Skip to content

Commit

Permalink
Some improvements to the Spring plugins
Browse files Browse the repository at this point in the history
  • Loading branch information
coheigea committed Oct 6, 2017
1 parent c5d3cae commit 48dd9b6
Show file tree
Hide file tree
Showing 4 changed files with 73 additions and 7 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -128,14 +128,19 @@ private String getState(ServletRequest request) {

private void verifySavedState(HttpServletRequest request) {
HttpSession session = request.getSession(false);
if (session != null) {
String savedContext = (String)session.getAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
String state = getState(request);
if (savedContext != null && !savedContext.equals(state)) {
logger.warn("The received state does not match the state saved in the context");
throw new BadCredentialsException("The received state does not match the state saved in the context");
}

if (session == null) {
logger.warn("The received state does not match the state saved in the context");
throw new BadCredentialsException("The received state does not match the state saved in the context");
}

String savedContext = (String)session.getAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
String state = getState(request);
if (savedContext == null || !savedContext.equals(state)) {
logger.warn("The received state does not match the state saved in the context");
throw new BadCredentialsException("The received state does not match the state saved in the context");
}
session.removeAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
}

/**
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -157,4 +157,12 @@ public void testCSRFAttack() throws Exception {
+ "/j_spring_fediz_security_check";
csrfAttackTest(url);
}

@Override
@org.junit.Test
public void testCSRFAttack2() throws Exception {
String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ "/j_spring_fediz_security_check";
csrfAttackTest2(url);
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -803,4 +803,56 @@ protected void csrfAttackTest(String rpURL) throws Exception {

}

@org.junit.Test
public void testCSRFAttack2() throws Exception {
String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
csrfAttackTest2(url);
}

protected void csrfAttackTest2(String rpURL) throws Exception {
String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";

// 1. Log in as "bob" using another WebClient
WebClient webClient2 = new WebClient();
webClient2.getOptions().setUseInsecureSSL(true);
webClient2.getCredentialsProvider().setCredentials(
new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
new UsernamePasswordCredentials("bob", "bob"));

webClient2.getOptions().setJavaScriptEnabled(false);
final HtmlPage idpPage2 = webClient2.getPage(url);
webClient2.getOptions().setJavaScriptEnabled(true);
Assert.assertEquals("IDP SignIn Response Form", idpPage2.getTitleText());

// 2. Now instead of clicking on the form, send the form via alice's WebClient instead

// Send with context...
WebRequest request = new WebRequest(new URL(rpURL), HttpMethod.POST);
request.setRequestParameters(new ArrayList<NameValuePair>());

DomNodeList<DomElement> results = idpPage2.getElementsByTagName("input");

for (DomElement result : results) {
if ("wresult".equals(result.getAttributeNS(null, "name"))
|| "wa".equals(result.getAttributeNS(null, "name"))
|| "wctx".equals(result.getAttributeNS(null, "name"))) {
String value = result.getAttributeNS(null, "value");
request.getRequestParameters().add(new NameValuePair(result.getAttributeNS(null, "name"), value));
}
}

WebClient webClient = new WebClient();
webClient.getOptions().setUseInsecureSSL(true);

try {
webClient.getPage(request);
Assert.fail("Failure expected on a CSRF attack");
} catch (FailingHttpStatusCodeException ex) {
// expected
}

// webClient.close();
// webClient2.close();

}
}
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ http://www.springframework.org/schema/context http://www.springframework.org/sch
<sec:intercept-url pattern="/index.html" access="permitAll"/>
<sec:intercept-url pattern="/FederationMetadata/**" access="isAuthenticated()"/>
<sec:intercept-url pattern="/secure/fedservlet" access="isAuthenticated()"/>
<sec:intercept-url pattern="/secure/test.html" access="isAuthenticated()"/>
<sec:intercept-url pattern="/secure/manager/**" access="hasRole('ROLE_MANAGER')"/>
<sec:intercept-url pattern="/secure/admin/**" access="hasRole('ROLE_ADMIN')"/>
<sec:intercept-url pattern="/secure/user/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN','ROLE_MANAGER')"/>
Expand Down

0 comments on commit 48dd9b6

Please sign in to comment.