From: coheigea@apache.org To: commits@cxf.apache.org Date: Fri, 16 Dec 2016 17:11:46 -0000 Message-Id: In-Reply-To: <0809e13d2b8f4e538c5bdf8a9e0c1579@git.apache.org> References: <0809e13d2b8f4e538c5bdf8a9e0c1579@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [4/4] cxf-fediz git commit: Another change to the CXF plugin archived-at: Fri, 16 Dec 2016 17:11:45 -0000 Another change to the CXF plugin Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/53d4554c Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/53d4554c Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/53d4554c Branch: refs/heads/1.3.x-fixes Commit: 53d4554c6fbd63e3d5990e0acf01512980b31cae Parents: ba9c864 Author: Colm O hEigeartaigh Authored: Fri Dec 16 16:57:20 2016 +0000 Committer: Colm O hEigeartaigh Committed: Fri Dec 16 17:11:35 2016 +0000
----------------------------------------------------------------------
.../plugin/AbstractServiceProviderFilter.java | 25 +++++++++++++++++++- .../cxf/plugin/FedizRedirectBindingFilter.java | 12 +--------- 2 files changed, 25 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/53d4554c/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/AbstractServiceProviderFilter.java
----------------------------------------------------------------------
diff --git a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/AbstractServiceProviderFilter.java b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/AbstractServiceProviderFilter.java
index eb807f7..2acffb3 100644
--- a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/AbstractServiceProviderFilter.java
+++ b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/AbstractServiceProviderFilter.java
@@ -34,21 +34,27 @@ import javax.ws.rs.container.ContainerRequestFilter;
 import javax.ws.rs.container.PreMatching;
 import javax.ws.rs.core.Cookie;
 import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.MultivaluedMap;
 import javax.xml.bind.JAXBException;
 import org.w3c.dom.Element;
 import org.apache.cxf.BusFactory;
 import org.apache.cxf.common.i18n.BundleUtils;
+import org.apache.cxf.fediz.core.FederationConstants;
+import org.apache.cxf.fediz.core.SAMLSSOConstants;
 import org.apache.cxf.fediz.core.SecurityTokenThreadLocal;
+import org.apache.cxf.fediz.core.config.FederationProtocol;
 import org.apache.cxf.fediz.core.config.FedizConfigurator;
 import org.apache.cxf.fediz.core.config.FedizContext;
+import org.apache.cxf.fediz.core.config.SAMLProtocol;
 import org.apache.cxf.fediz.core.util.CookieUtils;
 import org.apache.cxf.fediz.cxf.plugin.state.EHCacheSPStateManager;
 import org.apache.cxf.fediz.cxf.plugin.state.ResponseState;
 import org.apache.cxf.fediz.cxf.plugin.state.SPStateManager;
 import org.apache.cxf.jaxrs.impl.HttpHeadersImpl;
 import org.apache.cxf.jaxrs.impl.UriInfoImpl;
+import org.apache.cxf.jaxrs.utils.ExceptionUtils;
 import org.apache.cxf.jaxrs.utils.ResourceUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.security.SecurityContext;
@@ -143,7 +149,7 @@ public abstract class AbstractServiceProviderFilter implements ContainerRequestF
 stateManager.close();
 }
- protected boolean checkSecurityContext(FedizContext fedConfig, Message m) {
+ protected boolean checkSecurityContext(FedizContext fedConfig, Message m, MultivaluedMap params) {
 HttpHeaders headers = new HttpHeadersImpl(m);
 Map cookies = headers.getCookies();
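Review bot: The new `params` parameter on `checkSecurityContext` in the second hunk is undocumented, and since the method is protected, subclass authors have nothing telling them what to pass or that it may be null (the `getState` helper it is fed into tolerates null). A Javadoc entry such as `@param params the request parameters; the wctx or RelayState value in them is compared against the stored state, may be null` would cover it. Widening the signature also breaks any other subclass that overrides or calls the two-argument form; only FedizRedirectBindingFilter appears in the diffstat, so I assume it is the only caller, but that is worth confirming. The body of checkSecurityContext continues outside the hunk.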
@@ -166,6 +172,13 @@ public abstract class AbstractServiceProviderFilter implements ContainerRequestF
 return false;
 }
+ // Check to see if a CSRF-style attack is being mounted
+ String state = getState(fedConfig, params);
+ if (state != null && !state.equals(responseState.getState())) {
+ LOG.error("wctx parameter does not match stored value");
+ throw ExceptionUtils.toForbiddenException(null, null);
+ }
+
 // Create SecurityContext
 try {
 Element token =
@@ -235,6 +248,16 @@ public abstract class AbstractServiceProviderFilter implements ContainerRequestF
 return responseState;
 }
+ protected String getState(FedizContext fedConfig, MultivaluedMap params) {
+ if (params != null && fedConfig.getProtocol() instanceof FederationProtocol) {
+ return params.getFirst(FederationConstants.PARAM_CONTEXT);
+ } else if (params != null && fedConfig.getProtocol() instanceof SAMLProtocol) {
+ return params.getFirst(SAMLSSOConstants.RELAY_STATE);
+ }
+
+ return null;
+ }
+
 protected FedizContext getFedizContext(Message message) {
 String contextName = getWebAppContext(message);
 String[] contextPath = contextName.split("/");
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/53d4554c/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
----------------------------------------------------------------------
diff --git a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
index 50ce7b1..a62b97a 100644
--- a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
+++ b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java
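Review bot: The new comparison in the first hunk is only enforced when the request actually carries a wctx or RelayState value; because of the `state != null` guard, a request that omits the parameter is never compared against `responseState.getState()`. If that fall-through is intentional for ordinary requests made after login (which do not carry the parameter), say so next to the guard, e.g. `// A missing wctx/RelayState is tolerated here: only a present-but-different value is treated as forged`, so a later reader does not tighten or loosen it by accident; if it is not intentional for sign-in responses, the absent case needs to be rejected on that path. The log message also names only `wctx`, while the same branch handles the SAML `RelayState` value returned by `getState`, so `LOG.error("wctx/RelayState parameter does not match stored value");` would be accurate for both protocols. The enclosing checkSecurityContext body starts and ends outside the hunk.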
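Review bot: `getState` in the second hunk becomes a protected member of the abstract filter but carries no Javadoc, and subclasses can now override it. Document the contract it visibly has: returns the `wctx` (`FederationConstants.PARAM_CONTEXT`) value for a `FederationProtocol`, the `RelayState` value for a `SAMLProtocol`, and null when `params` is null or the protocol is neither. The `params != null` test is duplicated in both branches; a single guard clause `if (params == null) { return null; }` at the top would read more clearly. The rendered signature shows a raw `MultivaluedMap`; the generic arguments appear to have been stripped by the mail rendering, since `getFirst` on a raw map could not be returned as a `String` without a cast.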
@@ -108,7 +108,7 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter
 // See if it is a Logout request first
 if (isLogoutRequest(context, fedConfig, m, params) || isSignoutCleanupRequest(fedConfig, m, params)) {
 return;
- } else if (checkSecurityContext(fedConfig, m)) {
+ } else if (checkSecurityContext(fedConfig, m, params)) {
 return;
 } else if (isSignInRequired(fedConfig, params)) {
 processSignInRequired(context, fedConfig);
@@ -436,16 +436,6 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter
 return null;
 }
- private String getState(FedizContext fedConfig, MultivaluedMap params) {
- if (params != null && fedConfig.getProtocol() instanceof FederationProtocol) {
- return params.getFirst(FederationConstants.PARAM_CONTEXT);
- } else if (params != null && fedConfig.getProtocol() instanceof SAMLProtocol) {
- return params.getFirst(SAMLSSOConstants.RELAY_STATE);
- }
-
- return null;
- }
-
 private FedizResponse validateSignInRequest(
 FedizContext fedConfig,
 MultivaluedMap params,