cxf-fediz git commit: FEDIZ-185 - Make one of passiveRequestorEndpoint or passiveRequestorEndpointConstraint mandatory in the IDP
Repository: cxf-fediz Updated Branches: refs/heads/1.2.x-fixes f1aef3778 -> 1d5b956ed FEDIZ-185 - Make one of passiveRequestorEndpoint or passiveRequestorEndpointConstraint mandatory in the IDP Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/1d5b956e Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/1d5b956e Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/1d5b956e Branch: refs/heads/1.2.x-fixes Commit: 1d5b956edf26f621532c917b19827d7b3ffc72ad Parents: f1aef37 Author: Colm O hEigeartaigh Authored: Tue Dec 20 15:27:28 2016 + Committer: Colm O hEigeartaigh Committed: Tue Dec 20 16:41:47 2016 + -- .../service/idp/beans/STSClientAction.java | 29 +++-- .../idp/src/main/resources/entities-realmb.xml | 1 + .../test/resources/realmb/entities-realmb.xml | 1 + .../apache/cxf/fediz/systests/idp/IdpTest.java | 105 +++ .../test/resources/realma/entities-realma.xml | 37 +++ 5 files changed, 162 insertions(+), 11 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/1d5b956e/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java -- diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java index ca87991..e99ea43 100644 --- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java +++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/STSClientAction.java 
@@ -320,20 +320,27 @@ public class STSClientAction { throw new ProcessingException(TYPE.BAD_REQUEST); } -if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null) { -LOG.warn("No passive requestor endpoint constraint is configured for the application. " - + "This could lead to a malicious redirection attack"); -return; -} - -if (wreply != null) { -Matcher matcher = serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(wreply); -if (!matcher.matches()) { -LOG.error("The wreply value of {} does not match any of the passive requestor values", +if (serviceConfig.getPassiveRequestorEndpoint() == null +&& serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null) { +LOG.error("Either the 'passiveRequestorEndpoint' or the 'passiveRequestorEndpointConstraint' " ++ "configuration values must be specified for the application"); +} else if (serviceConfig.getPassiveRequestorEndpoint() != null +&& serviceConfig.getPassiveRequestorEndpoint().equals(wreply)) { +LOG.debug("The supplied endpoint address {} matches the configured passive requestor endpoint value", wreply); -throw new ProcessingException(TYPE.BAD_REQUEST); +return; +} else if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() != null) { +Matcher matcher = + serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(wreply); +if (matcher.matches()) { +return; +} else { +LOG.error("The endpointAddress value of {} does not match any of the passive requestor values", + wreply); } } + +throw new ProcessingException(TYPE.BAD_REQUEST); } private String getIdFromToken(String token) throws XMLStreamException { http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/1d5b956e/services/idp/src/main/resources/entities-realmb.xml -- diff --git a/services/idp/src/main/resources/entities-realmb.xml b/services/idp/src/main/resources/entities-realmb.xml index 152ff52..0018c37 100644 --- a/services/idp/src/main/resources/entities-realmb.xml 
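Review bot: The rewritten check calls `getCompiledPassiveRequestorEndpointConstraint().matcher(wreply)` without the `if (wreply != null)` guard the removed code had, so a request that omits wreply now dies with a NullPointerException inside the constraint branch instead of the intended BAD_REQUEST (Pattern.matcher rejects a null input). If wreply can still be null at this point — the enclosing method starts before the hunk, so I cannot see whether it is checked earlier — guard the branch with `} else if (wreply != null && serviceConfig.getCompiledPassiveRequestorEndpointConstraint() != null) {`, which lets a missing wreply fall through to the existing `throw new ProcessingException(TYPE.BAD_REQUEST);`. The same unguarded `matcher(endpointAddress)` call appears in the PassiveRequestorValidator hunks of the two later commits on this page. Separately, the error message in the constraint branch says 'endpointAddress' although the value logged here is wreply; `"The wreply value of {} does not match any of the passive requestor values"` keeps the log searchable by the actual request parameter name.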
+++ b/services/idp/src/main/resources/entities-realmb.xml @@ -85,6 +85,7 @@ http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"; /> +https://localhost:?(\d)*/.*" /> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/1d5b956e/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml -- diff --git a/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml b/systests/federation/wsfed/src/test/resources/realmb/entities-realmb.xml index fc203fb..26b58c5 100644 --
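Review bot: The constraint added here, `https://localhost:?(\d)*/.*`, pins the host only because the validator applies it with `Matcher.matches()`, which requires the whole wreply to match; a comment on this line such as `<!-- full-match regex: wreply must be https://localhost[:port]/... -->` would stop a later edit from loosening it to a prefix or find() match. The capture group in `(\d)*` is unused and `\d*` reads the same, and `:?\d*` also admits `https://localhost/` and `https://localhost:/` with no port, which is presumably intended for a sample realm configuration. The rendered line has lost its attribute name, so I cannot confirm which property it sets; the same line is added in the entities-realmb.xml hunks of the two later commits on this page.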
[1/2] cxf-fediz git commit: FEDIZ-185 - Make one of passiveRequestorEndpoint or passiveRequestorEndpointConstraint mandatory in the IDP
Repository: cxf-fediz Updated Branches: refs/heads/1.3.x-fixes aaeea60c7 -> 483e6a349 FEDIZ-185 - Make one of passiveRequestorEndpoint or passiveRequestorEndpointConstraint mandatory in the IDP Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/f26a20c2 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/f26a20c2 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/f26a20c2 Branch: refs/heads/1.3.x-fixes Commit: f26a20c2584460aea2fbf00845d1b37a0b212d07 Parents: aaeea60 Author: Colm O hEigeartaigh Authored: Tue Dec 20 15:27:28 2016 + Committer: Colm O hEigeartaigh Committed: Tue Dec 20 15:28:34 2016 + -- .../idp/beans/PassiveRequestorValidator.java| 34 +++--- .../idp/src/main/resources/entities-realmb.xml | 1 + .../test/resources/realmb/entities-realmb.xml | 3 +- .../test/resources/realmb/entities-realmb.xml | 2 + .../apache/cxf/fediz/systests/idp/IdpTest.java | 113 +++ .../test/resources/realma/entities-realma.xml | 37 ++ 6 files changed, 174 insertions(+), 16 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f26a20c2/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java -- diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java index 0393d4f..3f5be36 100644 --- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java +++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java 
@@ -47,26 +47,30 @@ public class PassiveRequestorValidator { Application serviceConfig = idpConfig.findApplication(realm); if (serviceConfig == null) { LOG.warn("No service config found for " + realm); -return true; +return false; } -// The endpointAddress address must match the passive endpoint requestor constraint -// (if it is specified) -if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null) { -LOG.warn("No passive requestor endpoint constraint is configured for the application. " -+ "This could lead to a malicious redirection attack"); -return true; -} - -Matcher matcher = - serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(endpointAddress); -if (!matcher.matches()) { -LOG.error("The endpointAddress value of {} does not match any of the passive requestor values", +if (serviceConfig.getPassiveRequestorEndpoint() == null +&& serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null) { +LOG.error("Either the 'passiveRequestorEndpoint' or the 'passiveRequestorEndpointConstraint' " ++ "configuration values must be specified for the application"); +} else if (serviceConfig.getPassiveRequestorEndpoint() != null +&& serviceConfig.getPassiveRequestorEndpoint().equals(endpointAddress)) { +LOG.debug("The supplied endpoint address {} matches the configured passive requestor endpoint value", endpointAddress); -return false; +return true; +} else if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() != null) { +Matcher matcher = + serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(endpointAddress); +if (matcher.matches()) { +return true; +} else { +LOG.error("The endpointAddress value of {} does not match any of the passive requestor values", + endpointAddress); +} } -return true; +return false; } } http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f26a20c2/services/idp/src/main/resources/entities-realmb.xml -- 
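Review bot: The configuration error logged in the first new branch is only discovered per request, after `idpConfig.findApplication(realm)` has found the application, so an IdP deployed without either `passiveRequestorEndpoint` or `passiveRequestorEndpointConstraint` for a realm passes startup and only begins rejecting logins (return false) when the first user arrives, and the message omits the realm, so the operator cannot tell which application is misconfigured. I would include it, `LOG.error("Either the 'passiveRequestorEndpoint' or the 'passiveRequestorEndpointConstraint' configuration values must be specified for the application {}", realm);`, and, if the Application bean has an init hook, enforce the same rule there so the problem surfaces at startup. The new fail-closed defaults (`return false` when no service config is found and at the end of the method) are the right direction; a method-level Javadoc stating that contract — true only when endpointAddress exactly equals the configured endpoint or fully matches the constraint regex, false otherwise — would document it for callers. The method's signature lies before the hunk, and the identical hunk is applied to master in the third commit on this page.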
diff --git a/services/idp/src/main/resources/entities-realmb.xml b/services/idp/src/main/resources/entities-realmb.xml index 592a605..3f2cd92 100644 --- a/services/idp/src/main/resources/entities-realmb.xml +++ b/services/idp/src/main/resources/entities-realmb.xml @@ -85,6 +85,7 @@ http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"; /> +https://localhost:?(\d)*/.*" /> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f26a20c2/systests/federation/sam
cxf-fediz git commit: FEDIZ-185 - Make one of passiveRequestorEndpoint or passiveRequestorEndpointConstraint mandatory in the IDP
Repository: cxf-fediz Updated Branches: refs/heads/master b94137a45 -> 25dcd2754 FEDIZ-185 - Make one of passiveRequestorEndpoint or passiveRequestorEndpointConstraint mandatory in the IDP Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/25dcd275 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/25dcd275 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/25dcd275 Branch: refs/heads/master Commit: 25dcd275443d84e9927f7ad7c980f46463d03009 Parents: b94137a Author: Colm O hEigeartaigh Authored: Tue Dec 20 15:27:28 2016 + Committer: Colm O hEigeartaigh Committed: Tue Dec 20 15:27:28 2016 + -- .../idp/beans/PassiveRequestorValidator.java| 34 +++--- .../idp/src/main/resources/entities-realmb.xml | 1 + .../test/resources/realmb/entities-realmb.xml | 3 +- .../test/resources/realmb/entities-realmb.xml | 1 + .../apache/cxf/fediz/systests/idp/IdpTest.java | 113 +++ .../test/resources/realma/entities-realma.xml | 37 ++ 6 files changed, 173 insertions(+), 16 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/25dcd275/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java -- diff --git a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java index 0393d4f..3f5be36 100644 --- a/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java +++ b/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/beans/PassiveRequestorValidator.java 
@@ -47,26 +47,30 @@ public class PassiveRequestorValidator { Application serviceConfig = idpConfig.findApplication(realm); if (serviceConfig == null) { LOG.warn("No service config found for " + realm); -return true; +return false; } -// The endpointAddress address must match the passive endpoint requestor constraint -// (if it is specified) -if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null) { -LOG.warn("No passive requestor endpoint constraint is configured for the application. " -+ "This could lead to a malicious redirection attack"); -return true; -} - -Matcher matcher = - serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(endpointAddress); -if (!matcher.matches()) { -LOG.error("The endpointAddress value of {} does not match any of the passive requestor values", +if (serviceConfig.getPassiveRequestorEndpoint() == null +&& serviceConfig.getCompiledPassiveRequestorEndpointConstraint() == null) { +LOG.error("Either the 'passiveRequestorEndpoint' or the 'passiveRequestorEndpointConstraint' " ++ "configuration values must be specified for the application"); +} else if (serviceConfig.getPassiveRequestorEndpoint() != null +&& serviceConfig.getPassiveRequestorEndpoint().equals(endpointAddress)) { +LOG.debug("The supplied endpoint address {} matches the configured passive requestor endpoint value", endpointAddress); -return false; +return true; +} else if (serviceConfig.getCompiledPassiveRequestorEndpointConstraint() != null) { +Matcher matcher = + serviceConfig.getCompiledPassiveRequestorEndpointConstraint().matcher(endpointAddress); +if (matcher.matches()) { +return true; +} else { +LOG.error("The endpointAddress value of {} does not match any of the passive requestor values", + endpointAddress); +} } -return true; +return false; } } http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/25dcd275/services/idp/src/main/resources/entities-realmb.xml -- 
diff --git a/services/idp/src/main/resources/entities-realmb.xml b/services/idp/src/main/resources/entities-realmb.xml index 02cd3ca..68fb3e8 100644 --- a/services/idp/src/main/resources/entities-realmb.xml +++ b/services/idp/src/main/resources/entities-realmb.xml @@ -85,6 +85,7 @@ http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"; /> +https://localhost:?(\d)*/.*" /> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/25dcd275/systests/federation/samlsso/src/t