This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch 1.4.x-fixes in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
commit 5f5fd5b148b2ae3f3124d9610a522871d6163c1a
Author: Colm O hEigeartaigh <cohei...@apache.org>
AuthorDate: Thu May 17 17:30:42 2018 +0100
Adding CSRF tests for SAML SSO
---
 .../cxf/fediz/integrationtests/AbstractTests.java | 45 +++++++++++++---------
 1 file changed, 27 insertions(+), 18 deletions(-)
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index c5f2425..5bad8b5 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -887,10 +887,6 @@ public abstract class AbstractTests {
 @org.junit.Test
 public void testCSRFAttack() throws Exception {
- if (!isWSFederation()) {
- return;
- }
-
 String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
 csrfAttackTest(url);
 }
@@ -912,7 +908,7 @@ public abstract class AbstractTests {
 webClient.getOptions().setJavaScriptEnabled(true);
 Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
- final HtmlForm form = idpPage.getFormByName("signinresponseform");
+ final HtmlForm form = idpPage.getFormByName(getLoginFormName());
 final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
 final HtmlPage rpPage = button.click();
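Review bot: testCSRFAttack now runs for both protocols but still carries no comment saying what is being simulated or which mechanism is expected to stop it, and the expected rejection reason differs per protocol. The assertions live in csrfAttackTest, outside this hunk, so the exact expectation cannot be confirmed here; presumably the RP rejects because the replayed context value (wctx for WS-Federation, RelayState for SAML) is not bound to the attacker's session, which is worth verifying against that method. I would add a Javadoc on the test such as `/** Replays a victim's IdP response (WS-Federation or SAML SSO) in a fresh client session and expects the RP to reject it, since the response context is not bound to that session. */`.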
@@ -941,11 +937,19 @@ public abstract class AbstractTests {
 DomNodeList<DomElement> results = idpPage2.getElementsByTagName("input");
 for (DomElement result : results) {
- if ("wresult".equals(result.getAttributeNS(null, "name"))
- || "wa".equals(result.getAttributeNS(null, "name"))
- || "wctx".equals(result.getAttributeNS(null, "name"))) {
- String value = result.getAttributeNS(null, "value");
- request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null, "name"), value));
+ if (isWSFederation()) {
+ if ("wresult".equals(result.getAttributeNS(null, "name"))
+ || "wa".equals(result.getAttributeNS(null, "name"))
+ || "wctx".equals(result.getAttributeNS(null, "name"))) {
+ String value = result.getAttributeNS(null, "value");
+ request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null, "name"), value));
+ }
+ } else {
+ if ("SAMLResponse".equals(result.getAttributeNS(null, "name"))
+ || "RelayState".equals(result.getAttributeNS(null, "name"))) {
+ String value = result.getAttributeNS(null, "value");
+ request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null, "name"), value));
+ }
 }
 }
@@ -962,9 +966,6 @@ public abstract class AbstractTests {
 @org.junit.Test
 public void testCSRFAttack2() throws Exception {
- if (!isWSFederation()) {
- return;
- }
 String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
 csrfAttackTest2(url);
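Review bot: The new if/else inside the for loop re-evaluates isWSFederation() on every input element and repeats the value lookup and NameValuePair add in both branches, while getAttributeNS(null, "name") is called up to four times per element. Choosing the protocol-specific field names once before the loop and reading the name into a local makes the replayed fields visible at a glance and leaves a single add site. The enclosing csrfAttackTest method starts and ends outside this hunk; the rewrite below needs java.util.Arrays and java.util.List if the file does not already import them.
```java
        // Fields of the victim's IdP response that are replayed in the attacker's request.
        List<String> replayedFields = isWSFederation()
            ? Arrays.asList("wresult", "wa", "wctx")
            : Arrays.asList("SAMLResponse", "RelayState");
        DomNodeList<DomElement> results = idpPage2.getElementsByTagName("input");
        for (DomElement result : results) {
            String name = result.getAttributeNS(null, "name");
            if (replayedFields.contains(name)) {
                String value = result.getAttributeNS(null, "value");
                request.getRequestParameters().add(new NameValuePair(name, value));
            }
        }
```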
@@ -994,11 +995,19 @@ public abstract class AbstractTests {
 DomNodeList<DomElement> results = idpPage2.getElementsByTagName("input");
 for (DomElement result : results) {
- if ("wresult".equals(result.getAttributeNS(null, "name"))
- || "wa".equals(result.getAttributeNS(null, "name"))
- || "wctx".equals(result.getAttributeNS(null, "name"))) {
- String value = result.getAttributeNS(null, "value");
- request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null, "name"), value));
+ if (isWSFederation()) {
+ if ("wresult".equals(result.getAttributeNS(null, "name"))
+ || "wa".equals(result.getAttributeNS(null, "name"))
+ || "wctx".equals(result.getAttributeNS(null, "name"))) {
+ String value = result.getAttributeNS(null, "value");
+ request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null, "name"), value));
+ }
+ } else {
+ if ("SAMLResponse".equals(result.getAttributeNS(null, "name"))
+ || "RelayState".equals(result.getAttributeNS(null, "name"))) {
+ String value = result.getAttributeNS(null, "value");
+ request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null, "name"), value));
+ }
 }
 }
--
To stop receiving notification emails like this one, please contact cohei...@apache.org.
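Review bot: This fifteen-line loop in csrfAttackTest2 is now a verbatim copy of the one added to csrfAttackTest at line 937, so any future change to which fields are replayed has to be made twice and can silently diverge between the two CSRF tests. A private helper called from both methods keeps the list of replayed fields in one place; the call site in each test becomes `addReplayedIdpFields(request, idpPage2);`. The declared type of request is outside the hunk; the signature below assumes HtmlUnit's WebRequest, since getRequestParameters() is called on it, and should be adjusted if the local variable is typed differently. The enclosing csrfAttackTest2 method starts before this hunk.
```java
    /**
     * Copies the protocol-specific fields of the victim's IdP response page onto the
     * attacker's request: wresult/wa/wctx for WS-Federation, SAMLResponse/RelayState for SAML SSO.
     */
    private void addReplayedIdpFields(WebRequest request, HtmlPage idpPage) {
        List<String> replayedFields = isWSFederation()
            ? Arrays.asList("wresult", "wa", "wctx")
            : Arrays.asList("SAMLResponse", "RelayState");
        for (DomElement result : idpPage.getElementsByTagName("input")) {
            String name = result.getAttributeNS(null, "name");
            if (replayedFields.contains(name)) {
                request.getRequestParameters().add(new NameValuePair(name, result.getAttributeNS(null, "value")));
            }
        }
    }
```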