Repository: cxf-fediz Updated Branches: refs/heads/1.2.x-fixes f1aef3778 -> 1d5b956ed
FEDIZ-185 - Make one of passiveRequestorEndpoint or passiveRequestorEndpointConstraint mandatory in the IDP Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/1d5b956e Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/1d5b956e Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/1d5b956e Branch: refs/heads/1.2.x-fixes Commit: 1d5b956edf26f621532c917b19827d7b3ffc72ad Parents: f1aef37 Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Tue Dec 20 15:27:28 2016 +0000 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Tue Dec 20 16:41:47 2016 +0000 ---------------------------------------------------------------------- .../service/idp/beans/STSClientAction.java | 29 +++-- .../idp/src/main/resources/entities-realmb.xml | 1 + .../test/resources/realmb/entities-realmb.xml | 1 + .../apache/cxf/fediz/systests/idp/IdpTest.java | 105 +++++++++++++++++++ .../test/resources/realma/entities-realma.xml | 37 +++++++ 5 files changed, 162 insertions(+), 11 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/1d5b956e/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java ---------------------------------------------------------------------- diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java index ca87991..e99ea43 100644 --- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java +++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java 
@@ -320,20 +320,27 @@ public class STSClientAction {
             throw new ProcessingException(TYPE.BAD_REQUEST);
         }
 
-        if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null) {
-            LOG.warn("No passive requestor endpoint constraint is configured for the application. " + "This could lead to a malicious redirection attack");
-            return;
-        }
-
-        if (wreply != null) {
-            Matcher matcher = serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(wreply);
-            if (!matcher.matches()) {
-                LOG.error("The wreply value of {} does not match any of the passive requestor values",
+        if (serviceConfig.getPassiveRequestorEndpoint() == null
+            && serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null) {
+            LOG.error("Either the 'passiveRequestorEndpoint' or the 'passiveRequestorEndpointConstraint' "
+                + "configuration values must be specified for the application");
+        } else if (serviceConfig.getPassiveRequestorEndpoint() != null
+            && serviceConfig.getPassiveRequestorEndpoint().equals(wreply)) {
+            LOG.debug("The supplied endpoint address {} matches the configured passive requestor endpoint value",
                 wreply);
-                throw new ProcessingException(TYPE.BAD_REQUEST);
+            return;
+        } else if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() != null) {
+            Matcher matcher =
+                serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(wreply);
+            if (matcher.matches()) {
+                return;
+            } else {
+                LOG.error("The endpointAddress value of {} does not match any of the passive requestor values",
+                    wreply);
             }
         }
+
+        throw new ProcessingException(TYPE.BAD_REQUEST);
     }
 
     private String getIdFromToken(String token) throws XMLStreamException {
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/1d5b956e/services/idp/src/main/resources/entities-realmb.xml
----------------------------------------------------------------------
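Review bot: With the old `if (wreply != null)` guard removed, a null wreply that reaches the third branch is handed to `getCompiledPassiveRequestorEndpointConstraint().matcher(wreply)`, and Pattern.matcher throws a NullPointerException on null input, so the caller gets an unhandled exception instead of the ProcessingException this method means to raise; the second branch is safe because `equals(null)` is simply false. The enclosing method starts before the hunk, so if an earlier line already rejects a null wreply this is moot; otherwise make the branch `} else if (wreply != null && serviceConfig.getCompiledPassiveRequestorEndpointConstraint() != null) {` so a missing wreply falls through to the final BAD_REQUEST like any other non-matching value. The fall-through in the first branch also deserves a comment, since a reader may take a LOG.error with no throw for a forgotten return: `// Deliberately fail closed: with neither an exact endpoint nor a constraint configured, any wreply would be an unvalidated redirect target.` Note that this misconfiguration is reported as a 400 to the client on every request, which presents a deployment error as a client error; if ProcessingException offers a server-side type it would fit better here.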
diff --git a/services/idp/src/main/resources/entities-realmb.xml b/services/idp/src/main/resources/entities-realmb.xml
index 152ff52..0018c37 100644
--- a/services/idp/src/main/resources/entities-realmb.xml
+++ b/services/idp/src/main/resources/entities-realmb.xml
@@ -85,6 +85,7 @@
         <property name="role" value="SecurityTokenServiceType" />
         <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
         <property name="lifeTime" value="3600" />
+        <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" />
     </bean>
 
     <bean id="claim_role"
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/1d5b956e/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml
----------------------------------------------------------------------
diff --git a/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml b/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml
index fc203fb..26b58c5 100644
--- a/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml
+++ b/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml
@@ -79,6 +79,7 @@
         <property name="role" value="SecurityTokenServiceType" />
         <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
         <property name="lifeTime" value="3600" />
+        <property name="passiveRequestorEndpoint" value="https://localhost:${idp.https.port}/fediz-idp/federation" />
     </bean>
 
     <bean id="claim_role"
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/1d5b956e/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index 5998bcf..b0e5816 100644
--- a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java +++ b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java 
@@ -562,6 +562,111 @@ public class IdpTest { } } + @org.junit.Test + public void testValidWReplyWrongApplication() throws Exception { + String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?"; + url += "wa=wsignin1.0"; + url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A"; + url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld2"; + String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet"; + url += "&wreply=" + wreply; + + String user = "alice"; + String password = "ecila"; + + final WebClient webClient = new WebClient(); + webClient.getOptions().setUseInsecureSSL(true); + webClient.getCredentialsProvider().setCredentials( + new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())), + new UsernamePasswordCredentials(user, password)); + + webClient.getOptions().setJavaScriptEnabled(false); + try { + webClient.getPage(url); + Assert.fail("Failure expected on a bad wreply value"); + } catch (FailingHttpStatusCodeException ex) { + Assert.assertEquals(ex.getStatusCode(), 400); + } + } + + @org.junit.Test + public void testWReplyExactMatchingSuccess() throws Exception { + String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?"; + url += "wa=wsignin1.0"; + url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A"; + url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld3"; + String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet"; + url += "&wreply=" + wreply; + + String user = "alice"; + String password = "ecila"; + + final WebClient webClient = new WebClient(); + webClient.getOptions().setUseInsecureSSL(true); + webClient.getCredentialsProvider().setCredentials( + new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())), + new UsernamePasswordCredentials(user, password)); + + webClient.getOptions().setJavaScriptEnabled(false); + webClient.getPage(url); + } + + @org.junit.Test + public void 
testWReplyExactMatchingFailure() throws Exception { + String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?"; + url += "wa=wsignin1.0"; + url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A"; + url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld3"; + String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + + "/secure/fedservlet/blah"; + url += "&wreply=" + wreply; + + String user = "alice"; + String password = "ecila"; + + final WebClient webClient = new WebClient(); + webClient.getOptions().setUseInsecureSSL(true); + webClient.getCredentialsProvider().setCredentials( + new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())), + new UsernamePasswordCredentials(user, password)); + + webClient.getOptions().setJavaScriptEnabled(false); + try { + webClient.getPage(url); + Assert.fail("Failure expected on a bad wreply value"); + } catch (FailingHttpStatusCodeException ex) { + Assert.assertEquals(ex.getStatusCode(), 400); + } + } + + @org.junit.Test + public void testNoEndpointAddressOrConstraint() throws Exception { + String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?"; + url += "wa=wsignin1.0"; + url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A"; + url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld4"; + String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet"; + url += "&wreply=" + wreply; + + String user = "alice"; + String password = "ecila"; + + final WebClient webClient = new WebClient(); + webClient.getOptions().setUseInsecureSSL(true); + webClient.getCredentialsProvider().setCredentials( + new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())), + new UsernamePasswordCredentials(user, password)); + + webClient.getOptions().setJavaScriptEnabled(false); + // This is an error in the IdP + try { + webClient.getPage(url); + Assert.fail("Failure expected on a bad wreply value"); + } catch 
(FailingHttpStatusCodeException ex) { + Assert.assertEquals(ex.getStatusCode(), 400); + } + } + // Send a bad wreply value. This will pass the reg ex validation but fail the commons-validator // validation @org.junit.Test http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/1d5b956e/systests/idp/src/test/resources/realma/entities-realma.xml ---------------------------------------------------------------------- diff --git a/systests/idp/src/test/resources/realma/entities-realma.xml b/systests/idp/src/test/resources/realma/entities-realma.xml index 4509f64..76008b1 100644 --- a/systests/idp/src/test/resources/realma/entities-realma.xml +++ b/systests/idp/src/test/resources/realma/entities-realma.xml @@ -66,6 +66,9 @@ <property name="applications"> <util:list> <ref bean="srv-fedizhelloworld" /> + <ref bean="srv-fedizhelloworld2" /> + <ref bean="srv-fedizhelloworld3" /> + <ref bean="srv-fedizhelloworld4" /> </util:list> </property> <property name="trustedIdps"> 
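Review bot: `Assert.assertEquals(ex.getStatusCode(), 400)` in testValidWReplyWrongApplication, testWReplyExactMatchingFailure and testNoEndpointAddressOrConstraint has the arguments in (actual, expected) order, so a failing run would print the two numbers swapped; write `Assert.assertEquals(400, ex.getStatusCode());`. The four new tests repeat the same URL assembly, credential setup and WebClient options verbatim and differ only in the wtrealm value and the wreply suffix; a private helper taking those two strings and returning the prepared WebClient and URL would shrink each test to a few lines and keep the expected-status check in one place. The WebClient instances are never closed; if the HtmlUnit version in use exposes `WebClient.close()`, a try-with-resources around each would release its connections between tests.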
@@ -107,6 +110,40 @@ <property name="passiveRequestorEndpointConstraint" value="https://localhost:(\d)*/(\w)*helloworld(\w)*/secure/.*"/> </bean> + <bean id="srv-fedizhelloworld2" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity"> + <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld2" /> + <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" /> + <property name="serviceDisplayName" value="Fedizhelloworld" /> + <property name="serviceDescription" value="Web Application to illustrate WS-Federation" /> + <property name="role" value="ApplicationServiceType" /> + <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" /> + <property name="lifeTime" value="3600" /> + <property name="passiveRequestorEndpointConstraint" + value="https://localhost:(\d)*/(\w)*helloworld(\w)*/secure2/.*" /> + </bean> + + <bean id="srv-fedizhelloworld3" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity"> + <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld3" /> + <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" /> + <property name="serviceDisplayName" value="Fedizhelloworld" /> + <property name="serviceDescription" value="Web Application to illustrate WS-Federation" /> + <property name="role" value="ApplicationServiceType" /> + <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" /> + <property name="lifeTime" value="3600" /> + <property name="passiveRequestorEndpoint" + value="https://localhost:${rp.https.port}/fedizhelloworld/secure/fedservlet" /> + </bean> + + <bean id="srv-fedizhelloworld4" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity"> + <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld4" /> + <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" /> + <property 
name="serviceDisplayName" value="Fedizhelloworld" /> + <property name="serviceDescription" value="Web Application to illustrate WS-Federation" /> + <property name="role" value="ApplicationServiceType" /> + <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" /> + <property name="lifeTime" value="3600" /> + </bean> + <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity"> <property name="application" ref="srv-fedizhelloworld" /> <property name="claim" ref="claim_role" />