From cohei...@apache.org
Subject [4/4] cxf-fediz git commit: Another change to the CXF plugin
Date Fri, 16 Dec 2016 17:11:46 GMT
Another change to the CXF plugin


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/53d4554c
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/53d4554c
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/53d4554c

Branch: refs/heads/1.3.x-fixes
Commit: 53d4554c6fbd63e3d5990e0acf01512980b31cae
Parents: ba9c864
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Dec 16 16:57:20 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Dec 16 17:11:35 2016 +0000

----------------------------------------------------------------------
 .../plugin/AbstractServiceProviderFilter.java   | 25 +++++++++++++++++++-
 .../cxf/plugin/FedizRedirectBindingFilter.java  | 12 +---------
 2 files changed, 25 insertions(+), 12 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/53d4554c/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/AbstractServiceProviderFilter.java
----------------------------------------------------------------------
diff --git a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/AbstractServiceProviderFilter.java
b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/AbstractServiceProviderFilter.java
index eb807f7..2acffb3 100644
--- a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/AbstractServiceProviderFilter.java
+++ b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/AbstractServiceProviderFilter.java
@@ -34,21 +34,27 @@ import javax.ws.rs.container.ContainerRequestFilter;
 import javax.ws.rs.container.PreMatching;
 import javax.ws.rs.core.Cookie;
 import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.MultivaluedMap;
 import javax.xml.bind.JAXBException;
 
 import org.w3c.dom.Element;
 
 import org.apache.cxf.BusFactory;
 import org.apache.cxf.common.i18n.BundleUtils;
+import org.apache.cxf.fediz.core.FederationConstants;
+import org.apache.cxf.fediz.core.SAMLSSOConstants;
 import org.apache.cxf.fediz.core.SecurityTokenThreadLocal;
+import org.apache.cxf.fediz.core.config.FederationProtocol;
 import org.apache.cxf.fediz.core.config.FedizConfigurator;
 import org.apache.cxf.fediz.core.config.FedizContext;
+import org.apache.cxf.fediz.core.config.SAMLProtocol;
 import org.apache.cxf.fediz.core.util.CookieUtils;
 import org.apache.cxf.fediz.cxf.plugin.state.EHCacheSPStateManager;
 import org.apache.cxf.fediz.cxf.plugin.state.ResponseState;
 import org.apache.cxf.fediz.cxf.plugin.state.SPStateManager;
 import org.apache.cxf.jaxrs.impl.HttpHeadersImpl;
 import org.apache.cxf.jaxrs.impl.UriInfoImpl;
+import org.apache.cxf.jaxrs.utils.ExceptionUtils;
 import org.apache.cxf.jaxrs.utils.ResourceUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.security.SecurityContext;
@@ -143,7 +149,7 @@ public abstract class AbstractServiceProviderFilter implements ContainerRequestF
         stateManager.close();
     }
     
-    protected boolean checkSecurityContext(FedizContext fedConfig, Message m) {
+    protected boolean checkSecurityContext(FedizContext fedConfig, Message m, MultivaluedMap<String,
String> params) {
         HttpHeaders headers = new HttpHeadersImpl(m);
         Map<String, Cookie> cookies = headers.getCookies();
         
@@ -166,6 +172,13 @@ public abstract class AbstractServiceProviderFilter implements ContainerRequestF
             return false;
         }
         
+        // Check to see if a CSRF-style attack is being mounted
+        String state = getState(fedConfig, params);
+        if (state != null && !state.equals(responseState.getState())) {
+            LOG.error("wctx parameter does not match stored value");
+            throw ExceptionUtils.toForbiddenException(null, null);
+        }
+        
         // Create SecurityContext
         try {
             Element token = 
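Review bot: The comparison on the third added line is skipped whenever the wctx/RelayState parameter is absent, so the stored state is only enforced against requests that choose to send one; if a sign-in response can reach this branch without the parameter, the guard is bypassed by simply omitting it, and the stronger form would be to require the parameter whenever the request carries a token rather than short-circuiting on null — whether such a path exists is not visible in this hunk. The message in `LOG.error("wctx parameter does not match stored value")` is also inaccurate under SAMLProtocol, where getState returns RelayState; `LOG.error("State parameter (wctx/RelayState) does not match stored value")` covers both protocols. The comment `// Check to see if a CSRF-style attack is being mounted` would serve readers better by naming the mechanism: `// Bind this request to the stored ResponseState: a supplied wctx/RelayState must equal the saved state, otherwise reject with 403`. checkSecurityContext's body starts and ends outside this hunk, as does the lookup that produces responseState.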
@@ -235,6 +248,16 @@ public abstract class AbstractServiceProviderFilter implements ContainerRequestF
         return responseState;
     }
     
+    protected String getState(FedizContext fedConfig, MultivaluedMap<String, String>
params) {
+        if (params != null && fedConfig.getProtocol() instanceof FederationProtocol)
{
+            return params.getFirst(FederationConstants.PARAM_CONTEXT);
+        } else if (params != null && fedConfig.getProtocol() instanceof SAMLProtocol)
{
+            return params.getFirst(SAMLSSOConstants.RELAY_STATE);
+        }
+
+        return null;
+    }
+    
     protected FedizContext getFedizContext(Message message) {
         String contextName = getWebAppContext(message);
         String[] contextPath = contextName.split("/");
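Review bot: getState is promoted from a private helper to a protected extension point but carries no Javadoc, and its null return is now security-relevant because the caller treats null as "no check". A short Javadoc should state that it returns the FederationConstants.PARAM_CONTEXT value for a FederationProtocol, the SAMLSSOConstants.RELAY_STATE value for a SAMLProtocol, and null when params is null or the configured protocol is neither — and that a null return disables the state comparison in checkSecurityContext. Subclasses overriding it should be told to preserve that contract. The surrounding getFedizContext method continues past the end of this hunk.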

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/53d4554c/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
----------------------------------------------------------------------
diff --git a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
index 50ce7b1..a62b97a 100644
--- a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
+++ b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
@@ -108,7 +108,7 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter
         // See if it is a Logout request first
         if (isLogoutRequest(context, fedConfig, m, params) || isSignoutCleanupRequest(fedConfig,
m, params)) {
             return;
-        } else if (checkSecurityContext(fedConfig, m)) {
+        } else if (checkSecurityContext(fedConfig, m, params)) {
             return;
         } else if (isSignInRequired(fedConfig, params)) {
             processSignInRequired(context, fedConfig);
@@ -436,16 +436,6 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter
         return null;
     }
 
-    private String getState(FedizContext fedConfig, MultivaluedMap<String, String>
params) {
-        if (params != null && fedConfig.getProtocol() instanceof FederationProtocol)
{
-            return params.getFirst(FederationConstants.PARAM_CONTEXT);
-        } else if (params != null && fedConfig.getProtocol() instanceof SAMLProtocol)
{
-            return params.getFirst(SAMLSSOConstants.RELAY_STATE);
-        }
-
-        return null;
-    }
-            
     private FedizResponse validateSignInRequest(
         FedizContext fedConfig,
         MultivaluedMap<String, String> params,

