Check FormAuthentication location cookie
sberyozkin committed Mar 8, 2022
1 parent b2edb13 commit a2a3f8f
Showing 2 changed files with 30 additions and 1 deletion.
Expand Up @@ -116,7 +116,7 @@ public void testFormBasedAuthSuccessLandingPage() {
}

@Test
public void testFormAuthFailure() {
public void testFormAuthFailureWrongPassword() {
CookieFilter cookies = new CookieFilter();
RestAssured
.given()
Expand All @@ -132,4 +132,20 @@ public void testFormAuthFailure() {
.header("location", containsString("/error"));

}

@Test
public void testFormAuthFailureWrongRedirect() {
CookieFilter cookies = new CookieFilter();
RestAssured
.given()
.filter(cookies)
.when()
.cookies("redirect-location", "http://localhost")
.formParam("username", "admin")
.formParam("password", "admin")
.post("/auth")
.then()
.assertThat()
.statusCode(401);
}
}
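Review bot: `testFormAuthFailureWrongRedirect` only exercises an authority that differs from the request by port (`http://localhost` against whatever port the test server listens on, which is outside this section), so it would keep passing even if the check were later weakened to compare hosts only. Add a case whose host and scheme both differ, e.g. `.cookies("redirect-location", "https://attacker.example/")`, and assert that the 401 carries no `location` header so a regression that rejects the login but still echoes the cookie value is caught. The port-only difference is inferred from the surrounding test setup rather than visible here.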
@@ -1,5 +1,6 @@
package io.quarkus.vertx.http.runtime.security;

import java.net.URI;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Optional;
Expand All @@ -9,6 +10,7 @@
import org.jboss.logging.Logger;

import io.netty.handler.codec.http.HttpHeaderNames;
import io.quarkus.security.AuthenticationCompletionException;
import io.quarkus.security.credential.PasswordCredential;
import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
Expand Down Expand Up @@ -118,6 +120,7 @@ protected void handleRedirectBack(final RoutingContext exchange) {
Cookie redirect = exchange.getCookie(locationCookie);
String location;
if (redirect != null) {
verifyRedirectBackLocation(exchange.request().absoluteURI(), redirect.getValue());
redirect.setSecure(exchange.request().isSSL());
location = redirect.getValue();
exchange.response().addCookie(redirect.setMaxAge(0));
Expand All @@ -129,6 +132,16 @@ protected void handleRedirectBack(final RoutingContext exchange) {
exchange.response().end();
}

protected void verifyRedirectBackLocation(String requestURIString, String redirectUriString) {
URI requestUri = URI.create(requestURIString);
URI redirectUri = URI.create(redirectUriString);
if (!requestUri.getAuthority().equals(redirectUri.getAuthority()) || requestUri.getScheme() != redirectUri.getScheme()) {
log.errorf("Location cookie value %s does not match the current request URI %s's scheme, host or port", redirectUriString,
requestURIString);
throw new AuthenticationCompletionException();
}
}

protected void storeInitialLocation(final RoutingContext exchange) {
exchange.response().addCookie(Cookie.cookie(locationCookie, exchange.request().absoluteURI())
.setPath("/").setSecure(exchange.request().isSSL()));
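Review bot: `verifyRedirectBackLocation` compares the schemes with `!=`, which on the `String` returned by `URI.getScheme()` is a reference comparison rather than a content check, so that half of the condition does not express the intended equality test; write it as `|| !requestUri.getScheme().equals(redirectUri.getScheme())`, keeping the request URI on the left so a relative or scheme-less cookie value (null scheme or authority) fails closed instead of throwing `NullPointerException`. The cookie value is client-controlled and `URI.create` throws `IllegalArgumentException` on a malformed value, which presumably surfaces as a server error rather than the 401 the new test expects for a bad cookie; catching it and rethrowing `AuthenticationCompletionException` keeps both cases on the same path. The error log also echoes the raw cookie value, so consider logging it at debug level or trimming it. `handleRedirectBack`, whose hunk adds the call to this method, begins before its hunk and its body continues outside the visible lines.
```java
protected void verifyRedirectBackLocation(String requestURIString, String redirectUriString) {
    URI requestUri = URI.create(requestURIString);
    URI redirectUri;
    try {
        redirectUri = URI.create(redirectUriString);
    } catch (IllegalArgumentException ex) {
        log.error("Location cookie value is not a valid URI");
        throw new AuthenticationCompletionException();
    }
    // request side is an absolute URI, so its scheme/authority are non-null; equals() is null-safe for the cookie side
    if (!requestUri.getAuthority().equals(redirectUri.getAuthority())
            || !requestUri.getScheme().equals(redirectUri.getScheme())) {
        // … unchanged: log mismatch and throw AuthenticationCompletionException …
    }
}
```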
