Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 48B80200D19 for ; Fri, 6 Oct 2017 18:01:13 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 46F941609DF; Fri, 6 Oct 2017 16:01:13 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 6575D1609D0 for ; Fri, 6 Oct 2017 18:01:12 +0200 (CEST) Received: (qmail 32290 invoked by uid 500); 6 Oct 2017 16:01:11 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 32281 invoked by uid 99); 6 Oct 2017 16:01:11 -0000 Received: from ec2-52-202-80-70.compute-1.amazonaws.com (HELO gitbox.apache.org) (52.202.80.70) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 06 Oct 2017 16:01:11 +0000 Received: by gitbox.apache.org (ASF Mail Server at gitbox.apache.org, from userid 33) id 9185E81A5F; Fri, 6 Oct 2017 16:01:09 +0000 (UTC) Date: Fri, 06 Oct 2017 16:01:09 +0000 To: "commits@cxf.apache.org" Subject: [cxf-fediz] branch 1.4.x-fixes updated: Some improvements to the Spring plugins MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Message-ID: <150730566910.22725.12652594073048550114@gitbox.apache.org> From: coheigea@apache.org X-Git-Host: gitbox.apache.org X-Git-Repo: cxf-fediz X-Git-Refname: refs/heads/1.4.x-fixes X-Git-Reftype: branch X-Git-Oldrev: 9b7d21114b0940f1d888ee87751a48f217b05c5a X-Git-Newrev: ccdb12b26ff89e0a998a333e84dd84bd713ac76c X-Git-Rev: ccdb12b26ff89e0a998a333e84dd84bd713ac76c X-Git-NotificationType: ref_changed_plus_diff X-Git-Multimail-Version: 1.5.dev Auto-Submitted: auto-generated archived-at: Fri, 06 Oct 2017 16:01:13 -0000 This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch 1.4.x-fixes in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git The following commit(s) were added to refs/heads/1.4.x-fixes by this push: new ccdb12b Some improvements to the Spring plugins ccdb12b is described below commit ccdb12b26ff89e0a998a333e84dd84bd713ac76c Author: Colm O hEigeartaigh AuthorDate: Fri Oct 6 16:16:19 2017 +0100 Some improvements to the Spring plugins --- .../spring/web/FederationAuthenticationFilter.java | 19 +++++--- .../spring/web/FederationAuthenticationFilter.java | 19 +++++--- .../cxf/fediz/integrationtests/Spring3Test.java | 8 ++++ .../cxf/fediz/integrationtests/SpringTest.java | 8 ++++ .../cxf/fediz/integrationtests/AbstractTests.java | 53 ++++++++++++++++++++++ .../webapp/WEB-INF/applicationContext-security.xml | 1 + 6 files changed, 94 insertions(+), 14 deletions(-) diff --git a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java index 485ca38..49a0593 100644 --- a/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java +++ b/plugins/spring/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java @@ -128,14 +128,19 @@ public class FederationAuthenticationFilter extends AbstractAuthenticationProces private void verifySavedState(HttpServletRequest request) { HttpSession session = request.getSession(false); - if (session != null) { - String savedContext = (String)session.getAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT); - String state = getState(request); - if (savedContext != null && !savedContext.equals(state)) { - logger.warn("The received state does not match the state saved in the context"); - throw new BadCredentialsException("The received state does not match the state saved in the context"); - } + + if (session == null) { + logger.warn("The received state does not match the state saved in the context"); + throw new BadCredentialsException("The received state does not match the state saved in the context"); + } + + String savedContext = (String)session.getAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT); + String state = getState(request); + if (savedContext == null || !savedContext.equals(state)) { + logger.warn("The received state does not match the state saved in the context"); + throw new BadCredentialsException("The received state does not match the state saved in the context"); } + session.removeAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT); } /** diff --git a/plugins/spring3/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java b/plugins/spring3/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java index 485ca38..49a0593 100644 --- a/plugins/spring3/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java +++ b/plugins/spring3/src/main/java/org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.java @@ -128,14 +128,19 @@ public class FederationAuthenticationFilter extends AbstractAuthenticationProces private void verifySavedState(HttpServletRequest request) { HttpSession session = request.getSession(false); - if (session != null) { - String savedContext = (String)session.getAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT); - String state = getState(request); - if (savedContext != null && !savedContext.equals(state)) { - logger.warn("The received state does not match the state saved in the context"); - throw new BadCredentialsException("The received state does not match the state saved in the context"); - } + + if (session == null) { + logger.warn("The received state does not match the state saved in the context"); + throw new BadCredentialsException("The received state does not match the state saved in the context"); + } + + String savedContext = (String)session.getAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT); + String state = getState(request); + if (savedContext == null || !savedContext.equals(state)) { + logger.warn("The received state does not match the state saved in the context"); + throw new BadCredentialsException("The received state does not match the state saved in the context"); } + session.removeAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT); } /** diff --git a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring3Test.java b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring3Test.java index facc3e8..f59ee75 100644 --- a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring3Test.java +++ b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring3Test.java @@ -159,4 +159,12 @@ public class Spring3Test extends AbstractTests { csrfAttackTest(url); } + @Override + @org.junit.Test + public void testCSRFAttack2() throws Exception { + String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + + "/j_spring_fediz_security_check"; + csrfAttackTest2(url); + } + } diff --git a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java index 86f2cbc..6f8545a 100644 --- a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java +++ b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java @@ -157,4 +157,12 @@ public class SpringTest extends AbstractTests { + "/j_spring_fediz_security_check"; csrfAttackTest(url); } + + @Override + @org.junit.Test + public void testCSRFAttack2() throws Exception { + String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + + "/j_spring_fediz_security_check"; + csrfAttackTest2(url); + } } diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java index 65dead1..a400174 100644 --- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java +++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java @@ -799,4 +799,57 @@ public abstract class AbstractTests { } + @org.junit.Test + public void testCSRFAttack2() throws Exception { + String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet"; + csrfAttackTest2(url); + } + + protected void csrfAttackTest2(String rpURL) throws Exception { + String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet"; + + // 1. Log in as "bob" using another WebClient + WebClient webClient2 = new WebClient(); + webClient2.getOptions().setUseInsecureSSL(true); + webClient2.getCredentialsProvider().setCredentials( + new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())), + new UsernamePasswordCredentials("bob", "bob")); + + webClient2.getOptions().setJavaScriptEnabled(false); + final HtmlPage idpPage2 = webClient2.getPage(url); + webClient2.getOptions().setJavaScriptEnabled(true); + Assert.assertEquals("IDP SignIn Response Form", idpPage2.getTitleText()); + + // 2. Now instead of clicking on the form, send the form via alice's WebClient instead + + // Send with context... + WebRequest request = new WebRequest(new URL(rpURL), HttpMethod.POST); + request.setRequestParameters(new ArrayList()); + + DomNodeList results = idpPage2.getElementsByTagName("input"); + + for (DomElement result : results) { + if ("wresult".equals(result.getAttributeNS(null, "name")) + || "wa".equals(result.getAttributeNS(null, "name")) + || "wctx".equals(result.getAttributeNS(null, "name"))) { + String value = result.getAttributeNS(null, "value"); + request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null, "name"), value)); + } + } + + WebClient webClient = new WebClient(); + webClient.getOptions().setUseInsecureSSL(true); + + try { + webClient.getPage(request); + Assert.fail("Failure expected on a CSRF attack"); + } catch (FailingHttpStatusCodeException ex) { + // expected + } + + webClient.close(); + webClient2.close(); + + } + } diff --git a/systests/webapps/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml b/systests/webapps/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml index 68d1a5b..c6ad4a3 100644 --- a/systests/webapps/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml +++ b/systests/webapps/springWebapp/src/main/webapp/WEB-INF/applicationContext-security.xml @@ -37,6 +37,7 @@ http://www.springframework.org/schema/context http://www.springframework.org/sch + -- To stop receiving notification emails like this one, please contact ['"commits@cxf.apache.org" '].