" />
+    </action-state>
 
     <decision-state id="checkWauthTypeSupported">
         <on-entry>
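Review bot: The new `validateWReply` action-state has no `on-exception` transition, unlike the action-state directly above it, which routes `java.lang.Throwable` to `viewBadRequest`. `wreplyValidator.isValid` is declared `throws Exception` and dereferences the `idpConfig` flow-scope attribute without a null check, so unless this flow defines a global exception handler (not visible in the hunk) a failure inside the validator would surface as a flow execution exception instead of the bad-request view; adding `<transition on-exception="java.lang.Throwable" to="viewBadRequest" />` to the new state keeps the error path consistent with its neighbours. The same state is the target of the two later hunks in this file.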
@@ -126,7 +132,7 @@
             expression="idpTokenExpiredAction.isTokenExpired(flowScope.whr, flowRequestContext)
or
                         wfreshParser.authenticationRequired(flowScope.wfresh, flowScope.whr,
flowRequestContext)" />
         <transition on="yes" to="redirectToLocalIDP" />
-        <transition on="no" to="requestRpToken">
+        <transition on="no" to="validateWReply">
             <set name="flowScope.idpToken" value="externalContext.sessionMap[whr]" />
         </transition>
         <transition on-exception="java.lang.Throwable" to="viewBadRequest" />
@@ -143,7 +149,7 @@
     <action-state id="cacheSecurityToken">
         <secured attributes="IS_AUTHENTICATED_FULLY" />
         <evaluate expression="cacheSecurityToken.submit(flowRequestContext)" />
-        <transition to="requestRpToken">
+        <transition to="validateWReply">
             <set name="flowScope.idpToken" value="externalContext.sessionMap[whr]" />
         </transition>
     </action-state>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/16a974cb/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
index d5febf9..e64f153 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/federation-validate-request.xml
@@ -133,11 +133,11 @@
         <transition on="viewBadRequest" to="viewBadRequest" />
         <transition on="scInternalServerError" to="scInternalServerError" />
     </subflow-state>
-
+    
     <!-- produce RP security token (as String type) -->
     <action-state id="requestRpToken">
         <on-entry>
-            <evaluate expression="stsClientForRpAction.submit(flowScope.wtrealm, flowRequestContext)"
+            <evaluate expression="stsClientForRpAction.submit(flowRequestContext, flowScope.wtrealm)"
                       result="flowScope.rpToken"/>
         </on-entry>
         <evaluate expression="signinParametersCacheAction.storeRPConfigInSession(flowRequestContext)"
/>
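Review bot: The `requestRpToken` state in this flow still calls `stsClientForRpAction.submit`, which after this commit no longer validates the wreply parameter itself, and the only `validateWReply` state this commit adds lives in federation-signin-request.xml. If `requestRpToken` here can be entered on a path that did not go through that state (the transitions into it are outside this hunk), the URL and passive-requestor-constraint check that `submit` previously enforced would no longer run before the RP token is issued; this is worth confirming, or the same `validateWReply` action-state could be placed ahead of `requestRpToken` in this flow as well.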

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/16a974cb/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
index 5103c4b..1b438ee 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -65,7 +65,7 @@
         <on-entry>
             <evaluate expression="authnRequestParser.retrieveRealm(flowRequestContext)"

                       result="flowScope.realm"/>
-            <evaluate expression="stsClientForRpAction.submit(flowScope.realm, flowRequestContext)"
+            <evaluate expression="stsClientForRpAction.submit(flowRequestContext, flowScope.realm)"
                       result="flowScope.rpToken"/>
             <evaluate expression="authnRequestParser.retrieveConsumerURL(flowRequestContext)"

                       result="flowScope.consumerURL"/>

