cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject cxf-fediz git commit: FEDIZ-185 - Make one of passiveRequestorEndpoint or passiveRequestorEndpointConstraint mandatory in the IDP
Date Tue, 20 Dec 2016 16:41:55 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/1.2.x-fixes f1aef3778 -> 1d5b956ed


FEDIZ-185 - Make one of passiveRequestorEndpoint or passiveRequestorEndpointConstraint mandatory
in the IDP


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/1d5b956e
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/1d5b956e
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/1d5b956e

Branch: refs/heads/1.2.x-fixes
Commit: 1d5b956edf26f621532c917b19827d7b3ffc72ad
Parents: f1aef37
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Dec 20 15:27:28 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue Dec 20 16:41:47 2016 +0000

----------------------------------------------------------------------
 .../service/idp/beans/STSClientAction.java      |  29 +++--
 .../idp/src/main/resources/entities-realmb.xml  |   1 +
 .../test/resources/realmb/entities-realmb.xml   |   1 +
 .../apache/cxf/fediz/systests/idp/IdpTest.java  | 105 +++++++++++++++++++
 .../test/resources/realma/entities-realma.xml   |  37 +++++++
 5 files changed, 162 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/1d5b956e/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
----------------------------------------------------------------------
diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
index ca87991..e99ea43 100644
--- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
+++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
@@ -320,20 +320,27 @@ public class STSClientAction {
             throw new ProcessingException(TYPE.BAD_REQUEST);
         }
         
-        if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null) {
-            LOG.warn("No passive requestor endpoint constraint is configured for the application.
"
-                     + "This could lead to a malicious redirection attack");
-            return;
-        }
-        
-        if (wreply != null) {
-            Matcher matcher = serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(wreply);
-            if (!matcher.matches()) {
-                LOG.error("The wreply value of {} does not match any of the passive requestor
values",
+        if (serviceConfig.getPassiveRequestorEndpoint() == null 
+            && serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null)
{
+            LOG.error("Either the 'passiveRequestorEndpoint' or the 'passiveRequestorEndpointConstraint'
"
+                + "configuration values must be specified for the application");
+        } else if (serviceConfig.getPassiveRequestorEndpoint() != null 
+            && serviceConfig.getPassiveRequestorEndpoint().equals(wreply)) {
+            LOG.debug("The supplied endpoint address {} matches the configured passive requestor
endpoint value", 
                       wreply);
-                throw new ProcessingException(TYPE.BAD_REQUEST);
+            return;
+        } else if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() != null)
{
+            Matcher matcher = 
+                serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(wreply);
+            if (matcher.matches()) {
+                return;
+            } else {
+                LOG.error("The endpointAddress value of {} does not match any of the passive
requestor values",
+                          wreply);
             }
         }
+        
+        throw new ProcessingException(TYPE.BAD_REQUEST);
     }
 
     private String getIdFromToken(String token) throws XMLStreamException {

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/1d5b956e/services/idp/src/main/resources/entities-realmb.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/resources/entities-realmb.xml b/services/idp/src/main/resources/entities-realmb.xml
index 152ff52..0018c37 100644
--- a/services/idp/src/main/resources/entities-realmb.xml
+++ b/services/idp/src/main/resources/entities-realmb.xml
@@ -85,6 +85,7 @@
         <property name="role" value="SecurityTokenServiceType" />
         <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
/>
         <property name="lifeTime" value="3600" />
+        <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*"
/>
     </bean>
     
     <bean id="claim_role"

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/1d5b956e/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml
----------------------------------------------------------------------
diff --git a/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml b/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml
index fc203fb..26b58c5 100644
--- a/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml
+++ b/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml
@@ -79,6 +79,7 @@
         <property name="role" value="SecurityTokenServiceType" />
         <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
/>
         <property name="lifeTime" value="3600" />
+        <property name="passiveRequestorEndpoint" value="https://localhost:${idp.https.port}/fediz-idp/federation"
/>
     </bean>
     
     <bean id="claim_role"

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/1d5b956e/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index 5998bcf..b0e5816 100644
--- a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -562,6 +562,111 @@ public class IdpTest {
         }
     }
     
+    @org.junit.Test
+    public void testValidWReplyWrongApplication() throws Exception {
+        String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
+        url += "wa=wsignin1.0";
+        url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
+        url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld2";
+        String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ "/secure/fedservlet";
+        url += "&wreply=" + wreply;
+
+        String user = "alice";
+        String password = "ecila";
+
+        final WebClient webClient = new WebClient();
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getCredentialsProvider().setCredentials(
+            new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+            new UsernamePasswordCredentials(user, password));
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+        try {
+            webClient.getPage(url);
+            Assert.fail("Failure expected on a bad wreply value");
+        } catch (FailingHttpStatusCodeException ex) {
+            Assert.assertEquals(ex.getStatusCode(), 400);
+        }
+    }
+    
+    @org.junit.Test
+    public void testWReplyExactMatchingSuccess() throws Exception {
+        String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
+        url += "wa=wsignin1.0";
+        url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
+        url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld3";
+        String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ "/secure/fedservlet";
+        url += "&wreply=" + wreply;
+
+        String user = "alice";
+        String password = "ecila";
+
+        final WebClient webClient = new WebClient();
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getCredentialsProvider().setCredentials(
+            new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+            new UsernamePasswordCredentials(user, password));
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+        webClient.getPage(url);
+    }
+    
+    @org.junit.Test
+    public void testWReplyExactMatchingFailure() throws Exception {
+        String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
+        url += "wa=wsignin1.0";
+        url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
+        url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld3";
+        String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()

+            + "/secure/fedservlet/blah";
+        url += "&wreply=" + wreply;
+
+        String user = "alice";
+        String password = "ecila";
+
+        final WebClient webClient = new WebClient();
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getCredentialsProvider().setCredentials(
+            new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+            new UsernamePasswordCredentials(user, password));
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+        try {
+            webClient.getPage(url);
+            Assert.fail("Failure expected on a bad wreply value");
+        } catch (FailingHttpStatusCodeException ex) {
+            Assert.assertEquals(ex.getStatusCode(), 400);
+        }
+    }
+    
+    @org.junit.Test
+    public void testNoEndpointAddressOrConstraint() throws Exception {
+        String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
+        url += "wa=wsignin1.0";
+        url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
+        url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld4";
+        String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ "/secure/fedservlet";
+        url += "&wreply=" + wreply;
+
+        String user = "alice";
+        String password = "ecila";
+
+        final WebClient webClient = new WebClient();
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getCredentialsProvider().setCredentials(
+            new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+            new UsernamePasswordCredentials(user, password));
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+        // This is an error in the IdP
+        try {
+            webClient.getPage(url);
+            Assert.fail("Failure expected on a bad wreply value");
+        } catch (FailingHttpStatusCodeException ex) {
+            Assert.assertEquals(ex.getStatusCode(), 400);
+        }
+    }
+    
     // Send a bad wreply value. This will pass the reg ex validation but fail the commons-validator

     // validation
     @org.junit.Test

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/1d5b956e/systests/idp/src/test/resources/realma/entities-realma.xml
----------------------------------------------------------------------
diff --git a/systests/idp/src/test/resources/realma/entities-realma.xml b/systests/idp/src/test/resources/realma/entities-realma.xml
index 4509f64..76008b1 100644
--- a/systests/idp/src/test/resources/realma/entities-realma.xml
+++ b/systests/idp/src/test/resources/realma/entities-realma.xml
@@ -66,6 +66,9 @@
         <property name="applications">
             <util:list>
                 <ref bean="srv-fedizhelloworld" />
+                <ref bean="srv-fedizhelloworld2" />
+                <ref bean="srv-fedizhelloworld3" />
+                <ref bean="srv-fedizhelloworld4" />
             </util:list>
         </property>
         <property name="trustedIdps">
@@ -107,6 +110,40 @@
         <property name="passiveRequestorEndpointConstraint" value="https://localhost:(\d)*/(\w)*helloworld(\w)*/secure/.*"/>
     </bean>
     
+    <bean id="srv-fedizhelloworld2" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
+        <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld2" />
+        <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706"
/>
+        <property name="serviceDisplayName" value="Fedizhelloworld" />
+        <property name="serviceDescription" value="Web Application to illustrate WS-Federation"
/>
+        <property name="role" value="ApplicationServiceType" />
+        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
/>
+        <property name="lifeTime" value="3600" />
+        <property name="passiveRequestorEndpointConstraint" 
+                  value="https://localhost:(\d)*/(\w)*helloworld(\w)*/secure2/.*" />
+    </bean>
+    
+    <bean id="srv-fedizhelloworld3" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
+        <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld3" />
+        <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706"
/>
+        <property name="serviceDisplayName" value="Fedizhelloworld" />
+        <property name="serviceDescription" value="Web Application to illustrate WS-Federation"
/>
+        <property name="role" value="ApplicationServiceType" />
+        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
/>
+        <property name="lifeTime" value="3600" />
+        <property name="passiveRequestorEndpoint" 
+                  value="https://localhost:${rp.https.port}/fedizhelloworld/secure/fedservlet"
/>
+    </bean>
+    
+    <bean id="srv-fedizhelloworld4" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
+        <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld4" />
+        <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706"
/>
+        <property name="serviceDisplayName" value="Fedizhelloworld" />
+        <property name="serviceDescription" value="Web Application to illustrate WS-Federation"
/>
+        <property name="role" value="ApplicationServiceType" />
+        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
/>
+        <property name="lifeTime" value="3600" />
+    </bean>
+    
     <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
         <property name="application" ref="srv-fedizhelloworld" />
         <property name="claim" ref="claim_role" />


Mime
View raw message