Author: veithen
Date: Sat Jun  4 20:46:07 2016
New Revision: 1746850

URL: http://svn.apache.org/viewvc?rev=1746850&view=rev
Log:
AXIS2-4739: Merge recent webapp changes to the 1.7 branch to protect the admin 
console against session fixation attacks.

Added:
    
axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/ForbidSessionCreationWrapper.java
      - copied unchanged from r1746813, 
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/ForbidSessionCreationWrapper.java
    
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/listFaultyService.jsp
      - copied, changed from r1746787, 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/listFaultyService.jsp
    
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/listServices.jsp
      - copied, changed from r1746787, 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/listServices.jsp
    
axis/axis2/java/core/branches/1_7/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/Axis2WebTester.java
      - copied unchanged from r1746813, 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/Axis2WebTester.java
    
axis/axis2/java/core/branches/1_7/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisAdminServletITCase.java
      - copied, changed from r1746813, 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisAdminServletITCase.java
    
axis/axis2/java/core/branches/1_7/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisServletITCase.java
      - copied unchanged from r1746813, 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisServletITCase.java
    
axis/axis2/java/core/branches/1_7/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/NoSessionITCase.java
      - copied unchanged from r1746813, 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/NoSessionITCase.java
Removed:
    
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/axis2-web/listFaultyService.jsp
    
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/axis2-web/listGroupService.jsp
    
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/axis2-web/listServices.jsp
    
axis/axis2/java/core/branches/1_7/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/WebappITCase.java
Modified:
    axis/axis2/java/core/branches/1_7/   (props changed)
    
axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/AbstractAgent.java
    
axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
    
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/Action.java
    
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/ActionHandler.java
    
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java
    
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/AxisAdminServlet.java
    
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFPreventionResponseWrapper.java
    
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/include/httpbase.jsp
    
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/include/link-footer.jsp
    
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/admin/Login.jsp
    
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/admin/listServices.jsp
    
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/admin/listSingleService.jsp
    
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/axis2-web/index.jsp
    axis/axis2/java/core/branches/1_7/systests/webapp-tests/pom.xml

Propchange: axis/axis2/java/core/branches/1_7/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sat Jun  4 20:46:07 2016
@@ -1,4 +1,4 @@
 /axis/axis2/java/core/branches/1_6:1295540
 /axis/axis2/java/core/branches/AXIOM-420:1334386-1336397
 
/axis/axis2/java/core/branches/AXIS2-4318:1230452,1295542,1324772,1327468,1329571,1332141,1335355,1335357,1340985
-/axis/axis2/java/core/trunk:1726494,1726509,1726513,1727171,1727174,1727177,1727180,1729891,1730095,1730139,1730180,1730186,1730195,1730197,1730222,1730300,1730308,1730310,1730317,1730322,1730335,1730369,1730427,1730618,1731425,1731441,1731446,1731448,1732354,1733137,1733663,1733713,1733766,1733770,1733773,1733850,1734176,1735331,1735795,1736512,1736543,1737030,1737567,1739001,1739186,1739343,1739346,1739348,1739493,1739592,1739594,1739815,1739826,1740693-1740694,1743824,1745826,1745860,1745869,1745875,1745912,1745924,1745929,1745941,1746001,1746028,1746109
+/axis/axis2/java/core/trunk:1726494,1726509,1726513,1727171,1727174,1727177,1727180,1729891,1730095,1730139,1730180,1730186,1730195,1730197,1730222,1730300,1730308,1730310,1730317,1730322,1730335,1730369,1730427,1730618,1731425,1731441,1731446,1731448,1732354,1733137,1733663,1733713,1733766,1733770,1733773,1733850,1734176,1735331,1735795,1736512,1736543,1737030,1737567,1739001,1739186,1739343,1739346,1739348,1739493,1739592,1739594,1739815,1739826,1740693-1740694,1743824,1745826,1745860,1745869,1745875,1745912,1745924,1745929,1745941,1746001,1746028,1746109,1746782,1746784,1746787,1746813,1746842

Modified: 
axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/AbstractAgent.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/AbstractAgent.java?rev=1746850&r1=1746849&r2=1746850&view=diff
==============================================================================
--- 
axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/AbstractAgent.java
 (original)
+++ 
axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/AbstractAgent.java
 Sat Jun  4 20:46:07 2016
@@ -117,7 +117,7 @@ public class AbstractAgent {
                               HttpServletResponse httpServletResponse)
             throws IOException, ServletException {
         httpServletResponse.setContentType("text/html");
-        
httpServletRequest.getRequestDispatcher(Constants.AXIS_WEB_CONTENT_ROOT + 
jspName)
+        httpServletRequest.getRequestDispatcher("/WEB-INF/views/" + jspName)
                 .include(httpServletRequest, httpServletResponse);
     }
 
@@ -152,9 +152,9 @@ public class AbstractAgent {
         }
     }
 
-    protected void populateSessionInformation(HttpServletRequest req) {
+    protected void populateRequestAttributes(HttpServletRequest req) {
         HashMap services = configContext.getAxisConfiguration().getServices();
-        req.getSession().setAttribute(Constants.SERVICE_MAP, services);
-        req.getSession().setAttribute(Constants.SERVICE_PATH, 
configContext.getServicePath());
+        req.setAttribute(Constants.SERVICE_MAP, services);
+        req.setAttribute(Constants.SERVICE_PATH, 
configContext.getServicePath());
     }
 }
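Review bot: Renaming the protected method `populateSessionInformation` to `populateRequestAttributes` on the public class AbstractAgent is a source- and binary-incompatible change for any subclass outside this tree, which matters more on a maintenance branch such as 1.7. If outside subclasses are a concern, keep a deprecated shim that delegates to the new behaviour: `/** @deprecated use {@link #populateRequestAttributes(HttpServletRequest)} */ @Deprecated protected void populateSessionInformation(HttpServletRequest req) { populateRequestAttributes(req); }`. The raw `HashMap services` local is also carried over; declaring it with the element types that getServices() actually returns (outside this page, so confirm against AxisConfiguration) would let the compiler check the later setAttribute calls' readers.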

Modified: 
axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java?rev=1746850&r1=1746849&r2=1746850&view=diff
==============================================================================
--- 
axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
 (original)
+++ 
axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
 Sat Jun  4 20:46:07 2016
@@ -58,8 +58,6 @@ public class ListingAgent extends Abstra
 
     private static final String LIST_MULTIPLE_SERVICE_JSP_NAME =
             "listServices.jsp";
-    private static final String LIST_SINGLE_SERVICE_JSP_NAME =
-            "listSingleService.jsp";
     private static final String LIST_FAULTY_SERVICES_JSP_NAME = 
"listFaultyService.jsp";
 
     public ListingAgent(ConfigurationContext aConfigContext) {
@@ -69,7 +67,7 @@ public class ListingAgent extends Abstra
     public void handle(HttpServletRequest httpServletRequest,
                        HttpServletResponse httpServletResponse)
             throws IOException, ServletException {
-
+        httpServletRequest = new 
ForbidSessionCreationWrapper(httpServletRequest);
         String query = httpServletRequest.getQueryString();
         if (query != null) {
             if (HttpUtils.indexOfIngnoreCase(query , "wsdl2") > 0 || 
HttpUtils.indexOfIngnoreCase(query, "wsdl") > 0 ||
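Review bot: The wrapped request is written back into the `httpServletRequest` parameter, so a reader of `handle` gets no hint that session creation is refused for everything below this line; a comment such as `// Session fixation prevention: listing pages must never create a session` or a distinctly named local would make the intent visible. The body of handle continues outside the hunk, and any call there that still uses the no-argument getSession() now goes through ForbidSessionCreationWrapper, whose behaviour for that call is not shown on this page — worth a grep before merging.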
@@ -88,7 +86,7 @@ public class ListingAgent extends Abstra
         String serviceName = req.getParameter("serviceName");
         if (serviceName != null) {
             AxisService service = 
configContext.getAxisConfiguration().getService(serviceName);
-            req.getSession().setAttribute(Constants.SINGLE_SERVICE, service);
+            req.setAttribute(Constants.SINGLE_SERVICE, service);
         }
         renderView(LIST_FAULTY_SERVICES_JSP_NAME, req, res);
     }
@@ -192,16 +190,10 @@ public class ListingAgent extends Abstra
                 } else if (policy >= 0) {
                     handlePolicyRequest(req, res, serviceName, axisService);
                     return;
-                } else {
-                    req.getSession().setAttribute(Constants.SINGLE_SERVICE, 
axisService);
                 }
-            } else {
-                req.getSession().setAttribute(Constants.SINGLE_SERVICE, null);
-                res.sendError(HttpServletResponse.SC_NOT_FOUND, url);
             }
         }
-
-        renderView(LIST_SINGLE_SERVICE_JSP_NAME, req, res);
+        res.sendError(HttpServletResponse.SC_NOT_FOUND, url);
     }
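Review bot: `res.sendError(HttpServletResponse.SC_NOT_FOUND, url)` now terminates every path that does not return earlier, and it echoes `url` (computed outside this hunk) as the error message. Servlet containers may render the sendError message into their default HTML error page and the API does not promise to escape it, so a request-derived value there is a reflected-content risk unless the container in use is known to escape it. Passing a fixed message, `res.sendError(HttpServletResponse.SC_NOT_FOUND);`, sidesteps the question; the enclosing method starts outside the hunk.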
 
     private void handlePolicyRequest(HttpServletRequest req,
@@ -387,9 +379,9 @@ public class ListingAgent extends Abstra
         if(listServiceDisabled()){
            return;
         }
-        populateSessionInformation(req);
-        req.getSession().setAttribute(Constants.ERROR_SERVICE_MAP,
-                                      
configContext.getAxisConfiguration().getFaultyServices());
+        populateRequestAttributes(req);
+        req.setAttribute(Constants.ERROR_SERVICE_MAP,
+                configContext.getAxisConfiguration().getFaultyServices());
         renderView(LIST_MULTIPLE_SERVICE_JSP_NAME, req, res);
     }
 

Modified: 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/Action.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/Action.java?rev=1746850&r1=1746849&r2=1746850&view=diff
==============================================================================
--- 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/Action.java
 (original)
+++ 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/Action.java
 Sat Jun  4 20:46:07 2016
@@ -29,4 +29,5 @@ import java.lang.annotation.Target;
     String name();
     boolean authorizationRequired() default true;
     boolean post() default false;
+    boolean sessionCreationAllowed() default false;
 }
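Review bot: The new `sessionCreationAllowed` attribute has no Javadoc, and its default is the security-relevant part: an action must opt in before it may create an HTTP session. Document it on the annotation, e.g. `/** Whether the action is allowed to create an HTTP session. Defaults to {@code false}; only an action that establishes a login should enable it. */`. The other three attributes are equally undocumented, so a one-liner on each would bring the interface to the same standard.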

Modified: 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/ActionHandler.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/ActionHandler.java?rev=1746850&r1=1746849&r2=1746850&view=diff
==============================================================================
--- 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/ActionHandler.java
 (original)
+++ 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/ActionHandler.java
 Sat Jun  4 20:46:07 2016
@@ -24,6 +24,7 @@ import java.lang.reflect.Method;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
 
 import org.apache.axis2.Constants;
 
@@ -32,12 +33,15 @@ final class ActionHandler {
     private final Method method;
     private final boolean authorizationRequired;
     private final boolean post;
+    private final boolean sessionCreationAllowed;
 
-    ActionHandler(Object target, Method method, boolean authorizationRequired, 
boolean post) {
+    ActionHandler(Object target, Method method, boolean authorizationRequired, 
boolean post,
+            boolean sessionCreationAllowed) {
         this.target = target;
         this.method = method;
         this.authorizationRequired = authorizationRequired;
         this.post = post;
+        this.sessionCreationAllowed = sessionCreationAllowed;
     }
 
     boolean isMethodAllowed(String method) {
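Review bot: The constructor now takes three adjacent booleans (`authorizationRequired`, `post`, `sessionCreationAllowed`), and the single call site in AxisAdminServlet passes them positionally, so transposing `post` and `sessionCreationAllowed` would compile and silently grant session creation to the wrong actions. Accepting the annotation directly, `ActionHandler(Object target, Method method, Action action)`, and reading the three flags inside the constructor removes that risk; the class is package-private, so the change stays local.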
@@ -48,8 +52,13 @@ final class ActionHandler {
         return post && authorizationRequired;
     }
 
+    boolean isSessionCreationAllowed() {
+        return sessionCreationAllowed;
+    }
+
     ActionResult handle(HttpServletRequest request, boolean securityEnabled) 
throws IOException, ServletException {
-        if (securityEnabled && authorizationRequired && 
request.getSession().getAttribute(Constants.LOGGED) == null) {
+        HttpSession session = request.getSession(false);
+        if (securityEnabled && authorizationRequired && (session == null || 
session.getAttribute(Constants.LOGGED) == null)) {
             return new Redirect("welcome");
         } else {
             try {

Modified: 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java?rev=1746850&r1=1746849&r2=1746850&view=diff
==============================================================================
--- 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java
 (original)
+++ 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java
 Sat Jun  4 20:46:07 2016
@@ -60,6 +60,7 @@ final class AdminActions {
     private static final Log log = LogFactory.getLog(AbstractAgent.class);
     
     private static final String WELCOME = "welcome";
+    private static final String LOGOUT = "logout";
     private static final String INDEX = "index";
     private static final String UPLOAD = "upload";
     private static final String LIST_SERVICES = "listServices";
@@ -116,11 +117,16 @@ final class AdminActions {
     // supported web operations
 
     @Action(name=WELCOME, authorizationRequired=false)
-    public View welcome(HttpServletRequest req) {
-        if ("true".equals(req.getParameter("failed"))) {
-            req.setAttribute("errorMessage", "Invalid auth credentials!");
+    public ActionResult welcome(HttpServletRequest req) {
+        // Session fixation prevention: if there is an existing session, first 
invalidate it.
+        if (req.getSession(false) != null) {
+            return new Redirect(LOGOUT);
+        } else {
+            if ("true".equals(req.getParameter("failed"))) {
+                req.setAttribute("errorMessage", "Invalid auth credentials!");
+            }
+            return new View(LOGIN_JSP_NAME);
         }
-        return new View(LOGIN_JSP_NAME);
     }
 
     @Action(name=UPLOAD)
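Review bot: The new `return new Redirect(LOGOUT)` on a request that already has a session can loop: `logout` keeps the default `authorizationRequired=true` (see its @Action later in this file), so when security is enabled and the session exists but has no `Constants.LOGGED` attribute, ActionHandler.handle redirects to `welcome`, which finds the session and redirects to `logout` again. Whether such a session can arise depends on code outside this hunk (for instance whether a failed login leaves its session behind), but the loop is cheap to rule out with `@Action(name=LOGOUT, authorizationRequired=false)` — invalidating an anonymous session is harmless. The rationale comment is welcome; mentioning that the invalidation is delegated to the logout action because this action is not allowed to touch the session would complete it.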
@@ -184,8 +190,15 @@ final class AdminActions {
         throw new ServletException("Invalid request");
     }
 
-    @Action(name="login", authorizationRequired=false, post=true)
+    @Action(name="login", authorizationRequired=false, post=true, 
sessionCreationAllowed=true)
     public Redirect login(HttpServletRequest req) {
+        // Session fixation prevention: don't allow to login in an existing 
session.
+        // Note that simply invalidating the session and creating a new one is 
not sufficient
+        // because on some servlet containers, the new session will keep the 
existing session ID.
+        if (req.getSession(false) != null) {
+            return new Redirect(WELCOME);
+        }
+
         String username = req.getParameter("userName");
         String password = req.getParameter("password");
 
@@ -395,7 +408,7 @@ final class AdminActions {
                 moduleName + " module engaged to the service group 
successfully");
     }
 
-    @Action(name="logout")
+    @Action(name=LOGOUT)
     public Redirect logout(HttpServletRequest req) {
         req.getSession().invalidate();
         return new Redirect(WELCOME);
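Review bot: `req.getSession().invalidate()` creates a session only to destroy it when the request has none, and since `logout` does not set `sessionCreationAllowed`, the request reaching it is wrapped in ForbidSessionCreationWrapper, whose handling of the no-argument getSession() is outside this page. `HttpSession session = req.getSession(false); if (session != null) { session.invalidate(); }` is robust under either behaviour and matches how the rest of this commit reads sessions.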

Modified: 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/AxisAdminServlet.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/AxisAdminServlet.java?rev=1746850&r1=1746849&r2=1746850&view=diff
==============================================================================
--- 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/AxisAdminServlet.java
 (original)
+++ 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/AxisAdminServlet.java
 Sat Jun  4 20:46:07 2016
@@ -23,6 +23,7 @@ import org.apache.axis2.Constants;
 import org.apache.axis2.context.ConfigurationContext;
 import org.apache.axis2.description.Parameter;
 import org.apache.axis2.transport.http.AxisServlet;
+import org.apache.axis2.transport.http.ForbidSessionCreationWrapper;
 
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletContext;
@@ -69,32 +70,43 @@ public class AxisAdminServlet extends Ax
         ActionHandler actionHandler = actionHandlers.get(action);
         if (actionHandler != null) {
             if (actionHandler.isMethodAllowed(request.getMethod())) {
-                HttpSession session = request.getSession();
-                CSRFTokenCache tokenCache = 
(CSRFTokenCache)session.getAttribute(CSRFTokenCache.class.getName());
-                if (tokenCache == null) {
-                    tokenCache = new CSRFTokenCache();
-                    session.setAttribute(CSRFTokenCache.class.getName(), 
tokenCache);
+                if (!actionHandler.isSessionCreationAllowed()) {
+                    request = new ForbidSessionCreationWrapper(request);
                 }
+                HttpSession session = request.getSession(false);
                 if (actionHandler.isCSRFTokenRequired()) {
-                    String token = request.getParameter("token");
-                    if (token == null || !tokenCache.isValid(token)) {
+                    boolean tokenValid;
+                    if (session == null) {
+                        tokenValid = false;
+                    } else {
+                        CSRFTokenCache tokenCache = 
(CSRFTokenCache)session.getAttribute(CSRFTokenCache.class.getName());
+                        if (tokenCache == null) {
+                            tokenValid = false;
+                        } else {
+                            String token = request.getParameter("token");
+                            tokenValid = token != null && 
tokenCache.isValid(token);
+                        }
+                    }
+                    if (!tokenValid) {
                         response.sendError(HttpServletResponse.SC_FORBIDDEN, 
"No valid CSRF token found in request");
                         return;
                     }
                 }
-                session.setAttribute(Constants.SERVICE_PATH, 
configContext.getServicePath());
-                String statusKey = request.getParameter("status");
-                if (statusKey != null) {
-                    StatusCache statusCache = 
(StatusCache)session.getAttribute(StatusCache.class.getName());
-                    if (statusCache != null) {
-                        Status status = statusCache.get(statusKey);
-                        if (status != null) {
-                            request.setAttribute("status", status);
+                request.setAttribute(Constants.SERVICE_PATH, 
configContext.getServicePath());
+                if (session != null) {
+                    String statusKey = request.getParameter("status");
+                    if (statusKey != null) {
+                        StatusCache statusCache = 
(StatusCache)session.getAttribute(StatusCache.class.getName());
+                        if (statusCache != null) {
+                            Status status = statusCache.get(statusKey);
+                            if (status != null) {
+                                request.setAttribute("status", status);
+                            }
                         }
                     }
                 }
                 ActionResult result = actionHandler.handle(request, 
axisSecurityEnabled());
-                result.process(request, new 
CSRFPreventionResponseWrapper(response, actionHandlers, tokenCache, random));
+                result.process(request, new 
CSRFPreventionResponseWrapper(request, response, actionHandlers, random));
             } else {
                 response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
             }
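Review bot: The CSRF check is now four nested branches feeding a `tokenValid` flag, which hides the simple rule "no session, or no cache, or no matching token ⇒ reject" inside a method that already starts outside this hunk and also reassigns its `request` parameter. Extracting the decision into a small predicate and collapsing the call site to one condition keeps the 403 path in one place and makes the rule readable; the behaviour is unchanged. A short comment at the `request = new ForbidSessionCreationWrapper(request)` line, `// session fixation prevention: only opted-in actions may create a session`, would also explain the reassignment.
```java
                if (actionHandler.isCSRFTokenRequired() && !hasValidCsrfToken(session, request)) {
                    response.sendError(HttpServletResponse.SC_FORBIDDEN, "No valid CSRF token found in request");
                    return;
                }
                // … unchanged: SERVICE_PATH attribute, status lookup, handler dispatch …

    /**
     * Returns true only if the request carries a "token" parameter accepted by the
     * CSRF token cache held in the session; false when there is no session or no cache yet.
     */
    private static boolean hasValidCsrfToken(HttpSession session, HttpServletRequest request) {
        if (session == null) {
            return false;
        }
        CSRFTokenCache tokenCache = (CSRFTokenCache)session.getAttribute(CSRFTokenCache.class.getName());
        if (tokenCache == null) {
            return false;
        }
        String token = request.getParameter("token");
        return token != null && tokenCache.isValid(token);
    }
```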
@@ -123,7 +135,7 @@ public class AxisAdminServlet extends Ax
                 actionHandlers.put(
                         actionAnnotation.name(),
                         new ActionHandler(actions, method, 
actionAnnotation.authorizationRequired(),
-                                actionAnnotation.post()));
+                                actionAnnotation.post(), 
actionAnnotation.sessionCreationAllowed()));
             }
         }
         this.servletConfig = config;

Modified: 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFPreventionResponseWrapper.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFPreventionResponseWrapper.java?rev=1746850&r1=1746849&r2=1746850&view=diff
==============================================================================
--- 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFPreventionResponseWrapper.java
 (original)
+++ 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFPreventionResponseWrapper.java
 Sat Jun  4 20:46:07 2016
@@ -21,8 +21,10 @@ package org.apache.axis2.webapp;
 import java.util.Map;
 import java.util.Random;
 
+import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpServletResponseWrapper;
+import javax.servlet.http.HttpSession;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -30,20 +32,32 @@ import org.apache.commons.logging.LogFac
 final class CSRFPreventionResponseWrapper extends HttpServletResponseWrapper {
     private static final Log log = 
LogFactory.getLog(CSRFPreventionResponseWrapper.class);
 
+    private final HttpServletRequest request;
     private final Map<String,ActionHandler> actionHandlers;
-    private final CSRFTokenCache tokenCache;
     private final Random random;
     private String token;
 
-    CSRFPreventionResponseWrapper(HttpServletResponse response, 
Map<String,ActionHandler> actionHandlers, CSRFTokenCache tokenCache, Random 
random) {
+    CSRFPreventionResponseWrapper(HttpServletRequest request, 
HttpServletResponse response, Map<String,ActionHandler> actionHandlers, Random 
random) {
         super(response);
+        this.request = request;
         this.actionHandlers = actionHandlers;
-        this.tokenCache = tokenCache;
         this.random = random;
     }
 
     protected String getToken() {
         if (token == null) {
+            HttpSession session = request.getSession(false);
+            if (session == null) {
+                throw new IllegalStateException();
+            }
+            CSRFTokenCache tokenCache;
+            synchronized (session) {
+                tokenCache = 
(CSRFTokenCache)session.getAttribute(CSRFTokenCache.class.getName());
+                if (tokenCache == null) {
+                    tokenCache = new CSRFTokenCache();
+                    session.setAttribute(CSRFTokenCache.class.getName(), 
tokenCache);
+                }
+            }
             byte[] bytes = new byte[16];
             StringBuilder buffer = new StringBuilder();
             random.nextBytes(bytes);
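Review bot: `throw new IllegalStateException()` carries no message, so when a view tries to emit a CSRF token on a request without a session the stack trace gives no hint what went wrong; `throw new IllegalStateException("Cannot issue a CSRF token: the request has no session");` names the condition. Two things to confirm rather than change: the token bytes come from the injected `java.util.Random`, so the protection is only as strong as the instance AxisAdminServlet passes in (outside this page) — it should be a `java.security.SecureRandom`, a subclass, so the field type can stay; and `synchronized (session)` assumes the container hands the same HttpSession object to concurrent requests, which the Servlet specification does not guarantee, so a comment stating that assumption would help the next reader. getToken continues outside the hunk.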

Modified: 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/include/httpbase.jsp
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/include/httpbase.jsp?rev=1746850&r1=1746849&r2=1746850&view=diff
==============================================================================
--- 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/include/httpbase.jsp
 (original)
+++ 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/include/httpbase.jsp
 Sat Jun  4 20:46:07 2016
@@ -17,6 +17,7 @@
   ~ under the License.
   --%>
 
+<%@ page session="false" %>
 <%@ page import="org.apache.axis2.Constants" %>
 <%@ page import="org.apache.axis2.context.ConfigurationContext" %>
 <%@ page import="org.apache.axis2.description.Parameter" %>

Modified: 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/include/link-footer.jsp
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/include/link-footer.jsp?rev=1746850&r1=1746849&r2=1746850&view=diff
==============================================================================
--- 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/include/link-footer.jsp
 (original)
+++ 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/include/link-footer.jsp
 Sat Jun  4 20:46:07 2016
@@ -57,6 +57,7 @@
 ~ specific language governing permissions and limitations
 ~ under the License.
 --%>
+<%@ page session="false" %>
 <table summary="back home table"width="100%">
        <tr><td>
                <table summary="embedded back home table">

Modified: 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/admin/Login.jsp
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/admin/Login.jsp?rev=1746850&r1=1746849&r2=1746850&view=diff
==============================================================================
--- 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/admin/Login.jsp
 (original)
+++ 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/admin/Login.jsp
 Sat Jun  4 20:46:07 2016
@@ -17,7 +17,7 @@
   ~ under the License.
   --%>
 
-<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<%@ page contentType="text/html;charset=UTF-8" language="java" session="false" 
%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" 
"http://www.w3.org/TR/html4/strict.dtd";>
 <html>
   <head>

Modified: 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/admin/listServices.jsp
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/admin/listServices.jsp?rev=1746850&r1=1746849&r2=1746850&view=diff
==============================================================================
--- 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/admin/listServices.jsp
 (original)
+++ 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/admin/listServices.jsp
 Sat Jun  4 20:46:07 2016
@@ -36,7 +36,7 @@
 
 <h1>Available Services</h1>
 <t:status/>
-<% String prefix = request.getAttribute("frontendHostUrl") + 
(String)request.getSession().getAttribute(Constants.SERVICE_PATH) + "/";
+<% String prefix = request.getAttribute("frontendHostUrl") + 
(String)request.getAttribute(Constants.SERVICE_PATH) + "/";
 %>
 <%
     HashMap serviceMap = (HashMap) 
request.getSession().getAttribute(Constants.SERVICE_MAP);
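Review bot: Only SERVICE_PATH moves to a request attribute here; two lines later the same page still reads `Constants.SERVICE_MAP` from `request.getSession()`, and admin/listSingleService.jsp likewise keeps `Constants.IS_FAULTY` in the session. Presumably the admin actions still store those values in the session (their code is outside this page), so this is consistent today, but mixing the two sources in one view makes the next migration easy to miss. A marker on the remaining session lookups, `<%-- still session-scoped; set by the action that renders this view --%>`, or moving them to request attributes in the same change, would keep these views uniform with WEB-INF/views/listServices.jsp.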

Modified: 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/admin/listSingleService.jsp
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/admin/listSingleService.jsp?rev=1746850&r1=1746849&r2=1746850&view=diff
==============================================================================
--- 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/admin/listSingleService.jsp
 (original)
+++ 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/admin/listSingleService.jsp
 Sat Jun  4 20:46:07 2016
@@ -29,7 +29,7 @@
 <jsp:include page="/WEB-INF/include/adminheader.jsp"/>
 <h1>List Single Service</h1>
 <%
-    String prefix = request.getAttribute("frontendHostUrl") + 
(String)request.getSession().getAttribute(Constants.SERVICE_PATH) + "/";
+    String prefix = request.getAttribute("frontendHostUrl") + 
(String)request.getAttribute(Constants.SERVICE_PATH) + "/";
 %>
 <%
     String isFault = (String) 
request.getSession().getAttribute(Constants.IS_FAULTY);

Copied: 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/listFaultyService.jsp
 (from r1746787, 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/listFaultyService.jsp)
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/listFaultyService.jsp?p2=axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/listFaultyService.jsp&p1=axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/listFaultyService.jsp&r1=1746787&r2=1746850&rev=1746850&view=diff
==============================================================================
--- 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/listFaultyService.jsp
 (original)
+++ 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/listFaultyService.jsp
 Sat Jun  4 20:46:07 2016
@@ -17,6 +17,7 @@
   ~ under the License.
   --%>
 
+<%@ page session="false" %>
 <%@ page import="org.apache.axis2.Constants,
                  org.apache.axis2.description.AxisOperation"%>
 <%@ page import="org.apache.axis2.description.AxisService"%>
@@ -33,13 +34,13 @@
   <jsp:include page="/WEB-INF/include/header.inc"/>
     <jsp:include page="/WEB-INF/include/link-footer.jsp"/>
   <%
-        String prifix = request.getAttribute("frontendHostUrl") + 
(String)request.getSession().getAttribute(Constants.SERVICE_PATH) +"services/";
+        String prifix = request.getAttribute("frontendHostUrl") + 
(String)request.getAttribute(Constants.SERVICE_PATH) +"services/";
     %>
         <%
-            String isFault = 
(String)request.getSession().getAttribute(Constants.IS_FAULTY);
+            String isFault = (String)request.getAttribute(Constants.IS_FAULTY);
             String servicName = request.getParameter("serviceName");
             if(Constants.IS_FAULTY.equals(isFault)){
-                Hashtable errornessservices 
=(Hashtable)request.getSession().getAttribute(Constants.ERROR_SERVICE_MAP);
+                Hashtable errornessservices 
=(Hashtable)request.getAttribute(Constants.ERROR_SERVICE_MAP);
                 %>
                     <h3>This Web axisService has deployment faults</h3><%
                      %><p 
style="color:red"><%=(String)errornessservices.get(servicName) %></p>
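Review bot: `<%=(String)errornessservices.get(servicName) %>` writes the deployment fault text into the page without HTML escaping; the text originates outside this page, and a value containing markup would be rendered as such. Escaping it before output, with whatever HTML-escape helper the webapp already uses in its other views, keeps the error page inert; the line predates the copy, so this can be a follow-up. The `prifix`, `servicName` and `errornessservices` spellings are also carried over and could be corrected while the file is being touched.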
@@ -48,7 +49,7 @@
                     }else {
 
                     AxisService axisService =
-                            (AxisService) 
request.getSession().getAttribute(Constants.SINGLE_SERVICE);
+                            (AxisService) 
request.getAttribute(Constants.SINGLE_SERVICE);
                     if(axisService!=null){
            Iterator opItr = axisService.getOperations();
             //operationsList = operations.values();

Copied: 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/listServices.jsp
 (from r1746787, 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/listServices.jsp)
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/listServices.jsp?p2=axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/listServices.jsp&p1=axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/listServices.jsp&r1=1746787&r2=1746850&rev=1746850&view=diff
==============================================================================
--- 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/WEB-INF/views/listServices.jsp
 (original)
+++ 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/WEB-INF/views/listServices.jsp
 Sat Jun  4 20:46:07 2016
@@ -17,6 +17,7 @@
   ~ under the License.
   --%>
 
+<%@ page session="false" %>
 <%@ page import="org.apache.axis2.Constants,
                  org.apache.axis2.description.AxisOperation" %>
 <%@ page import="org.apache.axis2.description.AxisService" %>
@@ -42,12 +43,11 @@
 <jsp:include page="/WEB-INF/include/header.inc"/>
 <jsp:include page="/WEB-INF/include/link-footer.jsp"/>
 <h1>Available services</h1>
-<% String prefix = request.getAttribute("frontendHostUrl") + 
(String)request.getSession().getAttribute(Constants.SERVICE_PATH) + "/";
+<% String prefix = request.getAttribute("frontendHostUrl") + 
(String)request.getAttribute(Constants.SERVICE_PATH) + "/";
 %>
 <%
-    HashMap serviceMap = (HashMap) 
request.getSession().getAttribute(Constants.SERVICE_MAP);
-    request.getSession().setAttribute(Constants.SERVICE_MAP, null);
-    Hashtable errornessservice = (Hashtable) 
request.getSession().getAttribute(Constants.ERROR_SERVICE_MAP);
+    HashMap serviceMap = (HashMap) request.getAttribute(Constants.SERVICE_MAP);
+    Hashtable errornessservice = (Hashtable) 
request.getAttribute(Constants.ERROR_SERVICE_MAP);
     boolean status = false;
     if (serviceMap != null && !serviceMap.isEmpty()) {
         Iterator opItr;
@@ -111,7 +111,7 @@
     }
     if (errornessservice != null) {
         if (errornessservice.size() > 0) {
-            request.getSession().setAttribute(Constants.IS_FAULTY, 
Constants.IS_FAULTY);
+            request.setAttribute(Constants.IS_FAULTY, Constants.IS_FAULTY);
 %>
 <hr>
 
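Review bot: `request.setAttribute(Constants.IS_FAULTY, Constants.IS_FAULTY)` on the new side appears to be write-only within this request: unlike the session attribute it replaces, a request attribute does not survive into the next request, and nothing after it in this hunk reads IS_FAULTY. listFaultyService.jsp reads `request.getAttribute(Constants.IS_FAULTY)` during its own request, so it now depends on the controller forwarding to that view setting the attribute itself; if it does, this line can be dropped, and if it does not, the fault branch of that page will never be taken. Either way a comment such as `<%-- IS_FAULTY is request-scoped; the faulty-service view is populated by its own controller --%>` would record the new contract. The enclosing scriptlet block continues outside the hunk.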

Modified: 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/axis2-web/index.jsp
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/axis2-web/index.jsp?rev=1746850&r1=1746849&r2=1746850&view=diff
==============================================================================
--- 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/axis2-web/index.jsp
 (original)
+++ 
axis/axis2/java/core/branches/1_7/modules/webapp/src/main/webapp/axis2-web/index.jsp
 Sat Jun  4 20:46:07 2016
@@ -17,7 +17,7 @@
   ~ under the License.
   --%>
 
-<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<%@ page contentType="text/html;charset=UTF-8" language="java" session="false" 
%>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" 
"http://www.w3.org/TR/html4/strict.dtd";>
 <html>
   <head>

Modified: axis/axis2/java/core/branches/1_7/systests/webapp-tests/pom.xml
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/systests/webapp-tests/pom.xml?rev=1746850&r1=1746849&r2=1746850&view=diff
==============================================================================
--- axis/axis2/java/core/branches/1_7/systests/webapp-tests/pom.xml (original)
+++ axis/axis2/java/core/branches/1_7/systests/webapp-tests/pom.xml Sat Jun  4 
20:46:07 2016
@@ -35,6 +35,11 @@
             <scope>test</scope>
         </dependency>
         <dependency>
+            <groupId>com.google.truth</groupId>
+            <artifactId>truth</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
             <groupId>net.sourceforge.jwebunit</groupId>
             <artifactId>jwebunit-htmlunit-plugin</artifactId>
             <version>3.3</version>
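Review bot: The new `com.google.truth:truth` dependency carries no `<version>`, so it resolves only if a parent POM's dependencyManagement on the 1.7 branch declares one, whereas the neighbouring jwebunit dependency pins `<version>3.3</version>` inline. If the managed version was introduced on trunk alongside the tests being merged, this branch build fails at dependency resolution unless that parent change was merged as well, which this diff does not show. Consider either pinning `<version>` here or confirming the parent POM entry exists on the branch.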

Copied: 
axis/axis2/java/core/branches/1_7/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisAdminServletITCase.java
 (from r1746813, 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisAdminServletITCase.java)
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisAdminServletITCase.java?p2=axis/axis2/java/core/branches/1_7/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisAdminServletITCase.java&p1=axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisAdminServletITCase.java&r1=1746813&r2=1746850&rev=1746850&view=diff
==============================================================================
--- 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisAdminServletITCase.java
 (original)
+++ 
axis/axis2/java/core/branches/1_7/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisAdminServletITCase.java
 Sat Jun  4 20:46:07 2016
@@ -18,6 +18,9 @@
  */
 package org.apache.axis2.webapp;
 
+import static com.google.common.truth.Truth.assertThat;
+
+import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 
@@ -25,13 +28,33 @@ public class AxisAdminServletITCase {
     @Rule
     public Axis2WebTester tester = new Axis2WebTester();
 
-    @Test
-    public void test() {
+    @Before
+    public void setUp() {
         tester.beginAt("/axis2-admin/");
         tester.setTextField("userName", "admin");
         tester.setTextField("password", "axis2");
         tester.submit();
+    }
+
+    @Test
+    public void testAvailableServices() {
         tester.clickLinkWithText("Available Services");
         tester.assertMatch("Service EPR : 
http://localhost:[0-9]+/axis2/services/Version";);
     }
+
+    /**
+     * Tests that the admin console is not vulnerable to session fixation 
attacks. This tests
+     * attempts to log in with an existing session. This should result in a 
new session with a
+     * different session ID.
+     */
+    @Test
+    public void loginInvalidatesExistingSession() {
+        String sessionId = tester.getSessionId();
+        assertThat(sessionId).isNotNull();
+        tester.gotoPage("/axis2-admin/welcome");
+        tester.setTextField("userName", "admin");
+        tester.setTextField("password", "axis2");
+        tester.submit();
+        assertThat(tester.getSessionId()).isNotEqualTo(sessionId);
+    }
 }
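Review bot: `loginInvalidatesExistingSession` still passes when the second login fails or yields no session at all, because `isNotEqualTo(sessionId)` is satisfied by a null value and nothing asserts that the submit landed on an authenticated page; replace the last line with `String newSessionId = tester.getSessionId(); assertThat(newSessionId).isNotNull(); assertThat(newSessionId).isNotEqualTo(sessionId);` and add an assertion on post-login content, e.g. the "Available Services" link that testAvailableServices relies on. The test also only exercises re-login from an already authenticated session, since setUp has logged in before the session ID is captured; the classic fixation case, a session ID handed out before any login being retained across that first login, would need the ID captured between `beginAt` and `submit`, which setUp does not expose. The Javadoc should read "This test attempts" rather than "This tests attempts".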


