
From cohei...@apache.org
Subject [1/2] cxf-fediz git commit: FEDIZ-185 - Make one of passiveRequestorEndpoint or passiveRequestorEndpointConstraint mandatory in the IDP
Date Tue, 20 Dec 2016 15:54:44 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/1.3.x-fixes aaeea60c7 -> 483e6a349


FEDIZ-185 - Make one of passiveRequestorEndpoint or passiveRequestorEndpointConstraint mandatory
in the IDP


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/f26a20c2
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/f26a20c2
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/f26a20c2

Branch: refs/heads/1.3.x-fixes
Commit: f26a20c2584460aea2fbf00845d1b37a0b212d07
Parents: aaeea60
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Dec 20 15:27:28 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue Dec 20 15:28:34 2016 +0000

----------------------------------------------------------------------
 .../idp/beans/PassiveRequestorValidator.java    |  34 +++---
 .../idp/src/main/resources/entities-realmb.xml  |   1 +
 .../test/resources/realmb/entities-realmb.xml   |   3 +-
 .../test/resources/realmb/entities-realmb.xml   |   2 +
 .../apache/cxf/fediz/systests/idp/IdpTest.java  | 113 +++++++++++++++++++
 .../test/resources/realma/entities-realma.xml   |  37 ++++++
 6 files changed, 174 insertions(+), 16 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f26a20c2/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
index 0393d4f..3f5be36 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
@@ -47,26 +47,30 @@ public class PassiveRequestorValidator {
         Application serviceConfig = idpConfig.findApplication(realm);
         if (serviceConfig == null) {
             LOG.warn("No service config found for " + realm);
-            return true;
+            return false;
         }
         
-        // The endpointAddress address must match the passive endpoint requestor constraint

-        // (if it is specified)
-        if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null) {
-            LOG.warn("No passive requestor endpoint constraint is configured for the application.
"
-                + "This could lead to a malicious redirection attack");
-            return true;
-        }
-
-        Matcher matcher = 
-            serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(endpointAddress);
-        if (!matcher.matches()) {
-            LOG.error("The endpointAddress value of {} does not match any of the passive
requestor values",
+        if (serviceConfig.getPassiveRequestorEndpoint() == null 
+            && serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null)
{
+            LOG.error("Either the 'passiveRequestorEndpoint' or the 'passiveRequestorEndpointConstraint'
"
+                + "configuration values must be specified for the application");
+        } else if (serviceConfig.getPassiveRequestorEndpoint() != null 
+            && serviceConfig.getPassiveRequestorEndpoint().equals(endpointAddress))
{
+            LOG.debug("The supplied endpoint address {} matches the configured passive requestor
endpoint value", 
                       endpointAddress);
-            return false;
+            return true;
+        } else if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() != null)
{
+            Matcher matcher = 
+                serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(endpointAddress);
+            if (matcher.matches()) {
+                return true;
+            } else {
+                LOG.error("The endpointAddress value of {} does not match any of the passive
requestor values",
+                          endpointAddress);
+            }
         }
         
-        return true;
+        return false;
     }
     
 }
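Review bot: When an exact `passiveRequestorEndpoint` is configured, does not equal `endpointAddress`, and no constraint is set, the new chain falls through to `return false` without logging anything, whereas the constraint branch logs the mismatch via `LOG.error(...)`; an operator investigating a rejected request on that path gets no diagnostic. A trailing branch closes the gap: `} else { LOG.error("The endpointAddress value of {} does not match the configured passive requestor endpoint", endpointAddress); }`. The removed comment is not replaced, so the new rule is undocumented; a line such as `// At least one of passiveRequestorEndpoint (exact match) or passiveRequestorEndpointConstraint (regex, full match) must be configured; an endpointAddress matching neither is rejected` above the first `if` would state it. The enclosing method's signature and the origin of `endpointAddress` lie above the hunk.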

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f26a20c2/services/idp/src/main/resources/entities-realmb.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/resources/entities-realmb.xml b/services/idp/src/main/resources/entities-realmb.xml
index 592a605..3f2cd92 100644
--- a/services/idp/src/main/resources/entities-realmb.xml
+++ b/services/idp/src/main/resources/entities-realmb.xml
@@ -85,6 +85,7 @@
         <property name="role" value="SecurityTokenServiceType" />
         <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
/>
         <property name="lifeTime" value="3600" />
+        <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*"
/>
     </bean>
     
     <bean id="claim_role"
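Review bot: The constraint `https://localhost:?(\d)*/.*` treats `:?` and `(\d)*` independently, so it also accepts `https://localhost:/...` and `https://localhost/...` (empty port) as well as any digit run; if the intent is "localhost with an optional numeric port", `https://localhost(:\d+)?/.*` says that directly and is easier to audit. The host part is otherwise anchored (nothing but an optional port may follow `localhost` before the `/`), which looks correct given the validator applies `matches()` rather than `find()`. This file sits under the IdP's main resources, so the value presumably ships as the default realm-B configuration rather than only a test fixture — worth confirming.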

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f26a20c2/systests/federation/samlsso/src/test/resources/realmb/entities-realmb.xml
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/src/test/resources/realmb/entities-realmb.xml b/systests/federation/samlsso/src/test/resources/realmb/entities-realmb.xml
index 9984af1..4d73376 100644
--- a/systests/federation/samlsso/src/test/resources/realmb/entities-realmb.xml
+++ b/systests/federation/samlsso/src/test/resources/realmb/entities-realmb.xml
@@ -73,13 +73,14 @@
 
     <bean id="idp-realmA" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
         <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A" />
-        <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706"
/>
+        <property name="protocol" value="urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser"
/>
         <property name="serviceDisplayName" value="Resource IDP Realm A" />
         <property name="serviceDescription" value="Resource IDP Realm A" />
         <property name="role" value="SecurityTokenServiceType" />
         <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
/>
         <property name="lifeTime" value="3600" />
         <property name="validatingCertificate" value="realma.cert" />
+        <property name="passiveRequestorEndpoint" value="https://localhost:${idp.https.port}/fediz-idp/saml"
/>
     </bean>
     
     <bean id="claim_role"

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f26a20c2/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml
----------------------------------------------------------------------
diff --git a/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml b/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml
index fc203fb..ca17d5e 100644
--- a/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml
+++ b/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml
@@ -79,6 +79,8 @@
         <property name="role" value="SecurityTokenServiceType" />
         <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
/>
         <property name="lifeTime" value="3600" />
+        <property name="validatingCertificate" value="realma.cert" />
+        <property name="passiveRequestorEndpoint" value="https://localhost:${idp.https.port}/fediz-idp/federation"
/>
     </bean>
     
     <bean id="claim_role"

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f26a20c2/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index 9455227..b8c0e50 100644
--- a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -593,6 +593,119 @@ public class IdpTest {
         webClient.close();
     }
     
+    @org.junit.Test
+    public void testValidWReplyWrongApplication() throws Exception {
+        String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
+        url += "wa=wsignin1.0";
+        url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
+        url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld2";
+        String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ "/secure/fedservlet";
+        url += "&wreply=" + wreply;
+
+        String user = "alice";
+        String password = "ecila";
+
+        final WebClient webClient = new WebClient();
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getCredentialsProvider().setCredentials(
+            new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+            new UsernamePasswordCredentials(user, password));
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+        try {
+            webClient.getPage(url);
+            Assert.fail("Failure expected on a bad wreply value");
+        } catch (FailingHttpStatusCodeException ex) {
+            Assert.assertEquals(ex.getStatusCode(), 400);
+        }
+
+        webClient.close();
+    }
+    
+    @org.junit.Test
+    public void testWReplyExactMatchingSuccess() throws Exception {
+        String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
+        url += "wa=wsignin1.0";
+        url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
+        url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld3";
+        String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ "/secure/fedservlet";
+        url += "&wreply=" + wreply;
+
+        String user = "alice";
+        String password = "ecila";
+
+        final WebClient webClient = new WebClient();
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getCredentialsProvider().setCredentials(
+            new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+            new UsernamePasswordCredentials(user, password));
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+        webClient.getPage(url);
+
+        webClient.close();
+    }
+    
+    @org.junit.Test
+    public void testWReplyExactMatchingFailure() throws Exception {
+        String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
+        url += "wa=wsignin1.0";
+        url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
+        url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld3";
+        String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()

+            + "/secure/fedservlet/blah";
+        url += "&wreply=" + wreply;
+
+        String user = "alice";
+        String password = "ecila";
+
+        final WebClient webClient = new WebClient();
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getCredentialsProvider().setCredentials(
+            new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+            new UsernamePasswordCredentials(user, password));
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+        try {
+            webClient.getPage(url);
+            Assert.fail("Failure expected on a bad wreply value");
+        } catch (FailingHttpStatusCodeException ex) {
+            Assert.assertEquals(ex.getStatusCode(), 400);
+        }
+
+        webClient.close();
+    }
+    
+    @org.junit.Test
+    public void testNoEndpointAddressOrConstraint() throws Exception {
+        String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
+        url += "wa=wsignin1.0";
+        url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
+        url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld4";
+        String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ "/secure/fedservlet";
+        url += "&wreply=" + wreply;
+
+        String user = "alice";
+        String password = "ecila";
+
+        final WebClient webClient = new WebClient();
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getCredentialsProvider().setCredentials(
+            new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+            new UsernamePasswordCredentials(user, password));
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+        // This is an error in the IdP
+        try {
+            webClient.getPage(url);
+            Assert.fail("Failure expected on a bad wreply value");
+        } catch (FailingHttpStatusCodeException ex) {
+            Assert.assertEquals(ex.getStatusCode(), 400);
+        }
+
+        webClient.close();
+    }
+    
     // Send a bad wreply value. This will pass the reg ex validation but fail the commons-validator

     // validation
     @org.junit.Test
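Review bot: The three failure tests call `Assert.assertEquals(ex.getStatusCode(), 400)` with the arguments reversed; JUnit's signature is `(expected, actual)`, so a regression would report "expected:<500> but was:<400>", which is misleading. Use `Assert.assertEquals(400, ex.getStatusCode());` in each. The four new methods also repeat the same URL building, credential setup and `WebClient` lifecycle, and `webClient.close()` is skipped whenever an assertion fails because it is not in a `finally`; a shared driver removes both issues, with the two success-path lines left as the one test that calls `webClient.getPage(url)` directly.

```java
    // Shared driver for the wreply validation tests: signs in to realm-A for the given
    // wtrealm with the given wreply and asserts the IdP rejects it with HTTP 400.
    private void expectBadWReply(String wtrealm, String wreply) throws Exception {
        String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
        url += "wa=wsignin1.0";
        url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
        url += "&wtrealm=" + wtrealm;
        url += "&wreply=" + wreply;

        final WebClient webClient = new WebClient();
        try {
            webClient.getOptions().setUseInsecureSSL(true);
            webClient.getCredentialsProvider().setCredentials(
                new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
                new UsernamePasswordCredentials("alice", "ecila"));
            webClient.getOptions().setJavaScriptEnabled(false);
            webClient.getPage(url);
            Assert.fail("Failure expected on a bad wreply value");
        } catch (FailingHttpStatusCodeException ex) {
            Assert.assertEquals(400, ex.getStatusCode());
        } finally {
            webClient.close();
        }
    }
    // … unchanged: testWReplyExactMatchingSuccess keeps its direct getPage(url) call …
```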

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f26a20c2/systests/idp/src/test/resources/realma/entities-realma.xml
----------------------------------------------------------------------
diff --git a/systests/idp/src/test/resources/realma/entities-realma.xml b/systests/idp/src/test/resources/realma/entities-realma.xml
index f947274..49506fa 100644
--- a/systests/idp/src/test/resources/realma/entities-realma.xml
+++ b/systests/idp/src/test/resources/realma/entities-realma.xml
@@ -66,6 +66,9 @@
         <property name="applications">
             <util:list>
                 <ref bean="srv-fedizhelloworld" />
+                <ref bean="srv-fedizhelloworld2" />
+                <ref bean="srv-fedizhelloworld3" />
+                <ref bean="srv-fedizhelloworld4" />
             </util:list>
         </property>
         <property name="trustedIdps">
@@ -108,6 +111,40 @@
                   value="https://localhost:(\d)*/(\w)*helloworld(\w)*/secure/.*" />
     </bean>
     
+    <bean id="srv-fedizhelloworld2" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
+        <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld2" />
+        <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706"
/>
+        <property name="serviceDisplayName" value="Fedizhelloworld" />
+        <property name="serviceDescription" value="Web Application to illustrate WS-Federation"
/>
+        <property name="role" value="ApplicationServiceType" />
+        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
/>
+        <property name="lifeTime" value="3600" />
+        <property name="passiveRequestorEndpointConstraint" 
+                  value="https://localhost:(\d)*/(\w)*helloworld(\w)*/secure2/.*" />
+    </bean>
+    
+    <bean id="srv-fedizhelloworld3" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
+        <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld3" />
+        <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706"
/>
+        <property name="serviceDisplayName" value="Fedizhelloworld" />
+        <property name="serviceDescription" value="Web Application to illustrate WS-Federation"
/>
+        <property name="role" value="ApplicationServiceType" />
+        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
/>
+        <property name="lifeTime" value="3600" />
+        <property name="passiveRequestorEndpoint" 
+                  value="https://localhost:${rp.https.port}/fedizhelloworld/secure/fedservlet"
/>
+    </bean>
+    
+    <bean id="srv-fedizhelloworld4" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
+        <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld4" />
+        <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706"
/>
+        <property name="serviceDisplayName" value="Fedizhelloworld" />
+        <property name="serviceDescription" value="Web Application to illustrate WS-Federation"
/>
+        <property name="role" value="ApplicationServiceType" />
+        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
/>
+        <property name="lifeTime" value="3600" />
+    </bean>
+    
     <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
         <property name="application" ref="srv-fedizhelloworld" />
         <property name="claim" ref="claim_role" />
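Review bot: The `srv-fedizhelloworld4` bean is deliberately missing both `passiveRequestorEndpoint` and `passiveRequestorEndpointConstraint`, but nothing in the file says so; a later maintainer who "completes" it by copying a constraint from the sibling beans would silently turn `testNoEndpointAddressOrConstraint` into a test of something else. An XML comment inside the bean such as `<!-- Intentionally has neither passiveRequestorEndpoint nor passiveRequestorEndpointConstraint: IdpTest.testNoEndpointAddressOrConstraint expects the IdP to reject this application -->` pins the intent. The same one-line note would help on `srv-fedizhelloworld2`, whose `.../secure2/.*` constraint exists only to not match the `/secure/fedservlet` wreply the test sends.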

