Author: veithen
Date: Sat Jun 4 16:03:09 2016
New Revision: 1746842
URL: http://svn.apache.org/viewvc?rev=1746842&view=rev
Log:
AXIS2-4739: Protect the admin console against session fixation attacks.
Modified:
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisAdminServletITCase.java
Modified:
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java
URL:
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java?rev=1746842&r1=1746841&r2=1746842&view=diff
==============================================================================
---
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java
(original)
+++
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java
Sat Jun 4 16:03:09 2016
@@ -60,6 +60,7 @@ final class AdminActions {
private static final Log log = LogFactory.getLog(AbstractAgent.class);
private static final String WELCOME = "welcome";
+ private static final String LOGOUT = "logout";
private static final String INDEX = "index";
private static final String UPLOAD = "upload";
private static final String LIST_SERVICES = "listServices";
@@ -116,11 +117,16 @@ final class AdminActions {
// supported web operations
@Action(name=WELCOME, authorizationRequired=false)
- public View welcome(HttpServletRequest req) {
- if ("true".equals(req.getParameter("failed"))) {
- req.setAttribute("errorMessage", "Invalid auth credentials!");
+ public ActionResult welcome(HttpServletRequest req) {
+ // Session fixation prevention: if there is an existing session, first
invalidate it.
+ if (req.getSession(false) != null) {
+ return new Redirect(LOGOUT);
+ } else {
+ if ("true".equals(req.getParameter("failed"))) {
+ req.setAttribute("errorMessage", "Invalid auth credentials!");
+ }
+ return new View(LOGIN_JSP_NAME);
}
- return new View(LOGIN_JSP_NAME);
}
@Action(name=UPLOAD)
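Review bot: The redirect to LOGOUT on the `req.getSession(false) != null` branch of welcome can turn into a redirect loop if the logout action still requires authorization: welcome and login both declare `authorizationRequired=false` explicitly, which suggests the default is true, so a request carrying a session that exists but is not authenticated (exactly the session an attacker would try to plant) would be sent to logout, presumably bounced back to welcome by the authorization check, and sent to logout again. If the dispatcher does behave that way, logout should be declared `@Action(name=LOGOUT, authorizationRequired=false)` — it only invalidates the caller's own session, so there is nothing to protect — or welcome should drop the session itself with `req.getSession(false).invalidate();` before rendering the login form instead of bouncing through logout. Either way the intended interaction between welcome and logout deserves a sentence in the comment, e.g. `// Relies on the logout action being reachable without authorization.`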
@@ -186,6 +192,13 @@ final class AdminActions {
@Action(name="login", authorizationRequired=false, post=true,
sessionCreationAllowed=true)
public Redirect login(HttpServletRequest req) {
+ // Session fixation prevention: don't allow to login in an existing
session.
+ // Note that simply invalidating the session and creating a new one is
not sufficient
+ // because on some servlet containers, the new session will keep the
existing session ID.
+ if (req.getSession(false) != null) {
+ return new Redirect(WELCOME);
+ }
+
String username = req.getParameter("userName");
String password = req.getParameter("password");
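Review bot: The new guard rejects every login request that carries a session, including a duplicate submission of the login form by an already-authenticated user (double-click, second tab): the POST is discarded, the redirect lands on welcome, which now bounces to logout, and the user is silently signed out. If that is not intended, the guard could distinguish an authenticated session from a merely existing one and send the former to INDEX, e.g. `if (req.getSession(false) != null) { return new Redirect(isAuthenticated(req) ? INDEX : WELCOME); }`, using whatever attribute the existing code stores on successful login (not visible in this hunk). If the behaviour is intended, the comment should say so, e.g. `// A request with any session, authenticated or not, is bounced back to the login form.` The login method continues past the end of this hunk.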
@@ -395,7 +408,7 @@ final class AdminActions {
moduleName + " module engaged to the service group
successfully");
}
- @Action(name="logout")
+ @Action(name=LOGOUT)
public Redirect logout(HttpServletRequest req) {
req.getSession().invalidate();
return new Redirect(WELCOME);
Modified:
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisAdminServletITCase.java
URL:
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisAdminServletITCase.java?rev=1746842&r1=1746841&r2=1746842&view=diff
==============================================================================
---
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisAdminServletITCase.java
(original)
+++
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisAdminServletITCase.java
Sat Jun 4 16:03:09 2016
@@ -18,6 +18,9 @@
*/
package org.apache.axis2.webapp;
+import static com.google.common.truth.Truth.assertThat;
+
+import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
@@ -25,13 +28,33 @@ public class AxisAdminServletITCase {
@Rule
public Axis2WebTester tester = new Axis2WebTester();
- @Test
- public void test() {
+ @Before
+ public void setUp() {
tester.beginAt("/axis2-admin/");
tester.setTextField("userName", "admin");
tester.setTextField("password", "axis2");
tester.submit();
+ }
+
+ @Test
+ public void testAvailableServices() {
tester.clickLinkWithText("Available Services");
tester.assertMatch("Service EPR :
http://localhost:[0-9]+/axis2/services/Version");
}
+
+ /**
+ * Tests that the admin console is not vulnerable to session fixation
attacks. This tests
+ * attempts to log in with an existing session. This should result in a
new session with a
+ * different session ID.
+ */
+ @Test
+ public void loginInvalidatesExistingSession() {
+ String sessionId = tester.getSessionId();
+ assertThat(sessionId).isNotNull();
+ tester.gotoPage("/axis2-admin/welcome");
+ tester.setTextField("userName", "admin");
+ tester.setTextField("password", "axis2");
+ tester.submit();
+ assertThat(tester.getSessionId()).isNotEqualTo(sessionId);
+ }
}
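Review bot: loginInvalidatesExistingSession only exercises the case where the pre-existing session is already authenticated (setUp has logged in), so it does not cover the actual fixation scenario of an unauthenticated, attacker-known session being presented to the login action; if a failed login or any other request creates a session, a second test that obtains such a session, logs in, and asserts both that the id changed and that the old id does not grant access to a protected page would pin the property the commit is about. The assertion that the ids differ is the right check for the authenticated case, since the commit log notes that invalidate-then-recreate may reuse the id on some containers. The Javadoc also has a typo: `* attacks. This test attempts` rather than `This tests attempts`.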