Security/ Package Name changes
[portal.git] / ecomp-portal-BE-os / src / main / java / org / onap / portalapp / controller / LoginController.java
@@ -2,11 +2,11 @@
  * ============LICENSE_START==========================================
  * ONAP Portal
  * ===================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
  * ===================================================================
  *
  * Unless otherwise specified, all software contained herein is licensed
- * under the Apache License, Version 2.0 (the “License”);
+ * under the Apache License, Version 2.0 (the "License");
  * you may not use this software except in compliance with the License.
  * You may obtain a copy of the License at
  *
@@ -19,7 +19,7 @@
  * limitations under the License.
  *
  * Unless otherwise specified, all documentation contained herein is licensed
- * under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
  * you may not use this documentation except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *
  * ECOMP is a trademark and service mark of AT&T Intellectual Property.
  */
-package org.openecomp.portalapp.controller;
+package org.onap.portalapp.controller;
 
 import static com.att.eelf.configuration.Configuration.MDC_KEY_REQUEST_ID;
 
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.net.URLDecoder;
 import java.util.Enumeration;
 import java.util.HashMap;
@@ -50,19 +52,22 @@ import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringUtils;
 import org.json.JSONObject;
-import org.openecomp.portalapp.command.EPLoginBean;
-import org.openecomp.portalapp.portal.domain.SharedContext;
-import org.openecomp.portalapp.portal.service.EPLoginService;
-import org.openecomp.portalapp.portal.service.EPRoleFunctionService;
-import org.openecomp.portalapp.portal.service.SharedContextService;
-import org.openecomp.portalapp.portal.utils.EPSystemProperties;
-import org.openecomp.portalapp.util.EPUserUtils;
-import org.openecomp.portalapp.util.SessionCookieUtil;
-import org.openecomp.portalsdk.core.logging.logic.EELFLoggerDelegate;
-import org.openecomp.portalsdk.core.menu.MenuProperties;
-import org.openecomp.portalsdk.core.onboarding.util.CipherUtil;
-import org.openecomp.portalsdk.core.util.SystemProperties;
+import org.onap.portalapp.command.EPLoginBean;
+import org.onap.portalapp.controller.EPUnRestrictedBaseController;
+import org.onap.portalapp.portal.domain.SharedContext;
+import org.onap.portalapp.portal.service.EPLoginService;
+import org.onap.portalapp.portal.service.EPRoleFunctionService;
+import org.onap.portalapp.portal.service.SharedContextService;
+import org.onap.portalapp.portal.utils.EPCommonSystemProperties;
+import org.onap.portalapp.portal.utils.EPSystemProperties;
+import org.onap.portalapp.util.EPUserUtils;
+import org.onap.portalapp.util.SessionCookieUtil;
+import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.onap.portalsdk.core.menu.MenuProperties;
+import org.onap.portalsdk.core.onboarding.util.CipherUtil;
+import org.onap.portalsdk.core.util.SystemProperties;
 import org.slf4j.MDC;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
@@ -200,6 +205,7 @@ public class LoginController extends EPUnRestrictedBaseController implements Log
                logger.info(EELFLoggerDelegate.debugLogger, "processSingleSignOn: begins with orgUserId {}", orgUserId);
 
                StringBuilder sbAdditionalInfo = new StringBuilder();
+               validateDomain(request);
                if (orgUserId == null || orgUserId.length() == 0) {
                        model.put(ERROR_MESSAGE_KEY, SystemProperties.MESSAGE_KEY_LOGIN_ERROR_COOKIE_EMPTY);
                        if (request.getParameter(REDIRECT_URL) != null && request.getParameter(REDIRECT_URL).length() != 0) {
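Review bot: The `validateDomain(request);` call added here runs before any branch of processSingleSignOn, so the further calls added in the two later hunks (the guest-session branch and the redirect branch) re-check the same unchanged request parameter and can be dropped; one site at entry is enough and is harder to miss when the redirect logic is edited again. Both SecurityException and the checked MalformedURLException now escape from this point, and the method signature and the caller's error handling are outside the hunk, so whether a malformed or foreign redirectUrl becomes a controlled error page rather than an unhandled exception cannot be confirmed here. `validateDomain` itself is defined in the last hunk of this file.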
@@ -242,6 +248,7 @@ public class LoginController extends EPUnRestrictedBaseController implements Log
                                sbAdditionalInfo.append(String.format(
                                                "But the Login-Id: %s doesn't exist in the Database. Created a Guest Session. Request-URL: %s",
                                                orgUserId, fullURL));
+                               validateDomain(request);
                                if (request.getParameter(REDIRECT_URL) != null && request.getParameter(REDIRECT_URL).length() != 0) {
                                        return new ModelAndView(REDIRECT_COLON + DEFAULT_FAILURE_VIEW + ".htm" + "?redirectUrl="
                                                        + request.getParameter(REDIRECT_URL));
@@ -292,6 +299,7 @@ public class LoginController extends EPUnRestrictedBaseController implements Log
                                                commandBean.getUser().getOrgUserId() + " exists in the the system.");
 
                                // get redirectUrl from URL parameter
+                               validateDomain(request);
                                if (request.getParameter(REDIRECT_URL) != null && request.getParameter(REDIRECT_URL).length() != 0) {
                                        String forwardUrl = URLDecoder.decode(request.getParameter(REDIRECT_URL), "UTF-8");
                                        // clean cookie
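Review bot: The check here validates the raw `redirectUrl` parameter, but the value actually redirected to is `forwardUrl`, which is decoded a second time with URLDecoder on the following line; a string can parse to an in-domain host before that decode and to a different URL after it, so the validated string is not the one the browser is sent to. Validate the same string that is used: decode first, then check, i.e. `String forwardUrl = URLDecoder.decode(request.getParameter(REDIRECT_URL), "UTF-8");` followed by `validateDomain(forwardUrl);` via a String-taking overload of validateDomain. The request-based call added here can then go, since the entry-point call earlier in this method already covers the raw parameter. The enclosing method continues outside the hunk.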
@@ -327,6 +335,19 @@ public class LoginController extends EPUnRestrictedBaseController implements Log
                return new ModelAndView(REDIRECT_COLON + SystemProperties.getProperty(EPSystemProperties.FE_URL));
        }
 
+       private void validateDomain(HttpServletRequest request) throws MalformedURLException {
+               final String returnToAppUrl = request.getParameter(REDIRECT_URL);
+               if (StringUtils.isNotBlank(returnToAppUrl)) {
+                       String hostName = new URL(returnToAppUrl).getHost();
+                       if (StringUtils.isNotBlank(hostName)
+                                       && !hostName.endsWith(EPSystemProperties.getProperty(EPCommonSystemProperties.COOKIE_DOMAIN))) {
+                               logger.debug(EELFLoggerDelegate.debugLogger,
+                                               "processSingleSignOn ()  accessing Unauthorized url  :" + hostName);
+                               throw new SecurityException("accessing Unauthorized url : " + hostName);
+                       }
+               }
+       }
+
        private String getFullURL(HttpServletRequest request) {
                if (request != null) {
                        String requestURL = request.getRequestURL().toString();
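Review bot: `hostName.endsWith(...)` in validateDomain compares a raw suffix rather than a label boundary, so any host whose name merely ends in the configured domain text passes as in-domain, not only the domain itself or its subdomains; the comparison should accept only an exact match or a host ending in `"." + domain`. Two further gaps in the same method: if `COOKIE_DOMAIN` is unset, `endsWith(null)` throws NullPointerException instead of a clean rejection, and a URL whose host is blank (a `file:` URL, for instance) skips the check entirely because of the `isNotBlank(hostName)` guard, although a host-less redirect target should be rejected unless it is intentionally supported. The rewrite below makes the comparison boundary-aware and case-insensitive, fails closed on a missing domain or blank host, and adds a String overload so callers can validate the decoded URL they actually redirect to. Whether the property is configured with a leading dot (common for cookie domains) is not visible here, so the rewrite tolerates either form.
```java
	private void validateDomain(HttpServletRequest request) throws MalformedURLException {
		validateDomain(request.getParameter(REDIRECT_URL));
	}

	/** Rejects a redirect target whose host is neither the configured cookie domain nor a subdomain of it. */
	private void validateDomain(String returnToAppUrl) throws MalformedURLException {
		if (StringUtils.isBlank(returnToAppUrl)) {
			return;
		}
		final String hostName = new URL(returnToAppUrl).getHost();
		// Tolerate a leading dot in the configured domain (".example.com" and "example.com" mean the same here).
		final String domain = StringUtils.stripStart(
				EPSystemProperties.getProperty(EPCommonSystemProperties.COOKIE_DOMAIN), ".");
		// Fail closed: a missing domain property or a host-less URL is never an in-domain target.
		// Match on a label boundary so only the domain itself or a subdomain of it is accepted.
		final boolean inDomain = StringUtils.isNotBlank(hostName) && StringUtils.isNotBlank(domain)
				&& (hostName.equalsIgnoreCase(domain)
						|| StringUtils.endsWithIgnoreCase(hostName, "." + domain));
		if (!inDomain) {
			logger.debug(EELFLoggerDelegate.debugLogger,
					"processSingleSignOn ()  accessing Unauthorized url  :" + hostName);
			throw new SecurityException("accessing Unauthorized url : " + hostName);
		}
	}
```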