Add a warning about the security hole :-(

[raven/abandoned/asp.git] / Test.asp

<!DOCTYPE html>\r
<html>\r
<head>\r
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">\r
<!--#include file="Ucam_Webauth.vbs"-->\r
</head>\r
<%\r
\r
Sub Main\r
\r
	' Examine the 'UcamWebAuthTestingClient' cookie.\r
	' This cookie is used to store the index number of \r
	' the LAST test and the outcome of that test. This \r
	' cookie is only updated when an authentication \r
	' cycle is complete (which could be due to an \r
	' error) so we use the cookie to determine the \r
	' index of the CURRENT test. \r
	' \r
	' NOTE: This cookie is completely separate \r
	' from the 'Authentication cookie' and is \r
	' purely used for testing.\r
	'\r
	' The actual value of the cookie consists of \r
	' three elements delimited by '!': \r
	'\r
	' 'index!status_code!status_message'\r
                 \r
	testing_client_cookie_name = "UcamWebAuthTestingClient"\r
	testing_client_cookie_index = 1\r
	\r
	If (Request.Cookies(testing_client_cookie_name) <> "") Then\r
		testing_client_cookie_value = Request.Cookies(testing_client_cookie_name)\r
		testing_client_cookie_array = Split(testing_client_cookie_value, "!")\r
		testing_client_cookie_index = CInt(testing_client_cookie_array(0))\r
		testing_client_cookie_index = testing_client_cookie_index + 1\r
	End If\r
		\r
	' Create 'Scripting.Dictionary' object \r
	' to hold the arguments we will supply \r
	' to the 'Ucam_Webauth' object.\r
	\r
	Set args = CreateObject("Scripting.Dictionary")\r
	\r
	' Add the different arguments to the 'args' \r
	' associative array as name/value pairs.\r
	' Both name and value must be strings \r
	' so integers must be added as "x", eg. "60".\r
\r
	' 'auth_service' is the WLS authentication server.\r
	' The following line gives the the demo Raven testing server:\r
\r
	' args.Add "auth_service", "https://demo.raven.cam.ac.uk/auth/authenticate.html"\r
\r
	' We're testing with our Dummy Raven WLS server so use that:\r
	args.Add "auth_service", "http://www2.careers.cam.ac.uk:11812"        \r
\r
	' 'hostname' must be a domain name and perhaps a \r
	' port but nothing more.\r
	\r
	args.Add "hostname", "localhost:81"\r
\r
	' 'log_file' is the location of the logfile \r
	' which must be read/writable by the webserver.\r
	\r
	args.Add "log_file", "C:/wamp/www/raven/vbscriptlog.txt"\r
\r
	' 'key_dir' is the directory holding the \r
	' public key certificate.\r
	\r
	args.Add "key_dir", "C:/wamp/www/raven"\r
\r
	' 'cookie_key' is the key used to generate \r
	' hash values of the authentication cookie. \r
	' Ideally it should be changed on a regular basis \r
	' but not during sessions.\r
	\r
	args.Add "cookie_key", "Random string"\r
\r
	' We add the current iteration of testing in \r
	' 'testing_client_cookie_index' as a parameter \r
	' to Ucam_Webauth which should then be \r
	' included as a parameter in the authentication \r
	' request to the WLS and the subsequent \r
	' authentication response back from the WLS.\r
	\r
	args.Add "authrequest_params", CStr(testing_client_cookie_index)\r
\r
\r
	' Create new instance of 'Ucam_Webauth' \r
	' and supply arguments.\r
	' We do not need to include 'Request' and 'Response' \r
	' variables (as in C# version), in order to get/set \r
	' cookies and server variables and perform redirects \r
	' as these variables are globally accessible to ASP class.\r
			       \r
	Set oUcam_Webauth = New Ucam_Webauth\r
	Call oUcam_Webauth(args)       \r
	\r
	' For the purposes of testing, we provide \r
	' a 'Logout' link that removes the local \r
	' authentication cookie and then displays \r
	' a link to easily logout the Raven WLS.\r
	' So we check to see if this 'Action=Logout' \r
	' link has been called and logout/display \r
	' link accordingly.\r
	 		\r
	If (Request.ServerVariables("QUERY_STRING") = "Action=Logout") Then\r
		oUcam_Webauth.ResetState()\r
		Response.Write("Logged out of Raven (local)<br/>")\r
		Response.Write("<a href='https://raven.cam.ac.uk/auth/logout.html'>Logout Raven (remote)</a><br/>" & _\r
	    		      "<a href='Default.asp'>Access Raven authenticated page</a>")            \r
		Exit Sub\r
	End If		\r
\r
	' When you first access this page \r
	' the 'Authenticate' function will be called. \r
	' This will typically be called three times \r
	' in total to successfully authenticate the \r
	' user. In the first two iterations of \r
	' 'Authenticate', it will return \r
	' 'AUTHENTICATE_INCOMPLETE' while it \r
	' redirects the user's browser first to \r
	' the Raven WLS and then back to this page.\r
	' On the third iteration of 'Authenticate', it \r
	' will return 'AUTHENTICATE_COMPLETE_AUTHENTICATED' \r
	' or 'AUTHENTICATE_COMPLETE_NOT_AUTHENTICATED' \r
	' if the authentication process has fully \r
	' completed without error.\r
		\r
	Select Case oUcam_Webauth.Authenticate()\r
		\r
		Case oUcam_Webauth.AUTHENTICATE_INCOMPLETE\r
\r
			' 'Authenticate' still redirecting pages \r
			' so don't do anything else.\r
			\r
			Exit Sub\r
\r
		Case oUcam_Webauth.AUTHENTICATE_COMPLETE_AUTHENTICATED		\r
\r
			' Success so display the 'principal', ie. the user id.\r
			\r
			Response.Write("SUCCESS. You are " & oUcam_Webauth.principal() & "<br/>")\r
			\r
			' Also display the 'ptags' parameter indicating \r
			' whether the user is 'current' or not.\r
			\r
			Response.Write("Ptags = " & oUcam_Webauth.ptags() & "<br/>")\r
			\r
			' Display any 'GET variables' to check they \r
			' have carried through from the original \r
			' page request.\r
			\r
			For Each item In Request.QueryString() \r
	    		Response.Write item & "=" & Request.QueryString()(item) & "<br/>"  \r
			Next 			\r
			\r
			' Display a 'Logout' link to make it easy to \r
			' test authentication repeatedly.\r
			\r
			Response.Write("<a href='Default.asp?Action=Logout'>Logout Raven (local)</a>")                \r
		\r
		Case Else\r
			\r
			' Either there was an error or a failed \r
			' authentication so print out the result either way.\r
\r
			Response.Write("FAIL - " & oUcam_Webauth.status() & ": " & oUcam_Webauth.msg())\r
\r
			' Also log the error for debugging purposes.\r
								\r
			oUcam_Webauth.write_log("FAIL - " & oUcam_Webauth.status() & ": " & oUcam_Webauth.msg())\r
					\r
	End Select\r
\r
	' We use a 'UcamWebAuthTestingClient' cookie \r
	' to store the return 'status' of the most recent  \r
	' authentication attempt. The Dummy WLS server \r
	' looks at the value of this cookie, compares \r
	' it with its most recent attempt to generate a \r
	' particular status and logs the results. \r
	' Ideally the status/error the Dummy WLS server \r
	' tried to generate should match the status/error \r
	' recorded here.\r
	'\r
	' NOTE: The Dummy WLS server only performs the \r
	' comparison of 'actual' and 'expected' when \r
	' it receives a subsequent authentication request.\r
	' ie. when testing is terminated, the final \r
	' authentication attempt comparison may be lost.\r
	      	\r
	' Store number of testing iteration, return status and status msg.\r
	' To make it a session cookie, we don't specify 'Expires'.\r
		\r
	Response.Cookies("UcamWebAuthTestingClient") = CStr(testing_client_cookie_index) & "!" & oUcam_Webauth.status() & "!" & oUcam_Webauth.msg()	\r
		\r
	' We intend to perform another authentication attempt\r
	' so reset the state of Ucam_Webauth, ie. remove \r
	' the authentication cookie.\r
	\r
	oUcam_Webauth.ResetState()                    \r
\r
		\r
End Sub\r
\r
Call Main\r
\r
%>\r
\r
<script language="javascript">\r
\r
    // Set a brief timeout before reloading this page again \r
    // and triggering off another authentication attempt cycle.\r
\r
    window.setTimeout(function () { window.location.href = "http://localhost:81/Test.asp?Test1=Value1&Test2=Value2&Test3=Value3+Value4"; }, 10);\r
\r
</script>\r
\r
</html>\r