Enabling CSRF tests for the spring plugins
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/aa66ed45 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/aa66ed45 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/aa66ed45 Branch: refs/heads/1.3.x-fixes Commit: aa66ed45339d2e21069183b3b03c2b8aae10f584 Parents: f368c47 Author: Colm O hEigeartaigh <[email protected]> Authored: Mon Dec 19 13:21:05 2016 +0000 Committer: Colm O hEigeartaigh <[email protected]> Committed: Mon Dec 19 14:02:42 2016 +0000 ---------------------------------------------------------------------- .../apache/cxf/fediz/integrationtests/Spring2Test.java | 8 ++++++++ .../apache/cxf/fediz/integrationtests/SpringTest.java | 8 ++++++++ .../apache/cxf/fediz/integrationtests/AbstractTests.java | 11 ++++++----- 3 files changed, 22 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/aa66ed45/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java ----------------------------------------------------------------------
diff --git a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
index f9754ba..cd68992 100644
--- a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
+++ b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/Spring2Test.java
@@ -250,4 +250,12 @@ public class Spring2Test extends AbstractTests {
 }
+ @Override
+ @org.junit.Test
+ public void testCSRFAttack() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ + "/j_spring_fediz_security_check";
+ csrfAttackTest(url);
+ }
+
 } http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/aa66ed45/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java ----------------------------------------------------------------------
diff --git a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java
index 036b189..93b4201 100644
--- a/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java
+++ b/systests/spring/src/test/java/org/apache/cxf/fediz/integrationtests/SpringTest.java
@@ -149,4 +149,12 @@ public class SpringTest extends AbstractTests {
 public void testConcurrentRequests() throws Exception {
 // super.testConcurrentRequests();
 }
+
+ @Override
+ @org.junit.Test
+ public void testCSRFAttack() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ + "/j_spring_fediz_security_check";
+ csrfAttackTest(url);
+ }
 } http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/aa66ed45/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java ----------------------------------------------------------------------
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index 9104d64..5908db8 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
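Review bot: The override re-targets the forged POST from the protected servlet to `/j_spring_fediz_security_check` without saying why, and the identical literal is repeated in the SpringTest hunk below, so a reader of either class cannot tell whether that path is the plugin's filter processing URL or just another protected resource. Presumably the Spring plugin's filter only consumes a WS-Federation SignIn response at that URL, which is why the replayed `wresult` has to be aimed there — that should be confirmed against the plugin's filter configuration. Suggest a one-line comment above `String url`: `// The Spring plugin processes the SignIn response at its filter URL, not at the protected resource, so the replayed token is posted there`. Since both Spring test classes build the same URL, a protected helper in the base class parameterised by the path would also keep them from drifting apart.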
@@ -736,6 +736,11 @@ public abstract class AbstractTests {
 @org.junit.Ignore
 public void testCSRFAttack() throws Exception {
 String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+ csrfAttackTest(url);
+ }
+
+ protected void csrfAttackTest(String rpURL) throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
 String user = "alice";
 String password = "ecila";
@@ -774,7 +779,7 @@ public abstract class AbstractTests {
 // 3. Now instead of clicking on the form, send the form via alice's WebClient instead
 // Send with context...
- WebRequest request = new WebRequest(new URL(url), HttpMethod.POST);
+ WebRequest request = new WebRequest(new URL(rpURL), HttpMethod.POST);
 request.setRequestParameters(new ArrayList<NameValuePair>());
 DomNodeList<DomElement> results = idpPage2.getElementsByTagName("input");
@@ -796,10 +801,6 @@ public abstract class AbstractTests {
 Assert.fail("Failure expected on a CSRF attack");
 } catch (FailingHttpStatusCodeException ex) {
 // expected
- Assert.assertTrue(ex.getMessage().contains("401 Unauthorized")
- || ex.getMessage().contains("401 Authentication Failed")
- || ex.getMessage().contains("403 Forbidden")
- || ex.getMessage().contains("408 Request Timeout"));
 }
 // webClient.close();
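Review bot: `csrfAttackTest` takes `rpURL` but immediately recomputes a second `url` pointing at `/secure/fedservlet`, and nothing in the hunk says which of the two each step of the flow uses; the method body continues past the hunk, so a maintainer has to read the whole thing to learn that the local is the login target and the parameter is where the forged token is replayed (the second hunk is the only place `rpURL` is used). Add a Javadoc that makes the split explicit, e.g. `@param rpURL endpoint the forged SignIn response is POSTed to in step 3; the initial login in step 1 always goes through /secure/fedservlet`, and consider renaming the local to `loginUrl` so the two cannot be confused when the method is edited later. The base `testCSRFAttack` keeps its `@org.junit.Ignore`, so the default `/secure/fedservlet` target is only exercised where a subclass overrides the test; worth stating in the method comment so nobody assumes the base run covers it.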
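Review bot: Dropping the status-code assertion in the `catch (FailingHttpStatusCodeException ex)` block means any 4xx/5xx now counts as a successful CSRF rejection, so a 404 from a mistyped path (the new `/j_spring_fediz_security_check` overrides are the obvious candidate) or a 500 from a misconfigured filter would make the test pass while the actual replay defence goes unverified. If the Spring plugin answers with a code that the old message check did not cover, add that code rather than removing the check, and assert on the numeric status instead of substring-matching the message: `int status = ex.getStatusCode();` followed by `Assert.assertTrue("Unexpected status " + status, status == 401 || status == 403 || status == 408);`. Which code the Spring filter actually returns is not visible here and should be confirmed before the list is fixed. The enclosing method `csrfAttackTest` starts in the first hunk and its body continues outside this one.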
