cxf-fediz git commit: FEDIZ-185 - Make one of passiveRequestorEndpoint or passiveRequestorEndpointConstraint mandatory in the IDP

2016-12-20 Thread coheigea
Repository: cxf-fediz
Updated Branches:
  refs/heads/1.2.x-fixes f1aef3778 -> 1d5b956ed


FEDIZ-185 - Make one of passiveRequestorEndpoint or 
passiveRequestorEndpointConstraint mandatory in the IDP


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/1d5b956e
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/1d5b956e
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/1d5b956e

Branch: refs/heads/1.2.x-fixes
Commit: 1d5b956edf26f621532c917b19827d7b3ffc72ad
Parents: f1aef37
Author: Colm O hEigeartaigh 
Authored: Tue Dec 20 15:27:28 2016 +
Committer: Colm O hEigeartaigh 
Committed: Tue Dec 20 16:41:47 2016 +

--
 .../service/idp/beans/STSClientAction.java  |  29 +++--
 .../idp/src/main/resources/entities-realmb.xml  |   1 +
 .../test/resources/realmb/entities-realmb.xml   |   1 +
 .../apache/cxf/fediz/systests/idp/IdpTest.java  | 105 +++
 .../test/resources/realma/entities-realma.xml   |  37 +++
 5 files changed, 162 insertions(+), 11 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/1d5b956e/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
--
diff --git 
a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
 
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
index ca87991..e99ea43 100644
--- 
a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
+++ 
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java
@@ -320,20 +320,27 @@ public class STSClientAction {
 throw new ProcessingException(TYPE.BAD_REQUEST);
 }
 
-if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == 
null) {
-LOG.warn("No passive requestor endpoint constraint is configured 
for the application. "
- + "This could lead to a malicious redirection attack");
-return;
-}
-
-if (wreply != null) {
-Matcher matcher = 
serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(wreply);
-if (!matcher.matches()) {
-LOG.error("The wreply value of {} does not match any of the 
passive requestor values",
+if (serviceConfig.getPassiveRequestorEndpoint() == null 
+&& serviceConfig.getCompiledPassiveRequestorEndpointConstraint() 
== null) {
+LOG.error("Either the 'passiveRequestorEndpoint' or the 
'passiveRequestorEndpointConstraint' "
++ "configuration values must be specified for the 
application");
+} else if (serviceConfig.getPassiveRequestorEndpoint() != null 
+&& serviceConfig.getPassiveRequestorEndpoint().equals(wreply)) {
+LOG.debug("The supplied endpoint address {} matches the configured 
passive requestor endpoint value", 
   wreply);
-throw new ProcessingException(TYPE.BAD_REQUEST);
+return;
+} else if 
(serviceConfig.getCompiledPassiveRequestorEndpointConstraint() != null) {
+Matcher matcher = 
+
serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(wreply);
+if (matcher.matches()) {
+return;
+} else {
+LOG.error("The endpointAddress value of {} does not match any 
of the passive requestor values",
+  wreply);
 }
 }
+
+throw new ProcessingException(TYPE.BAD_REQUEST);
 }
 
 private String getIdFromToken(String token) throws XMLStreamException {
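Review bot: The new regex branch calls `serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(wreply)` without the `if (wreply != null)` guard that the removed code had, and `Pattern.matcher(null)` throws a NullPointerException. Unless the validation above this hunk (not visible here) already rejects a missing wreply, a request without one would surface as an unhandled NPE rather than the intended `ProcessingException(TYPE.BAD_REQUEST)`. Guarding the branch as `} else if (wreply != null && serviceConfig.getCompiledPassiveRequestorEndpointConstraint() != null) {` keeps the final `throw` as the single fail-closed rejection path. The enclosing method starts outside the hunk.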

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/1d5b956e/services/idp/src/main/resources/entities-realmb.xml
--
diff --git a/services/idp/src/main/resources/entities-realmb.xml 
b/services/idp/src/main/resources/entities-realmb.xml
index 152ff52..0018c37 100644
--- a/services/idp/src/main/resources/entities-realmb.xml
+++ b/services/idp/src/main/resources/entities-realmb.xml
@@ -85,6 +85,7 @@
 
 http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
 />
 
+https://localhost:?(\d)*/.*" />
 
 
 http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/1d5b956e/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml
--
diff --git 
a/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml 
b/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml
index fc203fb..26b58c5 100644
--

[1/2] cxf-fediz git commit: FEDIZ-185 - Make one of passiveRequestorEndpoint or passiveRequestorEndpointConstraint mandatory in the IDP

2016-12-20 Thread coheigea
Repository: cxf-fediz
Updated Branches:
  refs/heads/1.3.x-fixes aaeea60c7 -> 483e6a349


FEDIZ-185 - Make one of passiveRequestorEndpoint or 
passiveRequestorEndpointConstraint mandatory in the IDP


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/f26a20c2
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/f26a20c2
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/f26a20c2

Branch: refs/heads/1.3.x-fixes
Commit: f26a20c2584460aea2fbf00845d1b37a0b212d07
Parents: aaeea60
Author: Colm O hEigeartaigh 
Authored: Tue Dec 20 15:27:28 2016 +
Committer: Colm O hEigeartaigh 
Committed: Tue Dec 20 15:28:34 2016 +

--
 .../idp/beans/PassiveRequestorValidator.java|  34 +++---
 .../idp/src/main/resources/entities-realmb.xml  |   1 +
 .../test/resources/realmb/entities-realmb.xml   |   3 +-
 .../test/resources/realmb/entities-realmb.xml   |   2 +
 .../apache/cxf/fediz/systests/idp/IdpTest.java  | 113 +++
 .../test/resources/realma/entities-realma.xml   |  37 ++
 6 files changed, 174 insertions(+), 16 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f26a20c2/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
--
diff --git 
a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
 
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
index 0393d4f..3f5be36 100644
--- 
a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
+++ 
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
@@ -47,26 +47,30 @@ public class PassiveRequestorValidator {
 Application serviceConfig = idpConfig.findApplication(realm);
 if (serviceConfig == null) {
 LOG.warn("No service config found for " + realm);
-return true;
+return false;
 }
 
-// The endpointAddress address must match the passive endpoint 
requestor constraint 
-// (if it is specified)
-if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == 
null) {
-LOG.warn("No passive requestor endpoint constraint is configured 
for the application. "
-+ "This could lead to a malicious redirection attack");
-return true;
-}
-
-Matcher matcher = 
-
serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(endpointAddress);
-if (!matcher.matches()) {
-LOG.error("The endpointAddress value of {} does not match any of 
the passive requestor values",
+if (serviceConfig.getPassiveRequestorEndpoint() == null 
+&& serviceConfig.getCompiledPassiveRequestorEndpointConstraint() 
== null) {
+LOG.error("Either the 'passiveRequestorEndpoint' or the 
'passiveRequestorEndpointConstraint' "
++ "configuration values must be specified for the 
application");
+} else if (serviceConfig.getPassiveRequestorEndpoint() != null 
+&& 
serviceConfig.getPassiveRequestorEndpoint().equals(endpointAddress)) {
+LOG.debug("The supplied endpoint address {} matches the configured 
passive requestor endpoint value", 
   endpointAddress);
-return false;
+return true;
+} else if 
(serviceConfig.getCompiledPassiveRequestorEndpointConstraint() != null) {
+Matcher matcher = 
+
serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(endpointAddress);
+if (matcher.matches()) {
+return true;
+} else {
+LOG.error("The endpointAddress value of {} does not match any 
of the passive requestor values",
+  endpointAddress);
+}
 }
 
-return true;
+return false;
 }
 
 }
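Review bot: A rejection leaves no log line when `passiveRequestorEndpoint` is configured, differs from `endpointAddress`, and no constraint regex is set. In that case the second branch is skipped, the third is not entered, and control reaches `return false` silently. This check is what stops a redirect to an unapproved reply address, so every refusal should be traceable. A closing branch such as `} else { LOG.error("The endpointAddress value of {} does not match the configured passive requestor endpoint", endpointAddress); }` would cover it. The same branch structure appears in the STSClientAction.java hunk above (before its final `throw`) and in the master copy of this hunk further down the page; the method begins outside the hunk.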

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f26a20c2/services/idp/src/main/resources/entities-realmb.xml
--
diff --git a/services/idp/src/main/resources/entities-realmb.xml 
b/services/idp/src/main/resources/entities-realmb.xml
index 592a605..3f2cd92 100644
--- a/services/idp/src/main/resources/entities-realmb.xml
+++ b/services/idp/src/main/resources/entities-realmb.xml
@@ -85,6 +85,7 @@
 
 http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
 />
 
+https://localhost:?(\d)*/.*" />
 
 
 http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f26a20c2/systests/federation/sam

cxf-fediz git commit: FEDIZ-185 - Make one of passiveRequestorEndpoint or passiveRequestorEndpointConstraint mandatory in the IDP

2016-12-20 Thread coheigea
Repository: cxf-fediz
Updated Branches:
  refs/heads/master b94137a45 -> 25dcd2754


FEDIZ-185 - Make one of passiveRequestorEndpoint or 
passiveRequestorEndpointConstraint mandatory in the IDP


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/25dcd275
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/25dcd275
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/25dcd275

Branch: refs/heads/master
Commit: 25dcd275443d84e9927f7ad7c980f46463d03009
Parents: b94137a
Author: Colm O hEigeartaigh 
Authored: Tue Dec 20 15:27:28 2016 +
Committer: Colm O hEigeartaigh 
Committed: Tue Dec 20 15:27:28 2016 +

--
 .../idp/beans/PassiveRequestorValidator.java|  34 +++---
 .../idp/src/main/resources/entities-realmb.xml  |   1 +
 .../test/resources/realmb/entities-realmb.xml   |   3 +-
 .../test/resources/realmb/entities-realmb.xml   |   1 +
 .../apache/cxf/fediz/systests/idp/IdpTest.java  | 113 +++
 .../test/resources/realma/entities-realma.xml   |  37 ++
 6 files changed, 173 insertions(+), 16 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/25dcd275/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
--
diff --git 
a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
 
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
index 0393d4f..3f5be36 100644
--- 
a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
+++ 
b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java
@@ -47,26 +47,30 @@ public class PassiveRequestorValidator {
 Application serviceConfig = idpConfig.findApplication(realm);
 if (serviceConfig == null) {
 LOG.warn("No service config found for " + realm);
-return true;
+return false;
 }
 
-// The endpointAddress address must match the passive endpoint 
requestor constraint 
-// (if it is specified)
-if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == 
null) {
-LOG.warn("No passive requestor endpoint constraint is configured 
for the application. "
-+ "This could lead to a malicious redirection attack");
-return true;
-}
-
-Matcher matcher = 
-
serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(endpointAddress);
-if (!matcher.matches()) {
-LOG.error("The endpointAddress value of {} does not match any of 
the passive requestor values",
+if (serviceConfig.getPassiveRequestorEndpoint() == null 
+&& serviceConfig.getCompiledPassiveRequestorEndpointConstraint() 
== null) {
+LOG.error("Either the 'passiveRequestorEndpoint' or the 
'passiveRequestorEndpointConstraint' "
++ "configuration values must be specified for the 
application");
+} else if (serviceConfig.getPassiveRequestorEndpoint() != null 
+&& 
serviceConfig.getPassiveRequestorEndpoint().equals(endpointAddress)) {
+LOG.debug("The supplied endpoint address {} matches the configured 
passive requestor endpoint value", 
   endpointAddress);
-return false;
+return true;
+} else if 
(serviceConfig.getCompiledPassiveRequestorEndpointConstraint() != null) {
+Matcher matcher = 
+
serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(endpointAddress);
+if (matcher.matches()) {
+return true;
+} else {
+LOG.error("The endpointAddress value of {} does not match any 
of the passive requestor values",
+  endpointAddress);
+}
 }
 
-return true;
+return false;
 }
 
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/25dcd275/services/idp/src/main/resources/entities-realmb.xml
--
diff --git a/services/idp/src/main/resources/entities-realmb.xml 
b/services/idp/src/main/resources/entities-realmb.xml
index 02cd3ca..68fb3e8 100644
--- a/services/idp/src/main/resources/entities-realmb.xml
+++ b/services/idp/src/main/resources/entities-realmb.xml
@@ -85,6 +85,7 @@
 
 http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
 />
 
+https://localhost:?(\d)*/.*" />
 
 
 http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/25dcd275/systests/federation/samlsso/src/t