Repository: cxf-fediz Updated Branches: refs/heads/master b94137a45 -> 25dcd2754
FEDIZ-185 - Make one of passiveRequestorEndpoint or passiveRequestorEndpointConstraint mandatory in the IDP Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/25dcd275 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/25dcd275 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/25dcd275 Branch: refs/heads/master Commit: 25dcd275443d84e9927f7ad7c980f46463d03009 Parents: b94137a Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Tue Dec 20 15:27:28 2016 +0000 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Tue Dec 20 15:27:28 2016 +0000 ---------------------------------------------------------------------- .../idp/beans/PassiveRequestorValidator.java | 34 +++--- .../idp/src/main/resources/entities-realmb.xml | 1 + .../test/resources/realmb/entities-realmb.xml | 3 +- .../test/resources/realmb/entities-realmb.xml | 1 + .../apache/cxf/fediz/systests/idp/IdpTest.java | 113 +++++++++++++++++++ .../test/resources/realma/entities-realma.xml | 37 ++++++ 6 files changed, 173 insertions(+), 16 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/25dcd275/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java ---------------------------------------------------------------------- diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java index 0393d4f..3f5be36 100644 --- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java +++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java 
@@ -47,26 +47,30 @@ public class PassiveRequestorValidator { Application serviceConfig = idpConfig.findApplication(realm); if (serviceConfig == null) { LOG.warn("No service config found for " + realm); - return true; + return false; } - // The endpointAddress address must match the passive endpoint requestor constraint - // (if it is specified) - if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null) { - LOG.warn("No passive requestor endpoint constraint is configured for the application. " - + "This could lead to a malicious redirection attack"); - return true; - } - - Matcher matcher = - serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(endpointAddress); - if (!matcher.matches()) { - LOG.error("The endpointAddress value of {} does not match any of the passive requestor values", + if (serviceConfig.getPassiveRequestorEndpoint() == null + && serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null) { + LOG.error("Either the 'passiveRequestorEndpoint' or the 'passiveRequestorEndpointConstraint' " + + "configuration values must be specified for the application"); + } else if (serviceConfig.getPassiveRequestorEndpoint() != null + && serviceConfig.getPassiveRequestorEndpoint().equals(endpointAddress)) { + LOG.debug("The supplied endpoint address {} matches the configured passive requestor endpoint value", endpointAddress); - return false; + return true; + } else if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() != null) { + Matcher matcher = + serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(endpointAddress); + if (matcher.matches()) { + return true; + } else { + LOG.error("The endpointAddress value of {} does not match any of the passive requestor values", + endpointAddress); + } } - return true; + return false; } } http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/25dcd275/services/idp/src/main/resources/entities-realmb.xml 
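Review bot: When `passiveRequestorEndpoint` is configured but does not equal `endpointAddress` and no constraint is set, the new if/else chain falls through to the final `return false` without logging anything, so an operator sees a rejected sign-in with no reason; the existing mismatch LOG.error is only reachable inside the constraint branch. Returning false directly from the misconfiguration branch and placing one mismatch LOG.error in front of the final `return false` makes every rejection leave a log line, and hoisting `getPassiveRequestorEndpoint()` into a local removes the three repeated getter calls. The check order means either value suffices when both are configured, which agrees with the "Either ... must be specified" message but deserves a one-line comment. The enclosing method's signature is above the hunk, so I am assuming `endpointAddress` has already been null-checked there.
```java
        // … unchanged: serviceConfig lookup and its null check …
        String configuredEndpoint = serviceConfig.getPassiveRequestorEndpoint();
        if (configuredEndpoint == null
            && serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null) {
            LOG.error("Either the 'passiveRequestorEndpoint' or the 'passiveRequestorEndpointConstraint' "
                + "configuration values must be specified for the application");
            return false;
        }
        // Either value suffices: try the exact endpoint first, then the constraint pattern
        if (configuredEndpoint != null && configuredEndpoint.equals(endpointAddress)) {
            LOG.debug("The supplied endpoint address {} matches the configured passive requestor endpoint value",
                      endpointAddress);
            return true;
        }
        if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() != null) {
            Matcher matcher =
                serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(endpointAddress);
            if (matcher.matches()) {
                return true;
            }
        }
        LOG.error("The endpointAddress value of {} does not match any of the passive requestor values",
                  endpointAddress);
        return false;
```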
----------------------------------------------------------------------
diff --git a/services/idp/src/main/resources/entities-realmb.xml b/services/idp/src/main/resources/entities-realmb.xml
index 02cd3ca..68fb3e8 100644
--- a/services/idp/src/main/resources/entities-realmb.xml
+++ b/services/idp/src/main/resources/entities-realmb.xml
@@ -85,6 +85,7 @@
 <property name="role" value="SecurityTokenServiceType" />
 <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
 <property name="lifeTime" value="3600" />
+ <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
 </bean>
 
 <bean id="claim_role"
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/25dcd275/systests/federation/samlsso/src/test/resources/realmb/entities-realmb.xml
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/src/test/resources/realmb/entities-realmb.xml b/systests/federation/samlsso/src/test/resources/realmb/entities-realmb.xml
index 04cfbf3..91550d0 100644
--- a/systests/federation/samlsso/src/test/resources/realmb/entities-realmb.xml
+++ b/systests/federation/samlsso/src/test/resources/realmb/entities-realmb.xml
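Review bot: The constraint `https://localhost:?(\d)*/.*` added here accepts any port and any path on localhost, and since this commit makes one of the two values mandatory, anyone starting from this file (which sits under the IdP's main resources, so it appears to be the shipped sample configuration) will keep it unless told otherwise; an XML comment beside it saying it is a sample value to be replaced by the realm-A endpoint, preferably an exact `passiveRequestorEndpoint`, would make that explicit. `(\d)*` is a single-character capture group repeated, so `\d*` matches the same input without the capture. Because the validator uses `Matcher.matches()`, the pattern is implicitly anchored at both ends, which is worth noting in the same comment so nobody "fixes" it by adding `^`/`$` or, worse, switches to `find()`.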
@@ -72,13 +72,14 @@
 
 <bean id="idp-realmA" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
 <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A" />
- <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
+ <property name="protocol" value="urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser" />
 <property name="serviceDisplayName" value="Resource IDP Realm A" />
 <property name="serviceDescription" value="Resource IDP Realm A" />
 <property name="role" value="SecurityTokenServiceType" />
 <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
 <property name="lifeTime" value="3600" />
 <property name="validatingCertificate" value="realma.cert" />
+ <property name="passiveRequestorEndpoint" value="https://localhost:${idp.https.port}/fediz-idp/saml" />
 </bean>
 
 <bean id="claim_role"
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/25dcd275/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml
----------------------------------------------------------------------
diff --git a/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml b/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml
index 04cfbf3..80baf49 100644
--- a/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml
+++ b/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml
@@ -79,6 +79,7 @@
 <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
 <property name="lifeTime" value="3600" />
 <property name="validatingCertificate" value="realma.cert" />
+ <property name="passiveRequestorEndpoint" value="https://localhost:${idp.https.port}/fediz-idp/federation" />
 </bean>
 
 <bean id="claim_role"
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/25dcd275/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index 9455227..b8c0e50 100644
--- a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -593,6 +593,119 @@ public class IdpTest { webClient.close(); } + @org.junit.Test + public void testValidWReplyWrongApplication() throws Exception { + String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?"; + url += "wa=wsignin1.0"; + url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A"; + url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld2"; + String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet"; + url += "&wreply=" + wreply; + + String user = "alice"; + String password = "ecila"; + + final WebClient webClient = new WebClient(); + webClient.getOptions().setUseInsecureSSL(true); + webClient.getCredentialsProvider().setCredentials( + new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())), + new UsernamePasswordCredentials(user, password)); + + webClient.getOptions().setJavaScriptEnabled(false); + try { + webClient.getPage(url); + Assert.fail("Failure expected on a bad wreply value"); + } catch (FailingHttpStatusCodeException ex) { + Assert.assertEquals(ex.getStatusCode(), 400); + } + + webClient.close(); + } + + @org.junit.Test + public void testWReplyExactMatchingSuccess() throws Exception { + String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?"; + url += "wa=wsignin1.0"; + url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A"; + url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld3"; + String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet"; + url += "&wreply=" + wreply; + + String user = "alice"; + String password = "ecila"; + + final WebClient webClient = new WebClient(); + webClient.getOptions().setUseInsecureSSL(true); + webClient.getCredentialsProvider().setCredentials( + new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())), + new UsernamePasswordCredentials(user, password)); + + webClient.getOptions().setJavaScriptEnabled(false); + webClient.getPage(url); + + 
webClient.close(); + } + + @org.junit.Test + public void testWReplyExactMatchingFailure() throws Exception { + String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?"; + url += "wa=wsignin1.0"; + url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A"; + url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld3"; + String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + + "/secure/fedservlet/blah"; + url += "&wreply=" + wreply; + + String user = "alice"; + String password = "ecila"; + + final WebClient webClient = new WebClient(); + webClient.getOptions().setUseInsecureSSL(true); + webClient.getCredentialsProvider().setCredentials( + new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())), + new UsernamePasswordCredentials(user, password)); + + webClient.getOptions().setJavaScriptEnabled(false); + try { + webClient.getPage(url); + Assert.fail("Failure expected on a bad wreply value"); + } catch (FailingHttpStatusCodeException ex) { + Assert.assertEquals(ex.getStatusCode(), 400); + } + + webClient.close(); + } + + @org.junit.Test + public void testNoEndpointAddressOrConstraint() throws Exception { + String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?"; + url += "wa=wsignin1.0"; + url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A"; + url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld4"; + String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet"; + url += "&wreply=" + wreply; + + String user = "alice"; + String password = "ecila"; + + final WebClient webClient = new WebClient(); + webClient.getOptions().setUseInsecureSSL(true); + webClient.getCredentialsProvider().setCredentials( + new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())), + new UsernamePasswordCredentials(user, password)); + + webClient.getOptions().setJavaScriptEnabled(false); + // This is an error in the IdP + try { + webClient.getPage(url); + 
Assert.fail("Failure expected on a bad wreply value"); + } catch (FailingHttpStatusCodeException ex) { + Assert.assertEquals(ex.getStatusCode(), 400); + } + + webClient.close(); + } + // Send a bad wreply value. This will pass the reg ex validation but fail the commons-validator // validation @org.junit.Test http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/25dcd275/systests/idp/src/test/resources/realma/entities-realma.xml ---------------------------------------------------------------------- diff --git a/systests/idp/src/test/resources/realma/entities-realma.xml b/systests/idp/src/test/resources/realma/entities-realma.xml index 88f2b93..b78c09c 100644 --- a/systests/idp/src/test/resources/realma/entities-realma.xml +++ b/systests/idp/src/test/resources/realma/entities-realma.xml @@ -66,6 +66,9 @@ <property name="applications"> <util:list> <ref bean="srv-fedizhelloworld" /> + <ref bean="srv-fedizhelloworld2" /> + <ref bean="srv-fedizhelloworld3" /> + <ref bean="srv-fedizhelloworld4" /> </util:list> </property> <property name="trustedIdps"> 
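Review bot: In all four new tests `webClient.close()` is only reached when every assertion passes, so a failing `Assert.fail`/`assertEquals` or an unexpected exception from `getPage` skips it and leaks the client; moving the close into a `finally` block (or a try-with-resources, if the HtmlUnit version in use makes `WebClient` AutoCloseable) fixes that. The status assertions have the arguments reversed for JUnit's (expected, actual) convention, which garbles the failure message: `Assert.assertEquals(400, ex.getStatusCode());`. In `testNoEndpointAddressOrConstraint` the comment says "This is an error in the IdP" but the message still reads "Failure expected on a bad wreply value", a copy-paste from the other tests; `Assert.fail("Failure expected on an application with neither endpoint nor constraint configured");` states what is actually being tested. The four methods also repeat the same URL/credential setup, which presumably could share a helper if the rest of the class (outside the hunk) has one.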
@@ -108,6 +111,40 @@ value="https://localhost:(\d)*/(\w)*helloworld(\w)*/secure/.*" /> </bean> + <bean id="srv-fedizhelloworld2" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity"> + <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld2" /> + <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" /> + <property name="serviceDisplayName" value="Fedizhelloworld" /> + <property name="serviceDescription" value="Web Application to illustrate WS-Federation" /> + <property name="role" value="ApplicationServiceType" /> + <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" /> + <property name="lifeTime" value="3600" /> + <property name="passiveRequestorEndpointConstraint" + value="https://localhost:(\d)*/(\w)*helloworld(\w)*/secure2/.*" /> + </bean> + + <bean id="srv-fedizhelloworld3" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity"> + <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld3" /> + <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" /> + <property name="serviceDisplayName" value="Fedizhelloworld" /> + <property name="serviceDescription" value="Web Application to illustrate WS-Federation" /> + <property name="role" value="ApplicationServiceType" /> + <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" /> + <property name="lifeTime" value="3600" /> + <property name="passiveRequestorEndpoint" + value="https://localhost:${rp.https.port}/fedizhelloworld/secure/fedservlet" /> + </bean> + + <bean id="srv-fedizhelloworld4" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity"> + <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld4" /> + <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" /> + <property name="serviceDisplayName" value="Fedizhelloworld" 
/> + <property name="serviceDescription" value="Web Application to illustrate WS-Federation" /> + <property name="role" value="ApplicationServiceType" /> + <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" /> + <property name="lifeTime" value="3600" /> + </bean> + <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity"> <property name="application" ref="srv-fedizhelloworld" /> <property name="claim" ref="claim_role" />