From portal-commits at lists.jboss.org Fri Apr 17 17:46:07 2009
Content-Type: multipart/mixed; boundary="===============4061167337570141315=="
MIME-Version: 1.0
From: portal-commits at lists.jboss.org
To: portal-commits at lists.jboss.org
Subject: [portal-commits] JBoss Portal SVN: r13227 - in
 modules/identity/trunk/sso/src: test/java/org/jboss/portal/test/identity/sso
 and 1 other directory.
Date: Fri, 17 Apr 2009 17:46:07 -0400
Message-ID: <E1Luvst-0001dk-4X@committer01.frg.pub.inap.atl.jboss.com>

--===============4061167337570141315==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Author: sohil.shah(a)jboss.com
Date: 2009-04-17 17:46:06 -0400 (Fri, 17 Apr 2009)
New Revision: 13227

Modified:
   modules/identity/trunk/sso/src/main/java/org/jboss/portal/identity/sso/j=
osso/JOSSOLogoutValve.java
   modules/identity/trunk/sso/src/test/java/org/jboss/portal/test/identity/=
sso/JOSSOTestCase.java
Log:
JBEPP-33 - no validation for cookie value with SSO

Modified: modules/identity/trunk/sso/src/main/java/org/jboss/portal/identit=
y/sso/josso/JOSSOLogoutValve.java
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- modules/identity/trunk/sso/src/main/java/org/jboss/portal/identity/sso/=
josso/JOSSOLogoutValve.java	2009-04-17 06:02:23 UTC (rev 13226)
+++ modules/identity/trunk/sso/src/main/java/org/jboss/portal/identity/sso/=
josso/JOSSOLogoutValve.java	2009-04-17 21:46:06 UTC (rev 13227)
@@ -26,7 +26,6 @@
 =

 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.Cookie;
 =

 import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
@@ -47,77 +46,15 @@
    {
       HttpServletRequest httpRequest =3D (HttpServletRequest) request;
       request.setAttribute("ssoEnabled", "true");
-            =

-      Cookie jossoPortalCookie =3D this.findJOSSOPortalLogoutCookie(httpRe=
quest);
-      if(jossoPortalCookie !=3D null)
-      {
-         String referer =3D jossoPortalCookie.getValue();
-         =

-         if(referer !=3D null && referer.trim().length() > 0)
-         {
-            //Delete this cookie
-            jossoPortalCookie =3D new Cookie("JOSSO_PORTAL_LOGOUT", "");
-            jossoPortalCookie.setMaxAge(0); //setting the value to 0 shoul=
d delete this cookie from the browser
-            response.addCookie(jossoPortalCookie);
-            =

-            //This form of redirect is needed instead of sendRedirect
-            //otherwise the JBOSS_PORTAL_LOGOUT cookie cleanup does not ha=
ppen
-            StringBuffer buffer =3D new StringBuffer();
-            buffer.append("<html>"+"\n");
-            buffer.append("<head>"+"\n");
-            buffer.append("</head>"+"\n");
-            buffer.append("<body onload=3D\"setTimeout('document.form1.sub=
mit()',1000);\">"+"\n");
-            buffer.append("<form name=3D\"form1\" action=3D\""+referer+"\"=
 method=3D\"post\">"+"\n");            =

-            buffer.append("</form>"+"\n");
-            buffer.append("</body>"+"\n");
-            buffer.append("</html>"+"\n");
-            =

-            response.getOutputStream().write(buffer.toString().getBytes());
-            response.getOutputStream().flush();
-            =

-            return;
-         }
-      }
-      =

-      // continue processing the request
+                        =

+      //Logout not activated, Continue processing the request through the =
system
       this.getNext().invoke(request, response);
       =

+      //Check if Logout was activated...If so, perform a JOSSO logout
       if(request.getAttribute("org.jboss.portal.logout") !=3D null)
       {    =

-    	  String jossoLogout =3D httpRequest.getContextPath() + "/josso_logou=
t/";
-         =

-         Cookie cookie =3D new Cookie("JOSSO_PORTAL_LOGOUT",httpRequest.ge=
tHeader("Referer"));
-         cookie.setMaxAge(-1); //setting the value so that cookie expires =
when broser is closed
-         response.addCookie(cookie);
-         =

+    	 String jossoLogout =3D httpRequest.getContextPath() + "/josso_logout=
/";                           =

          response.sendRedirect(jossoLogout);
       }            =

-   }   =

-   =

-   /**
-    * =

-    * @param request
-    * @return
-    */
-   private Cookie findJOSSOPortalLogoutCookie(HttpServletRequest request)
-   {
-      Cookie cookie =3D null;
-      =

-      Cookie[] cookies =3D request.getCookies();
-      if(cookies !=3D null)
-      {
-         for(int i=3D0; i<cookies.length; i++)
-         {
-            Cookie cour =3D cookies[i];
-            =

-            if(cour.getName().equals("JOSSO_PORTAL_LOGOUT"))
-            {
-               cookie =3D cour;
-               break;
-            }
-         }
-      }
-      =

-      return cookie;
-   }
+   }         =

 }

Modified: modules/identity/trunk/sso/src/test/java/org/jboss/portal/test/id=
entity/sso/JOSSOTestCase.java
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- modules/identity/trunk/sso/src/test/java/org/jboss/portal/test/identity=
/sso/JOSSOTestCase.java	2009-04-17 06:02:23 UTC (rev 13226)
+++ modules/identity/trunk/sso/src/test/java/org/jboss/portal/test/identity=
/sso/JOSSOTestCase.java	2009-04-17 21:46:06 UTC (rev 13227)
@@ -32,7 +32,6 @@
 import org.apache.commons.httpclient.NameValuePair;
 import org.apache.commons.httpclient.methods.GetMethod;
 import org.apache.commons.httpclient.methods.PostMethod;
-import org.apache.commons.httpclient.protocol.Protocol;
 =

 import junit.framework.TestCase;
 =

@@ -58,13 +57,10 @@
     *
     */
    protected void setUp() throws Exception
-   {
-      //SSL setup
-      Protocol.registerProtocol("https",new Protocol("https", new EasySSLP=
rotocolSocketFactory(), 443));
-      =

-      this.firstPortal =3D "http://josso-01/portal";
-      this.secondPortal =3D "http://josso-02/portal";
-      this.sameHostSecondPortal =3D "http://josso-01/portal2";
+   {      =

+      this.firstPortal =3D "http://josso-01:8080/portal";
+      this.secondPortal =3D "http://josso-02:8080/portal";
+      this.sameHostSecondPortal =3D "http://josso-01:8080/portal2";
       this.jossoServer =3D "josso-01";
       this.userLoggedInIndicator =3D "Logged in as:";
       this.username =3D "user";
@@ -203,7 +199,7 @@
    {
       this.sameHostSecondPortal =3D sameHostSecondPortal;
    }
-
+   //---------------------------------------------------------------------=
---------------------------------------------------------------------------=
-----------------------
    /**
     * This tests the scenario when the two portals are deployed on separat=
e hosts/servers
     *
@@ -211,29 +207,28 @@
     */
    public void testMultiHostDeployment() throws Exception
    {
-      Cookie ssoCookie =3D null;
       String firstPortalFinalResponse =3D null;
       String secondPortalFinalResponse =3D null;
 =

       //Load the main portal page on firstPortalContext
       String firstContextPortalUrl =3D this.firstPortal;
-      WebConversation portalConversation =3D this.startConversation(firstC=
ontextPortalUrl);
-      TestCase.assertFalse(this.isUserLoggedIn(portalConversation.getRespo=
nse()));
+      WebConversation firstPortalConversation =3D this.startConversation(f=
irstContextPortalUrl);
+      TestCase.assertFalse(this.isUserLoggedIn(firstPortalConversation.get=
Response()));
 =

       //Click the Login link on the firstPortalContext
       String firstContextLoginUrl =3D firstContextPortalUrl + "/auth/porta=
l/default/default";
-      this.sendGet(firstContextLoginUrl, portalConversation);
+      this.sendGet(firstContextLoginUrl, firstPortalConversation, false);
 =

       //Navigate to a secured resource on the portal
-      TestCase.assertNotNull(portalConversation.getRedirectLocation());
-      TestCase.assertEquals(portalConversation.getStatusCode(), 302);
-      String portalToJOSSO =3D portalConversation.getRedirectLocation();
-      this.sendGet(portalToJOSSO, portalConversation);
+      TestCase.assertNotNull(firstPortalConversation.getRedirectLocation()=
);
+      TestCase.assertEquals(firstPortalConversation.getStatusCode(), 302);
+      String portalToJOSSO =3D firstPortalConversation.getRedirectLocation=
();
+      this.sendGet(portalToJOSSO, firstPortalConversation, false);
 =

       //When authentication is triggered, move over to the JOSSO server es=
tablishing an SSO session with JOSSO
-      String jossoLocation =3D portalConversation.getRedirectLocation();
-      WebConversation ssoConversation =3D this.startConversation(jossoLoca=
tion);
-      String response =3D ssoConversation.getResponse();
+      String jossoLocation =3D firstPortalConversation.getRedirectLocation=
();
+      WebConversation gatewayConversation =3D this.startConversation(josso=
Location);
+      String response =3D gatewayConversation.getResponse();
 =

       //Extract the josso post action value
       int searchIndex =3D response.indexOf("action=3D\"")+9;
@@ -245,43 +240,46 @@
       postParams.put("josso_username", this.username);
       postParams.put("josso_password", this.password);
       postParams.put("josso_cmd", "login");
-      this.sendPost("http:"+ this.jossoServer +"/"+action,postParams, ssoC=
onversation);
-
-      //Go back to the Portal since login has succeeded, starting with ass=
ertion on the JOSSO Agent installed on the Portal
-      String assertUrl =3D ssoConversation.getRedirectLocation();
-      this.sendGet(assertUrl, portalConversation);
-
+      this.sendPost("http://"+ this.jossoServer +":8080/"+action,postParam=
s, gatewayConversation);      =

+      String assertUrl =3D gatewayConversation.getRedirectLocation();
+      this.sendGet(assertUrl, firstPortalConversation, false);
+      =

       //Now go back to the original Portal resource requested. This time u=
ser should have an authenticated session established
-      TestCase.assertNotNull(portalConversation.getRedirectLocation());
-      TestCase.assertEquals(portalConversation.getStatusCode(), 302);
-      TestCase.assertTrue(portalConversation.getRedirectLocation().indexOf=
(firstContextLoginUrl) !=3D -1);
-      TestCase.assertNotNull(portalConversation.getSSOCookie());
-      String goBack =3D portalConversation.getRedirectLocation();
-      ssoCookie =3D ssoConversation.getSSOCookie();
-      this.sendGet(goBack, portalConversation);
-      firstPortalFinalResponse =3D portalConversation.getResponse();
+      TestCase.assertNotNull(firstPortalConversation.getRedirectLocation()=
);
+      TestCase.assertEquals(firstPortalConversation.getStatusCode(), 302);
+      TestCase.assertTrue(firstPortalConversation.getRedirectLocation().in=
dexOf(firstContextLoginUrl) !=3D -1);
+      TestCase.assertNotNull(firstPortalConversation.getSSOCookie());
+      String goBack =3D firstPortalConversation.getRedirectLocation();    =
  =

+      this.sendGet(goBack, firstPortalConversation, false);
+      firstPortalFinalResponse =3D firstPortalConversation.getResponse();
       TestCase.assertTrue(this.isUserLoggedIn(firstPortalFinalResponse));
+      =

 =

       //Load the main portal page on secondPortalContext
       String secondContextPortalUrl =3D this.secondPortal;
-      portalConversation =3D this.startConversation(secondContextPortalUrl=
);
+      WebConversation secondPortalConversation =3D this.startConversation(=
secondContextPortalUrl);
 =

       //Click the Login Link on the secondPortalContext
       String secondContextLoginUrl =3D secondContextPortalUrl + "/auth/por=
tal/default/default";
-      this.sendGet(secondContextLoginUrl, portalConversation);
+      this.sendGet(secondContextLoginUrl, secondPortalConversation, false);
 =

       //Perform re-direct to the JOSSO Server but this time sending in the=
 JOSSO cookie
-      TestCase.assertNotNull(portalConversation.getRedirectLocation());
-      TestCase.assertEquals(portalConversation.getStatusCode(), 302);
-      portalToJOSSO =3D portalConversation.getRedirectLocation();
-      this.sendGet(portalToJOSSO, portalConversation);
+      TestCase.assertNotNull(secondPortalConversation.getRedirectLocation(=
));
+      TestCase.assertEquals(secondPortalConversation.getStatusCode(), 302);
+      portalToJOSSO =3D secondPortalConversation.getRedirectLocation();
+      this.sendGet(portalToJOSSO, secondPortalConversation, false);
 =

 =

       //Assert the redirect and it should be to the JOSSO Server, but this=
 time
       //It should end up with an Authenticated session back to the secondP=
ortalContext
-      jossoLocation =3D portalConversation.getRedirectLocation();
-      ssoConversation =3D this.startConversation(jossoLocation,ssoCookie);
-      secondPortalFinalResponse =3D ssoConversation.getResponse();
+      jossoLocation =3D secondPortalConversation.getRedirectLocation();   =
   =

+      this.sendGet(jossoLocation, gatewayConversation, false);
+      assertUrl =3D gatewayConversation.getRedirectLocation();
+      this.sendGet(assertUrl, secondPortalConversation, true);
+      =

+      =

+      //Assert that automatic login occurred
+      secondPortalFinalResponse =3D secondPortalConversation.getResponse();
       TestCase.assertTrue(this.isUserLoggedIn(secondPortalFinalResponse));
 =

       //Assert and make sure its the same user logged into both Portals
@@ -380,13 +378,7 @@
       TestCase.assertEquals(secondPortalUser, this.username);
       TestCase.assertEquals(firstPortalUser, secondPortalUser);
    }*/
-
-   /**
-    *
-    * @param portalUrl
-    * @return
-    * @throws Exception
-    */
+   //---------------------------------------------------------------------=
---------------------------------------------------------------------------=
-----------------------   =

    private WebConversation startConversation(String portalUrl) throws Exce=
ption
    {
       WebConversation conversation =3D null;
@@ -405,7 +397,7 @@
          {
             if(cookies[i].getName().equals("JSESSIONID"))
             {
-               conversation.setSessionId(cookies[i].getValue());
+               conversation.setSessionCookie(cookies[i]);
             }
          }
 =

@@ -422,67 +414,14 @@
       }
 =

       return conversation;
-   }
-
-   /**
-    *
-    * @param portalUrl
-    * @return
-    * @throws Exception
-    */
-   private WebConversation startConversation(String portalUrl, Cookie ssoC=
ookie) throws Exception
+   }   =

+   =

+   private void sendGet(String portalUrl,WebConversation conversation, boo=
lean followRedirects) throws Exception
    {
-      WebConversation conversation =3D null;
-
-      HttpClient httpClient =3D new HttpClient();
-      GetMethod getMethod =3D new GetMethod(portalUrl);
-
-      //Set ssoCookie to be sent in
-      getMethod.setRequestHeader("Cookie",ssoCookie.getName()+"=3D"+ssoCoo=
kie.getValue());
-
-      try
-      {
-         conversation =3D new WebConversation();
-
-         int statusCode =3D httpClient.executeMethod(getMethod);
-         String response =3D getMethod.getResponseBodyAsString();
-
-         Cookie[] cookies =3D httpClient.getState().getCookies();
-         for(int i=3D0;i<cookies.length;i++)
-         {
-            if(cookies[i].getName().equals("JSESSIONID"))
-            {
-               conversation.setSessionId(cookies[i].getValue());
-            }
-         }
-
-         conversation.setClient(httpClient);
-         conversation.setStatusCode(statusCode);
-         conversation.setResponse(response);
-      }
-      finally
-      {
-         if(getMethod !=3D null)
-         {
-            getMethod.releaseConnection();
-         }
-      }
-
-      return conversation;
-   }
-
-   /**
-    *
-    * @param portalUrl
-    * @param conversation
-    * @throws Exception
-    */
-   private void sendGet(String portalUrl,WebConversation conversation) thr=
ows Exception
-   {
       HttpClient httpClient =3D conversation.getClient();
 =

       GetMethod getMethod =3D new GetMethod(portalUrl);
-      getMethod.setFollowRedirects(false);
+      getMethod.setFollowRedirects(followRedirects);
       try
       {
          int statusCode =3D httpClient.executeMethod(getMethod);
@@ -494,7 +433,7 @@
          {
             if(cookies[i].getName().equals("JSESSIONID"))
             {
-               conversation.setSessionId(cookies[i].getValue());
+               conversation.setSessionCookie(cookies[i]);
             }
             if(cookies[i].getName().equals("JOSSO_SESSIONID"))
             {
@@ -520,15 +459,7 @@
          }
       }
    }
-
-
-   /**
-    *
-    * @param url
-    * @param parameters
-    * @param conversation
-    * @throws Exception
-    */
+   =

    private void sendPost(String url,Map parameters,WebConversation convers=
ation) throws Exception
    {
       HttpClient httpClient =3D conversation.getClient();
@@ -557,7 +488,7 @@
          {
             if(cookies[i].getName().equals("JSESSIONID"))
             {
-               conversation.setSessionId(cookies[i].getValue());
+               conversation.setSessionCookie(cookies[i]);
             }
             if(cookies[i].getName().equals("JOSSO_SESSIONID"))
             {
@@ -583,12 +514,7 @@
          }
       }
    }
-
-   /**
-    *
-    * @param response
-    * @return
-    */
+   =

    private boolean isUserLoggedIn(String response)
    {
       boolean isUserLoggedIn =3D false;
@@ -597,12 +523,7 @@
 =

       return isUserLoggedIn;
    }
-
-   /**
-    *
-    * @param response
-    * @return
-    */
+   =

    private String extractLoggedInUser(String response)
    {
       String loggedInUser =3D null;
@@ -614,23 +535,18 @@
 =

       return loggedInUser;
    }
-
-   /**
-    *
-    * @author <a href=3D"mailto:sshah(a)redhat.com">Sohil Shah</a>
-    *
-    */
+   =

    private static class WebConversation
    {
       /**
        *
        */
-      private HttpClient client =3D null;
-      private String sessionId =3D null;
+      private HttpClient client =3D null;      =

       private int statusCode =3D 0;
       private String response =3D null;
       private String redirectLocation =3D null;
       private Cookie ssoCookie =3D null;
+      private Cookie sessionCookie =3D null;
 =

       /**
        *
@@ -679,16 +595,6 @@
          this.statusCode =3D statusCode;
       }
 =

-      public String getSessionId()
-      {
-         return sessionId;
-      }
-
-      public void setSessionId(String sessionId)
-      {
-         this.sessionId =3D sessionId;
-      }
-
       public String getRedirectLocation()
       {
          return redirectLocation;
@@ -708,5 +614,20 @@
       {
          this.ssoCookie =3D ssoCookie;
       }
+      =

+      public String getSessionId()
+      {
+         return this.sessionCookie.getValue();
+      }
+
+      public void setSessionCookie(Cookie sessionCookie)
+      {
+         this.sessionCookie =3D sessionCookie;
+      }
+      =

+      public Cookie getSessionCookie()
+      {
+         return this.sessionCookie;
+      }
    }
 }


--===============4061167337570141315==--