cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [4/4] cxf-fediz git commit: Enabling CSRF tests for the spring plugins
Date Mon, 19 Dec 2016 14:02:52 GMT
Enabling CSRF tests for the spring plugins


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/aa66ed45
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/aa66ed45
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/aa66ed45

Branch: refs/heads/1.3.x-fixes
Commit: aa66ed45339d2e21069183b3b03c2b8aae10f584
Parents: f368c47
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon Dec 19 13:21:05 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon Dec 19 14:02:42 2016 +0000

----------------------------------------------------------------------
 .../apache/cxf/fediz/integrationtests/Spring2Test.java   |  8 ++++++++
 .../apache/cxf/fediz/integrationtests/SpringTest.java    |  8 ++++++++
 .../apache/cxf/fediz/integrationtests/AbstractTests.java | 11 ++++++-----
 3 files changed, 22 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/aa66ed45/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
----------------------------------------------------------------------
diff --git a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
index f9754ba..cd68992 100644
--- a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
+++ b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
@@ -250,4 +250,12 @@ public class Spring2Test extends AbstractTests {
 
     }
     
+    @Override
+    @org.junit.Test
+    public void testCSRFAttack() throws Exception {
+        String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()

+            + "/j_spring_fediz_security_check";
+        csrfAttackTest(url);
+    }
+    
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/aa66ed45/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java
----------------------------------------------------------------------
diff --git a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java
b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java
index 036b189..93b4201 100644
--- a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java
+++ b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java
@@ -149,4 +149,12 @@ public class SpringTest extends AbstractTests {
     public void testConcurrentRequests() throws Exception {
         // super.testConcurrentRequests();
     }
+    
+    @Override
+    @org.junit.Test
+    public void testCSRFAttack() throws Exception {
+        String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()

+            + "/j_spring_fediz_security_check";
+        csrfAttackTest(url);
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/aa66ed45/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index 9104d64..5908db8 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -736,6 +736,11 @@ public abstract class AbstractTests {
     @org.junit.Ignore
     public void testCSRFAttack() throws Exception {
         String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ "/secure/fedservlet";
+        csrfAttackTest(url);
+    }
+    
+    protected void csrfAttackTest(String rpURL) throws Exception {
+        String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ "/secure/fedservlet";
         String user = "alice";
         String password = "ecila";
         
@@ -774,7 +779,7 @@ public abstract class AbstractTests {
         // 3. Now instead of clicking on the form, send the form via alice's WebClient instead
         
         // Send with context...
-        WebRequest request = new WebRequest(new URL(url), HttpMethod.POST);
+        WebRequest request = new WebRequest(new URL(rpURL), HttpMethod.POST);
         request.setRequestParameters(new ArrayList<NameValuePair>());
         
         DomNodeList<DomElement> results = idpPage2.getElementsByTagName("input");
@@ -796,10 +801,6 @@ public abstract class AbstractTests {
             Assert.fail("Failure expected on a CSRF attack");
         } catch (FailingHttpStatusCodeException ex) {
             // expected
-            Assert.assertTrue(ex.getMessage().contains("401 Unauthorized")
-                              || ex.getMessage().contains("401 Authentication Failed")
-                              || ex.getMessage().contains("403 Forbidden")
-                              || ex.getMessage().contains("408 Request Timeout"));
         }
         
         // webClient.close();


Mime
View raw message