Author: sohil.shah(a)jboss.com
Date: 2009-04-17 17:46:06 -0400 (Fri, 17 Apr 2009)
New Revision: 13227
Modified:
modules/identity/trunk/sso/src/main/java/org/jboss/portal/identity/sso/josso/JOSSOLogoutValve.java
modules/identity/trunk/sso/src/test/java/org/jboss/portal/test/identity/sso/JOSSOTestCase.java
Log:
JBEPP-33 - no validation for cookie value with SSO
Modified:
modules/identity/trunk/sso/src/main/java/org/jboss/portal/identity/sso/josso/JOSSOLogoutValve.java
===================================================================
---
modules/identity/trunk/sso/src/main/java/org/jboss/portal/identity/sso/josso/JOSSOLogoutValve.java 2009-04-17
06:02:23 UTC (rev 13226)
+++
modules/identity/trunk/sso/src/main/java/org/jboss/portal/identity/sso/josso/JOSSOLogoutValve.java 2009-04-17
21:46:06 UTC (rev 13227)
@@ -26,7 +26,6 @@
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.Cookie;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
@@ -47,77 +46,15 @@
{
HttpServletRequest httpRequest = (HttpServletRequest) request;
request.setAttribute("ssoEnabled", "true");
-
- Cookie jossoPortalCookie = this.findJOSSOPortalLogoutCookie(httpRequest);
- if(jossoPortalCookie != null)
- {
- String referer = jossoPortalCookie.getValue();
-
- if(referer != null && referer.trim().length() > 0)
- {
- //Delete this cookie
- jossoPortalCookie = new Cookie("JOSSO_PORTAL_LOGOUT",
"");
- jossoPortalCookie.setMaxAge(0); //setting the value to 0 should delete this
cookie from the browser
- response.addCookie(jossoPortalCookie);
-
- //This form of redirect is needed instead of sendRedirect
- //otherwise the JBOSS_PORTAL_LOGOUT cookie cleanup does not happen
- StringBuffer buffer = new StringBuffer();
- buffer.append("<html>"+"\n");
- buffer.append("<head>"+"\n");
- buffer.append("</head>"+"\n");
- buffer.append("<body
onload=\"setTimeout('document.form1.submit()',1000);\">"+"\n");
- buffer.append("<form name=\"form1\"
action=\""+referer+"\"
method=\"post\">"+"\n");
- buffer.append("</form>"+"\n");
- buffer.append("</body>"+"\n");
- buffer.append("</html>"+"\n");
-
- response.getOutputStream().write(buffer.toString().getBytes());
- response.getOutputStream().flush();
-
- return;
- }
- }
-
- // continue processing the request
+
+ //Logout not activated, Continue processing the request through the system
this.getNext().invoke(request, response);
+ //Check if Logout was activated...If so, perform a JOSSO logout
if(request.getAttribute("org.jboss.portal.logout") != null)
{
- String jossoLogout = httpRequest.getContextPath() + "/josso_logout/";
-
- Cookie cookie = new
Cookie("JOSSO_PORTAL_LOGOUT",httpRequest.getHeader("Referer"));
- cookie.setMaxAge(-1); //setting the value so that cookie expires when broser is
closed
- response.addCookie(cookie);
-
+ String jossoLogout = httpRequest.getContextPath() + "/josso_logout/";
response.sendRedirect(jossoLogout);
}
- }
-
- /**
- *
- * @param request
- * @return
- */
- private Cookie findJOSSOPortalLogoutCookie(HttpServletRequest request)
- {
- Cookie cookie = null;
-
- Cookie[] cookies = request.getCookies();
- if(cookies != null)
- {
- for(int i=0; i<cookies.length; i++)
- {
- Cookie cour = cookies[i];
-
- if(cour.getName().equals("JOSSO_PORTAL_LOGOUT"))
- {
- cookie = cour;
- break;
- }
- }
- }
-
- return cookie;
- }
+ }
}
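Review bot: The `response.sendRedirect(jossoLogout)` issued after `this.getNext().invoke(request, response)` runs only once the downstream valves have produced their response, so if any of them wrote and flushed output the response is already committed and `sendRedirect` throws `IllegalStateException` instead of sending the browser to `/josso_logout/`. Guarding the branch, e.g. `if(request.getAttribute("org.jboss.portal.logout") != null && !response.isCommitted())`, and logging the skipped redirect would make a logout that never reached JOSSO visible rather than surfacing as a stack trace. Removing the cookie/Referer round-trip (including the unescaped referer written into the form `action`) is the JBEPP-33 fix itself, so the remaining two-phase flow deserves a short Javadoc on the valve: the chain runs first, and the `org.jboss.portal.logout` request attribute set by it triggers the JOSSO logout redirect. The enclosing `invoke` method's signature lies above the hunk.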
Modified:
modules/identity/trunk/sso/src/test/java/org/jboss/portal/test/identity/sso/JOSSOTestCase.java
===================================================================
---
modules/identity/trunk/sso/src/test/java/org/jboss/portal/test/identity/sso/JOSSOTestCase.java 2009-04-17
06:02:23 UTC (rev 13226)
+++
modules/identity/trunk/sso/src/test/java/org/jboss/portal/test/identity/sso/JOSSOTestCase.java 2009-04-17
21:46:06 UTC (rev 13227)
@@ -32,7 +32,6 @@
import org.apache.commons.httpclient.NameValuePair;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.methods.PostMethod;
-import org.apache.commons.httpclient.protocol.Protocol;
import junit.framework.TestCase;
@@ -58,13 +57,10 @@
*
*/
protected void setUp() throws Exception
- {
- //SSL setup
- Protocol.registerProtocol("https",new Protocol("https", new
EasySSLProtocolSocketFactory(), 443));
-
- this.firstPortal = "http://josso-01/portal";
- this.secondPortal = "http://josso-02/portal";
- this.sameHostSecondPortal = "http://josso-01/portal2";
+ {
+ this.firstPortal = "http://josso-01:8080/portal";
+ this.secondPortal = "http://josso-02:8080/portal";
+ this.sameHostSecondPortal = "http://josso-01:8080/portal2";
this.jossoServer = "josso-01";
this.userLoggedInIndicator = "Logged in as:";
this.username = "user";
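Review bot: The three portal URLs now hard-code `:8080`, and the same port is repeated later when the login POST URL is assembled (`"http://"+ this.jossoServer +":8080/"+action` in the hunk around the `sendPost` call), so a port change has to be made in two places. Keeping one base URL per host here, e.g. `this.jossoServer = "http://josso-01:8080";`, and building the POST URL from it would remove the duplication; as far as this diff shows `jossoServer` is the bare hostname and is only used in that one place, but other uses outside the hunks would need checking. Dropping the `Protocol.registerProtocol("https", ...)` setup means the test now exercises plain HTTP only, which is worth stating in the `setUp` Javadoc since nothing in the fields says so any more.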
@@ -203,7 +199,7 @@
{
this.sameHostSecondPortal = sameHostSecondPortal;
}
-
+
//-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
/**
* This tests the scenario when the two portals are deployed on separate
hosts/servers
*
@@ -211,29 +207,28 @@
*/
public void testMultiHostDeployment() throws Exception
{
- Cookie ssoCookie = null;
String firstPortalFinalResponse = null;
String secondPortalFinalResponse = null;
//Load the main portal page on firstPortalContext
String firstContextPortalUrl = this.firstPortal;
- WebConversation portalConversation =
this.startConversation(firstContextPortalUrl);
- TestCase.assertFalse(this.isUserLoggedIn(portalConversation.getResponse()));
+ WebConversation firstPortalConversation =
this.startConversation(firstContextPortalUrl);
+ TestCase.assertFalse(this.isUserLoggedIn(firstPortalConversation.getResponse()));
//Click the Login link on the firstPortalContext
String firstContextLoginUrl = firstContextPortalUrl +
"/auth/portal/default/default";
- this.sendGet(firstContextLoginUrl, portalConversation);
+ this.sendGet(firstContextLoginUrl, firstPortalConversation, false);
//Navigate to a secured resource on the portal
- TestCase.assertNotNull(portalConversation.getRedirectLocation());
- TestCase.assertEquals(portalConversation.getStatusCode(), 302);
- String portalToJOSSO = portalConversation.getRedirectLocation();
- this.sendGet(portalToJOSSO, portalConversation);
+ TestCase.assertNotNull(firstPortalConversation.getRedirectLocation());
+ TestCase.assertEquals(firstPortalConversation.getStatusCode(), 302);
+ String portalToJOSSO = firstPortalConversation.getRedirectLocation();
+ this.sendGet(portalToJOSSO, firstPortalConversation, false);
//When authentication is triggered, move over to the JOSSO server establishing an
SSO session with JOSSO
- String jossoLocation = portalConversation.getRedirectLocation();
- WebConversation ssoConversation = this.startConversation(jossoLocation);
- String response = ssoConversation.getResponse();
+ String jossoLocation = firstPortalConversation.getRedirectLocation();
+ WebConversation gatewayConversation = this.startConversation(jossoLocation);
+ String response = gatewayConversation.getResponse();
//Extract the josso post action value
int searchIndex = response.indexOf("action=\"")+9;
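Review bot: `TestCase.assertEquals(firstPortalConversation.getStatusCode(), 302)` passes the observed status as the expected value, so on failure the message labels 302 as what was seen and the real status as what was expected; JUnit's convention is expected first, `TestCase.assertEquals(302, firstPortalConversation.getStatusCode());`. The same reversed order is introduced twice more for `secondPortalConversation` in the next hunk. The bare `false` handed to `sendGet` also reads as a magic value; the callers depend on redirects not being followed so that `getRedirectLocation()` and the 302 can be asserted on the next lines, which a Javadoc on `sendGet` should spell out.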
@@ -245,43 +240,46 @@
postParams.put("josso_username", this.username);
postParams.put("josso_password", this.password);
postParams.put("josso_cmd", "login");
- this.sendPost("http:"+ this.jossoServer +"/"+action,postParams,
ssoConversation);
-
- //Go back to the Portal since login has succeeded, starting with assertion on the
JOSSO Agent installed on the Portal
- String assertUrl = ssoConversation.getRedirectLocation();
- this.sendGet(assertUrl, portalConversation);
-
+ this.sendPost("http://"+ this.jossoServer
+":8080/"+action,postParams, gatewayConversation);
+ String assertUrl = gatewayConversation.getRedirectLocation();
+ this.sendGet(assertUrl, firstPortalConversation, false);
+
//Now go back to the original Portal resource requested. This time user should have
an authenticated session established
- TestCase.assertNotNull(portalConversation.getRedirectLocation());
- TestCase.assertEquals(portalConversation.getStatusCode(), 302);
-
TestCase.assertTrue(portalConversation.getRedirectLocation().indexOf(firstContextLoginUrl)
!= -1);
- TestCase.assertNotNull(portalConversation.getSSOCookie());
- String goBack = portalConversation.getRedirectLocation();
- ssoCookie = ssoConversation.getSSOCookie();
- this.sendGet(goBack, portalConversation);
- firstPortalFinalResponse = portalConversation.getResponse();
+ TestCase.assertNotNull(firstPortalConversation.getRedirectLocation());
+ TestCase.assertEquals(firstPortalConversation.getStatusCode(), 302);
+
TestCase.assertTrue(firstPortalConversation.getRedirectLocation().indexOf(firstContextLoginUrl)
!= -1);
+ TestCase.assertNotNull(firstPortalConversation.getSSOCookie());
+ String goBack = firstPortalConversation.getRedirectLocation();
+ this.sendGet(goBack, firstPortalConversation, false);
+ firstPortalFinalResponse = firstPortalConversation.getResponse();
TestCase.assertTrue(this.isUserLoggedIn(firstPortalFinalResponse));
+
//Load the main portal page on secondPortalContext
String secondContextPortalUrl = this.secondPortal;
- portalConversation = this.startConversation(secondContextPortalUrl);
+ WebConversation secondPortalConversation =
this.startConversation(secondContextPortalUrl);
//Click the Login Link on the secondPortalContext
String secondContextLoginUrl = secondContextPortalUrl +
"/auth/portal/default/default";
- this.sendGet(secondContextLoginUrl, portalConversation);
+ this.sendGet(secondContextLoginUrl, secondPortalConversation, false);
//Perform re-direct to the JOSSO Server but this time sending in the JOSSO cookie
- TestCase.assertNotNull(portalConversation.getRedirectLocation());
- TestCase.assertEquals(portalConversation.getStatusCode(), 302);
- portalToJOSSO = portalConversation.getRedirectLocation();
- this.sendGet(portalToJOSSO, portalConversation);
+ TestCase.assertNotNull(secondPortalConversation.getRedirectLocation());
+ TestCase.assertEquals(secondPortalConversation.getStatusCode(), 302);
+ portalToJOSSO = secondPortalConversation.getRedirectLocation();
+ this.sendGet(portalToJOSSO, secondPortalConversation, false);
//Assert the redirect and it should be to the JOSSO Server, but this time
//It should end up with an Authenticated session back to the secondPortalContext
- jossoLocation = portalConversation.getRedirectLocation();
- ssoConversation = this.startConversation(jossoLocation,ssoCookie);
- secondPortalFinalResponse = ssoConversation.getResponse();
+ jossoLocation = secondPortalConversation.getRedirectLocation();
+ this.sendGet(jossoLocation, gatewayConversation, false);
+ assertUrl = gatewayConversation.getRedirectLocation();
+ this.sendGet(assertUrl, secondPortalConversation, true);
+
+
+ //Assert that automatic login occurred
+ secondPortalFinalResponse = secondPortalConversation.getResponse();
TestCase.assertTrue(this.isUserLoggedIn(secondPortalFinalResponse));
//Assert and make sure its the same user logged into both Portals
@@ -380,13 +378,7 @@
TestCase.assertEquals(secondPortalUser, this.username);
TestCase.assertEquals(firstPortalUser, secondPortalUser);
}*/
-
- /**
- *
- * @param portalUrl
- * @return
- * @throws Exception
- */
+
//-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
private WebConversation startConversation(String portalUrl) throws Exception
{
WebConversation conversation = null;
@@ -405,7 +397,7 @@
{
if(cookies[i].getName().equals("JSESSIONID"))
{
- conversation.setSessionId(cookies[i].getValue());
+ conversation.setSessionCookie(cookies[i]);
}
}
@@ -422,67 +414,14 @@
}
return conversation;
- }
-
- /**
- *
- * @param portalUrl
- * @return
- * @throws Exception
- */
- private WebConversation startConversation(String portalUrl, Cookie ssoCookie) throws
Exception
+ }
+
+ private void sendGet(String portalUrl,WebConversation conversation, boolean
followRedirects) throws Exception
{
- WebConversation conversation = null;
-
- HttpClient httpClient = new HttpClient();
- GetMethod getMethod = new GetMethod(portalUrl);
-
- //Set ssoCookie to be sent in
-
getMethod.setRequestHeader("Cookie",ssoCookie.getName()+"="+ssoCookie.getValue());
-
- try
- {
- conversation = new WebConversation();
-
- int statusCode = httpClient.executeMethod(getMethod);
- String response = getMethod.getResponseBodyAsString();
-
- Cookie[] cookies = httpClient.getState().getCookies();
- for(int i=0;i<cookies.length;i++)
- {
- if(cookies[i].getName().equals("JSESSIONID"))
- {
- conversation.setSessionId(cookies[i].getValue());
- }
- }
-
- conversation.setClient(httpClient);
- conversation.setStatusCode(statusCode);
- conversation.setResponse(response);
- }
- finally
- {
- if(getMethod != null)
- {
- getMethod.releaseConnection();
- }
- }
-
- return conversation;
- }
-
- /**
- *
- * @param portalUrl
- * @param conversation
- * @throws Exception
- */
- private void sendGet(String portalUrl,WebConversation conversation) throws Exception
- {
HttpClient httpClient = conversation.getClient();
GetMethod getMethod = new GetMethod(portalUrl);
- getMethod.setFollowRedirects(false);
+ getMethod.setFollowRedirects(followRedirects);
try
{
int statusCode = httpClient.executeMethod(getMethod);
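Review bot: The new `followRedirects` parameter on `sendGet` is undocumented, and the empty Javadoc stub that preceded the old signature was deleted rather than filled in. From its callers in `testMultiHostDeployment`, which pass `false` and then assert on `getRedirectLocation()` and a 302 status, the contract worth stating is that with `false` the 3xx response is recorded on the conversation for the caller to inspect, while `true` lets HttpClient follow the redirect so the conversation ends up holding the final page; a `@param followRedirects` along those lines would do. The `sendGet` body continues below the hunk.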
@@ -494,7 +433,7 @@
{
if(cookies[i].getName().equals("JSESSIONID"))
{
- conversation.setSessionId(cookies[i].getValue());
+ conversation.setSessionCookie(cookies[i]);
}
if(cookies[i].getName().equals("JOSSO_SESSIONID"))
{
@@ -520,15 +459,7 @@
}
}
}
-
-
- /**
- *
- * @param url
- * @param parameters
- * @param conversation
- * @throws Exception
- */
+
private void sendPost(String url,Map parameters,WebConversation conversation) throws
Exception
{
HttpClient httpClient = conversation.getClient();
@@ -557,7 +488,7 @@
{
if(cookies[i].getName().equals("JSESSIONID"))
{
- conversation.setSessionId(cookies[i].getValue());
+ conversation.setSessionCookie(cookies[i]);
}
if(cookies[i].getName().equals("JOSSO_SESSIONID"))
{
@@ -583,12 +514,7 @@
}
}
}
-
- /**
- *
- * @param response
- * @return
- */
+
private boolean isUserLoggedIn(String response)
{
boolean isUserLoggedIn = false;
@@ -597,12 +523,7 @@
return isUserLoggedIn;
}
-
- /**
- *
- * @param response
- * @return
- */
+
private String extractLoggedInUser(String response)
{
String loggedInUser = null;
@@ -614,23 +535,18 @@
return loggedInUser;
}
-
- /**
- *
- * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
- *
- */
+
private static class WebConversation
{
/**
*
*/
- private HttpClient client = null;
- private String sessionId = null;
+ private HttpClient client = null;
private int statusCode = 0;
private String response = null;
private String redirectLocation = null;
private Cookie ssoCookie = null;
+ private Cookie sessionCookie = null;
/**
*
@@ -679,16 +595,6 @@
this.statusCode = statusCode;
}
- public String getSessionId()
- {
- return sessionId;
- }
-
- public void setSessionId(String sessionId)
- {
- this.sessionId = sessionId;
- }
-
public String getRedirectLocation()
{
return redirectLocation;
@@ -708,5 +614,20 @@
{
this.ssoCookie = ssoCookie;
}
+
+ public String getSessionId()
+ {
+ return this.sessionCookie.getValue();
+ }
+
+ public void setSessionCookie(Cookie sessionCookie)
+ {
+ this.sessionCookie = sessionCookie;
+ }
+
+ public Cookie getSessionCookie()
+ {
+ return this.sessionCookie;
+ }
}
}
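Review bot: `getSessionId()` now returns `this.sessionCookie.getValue()` with no null check, but `sessionCookie` is initialised to `null` and is only assigned when a `JSESSIONID` cookie shows up in the HttpClient state, so a conversation that has not received one throws `NullPointerException` where the removed `getSessionId()` returned `null`. Either keep the old contract with `return this.sessionCookie == null ? null : this.sessionCookie.getValue();` or document that the accessor requires a session to have been established. The new accessors, like the rest of `WebConversation`, carry no Javadoc; a one-line note on what `sessionCookie` holds versus `ssoCookie` would help a reader of the test.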