From cohei...@apache.org
Subject [cxf-fediz] 04/04: Adding CSRF tests for SAML SSO
Date Thu, 17 May 2018 16:31:07 GMT
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git

commit 09dbe375600623aafa5e92838d74f3409d1bf2dd
Author: Colm O hEigeartaigh <coheigea@apache.org>
AuthorDate: Thu May 17 17:30:42 2018 +0100

    Adding CSRF tests for SAML SSO
---
 .../cxf/fediz/systests/common/AbstractTests.java   | 45 +++++++++++++---------
 1 file changed, 27 insertions(+), 18 deletions(-)

diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java
b/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java
index df17bdc..ebdfea7 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/systests/common/AbstractTests.java
@@ -888,10 +888,6 @@ public abstract class AbstractTests {
     @org.junit.Test
     public void testCSRFAttack() throws Exception {
 
-        if (!isWSFederation()) {
-            return;
-        }
-
         String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ "/secure/fedservlet";
         csrfAttackTest(url);
     }
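Review bot: testCSRFAttack now runs for the SAML SSO configuration as well as WS-Federation (the isWSFederation() guard is gone), yet neither it nor testCSRFAttack2 in the fourth hunk says what is being asserted, which matters for a test whose only purpose is to prove a security property. From what the third hunk shows, the test appears to copy the IdP response fields from one session into a request issued by a second client, so a Javadoc such as `/** Obtains a sign-in response in one session and replays it to the RP from another; the RP must reject it. */` on both test methods would state the contract (confirm the wording against csrfAttackTest, whose body lies outside this hunk). The same guard removal in testCSRFAttack2 leaves a blank line directly after the method signature; dropping it keeps the two test methods laid out alike.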
@@ -913,7 +909,7 @@ public abstract class AbstractTests {
         webClient.getOptions().setJavaScriptEnabled(true);
         Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
 
-        final HtmlForm form = idpPage.getFormByName("signinresponseform");
+        final HtmlForm form = idpPage.getFormByName(getLoginFormName());
         final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
 
         final HtmlPage rpPage = button.click();
@@ -942,11 +938,19 @@ public abstract class AbstractTests {
         DomNodeList<DomElement> results = idpPage2.getElementsByTagName("input");
 
         for (DomElement result : results) {
-            if ("wresult".equals(result.getAttributeNS(null, "name"))
-                || "wa".equals(result.getAttributeNS(null, "name"))
-                || "wctx".equals(result.getAttributeNS(null, "name"))) {
-                String value = result.getAttributeNS(null, "value");
-                request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null,
"name"), value));
+            if (isWSFederation()) {
+                if ("wresult".equals(result.getAttributeNS(null, "name"))
+                    || "wa".equals(result.getAttributeNS(null, "name"))
+                    || "wctx".equals(result.getAttributeNS(null, "name"))) {
+                    String value = result.getAttributeNS(null, "value");
+                    request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null,
"name"), value));
+                }
+            } else {
+                if ("SAMLResponse".equals(result.getAttributeNS(null, "name"))
+                    || "RelayState".equals(result.getAttributeNS(null, "name"))) {
+                    String value = result.getAttributeNS(null, "value");
+                    request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null,
"name"), value));
+                }
             }
         }
 
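Review bot: The new loop body reads `result.getAttributeNS(null, "name")` up to four times per input element and re-evaluates isWSFederation() on every iteration, and the identical block is pasted again into csrfAttackTest2 in the last hunk; the protocol-specific parameter names are better chosen once before the loop and the per-element logic reduced to a single lookup. This also makes it obvious which fields are being replayed for each protocol, which is the security-relevant part of the test. csrfAttackTest starts and ends outside this hunk, so the helper that builds the request is not visible here; the rewrite below assumes `java.util.Set` and `java.util.Arrays` are imported (use `Set.of` instead if the project targets Java 9+). The same rewrite applies to the duplicated loop in csrfAttackTest2.
```java
        DomNodeList<DomElement> results = idpPage2.getElementsByTagName("input");

        // Only the protocol response fields are copied into the second client's request;
        // the RP must reject them because they were not issued for that session.
        final Set<String> replayedParams = isWSFederation()
            ? new HashSet<>(Arrays.asList("wresult", "wa", "wctx"))
            : new HashSet<>(Arrays.asList("SAMLResponse", "RelayState"));
        for (DomElement result : results) {
            String name = result.getAttributeNS(null, "name");
            if (replayedParams.contains(name)) {
                request.getRequestParameters().add(
                    new NameValuePair(name, result.getAttributeNS(null, "value")));
            }
        }
        // … unchanged: request submission and assertions …
```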
@@ -964,9 +968,6 @@ public abstract class AbstractTests {
 
     @org.junit.Test
     public void testCSRFAttack2() throws Exception {
-        if (!isWSFederation()) {
-            return;
-        }
 
         String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ "/secure/fedservlet";
         csrfAttackTest2(url);
@@ -996,11 +997,19 @@ public abstract class AbstractTests {
         DomNodeList<DomElement> results = idpPage2.getElementsByTagName("input");
 
         for (DomElement result : results) {
-            if ("wresult".equals(result.getAttributeNS(null, "name"))
-                || "wa".equals(result.getAttributeNS(null, "name"))
-                || "wctx".equals(result.getAttributeNS(null, "name"))) {
-                String value = result.getAttributeNS(null, "value");
-                request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null,
"name"), value));
+            if (isWSFederation()) {
+                if ("wresult".equals(result.getAttributeNS(null, "name"))
+                    || "wa".equals(result.getAttributeNS(null, "name"))
+                    || "wctx".equals(result.getAttributeNS(null, "name"))) {
+                    String value = result.getAttributeNS(null, "value");
+                    request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null,
"name"), value));
+                }
+            } else {
+                if ("SAMLResponse".equals(result.getAttributeNS(null, "name"))
+                    || "RelayState".equals(result.getAttributeNS(null, "name"))) {
+                    String value = result.getAttributeNS(null, "value");
+                    request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null,
"name"), value));
+                }
             }
         }
 

