Author: veithen
Date: Sat Jun  4 12:59:53 2016
New Revision: 1746813

URL: http://svn.apache.org/viewvc?rev=1746813&view=rev
Log:
AXIS2-4739: Avoid creating HTTP sessions in pages that don't require login, as 
this may be used in session fixation attacks.

Added:
    
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/ForbidSessionCreationWrapper.java
   (with props)
    
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/Axis2WebTester.java
   (with props)
    
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisAdminServletITCase.java
      - copied, changed from r1746485, 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/WebappITCase.java
    
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisServletITCase.java
   (with props)
    
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/NoSessionITCase.java
   (with props)
Removed:
    
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/WebappITCase.java
Modified:
    
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/AbstractAgent.java
    
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
    
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/Action.java
    
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/ActionHandler.java
    
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java
    
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/AxisAdminServlet.java
    
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFPreventionResponseWrapper.java
    
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/include/httpbase.jsp
    
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/include/link-footer.jsp
    
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/admin/Login.jsp
    
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/admin/listServices.jsp
    
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/admin/listSingleService.jsp
    
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/listFaultyService.jsp
    
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/listServices.jsp
    
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/index.jsp
    axis/axis2/java/core/trunk/systests/webapp-tests/pom.xml

Modified: 
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/AbstractAgent.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/AbstractAgent.java?rev=1746813&r1=1746812&r2=1746813&view=diff
==============================================================================
--- 
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/AbstractAgent.java
 (original)
+++ 
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/AbstractAgent.java
 Sat Jun  4 12:59:53 2016
@@ -152,9 +152,9 @@ public class AbstractAgent {
         }
     }
 
-    protected void populateSessionInformation(HttpServletRequest req) {
+    protected void populateRequestAttributes(HttpServletRequest req) {
         HashMap services = configContext.getAxisConfiguration().getServices();
-        req.getSession().setAttribute(Constants.SERVICE_MAP, services);
-        req.getSession().setAttribute(Constants.SERVICE_PATH, 
configContext.getServicePath());
+        req.setAttribute(Constants.SERVICE_MAP, services);
+        req.setAttribute(Constants.SERVICE_PATH, 
configContext.getServicePath());
     }
 }

Added: 
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/ForbidSessionCreationWrapper.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/ForbidSessionCreationWrapper.java?rev=1746813&view=auto
==============================================================================
--- 
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/ForbidSessionCreationWrapper.java
 (added)
+++ 
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/ForbidSessionCreationWrapper.java
 Sat Jun  4 12:59:53 2016
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.axis2.transport.http;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+import javax.servlet.http.HttpSession;
+
+public class ForbidSessionCreationWrapper extends HttpServletRequestWrapper {
+    public ForbidSessionCreationWrapper(HttpServletRequest request) {
+        super(request);
+    }
+
+    @Override
+    public HttpSession getSession() {
+        return getSession(true);
+    }
+
+    @Override
+    public HttpSession getSession(boolean create) {
+        HttpSession session = super.getSession(false);
+        if (create && session == null) {
+            throw new IllegalStateException("Session creation forbidden");
+        } else {
+            return session;
+        }
+    }
+}
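Review bot: ForbidSessionCreationWrapper carries no Javadoc, and the fail-closed design decision it embodies — throwing an IllegalStateException (a 500 for the client) rather than quietly returning null when a handler asks for a new session — is exactly what the next maintainer needs spelled out before they "fix" it. A class comment such as `/** Request wrapper that lets handlers read an existing session but throws IllegalStateException on any attempt to create one, so that pages reachable before login cannot be used to plant a session id (session fixation, AXIS2-4739). */` would cover it. Note that `getSession()` is routed through `getSession(true)` on purpose, since the Servlet API defines the no-arg form as creating; a one-line comment on that override would stop someone from "simplifying" it to `super.getSession()`.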

Propchange: 
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/ForbidSessionCreationWrapper.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: 
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java?rev=1746813&r1=1746812&r2=1746813&view=diff
==============================================================================
--- 
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
 (original)
+++ 
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
 Sat Jun  4 12:59:53 2016
@@ -67,7 +67,7 @@ public class ListingAgent extends Abstra
     public void handle(HttpServletRequest httpServletRequest,
                        HttpServletResponse httpServletResponse)
             throws IOException, ServletException {
-
+        httpServletRequest = new 
ForbidSessionCreationWrapper(httpServletRequest);
         String query = httpServletRequest.getQueryString();
         if (query != null) {
             if (HttpUtils.indexOfIngnoreCase(query , "wsdl2") > 0 || 
HttpUtils.indexOfIngnoreCase(query, "wsdl") > 0 ||
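Review bot: Reassigning the `httpServletRequest` parameter to the wrapper at the top of `handle` means every listing path dispatched from here now fails with an IllegalStateException (surfacing as a 500) instead of silently creating a session if it still calls `getSession()` with no session present; that is the right failure mode, but the remainder of `handle` and the `process*` methods it dispatches to lie outside this hunk, so each of them and every JSP they forward to has to have been converted (the added NoSessionITCase presumably exercises this). A short comment at the wrap site, `// Listing pages are reachable without login: never let them create a session (AXIS2-4739)`, would explain the otherwise surprising parameter reassignment.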
@@ -86,7 +86,7 @@ public class ListingAgent extends Abstra
         String serviceName = req.getParameter("serviceName");
         if (serviceName != null) {
             AxisService service = 
configContext.getAxisConfiguration().getService(serviceName);
-            req.getSession().setAttribute(Constants.SINGLE_SERVICE, service);
+            req.setAttribute(Constants.SINGLE_SERVICE, service);
         }
         renderView(LIST_FAULTY_SERVICES_JSP_NAME, req, res);
     }
@@ -379,9 +379,9 @@ public class ListingAgent extends Abstra
         if(listServiceDisabled()){
            return;
         }
-        populateSessionInformation(req);
-        req.getSession().setAttribute(Constants.ERROR_SERVICE_MAP,
-                                      
configContext.getAxisConfiguration().getFaultyServices());
+        populateRequestAttributes(req);
+        req.setAttribute(Constants.ERROR_SERVICE_MAP,
+                configContext.getAxisConfiguration().getFaultyServices());
         renderView(LIST_MULTIPLE_SERVICE_JSP_NAME, req, res);
     }
 

Modified: 
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/Action.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/Action.java?rev=1746813&r1=1746812&r2=1746813&view=diff
==============================================================================
--- 
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/Action.java
 (original)
+++ 
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/Action.java
 Sat Jun  4 12:59:53 2016
@@ -29,4 +29,5 @@ import java.lang.annotation.Target;
     String name();
     boolean authorizationRequired() default true;
     boolean post() default false;
+    boolean sessionCreationAllowed() default false;
 }
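Review bot: The new `sessionCreationAllowed` element has no Javadoc, and because its secure default is `false`, a maintainer needs to know that enabling it is the exception (only `login` sets it in this commit) and not a convenience. Suggest `/** Whether the action may create an HTTP session. Defaults to false so that actions reachable without authentication cannot be used to plant a session id (session fixation); only the login action should set this to true. */`.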

Modified: 
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/ActionHandler.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/ActionHandler.java?rev=1746813&r1=1746812&r2=1746813&view=diff
==============================================================================
--- 
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/ActionHandler.java
 (original)
+++ 
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/ActionHandler.java
 Sat Jun  4 12:59:53 2016
@@ -24,6 +24,7 @@ import java.lang.reflect.Method;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
 
 import org.apache.axis2.Constants;
 
@@ -32,12 +33,15 @@ final class ActionHandler {
     private final Method method;
     private final boolean authorizationRequired;
     private final boolean post;
+    private final boolean sessionCreationAllowed;
 
-    ActionHandler(Object target, Method method, boolean authorizationRequired, 
boolean post) {
+    ActionHandler(Object target, Method method, boolean authorizationRequired, 
boolean post,
+            boolean sessionCreationAllowed) {
         this.target = target;
         this.method = method;
         this.authorizationRequired = authorizationRequired;
         this.post = post;
+        this.sessionCreationAllowed = sessionCreationAllowed;
     }
 
     boolean isMethodAllowed(String method) {
@@ -48,8 +52,13 @@ final class ActionHandler {
         return post && authorizationRequired;
     }
 
+    boolean isSessionCreationAllowed() {
+        return sessionCreationAllowed;
+    }
+
     ActionResult handle(HttpServletRequest request, boolean securityEnabled) 
throws IOException, ServletException {
-        if (securityEnabled && authorizationRequired && 
request.getSession().getAttribute(Constants.LOGGED) == null) {
+        HttpSession session = request.getSession(false);
+        if (securityEnabled && authorizationRequired && (session == null || 
session.getAttribute(Constants.LOGGED) == null)) {
             return new Redirect("welcome");
         } else {
             try {

Modified: 
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java?rev=1746813&r1=1746812&r2=1746813&view=diff
==============================================================================
--- 
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java
 (original)
+++ 
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java
 Sat Jun  4 12:59:53 2016
@@ -184,7 +184,7 @@ final class AdminActions {
         throw new ServletException("Invalid request");
     }
 
-    @Action(name="login", authorizationRequired=false, post=true)
+    @Action(name="login", authorizationRequired=false, post=true, 
sessionCreationAllowed=true)
     public Redirect login(HttpServletRequest req) {
         String username = req.getParameter("userName");
         String password = req.getParameter("password");

Modified: 
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/AxisAdminServlet.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/AxisAdminServlet.java?rev=1746813&r1=1746812&r2=1746813&view=diff
==============================================================================
--- 
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/AxisAdminServlet.java
 (original)
+++ 
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/AxisAdminServlet.java
 Sat Jun  4 12:59:53 2016
@@ -23,6 +23,7 @@ import org.apache.axis2.Constants;
 import org.apache.axis2.context.ConfigurationContext;
 import org.apache.axis2.description.Parameter;
 import org.apache.axis2.transport.http.AxisServlet;
+import org.apache.axis2.transport.http.ForbidSessionCreationWrapper;
 
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletContext;
@@ -69,32 +70,43 @@ public class AxisAdminServlet extends Ax
         ActionHandler actionHandler = actionHandlers.get(action);
         if (actionHandler != null) {
             if (actionHandler.isMethodAllowed(request.getMethod())) {
-                HttpSession session = request.getSession();
-                CSRFTokenCache tokenCache = 
(CSRFTokenCache)session.getAttribute(CSRFTokenCache.class.getName());
-                if (tokenCache == null) {
-                    tokenCache = new CSRFTokenCache();
-                    session.setAttribute(CSRFTokenCache.class.getName(), 
tokenCache);
+                if (!actionHandler.isSessionCreationAllowed()) {
+                    request = new ForbidSessionCreationWrapper(request);
                 }
+                HttpSession session = request.getSession(false);
                 if (actionHandler.isCSRFTokenRequired()) {
-                    String token = request.getParameter("token");
-                    if (token == null || !tokenCache.isValid(token)) {
+                    boolean tokenValid;
+                    if (session == null) {
+                        tokenValid = false;
+                    } else {
+                        CSRFTokenCache tokenCache = 
(CSRFTokenCache)session.getAttribute(CSRFTokenCache.class.getName());
+                        if (tokenCache == null) {
+                            tokenValid = false;
+                        } else {
+                            String token = request.getParameter("token");
+                            tokenValid = token != null && 
tokenCache.isValid(token);
+                        }
+                    }
+                    if (!tokenValid) {
                         response.sendError(HttpServletResponse.SC_FORBIDDEN, 
"No valid CSRF token found in request");
                         return;
                     }
                 }
-                session.setAttribute(Constants.SERVICE_PATH, 
configContext.getServicePath());
-                String statusKey = request.getParameter("status");
-                if (statusKey != null) {
-                    StatusCache statusCache = 
(StatusCache)session.getAttribute(StatusCache.class.getName());
-                    if (statusCache != null) {
-                        Status status = statusCache.get(statusKey);
-                        if (status != null) {
-                            request.setAttribute("status", status);
+                request.setAttribute(Constants.SERVICE_PATH, 
configContext.getServicePath());
+                if (session != null) {
+                    String statusKey = request.getParameter("status");
+                    if (statusKey != null) {
+                        StatusCache statusCache = 
(StatusCache)session.getAttribute(StatusCache.class.getName());
+                        if (statusCache != null) {
+                            Status status = statusCache.get(statusKey);
+                            if (status != null) {
+                                request.setAttribute("status", status);
+                            }
                         }
                     }
                 }
                 ActionResult result = actionHandler.handle(request, 
axisSecurityEnabled());
-                result.process(request, new 
CSRFPreventionResponseWrapper(response, actionHandlers, tokenCache, random));
+                result.process(request, new 
CSRFPreventionResponseWrapper(request, response, actionHandlers, random));
             } else {
                 response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
             }
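Review bot: Suppressing pre-login session creation narrows the fixation window but does not close it: any remaining entry point that still creates a session (a JSP without `session="false"`, or a container configured to accept a client-supplied id) lets an attacker plant an identifier that the victim then authenticates under via `login`, the one action this hunk permits to create a session. The robust companion fix belongs in `AdminActions.login` (outside this hunk): after the credential check succeeds, rotate the identifier with `req.changeSessionId();` on Servlet 3.1+, or invalidate the old session and call `req.getSession(true)` before `Constants.LOGGED` is set; whether login already does this is not visible in this diff. The CSRF branch itself is sound — a missing session or token cache now yields `tokenValid = false` and a 403 rather than a freshly created session.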
@@ -123,7 +135,7 @@ public class AxisAdminServlet extends Ax
                 actionHandlers.put(
                         actionAnnotation.name(),
                         new ActionHandler(actions, method, 
actionAnnotation.authorizationRequired(),
-                                actionAnnotation.post()));
+                                actionAnnotation.post(), 
actionAnnotation.sessionCreationAllowed()));
             }
         }
         this.servletConfig = config;

Modified: 
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFPreventionResponseWrapper.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFPreventionResponseWrapper.java?rev=1746813&r1=1746812&r2=1746813&view=diff
==============================================================================
--- 
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFPreventionResponseWrapper.java
 (original)
+++ 
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFPreventionResponseWrapper.java
 Sat Jun  4 12:59:53 2016
@@ -21,8 +21,10 @@ package org.apache.axis2.webapp;
 import java.util.Map;
 import java.util.Random;
 
+import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpServletResponseWrapper;
+import javax.servlet.http.HttpSession;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -30,20 +32,32 @@ import org.apache.commons.logging.LogFac
 final class CSRFPreventionResponseWrapper extends HttpServletResponseWrapper {
     private static final Log log = 
LogFactory.getLog(CSRFPreventionResponseWrapper.class);
 
+    private final HttpServletRequest request;
     private final Map<String,ActionHandler> actionHandlers;
-    private final CSRFTokenCache tokenCache;
     private final Random random;
     private String token;
 
-    CSRFPreventionResponseWrapper(HttpServletResponse response, 
Map<String,ActionHandler> actionHandlers, CSRFTokenCache tokenCache, Random 
random) {
+    CSRFPreventionResponseWrapper(HttpServletRequest request, 
HttpServletResponse response, Map<String,ActionHandler> actionHandlers, Random 
random) {
         super(response);
+        this.request = request;
         this.actionHandlers = actionHandlers;
-        this.tokenCache = tokenCache;
         this.random = random;
     }
 
     protected String getToken() {
         if (token == null) {
+            HttpSession session = request.getSession(false);
+            if (session == null) {
+                throw new IllegalStateException();
+            }
+            CSRFTokenCache tokenCache;
+            synchronized (session) {
+                tokenCache = 
(CSRFTokenCache)session.getAttribute(CSRFTokenCache.class.getName());
+                if (tokenCache == null) {
+                    tokenCache = new CSRFTokenCache();
+                    session.setAttribute(CSRFTokenCache.class.getName(), 
tokenCache);
+                }
+            }
             byte[] bytes = new byte[16];
             StringBuilder buffer = new StringBuilder();
             random.nextBytes(bytes);
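Review bot: The bare `throw new IllegalStateException();` in the new session lookup gives no hint of what went wrong when a view rendered without a session (e.g. the welcome/login page) emits a link to a CSRF-protected action; prefer `throw new IllegalStateException("CSRF token requested but the request has no session");`. Synchronising on the `HttpSession` object is only best-effort — a container may hand out a different facade per request — so a comment stating that the double-checked lookup merely reduces the chance of two concurrent requests installing separate caches would keep the next reader from relying on it as a real lock. Also worth confirming, though outside the changed lines: `random` is declared as `java.util.Random`, and the token filled by `nextBytes` at the bottom of the hunk is only unguessable if the instance injected by AxisAdminServlet is a `SecureRandom`, which this diff does not show. getToken continues past the end of the hunk.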

Modified: 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/include/httpbase.jsp
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/include/httpbase.jsp?rev=1746813&r1=1746812&r2=1746813&view=diff
==============================================================================
--- 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/include/httpbase.jsp
 (original)
+++ 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/include/httpbase.jsp
 Sat Jun  4 12:59:53 2016
@@ -17,6 +17,7 @@
   ~ under the License.
   --%>
 
+<%@ page session="false" %>
 <%@ page import="org.apache.axis2.Constants" %>
 <%@ page import="org.apache.axis2.context.ConfigurationContext" %>
 <%@ page import="org.apache.axis2.description.Parameter" %>

Modified: 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/include/link-footer.jsp
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/include/link-footer.jsp?rev=1746813&r1=1746812&r2=1746813&view=diff
==============================================================================
--- 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/include/link-footer.jsp
 (original)
+++ 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/include/link-footer.jsp
 Sat Jun  4 12:59:53 2016
@@ -57,6 +57,7 @@
 ~ specific language governing permissions and limitations
 ~ under the License.
 --%>
+<%@ page session="false" %>
 <table summary="back home table"width="100%">
        <tr><td>
                <table summary="embedded back home table">

Modified: 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/admin/Login.jsp
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/admin/Login.jsp?rev=1746813&r1=1746812&r2=1746813&view=diff
==============================================================================
--- 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/admin/Login.jsp
 (original)
+++ 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/admin/Login.jsp
 Sat Jun  4 12:59:53 2016
@@ -17,7 +17,7 @@
   ~ under the License.
   --%>
 
-<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<%@ page contentType="text/html;charset=UTF-8" language="java" session="false" 
%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" 
"http://www.w3.org/TR/html4/strict.dtd";>
 <html>
   <head>

Modified: 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/admin/listServices.jsp
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/admin/listServices.jsp?rev=1746813&r1=1746812&r2=1746813&view=diff
==============================================================================
--- 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/admin/listServices.jsp
 (original)
+++ 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/admin/listServices.jsp
 Sat Jun  4 12:59:53 2016
@@ -36,7 +36,7 @@
 
 <h1>Available Services</h1>
 <t:status/>
-<% String prefix = request.getAttribute("frontendHostUrl") + 
(String)request.getSession().getAttribute(Constants.SERVICE_PATH) + "/";
+<% String prefix = request.getAttribute("frontendHostUrl") + 
(String)request.getAttribute(Constants.SERVICE_PATH) + "/";
 %>
 <%
     HashMap serviceMap = (HashMap) 
request.getSession().getAttribute(Constants.SERVICE_MAP);
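Review bot: The unchanged line at the end of the hunk still reads `Constants.SERVICE_MAP` from the session while the line just above now reads `Constants.SERVICE_PATH` from the request, so this view mixes both stores; it works only as long as the admin action that feeds it (in AdminActions, not shown in this diff) continues to publish the map on the session. If that producer is later moved to request attributes — as `AbstractAgent.populateRequestAttributes` was here — `serviceMap` silently becomes null and the page renders empty. Either switch this line to `request.getAttribute(Constants.SERVICE_MAP)` together with the producer, or make the dependency explicit with `<%-- SERVICE_MAP is session-scoped: set by AdminActions and requires an authenticated session --%>`. The same mixed pattern is left in admin/listSingleService.jsp for `Constants.IS_FAULTY`.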

Modified: 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/admin/listSingleService.jsp
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/admin/listSingleService.jsp?rev=1746813&r1=1746812&r2=1746813&view=diff
==============================================================================
--- 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/admin/listSingleService.jsp
 (original)
+++ 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/admin/listSingleService.jsp
 Sat Jun  4 12:59:53 2016
@@ -29,7 +29,7 @@
 <jsp:include page="/WEB-INF/include/adminheader.jsp"/>
 <h1>List Single Service</h1>
 <%
-    String prefix = request.getAttribute("frontendHostUrl") + 
(String)request.getSession().getAttribute(Constants.SERVICE_PATH) + "/";
+    String prefix = request.getAttribute("frontendHostUrl") + 
(String)request.getAttribute(Constants.SERVICE_PATH) + "/";
 %>
 <%
     String isFault = (String) 
request.getSession().getAttribute(Constants.IS_FAULTY);

Modified: 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/listFaultyService.jsp
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/listFaultyService.jsp?rev=1746813&r1=1746812&r2=1746813&view=diff
==============================================================================
--- 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/listFaultyService.jsp
 (original)
+++ 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/listFaultyService.jsp
 Sat Jun  4 12:59:53 2016
@@ -17,6 +17,7 @@
   ~ under the License.
   --%>
 
+<%@ page session="false" %>
 <%@ page import="org.apache.axis2.Constants,
                  org.apache.axis2.description.AxisOperation"%>
 <%@ page import="org.apache.axis2.description.AxisService"%>
@@ -33,13 +34,13 @@
   <jsp:include page="/WEB-INF/include/header.inc"/>
     <jsp:include page="/WEB-INF/include/link-footer.jsp"/>
   <%
-        String prifix = request.getAttribute("frontendHostUrl") + 
(String)request.getSession().getAttribute(Constants.SERVICE_PATH) +"services/";
+        String prifix = request.getAttribute("frontendHostUrl") + 
(String)request.getAttribute(Constants.SERVICE_PATH) +"services/";
     %>
         <%
-            String isFault = 
(String)request.getSession().getAttribute(Constants.IS_FAULTY);
+            String isFault = (String)request.getAttribute(Constants.IS_FAULTY);
             String servicName = request.getParameter("serviceName");
             if(Constants.IS_FAULTY.equals(isFault)){
-                Hashtable errornessservices 
=(Hashtable)request.getSession().getAttribute(Constants.ERROR_SERVICE_MAP);
+                Hashtable errornessservices 
=(Hashtable)request.getAttribute(Constants.ERROR_SERVICE_MAP);
                 %>
                     <h3>This Web axisService has deployment faults</h3><%
                      %><p 
style="color:red"><%=(String)errornessservices.get(servicName) %></p>
@@ -48,7 +49,7 @@
                     }else {
 
                     AxisService axisService =
-                            (AxisService) 
request.getSession().getAttribute(Constants.SINGLE_SERVICE);
+                            (AxisService) 
request.getAttribute(Constants.SINGLE_SERVICE);
                     if(axisService!=null){
            Iterator opItr = axisService.getOperations();
             //operationsList = operations.values();

Modified: 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/listServices.jsp
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/listServices.jsp?rev=1746813&r1=1746812&r2=1746813&view=diff
==============================================================================
--- 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/listServices.jsp
 (original)
+++ 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/listServices.jsp
 Sat Jun  4 12:59:53 2016
@@ -17,6 +17,7 @@
   ~ under the License.
   --%>
 
+<%@ page session="false" %>
 <%@ page import="org.apache.axis2.Constants,
                  org.apache.axis2.description.AxisOperation" %>
 <%@ page import="org.apache.axis2.description.AxisService" %>
@@ -42,12 +43,11 @@
 <jsp:include page="/WEB-INF/include/header.inc"/>
 <jsp:include page="/WEB-INF/include/link-footer.jsp"/>
 <h1>Available services</h1>
-<% String prefix = request.getAttribute("frontendHostUrl") + 
(String)request.getSession().getAttribute(Constants.SERVICE_PATH) + "/";
+<% String prefix = request.getAttribute("frontendHostUrl") + 
(String)request.getAttribute(Constants.SERVICE_PATH) + "/";
 %>
 <%
-    HashMap serviceMap = (HashMap) 
request.getSession().getAttribute(Constants.SERVICE_MAP);
-    request.getSession().setAttribute(Constants.SERVICE_MAP, null);
-    Hashtable errornessservice = (Hashtable) 
request.getSession().getAttribute(Constants.ERROR_SERVICE_MAP);
+    HashMap serviceMap = (HashMap) request.getAttribute(Constants.SERVICE_MAP);
+    Hashtable errornessservice = (Hashtable) 
request.getAttribute(Constants.ERROR_SERVICE_MAP);
     boolean status = false;
     if (serviceMap != null && !serviceMap.isEmpty()) {
         Iterator opItr;
@@ -111,7 +111,7 @@
     }
     if (errornessservice != null) {
         if (errornessservice.size() > 0) {
-            request.getSession().setAttribute(Constants.IS_FAULTY, 
Constants.IS_FAULTY);
+            request.setAttribute(Constants.IS_FAULTY, Constants.IS_FAULTY);
 %>
 <hr>
 

Modified: 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/index.jsp
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/index.jsp?rev=1746813&r1=1746812&r2=1746813&view=diff
==============================================================================
--- 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/index.jsp 
(original)
+++ 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/index.jsp 
Sat Jun  4 12:59:53 2016
@@ -17,7 +17,7 @@
   ~ under the License.
   --%>
 
-<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<%@ page contentType="text/html;charset=UTF-8" language="java" session="false" 
%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" 
"http://www.w3.org/TR/html4/strict.dtd";>
 <html>
   <head>

Modified: axis/axis2/java/core/trunk/systests/webapp-tests/pom.xml
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/systests/webapp-tests/pom.xml?rev=1746813&r1=1746812&r2=1746813&view=diff
==============================================================================
--- axis/axis2/java/core/trunk/systests/webapp-tests/pom.xml (original)
+++ axis/axis2/java/core/trunk/systests/webapp-tests/pom.xml Sat Jun  4 
12:59:53 2016
@@ -35,6 +35,11 @@
             <scope>test</scope>
         </dependency>
         <dependency>
+            <groupId>com.google.truth</groupId>
+            <artifactId>truth</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
             <groupId>net.sourceforge.jwebunit</groupId>
             <artifactId>jwebunit-htmlunit-plugin</artifactId>
             <version>3.3</version>

Added: 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/Axis2WebTester.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/Axis2WebTester.java?rev=1746813&view=auto
==============================================================================
--- 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/Axis2WebTester.java
 (added)
+++ 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/Axis2WebTester.java
 Sat Jun  4 12:59:53 2016
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.axis2.webapp;
+
+import java.util.Iterator;
+import java.util.List;
+
+import javax.servlet.http.Cookie;
+
+import org.junit.rules.TestRule;
+import org.junit.runner.Description;
+import org.junit.runners.model.Statement;
+
+import net.sourceforge.jwebunit.junit.WebTester;
+
+public class Axis2WebTester extends WebTester implements TestRule {
+    public Statement apply(final Statement base, Description description) {
+        return new Statement() {
+            @Override
+            public void evaluate() throws Throwable {
+                setBaseUrl("http://localhost:"; + 
System.getProperty("jetty.httpPort", "8080") + "/axis2");
+                base.evaluate();
+            }
+        };
+    }
+
+    public String getSessionId() {
+        List<?> cookies = getTestingEngine().getCookies();
+        for (Iterator<?> i = cookies.iterator(); i.hasNext();) {
+            Cookie cookie = (Cookie)i.next();
+            if (cookie.getName().equals("JSESSIONID")) {
+                return cookie.getValue();
+            }
+        }
+        String path = getTestingEngine().getPageURL().getPath();
+        int idx = path.lastIndexOf(";jsessionid=");
+        return idx == -1 ? null : path.substring(idx+12);
+    }
+}
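Review bot: `getSessionId()` recognises only the container-default names, the `JSESSIONID` cookie and the `;jsessionid=` URL parameter, so a webapp or container configured with a different session cookie name would make NoSessionITCase pass vacuously; a comment on the method should record that assumption, e.g. `// Assumes the container's default session cookie/URL-parameter name (JSESSIONID); revisit if web.xml sets <cookie-config><name>`. The `";jsessionid="` match is also case-sensitive, which is fine for the default but worth stating in the same comment. As a point of style, `apply` overrides `TestRule.apply` and should carry `@Override` like `evaluate` does.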

Propchange: 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/Axis2WebTester.java
------------------------------------------------------------------------------
    svn:eol-style = native

Copied: 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisAdminServletITCase.java
 (from r1746485, 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/WebappITCase.java)
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisAdminServletITCase.java?p2=axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisAdminServletITCase.java&p1=axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/WebappITCase.java&r1=1746485&r2=1746813&rev=1746813&view=diff
==============================================================================
--- 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/WebappITCase.java
 (original)
+++ 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisAdminServletITCase.java
 Sat Jun  4 12:59:53 2016
@@ -18,19 +18,20 @@
  */
 package org.apache.axis2.webapp;
 
-import static net.sourceforge.jwebunit.junit.JWebUnit.*;
-
+import org.junit.Rule;
 import org.junit.Test;
 
-public class WebappITCase {
+public class AxisAdminServletITCase {
+    @Rule
+    public Axis2WebTester tester = new Axis2WebTester();
+
     @Test
     public void test() {
-        setBaseUrl("http://localhost:"; + System.getProperty("jetty.httpPort", 
"8080") + "/axis2/axis2-admin");
-        beginAt("/");
-        setTextField("userName", "admin");
-        setTextField("password", "axis2");
-        submit();
-        clickLinkWithText("Available Services");
-        assertMatch("Service EPR : 
http://localhost:[0-9]+/axis2/services/Version";);
+        tester.beginAt("/axis2-admin/");
+        tester.setTextField("userName", "admin");
+        tester.setTextField("password", "axis2");
+        tester.submit();
+        tester.clickLinkWithText("Available Services");
+        tester.assertMatch("Service EPR : 
http://localhost:[0-9]+/axis2/services/Version";);
     }
 }
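Review bot: The login flow is exercised but nothing checks that a session is established by the login itself, which is the counterpart to the no-session guarantee this commit adds elsewhere; after `tester.submit();` add `assertThat(tester.getSessionId()).isNotNull();` with `import static com.google.common.truth.Truth.assertThat;` (Truth is added to this module's test scope in this commit). This presumes the admin servlet creates the session on a successful login, which is not visible in this hunk. Asserting the id is null before the form is submitted would duplicate NoSessionITCase's `/axis2-admin/` case and is not needed here.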

Added: 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisServletITCase.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisServletITCase.java?rev=1746813&view=auto
==============================================================================
--- 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisServletITCase.java
 (added)
+++ 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisServletITCase.java
 Sat Jun  4 12:59:53 2016
@@ -0,0 +1,34 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.axis2.webapp;
+
+import org.junit.Rule;
+import org.junit.Test;
+
+public class AxisServletITCase {
+    @Rule
+    public Axis2WebTester tester = new Axis2WebTester();
+
+    @Test
+    public void testListServices() {
+        tester.beginAt("/");
+        tester.clickLinkWithExactText("Services");
+        tester.assertLinkPresentWithExactText("Version");
+    }
+}

Propchange: 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisServletITCase.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/NoSessionITCase.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/NoSessionITCase.java?rev=1746813&view=auto
==============================================================================
--- 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/NoSessionITCase.java
 (added)
+++ 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/NoSessionITCase.java
 Sat Jun  4 12:59:53 2016
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.axis2.webapp;
+
+import static com.google.common.truth.Truth.assertThat;
+
+import java.util.Arrays;
+import java.util.Collection;
+
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Parameterized.Parameter;
+import org.junit.runners.Parameterized.Parameters;
+
+/**
+ * Test that pages that don't require login don't create HTTP sessions. Pages 
that create HTTP
+ * sessions without the user being logged in may be exploited in session 
fixation attacks.
+ */
+@RunWith(Parameterized.class)
+public class NoSessionITCase {
+    @Parameters(name = "{0}")
+    public static Collection<Object[]> data() {
+        return Arrays.asList(new Object[][] {
+            { "/" },
+            { "/services/listServices" },
+            { "/services/ListFaultyServices" },
+            { "/axis2-web/HappyAxis.jsp" },
+            { "/axis2-admin/" } });
+    }
+    
+    @Parameter
+    public String page;
+    
+    @Rule
+    public Axis2WebTester tester = new Axis2WebTester();
+    
+    @Test
+    public void test() {
+        tester.beginAt(page);
+        assertThat(tester.getSessionId()).isNull();
+    }
+}
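Review bot: The parameter list does not include `/axis2-web/index.jsp`, the JSP this commit marks `session="false"`, so that change has no regression test unless `/` already resolves to it, which cannot be confirmed from this diff; add `{ "/axis2-web/index.jsp" },` to `data()` if it does not. The test also only covers the GET of each landing page; a failed login POST to `/axis2-admin/` is another unauthenticated interaction that must not leave a session behind, and a second case driving the form with wrong credentials and asserting `getSessionId()` is still null would close that gap. Both points are suggestions for coverage; the assertion itself is fine as written.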

Propchange: 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/NoSessionITCase.java
------------------------------------------------------------------------------
    svn:eol-style = native


