Add a warning about the security hole :-(
1<!DOCTYPE html>\r
2<html>\r
3<head>\r
4<meta http-equiv="Content-Type" content="text/html; charset=utf-8">\r
5<!--#include file="Ucam_Webauth.vbs"-->\r
6</head>\r
7<%\r
8\r
9Sub Main\r
10\r
11 ' Examine the 'UcamWebAuthTestingClient' cookie.\r
12 ' This cookie is used to store the index number of \r
13 ' the LAST test and the outcome of that test. This \r
14 ' cookie is only updated when an authentication \r
15 ' cycle is complete (which could be due to an \r
16 ' error) so we use the cookie to determine the \r
17 ' index of the CURRENT test. \r
18 ' \r
19 ' NOTE: This cookie is completely separate \r
20 ' from the 'Authentication cookie' and is \r
21 ' purely used for testing.\r
22 '\r
23 ' The actual value of the cookie consists of \r
24 ' three elements delimited by '!': \r
25 '\r
26 ' 'index!status_code!status_message'\r
27 \r
28 testing_client_cookie_name = "UcamWebAuthTestingClient"\r
29 testing_client_cookie_index = 1\r
30 \r
31 If (Request.Cookies(testing_client_cookie_name) <> "") Then\r
32 testing_client_cookie_value = Request.Cookies(testing_client_cookie_name)\r
33 testing_client_cookie_array = Split(testing_client_cookie_value, "!")\r
34 testing_client_cookie_index = CInt(testing_client_cookie_array(0))\r
35 testing_client_cookie_index = testing_client_cookie_index + 1\r
36 End If\r
37 \r
38 ' Create 'Scripting.Dictionary' object \r
39 ' to hold the arguments we will supply \r
40 ' to the 'Ucam_Webauth' object.\r
41 \r
42 Set args = CreateObject("Scripting.Dictionary")\r
43 \r
44 ' Add the different arguments to the 'args' \r
45 ' associative array as name/value pairs.\r
46 ' Both name and value must be strings \r
47 ' so integers must be added as "x", eg. "60".\r
48\r
49 ' 'auth_service' is the WLS authentication server.\r
50 ' The following line gives the the demo Raven testing server:\r
51\r
52 ' args.Add "auth_service", "https://demo.raven.cam.ac.uk/auth/authenticate.html"\r
53\r
54 ' We're testing with our Dummy Raven WLS server so use that:\r
55 args.Add "auth_service", "http://www2.careers.cam.ac.uk:11812" \r
56\r
57 ' 'hostname' must be a domain name and perhaps a \r
58 ' port but nothing more.\r
59 \r
60 args.Add "hostname", "localhost:81"\r
61\r
62 ' 'log_file' is the location of the logfile \r
63 ' which must be read/writable by the webserver.\r
64 \r
65 args.Add "log_file", "C:/wamp/www/raven/vbscriptlog.txt"\r
66\r
67 ' 'key_dir' is the directory holding the \r
68 ' public key certificate.\r
69 \r
70 args.Add "key_dir", "C:/wamp/www/raven"\r
71\r
72 ' 'cookie_key' is the key used to generate \r
73 ' hash values of the authentication cookie. \r
74 ' Ideally it should be changed on a regular basis \r
75 ' but not during sessions.\r
76 \r
77 args.Add "cookie_key", "Random string"\r
78\r
79 ' We add the current iteration of testing in \r
80 ' 'testing_client_cookie_index' as a parameter \r
81 ' to Ucam_Webauth which should then be \r
82 ' included as a parameter in the authentication \r
83 ' request to the WLS and the subsequent \r
84 ' authentication response back from the WLS.\r
85 \r
86 args.Add "authrequest_params", CStr(testing_client_cookie_index)\r
87\r
88\r
89 ' Create new instance of 'Ucam_Webauth' \r
90 ' and supply arguments.\r
91 ' We do not need to include 'Request' and 'Response' \r
92 ' variables (as in C# version), in order to get/set \r
93 ' cookies and server variables and perform redirects \r
94 ' as these variables are globally accessible to ASP class.\r
95 \r
96 Set oUcam_Webauth = New Ucam_Webauth\r
97 Call oUcam_Webauth(args) \r
98 \r
99 ' For the purposes of testing, we provide \r
100 ' a 'Logout' link that removes the local \r
101 ' authentication cookie and then displays \r
102 ' a link to easily logout the Raven WLS.\r
103 ' So we check to see if this 'Action=Logout' \r
104 ' link has been called and logout/display \r
105 ' link accordingly.\r
106 \r
107 If (Request.ServerVariables("QUERY_STRING") = "Action=Logout") Then\r
108 oUcam_Webauth.ResetState()\r
109 Response.Write("Logged out of Raven (local)<br/>")\r
110 Response.Write("<a href='https://raven.cam.ac.uk/auth/logout.html'>Logout Raven (remote)</a><br/>" & _\r
111 "<a href='Default.asp'>Access Raven authenticated page</a>") \r
112 Exit Sub\r
113 End If \r
114\r
115 ' When you first access this page \r
116 ' the 'Authenticate' function will be called. \r
117 ' This will typically be called three times \r
118 ' in total to successfully authenticate the \r
119 ' user. In the first two iterations of \r
120 ' 'Authenticate', it will return \r
121 ' 'AUTHENTICATE_INCOMPLETE' while it \r
122 ' redirects the user's browser first to \r
123 ' the Raven WLS and then back to this page.\r
124 ' On the third iteration of 'Authenticate', it \r
125 ' will return 'AUTHENTICATE_COMPLETE_AUTHENTICATED' \r
126 ' or 'AUTHENTICATE_COMPLETE_NOT_AUTHENTICATED' \r
127 ' if the authentication process has fully \r
128 ' completed without error.\r
129 \r
130 Select Case oUcam_Webauth.Authenticate()\r
131 \r
132 Case oUcam_Webauth.AUTHENTICATE_INCOMPLETE\r
133\r
134 ' 'Authenticate' still redirecting pages \r
135 ' so don't do anything else.\r
136 \r
137 Exit Sub\r
138\r
139 Case oUcam_Webauth.AUTHENTICATE_COMPLETE_AUTHENTICATED \r
140\r
141 ' Success so display the 'principal', ie. the user id.\r
142 \r
143 Response.Write("SUCCESS. You are " & oUcam_Webauth.principal() & "<br/>")\r
144 \r
145 ' Also display the 'ptags' parameter indicating \r
146 ' whether the user is 'current' or not.\r
147 \r
148 Response.Write("Ptags = " & oUcam_Webauth.ptags() & "<br/>")\r
149 \r
150 ' Display any 'GET variables' to check they \r
151 ' have carried through from the original \r
152 ' page request.\r
153 \r
154 For Each item In Request.QueryString() \r
155 Response.Write item & "=" & Request.QueryString()(item) & "<br/>" \r
156 Next \r
157 \r
158 ' Display a 'Logout' link to make it easy to \r
159 ' test authentication repeatedly.\r
160 \r
161 Response.Write("<a href='Default.asp?Action=Logout'>Logout Raven (local)</a>") \r
162 \r
163 Case Else\r
164 \r
165 ' Either there was an error or a failed \r
166 ' authentication so print out the result either way.\r
167\r
168 Response.Write("FAIL - " & oUcam_Webauth.status() & ": " & oUcam_Webauth.msg())\r
169\r
170 ' Also log the error for debugging purposes.\r
171 \r
172 oUcam_Webauth.write_log("FAIL - " & oUcam_Webauth.status() & ": " & oUcam_Webauth.msg())\r
173 \r
174 End Select\r
175\r
176 ' We use a 'UcamWebAuthTestingClient' cookie \r
177 ' to store the return 'status' of the most recent \r
178 ' authentication attempt. The Dummy WLS server \r
179 ' looks at the value of this cookie, compares \r
180 ' it with its most recent attempt to generate a \r
181 ' particular status and logs the results. \r
182 ' Ideally the status/error the Dummy WLS server \r
183 ' tried to generate should match the status/error \r
184 ' recorded here.\r
185 '\r
186 ' NOTE: The Dummy WLS server only performs the \r
187 ' comparison of 'actual' and 'expected' when \r
188 ' it receives a subsequent authentication request.\r
189 ' ie. when testing is terminated, the final \r
190 ' authentication attempt comparison may be lost.\r
191 \r
192 ' Store number of testing iteration, return status and status msg.\r
193 ' To make it a session cookie, we don't specify 'Expires'.\r
194 \r
195 Response.Cookies("UcamWebAuthTestingClient") = CStr(testing_client_cookie_index) & "!" & oUcam_Webauth.status() & "!" & oUcam_Webauth.msg() \r
196 \r
197 ' We intend to perform another authentication attempt\r
198 ' so reset the state of Ucam_Webauth, ie. remove \r
199 ' the authentication cookie.\r
200 \r
201 oUcam_Webauth.ResetState() \r
202\r
203 \r
204End Sub\r
205\r
206Call Main\r
207\r
208%>\r
209\r
210<script language="javascript">\r
211\r
212 // Set a brief timeout before reloading this page again \r
213 // and triggering off another authentication attempt cycle.\r
214\r
215 window.setTimeout(function () { window.location.href = "http://localhost:81/Test.asp?Test1=Value1&Test2=Value2&Test3=Value3+Value4"; }, 10);\r
216\r
217</script>\r
218\r
219</html>\r
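Review bot: Query-string names and values are echoed into the page unencoded at file line 155 (`Response.Write item & "=" & Request.QueryString()(item) & "<br/>"`), and the WLS status message from `oUcam_Webauth.msg()` is echoed the same way at line 168, so untrusted request and response text lands in the HTML verbatim; whatever warning this commit adds is not visible in this view, and neither spot is fixed. Each value should go through `Server.HTMLEncode`, e.g. `Response.Write Server.HTMLEncode(item) & "=" & Server.HTMLEncode(Request.QueryString()(item)) & "<br/>"`, and similarly for the status and msg output. The UcamWebAuthTestingClient cookie is also trusted as-is at line 34: `CInt` on a non-numeric first element raises a VBScript type-mismatch runtime error instead of a controlled failure, so an `IsNumeric` check before the conversion would make the harness fail cleanly. The literal `cookie_key` of "Random string" at line 77 is presumably acceptable for this test page, but the comment above it should state that it is a placeholder that must not be carried into a deployed page.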