cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [cxf-fediz] branch 1.4.x-fixes updated: Some improvements to the Spring plugins
Date Fri, 06 Oct 2017 16:01:09 GMT
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 1.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git


The following commit(s) were added to refs/heads/1.4.x-fixes by this push:
     new ccdb12b  Some improvements to the Spring plugins
ccdb12b is described below

commit ccdb12b26ff89e0a998a333e84dd84bd713ac76c
Author: Colm O hEigeartaigh <coheigea@apache.org>
AuthorDate: Fri Oct 6 16:16:19 2017 +0100

    Some improvements to the Spring plugins
---
 .../spring/web/FederationAuthenticationFilter.java | 19 +++++---
 .../spring/web/FederationAuthenticationFilter.java | 19 +++++---
 .../cxf/fediz/integrationtests/Spring3Test.java    |  8 ++++
 .../cxf/fediz/integrationtests/SpringTest.java     |  8 ++++
 .../cxf/fediz/integrationtests/AbstractTests.java  | 53 ++++++++++++++++++++++
 .../webapp/WEB-INF/applicationContext-security.xml |  1 +
 6 files changed, 94 insertions(+), 14 deletions(-)

diff --git a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
index 485ca38..49a0593 100644
--- a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
+++ b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
@@ -128,14 +128,19 @@ public class FederationAuthenticationFilter extends AbstractAuthenticationProces
 
     private void verifySavedState(HttpServletRequest request) {
         HttpSession session = request.getSession(false);
-        if (session != null) {
-            String savedContext = (String)session.getAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
-            String state = getState(request);
-            if (savedContext != null && !savedContext.equals(state)) {
-                logger.warn("The received state does not match the state saved in the context");
-                throw new BadCredentialsException("The received state does not match the
state saved in the context");
-            }
+
+        if (session == null) {
+            logger.warn("The received state does not match the state saved in the context");
+            throw new BadCredentialsException("The received state does not match the state
saved in the context");
+        }
+
+        String savedContext = (String)session.getAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
+        String state = getState(request);
+        if (savedContext == null || !savedContext.equals(state)) {
+            logger.warn("The received state does not match the state saved in the context");
+            throw new BadCredentialsException("The received state does not match the state
saved in the context");
         }
+        session.removeAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
     }
 
     /**
diff --git a/plugins/spring3/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
b/plugins/spring3/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
index 485ca38..49a0593 100644
--- a/plugins/spring3/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
+++ b/plugins/spring3/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
@@ -128,14 +128,19 @@ public class FederationAuthenticationFilter extends AbstractAuthenticationProces
 
     private void verifySavedState(HttpServletRequest request) {
         HttpSession session = request.getSession(false);
-        if (session != null) {
-            String savedContext = (String)session.getAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
-            String state = getState(request);
-            if (savedContext != null && !savedContext.equals(state)) {
-                logger.warn("The received state does not match the state saved in the context");
-                throw new BadCredentialsException("The received state does not match the
state saved in the context");
-            }
+
+        if (session == null) {
+            logger.warn("The received state does not match the state saved in the context");
+            throw new BadCredentialsException("The received state does not match the state
saved in the context");
+        }
+
+        String savedContext = (String)session.getAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
+        String state = getState(request);
+        if (savedContext == null || !savedContext.equals(state)) {
+            logger.warn("The received state does not match the state saved in the context");
+            throw new BadCredentialsException("The received state does not match the state
saved in the context");
         }
+        session.removeAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
     }
 
     /**
diff --git a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring3Test.java
b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring3Test.java
index facc3e8..f59ee75 100644
--- a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring3Test.java
+++ b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring3Test.java
@@ -159,4 +159,12 @@ public class Spring3Test extends AbstractTests {
         csrfAttackTest(url);
     }
 
+    @Override
+    @org.junit.Test
+    public void testCSRFAttack2() throws Exception {
+        String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+            + "/j_spring_fediz_security_check";
+        csrfAttackTest2(url);
+    }
+
 }
diff --git a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java
b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java
index 86f2cbc..6f8545a 100644
--- a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java
+++ b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java
@@ -157,4 +157,12 @@ public class SpringTest extends AbstractTests {
             + "/j_spring_fediz_security_check";
         csrfAttackTest(url);
     }
+
+    @Override
+    @org.junit.Test
+    public void testCSRFAttack2() throws Exception {
+        String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+            + "/j_spring_fediz_security_check";
+        csrfAttackTest2(url);
+    }
 }
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index 65dead1..a400174 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -799,4 +799,57 @@ public abstract class AbstractTests {
 
     }
 
+    @org.junit.Test
+    public void testCSRFAttack2() throws Exception {
+        String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ "/secure/fedservlet";
+        csrfAttackTest2(url);
+    }
+
+    protected void csrfAttackTest2(String rpURL) throws Exception {
+        String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ "/secure/fedservlet";
+
+        // 1. Log in as "bob" using another WebClient
+        WebClient webClient2 = new WebClient();
+        webClient2.getOptions().setUseInsecureSSL(true);
+        webClient2.getCredentialsProvider().setCredentials(
+            new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+            new UsernamePasswordCredentials("bob", "bob"));
+
+        webClient2.getOptions().setJavaScriptEnabled(false);
+        final HtmlPage idpPage2 = webClient2.getPage(url);
+        webClient2.getOptions().setJavaScriptEnabled(true);
+        Assert.assertEquals("IDP SignIn Response Form", idpPage2.getTitleText());
+
+        // 2. Now instead of clicking on the form, send the form via alice's WebClient instead
+
+        // Send with context...
+        WebRequest request = new WebRequest(new URL(rpURL), HttpMethod.POST);
+        request.setRequestParameters(new ArrayList<NameValuePair>());
+
+        DomNodeList<DomElement> results = idpPage2.getElementsByTagName("input");
+
+        for (DomElement result : results) {
+            if ("wresult".equals(result.getAttributeNS(null, "name"))
+                || "wa".equals(result.getAttributeNS(null, "name"))
+                || "wctx".equals(result.getAttributeNS(null, "name"))) {
+                String value = result.getAttributeNS(null, "value");
+                request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null,
"name"), value));
+            }
+        }
+
+        WebClient webClient = new WebClient();
+        webClient.getOptions().setUseInsecureSSL(true);
+
+        try {
+            webClient.getPage(request);
+            Assert.fail("Failure expected on a CSRF attack");
+        } catch (FailingHttpStatusCodeException ex) {
+            // expected
+        }
+
+        webClient.close();
+        webClient2.close();
+
+    }
+
 }
diff --git a/systests/webapps/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml
b/systests/webapps/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml
index 68d1a5b..c6ad4a3 100644
--- a/systests/webapps/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml
+++ b/systests/webapps/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml
@@ -37,6 +37,7 @@ http://www.springframework.org/schema/context http://www.springframework.org/sch
         <sec:intercept-url pattern="/index.html" access="permitAll"/>
         <sec:intercept-url pattern="/FederationMetadata/**" access="isAuthenticated()"/>
         <sec:intercept-url pattern="/secure/fedservlet" access="isAuthenticated()"/>
+        <sec:intercept-url pattern="/secure/test.html" access="isAuthenticated()"/>
         <sec:intercept-url pattern="/secure/manager/**" access="hasRole('ROLE_MANAGER')"/>
         <sec:intercept-url pattern="/secure/admin/**" access="hasRole('ROLE_ADMIN')"/>
         <sec:intercept-url pattern="/secure/user/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN','ROLE_MANAGER')"/>

-- 
To stop receiving notification emails like this one, please contact
['"commits@cxf.apache.org" <commits@cxf.apache.org>'].

Mime
View raw message