cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [cxf-fediz] 06/07: Adding CSRF tests for SAML SSO
Date Thu, 17 May 2018 17:13:34 GMT
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 1.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git

commit 5f5fd5b148b2ae3f3124d9610a522871d6163c1a
Author: Colm O hEigeartaigh <coheigea@apache.org>
AuthorDate: Thu May 17 17:30:42 2018 +0100

    Adding CSRF tests for SAML SSO
---
 .../cxf/fediz/integrationtests/AbstractTests.java  | 45 +++++++++++++---------
 1 file changed, 27 insertions(+), 18 deletions(-)

diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index c5f2425..5bad8b5 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -887,10 +887,6 @@ public abstract class AbstractTests {
     @org.junit.Test
     public void testCSRFAttack() throws Exception {
 
-        if (!isWSFederation()) {
-            return;
-        }
-
         String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ "/secure/fedservlet";
         csrfAttackTest(url);
     }
@@ -912,7 +908,7 @@ public abstract class AbstractTests {
         webClient.getOptions().setJavaScriptEnabled(true);
         Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
 
-        final HtmlForm form = idpPage.getFormByName("signinresponseform");
+        final HtmlForm form = idpPage.getFormByName(getLoginFormName());
         final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
 
         final HtmlPage rpPage = button.click();
@@ -941,11 +937,19 @@ public abstract class AbstractTests {
         DomNodeList<DomElement> results = idpPage2.getElementsByTagName("input");
 
         for (DomElement result : results) {
-            if ("wresult".equals(result.getAttributeNS(null, "name"))
-                || "wa".equals(result.getAttributeNS(null, "name"))
-                || "wctx".equals(result.getAttributeNS(null, "name"))) {
-                String value = result.getAttributeNS(null, "value");
-                request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null,
"name"), value));
+            if (isWSFederation()) {
+                if ("wresult".equals(result.getAttributeNS(null, "name"))
+                    || "wa".equals(result.getAttributeNS(null, "name"))
+                    || "wctx".equals(result.getAttributeNS(null, "name"))) {
+                    String value = result.getAttributeNS(null, "value");
+                    request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null,
"name"), value));
+                }
+            } else {
+                if ("SAMLResponse".equals(result.getAttributeNS(null, "name"))
+                    || "RelayState".equals(result.getAttributeNS(null, "name"))) {
+                    String value = result.getAttributeNS(null, "value");
+                    request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null,
"name"), value));
+                }
             }
         }
 
@@ -962,9 +966,6 @@ public abstract class AbstractTests {
 
     @org.junit.Test
     public void testCSRFAttack2() throws Exception {
-        if (!isWSFederation()) {
-            return;
-        }
 
         String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ "/secure/fedservlet";
         csrfAttackTest2(url);
@@ -994,11 +995,19 @@ public abstract class AbstractTests {
         DomNodeList<DomElement> results = idpPage2.getElementsByTagName("input");
 
         for (DomElement result : results) {
-            if ("wresult".equals(result.getAttributeNS(null, "name"))
-                || "wa".equals(result.getAttributeNS(null, "name"))
-                || "wctx".equals(result.getAttributeNS(null, "name"))) {
-                String value = result.getAttributeNS(null, "value");
-                request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null,
"name"), value));
+            if (isWSFederation()) {
+                if ("wresult".equals(result.getAttributeNS(null, "name"))
+                    || "wa".equals(result.getAttributeNS(null, "name"))
+                    || "wctx".equals(result.getAttributeNS(null, "name"))) {
+                    String value = result.getAttributeNS(null, "value");
+                    request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null,
"name"), value));
+                }
+            } else {
+                if ("SAMLResponse".equals(result.getAttributeNS(null, "name"))
+                    || "RelayState".equals(result.getAttributeNS(null, "name"))) {
+                    String value = result.getAttributeNS(null, "value");
+                    request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null,
"name"), value));
+                }
             }
         }
 

-- 
To stop receiving notification emails like this one, please contact
coheigea@apache.org.

Mime
View raw message