* ============LICENSE_START==========================================
* ONAP Portal
* ===================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
* ===================================================================
*
* Unless otherwise specified, all software contained herein is licensed
- * under the Apache License, Version 2.0 (the “License”);
+ * under the Apache License, Version 2.0 (the "License");
* you may not use this software except in compliance with the License.
* You may obtain a copy of the License at
*
* limitations under the License.
*
* Unless otherwise specified, all documentation contained herein is licensed
- * under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
* you may not use this documentation except in compliance with the License.
* You may obtain a copy of the License at
*
*
* ECOMP is a trademark and service mark of AT&T Intellectual Property.
*/
-package org.openecomp.portalapp.controller;
+package org.onap.portalapp.controller;
import static com.att.eelf.configuration.Configuration.MDC_KEY_REQUEST_ID;
+import java.net.MalformedURLException;
+import java.net.URL;
import java.net.URLDecoder;
import java.util.Enumeration;
import java.util.HashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang.StringUtils;
import org.json.JSONObject;
-import org.openecomp.portalapp.command.EPLoginBean;
-import org.openecomp.portalapp.portal.domain.SharedContext;
-import org.openecomp.portalapp.portal.service.EPLoginService;
-import org.openecomp.portalapp.portal.service.EPRoleFunctionService;
-import org.openecomp.portalapp.portal.service.SharedContextService;
-import org.openecomp.portalapp.portal.utils.EPSystemProperties;
-import org.openecomp.portalapp.util.EPUserUtils;
-import org.openecomp.portalapp.util.SessionCookieUtil;
-import org.openecomp.portalsdk.core.logging.logic.EELFLoggerDelegate;
-import org.openecomp.portalsdk.core.menu.MenuProperties;
-import org.openecomp.portalsdk.core.onboarding.util.CipherUtil;
-import org.openecomp.portalsdk.core.util.SystemProperties;
+import org.onap.portalapp.command.EPLoginBean;
+import org.onap.portalapp.controller.EPUnRestrictedBaseController;
+import org.onap.portalapp.portal.domain.SharedContext;
+import org.onap.portalapp.portal.service.EPLoginService;
+import org.onap.portalapp.portal.service.EPRoleFunctionService;
+import org.onap.portalapp.portal.service.SharedContextService;
+import org.onap.portalapp.portal.utils.EPCommonSystemProperties;
+import org.onap.portalapp.portal.utils.EPSystemProperties;
+import org.onap.portalapp.util.EPUserUtils;
+import org.onap.portalapp.util.SessionCookieUtil;
+import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.onap.portalsdk.core.menu.MenuProperties;
+import org.onap.portalsdk.core.onboarding.util.CipherUtil;
+import org.onap.portalsdk.core.util.SystemProperties;
import org.slf4j.MDC;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
logger.info(EELFLoggerDelegate.debugLogger, "processSingleSignOn: begins with orgUserId {}", orgUserId);
StringBuilder sbAdditionalInfo = new StringBuilder();
+ validateDomain(request);
if (orgUserId == null || orgUserId.length() == 0) {
model.put(ERROR_MESSAGE_KEY, SystemProperties.MESSAGE_KEY_LOGIN_ERROR_COOKIE_EMPTY);
if (request.getParameter(REDIRECT_URL) != null && request.getParameter(REDIRECT_URL).length() != 0) {
sbAdditionalInfo.append(String.format(
"But the Login-Id: %s doesn't exist in the Database. Created a Guest Session. Request-URL: %s",
orgUserId, fullURL));
+ validateDomain(request);
if (request.getParameter(REDIRECT_URL) != null && request.getParameter(REDIRECT_URL).length() != 0) {
return new ModelAndView(REDIRECT_COLON + DEFAULT_FAILURE_VIEW + ".htm" + "?redirectUrl="
+ request.getParameter(REDIRECT_URL));
commandBean.getUser().getOrgUserId() + " exists in the the system.");
// get redirectUrl from URL parameter
+ validateDomain(request);
if (request.getParameter(REDIRECT_URL) != null && request.getParameter(REDIRECT_URL).length() != 0) {
String forwardUrl = URLDecoder.decode(request.getParameter(REDIRECT_URL), "UTF-8");
// clean cookie
return new ModelAndView(REDIRECT_COLON + SystemProperties.getProperty(EPSystemProperties.FE_URL));
}
+ private void validateDomain(HttpServletRequest request) throws MalformedURLException {
+ final String returnToAppUrl = request.getParameter(REDIRECT_URL);
+ if (StringUtils.isNotBlank(returnToAppUrl)) {
+ String hostName = new URL(returnToAppUrl).getHost();
+ if (StringUtils.isNotBlank(hostName)
+ && !hostName.endsWith(EPSystemProperties.getProperty(EPCommonSystemProperties.COOKIE_DOMAIN))) {
+ logger.debug(EELFLoggerDelegate.debugLogger,
+ "processSingleSignOn () accessing Unauthorized url :" + hostName);
+ throw new SecurityException("accessing Unauthorized url : " + hostName);
+ }
+ }
+ }
+
private String getFullURL(HttpServletRequest request) {
if (request != null) {
String requestURL = request.getRequestURL().toString();