From cohei...@apache.org
Subject [cxf-fediz] branch 1.4.x-fixes updated: Porting fix to spring2
Date Fri, 06 Oct 2017 16:49:08 GMT
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 1.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git


The following commit(s) were added to refs/heads/1.4.x-fixes by this push:
     new 2d1917a  Porting fix to spring2
2d1917a is described below

commit 2d1917a1d6273e364880bfb2cc12136e508fe83b
Author: Colm O hEigeartaigh <coheigea@apache.org>
AuthorDate: Fri Oct 6 17:48:57 2017 +0100

    Porting fix to spring2
---
 .../spring/web/FederationAuthenticationFilter.java    | 19 ++++++++++++-------
 .../cxf/fediz/integrationtests/Spring2Test.java       |  7 +++++++
 2 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
index 4104e8f..44fcc55 100644
--- a/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
+++ b/plugins/spring2/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java
@@ -134,14 +134,19 @@ public class FederationAuthenticationFilter extends AbstractProcessingFilter
{
 
     private void verifySavedState(HttpServletRequest request) {
         HttpSession session = request.getSession(false);
-        if (session != null) {
-            String savedContext = (String)session.getAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
-            String state = getState(request);
-            if (savedContext != null && !savedContext.equals(state)) {
-                logger.warn("The received state does not match the state saved in the context");
-                throw new BadCredentialsException("The received state does not match the
state saved in the context");
-            }
+
+        if (session == null) {
+            logger.warn("The received state does not match the state saved in the context");
+            throw new BadCredentialsException("The received state does not match the state
saved in the context");
+        }
+
+        String savedContext = (String)session.getAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
+        String state = getState(request);
+        if (savedContext == null || !savedContext.equals(state)) {
+            logger.warn("The received state does not match the state saved in the context");
+            throw new BadCredentialsException("The received state does not match the state
saved in the context");
         }
+        session.removeAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
     }
 
     private String getState(ServletRequest request) {
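Review bot: All three rejection paths in verifySavedState log the same "The received state does not match the state saved in the context" line, so the warning emitted when `session == null` (the first new branch) reports a mismatch that never happened, and an operator reading the logs cannot tell a missing session from a missing saved state from an actual mismatch. Keeping the thrown BadCredentialsException message generic is fine, but the warn lines should name the actual condition, e.g. for the null-session branch `logger.warn("No HTTP session found while verifying the received state");`, and the `savedContext == null` case could likewise be distinguished from a real mismatch. Removing SAVED_CONTEXT only on the success path looks intentional (one-shot use), but it is worth a short comment saying so, e.g. `// state is single-use: drop it so a replayed response cannot pass this check again`. The getState method that starts on the last hunk line has its body outside this hunk.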
diff --git a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
index f358924..53f606c 100644
--- a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
+++ b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
@@ -258,4 +258,11 @@ public class Spring2Test extends AbstractTests {
         csrfAttackTest(url);
     }
 
+    @Override
+    @org.junit.Test
+    public void testCSRFAttack2() throws Exception {
+        String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+            + "/j_spring_fediz_security_check";
+        csrfAttackTest2(url);
+    }
 }
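Review bot: The new testCSRFAttack2 override carries no comment describing which scenario csrfAttackTest2 exercises, and csrfAttackTest2 itself is defined outside this hunk, so a reader of Spring2Test cannot tell how it differs from the existing testCSRFAttack. Presumably it drives the no-session / no-saved-state path that the FederationAuthenticationFilter change in this commit now rejects; if so, a one-line comment such as `// exercises the state check when no saved state exists in the session (see verifySavedState)` above the @Override would tie the test to the fix — confirm the exact scenario against AbstractTests before wording it.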

