X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=ecomp-portal-BE-os%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Fportalapp%2Fcontroller%2FLoginController.java;fp=ecomp-portal-BE-os%2Fsrc%2Fmain%2Fjava%2Forg%2Fopenecomp%2Fportalapp%2Fcontroller%2FLoginController.java;h=273a0b1ef23b2134e8b52f168a27cd4bb9dd6fd7;hb=21a8761f684745bb300e075c7e98ad897ace9eed;hp=ce6cc5303e36c4b2508d012dc7b01fa4efa2cdc8;hpb=3af8af1310d5a27cb58be29505573f0bbdc1717c;p=portal.git
diff --git a/ecomp-portal-BE-os/src/main/java/org/openecomp/portalapp/controller/LoginController.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/LoginController.java
similarity index 89%
rename from ecomp-portal-BE-os/src/main/java/org/openecomp/portalapp/controller/LoginController.java
rename to ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/LoginController.java
index ce6cc530..273a0b1e 100644
--- a/ecomp-portal-BE-os/src/main/java/org/openecomp/portalapp/controller/LoginController.java
+++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/controller/LoginController.java
@@ -2,11 +2,11 @@
  * ============LICENSE_START==========================================
  * ONAP Portal
  * ===================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
  * ===================================================================
  *
  * Unless otherwise specified, all software contained herein is licensed
- * under the Apache License, Version 2.0 (the “License”);
+ * under the Apache License, Version 2.0 (the "License");
  * you may not use this software except in compliance with the License.
  * You may obtain a copy of the License at
  *
@@ -19,7 +19,7 @@
  * limitations under the License.
  *
  * Unless otherwise specified, all documentation contained herein is licensed
- * under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
  * you may not use this documentation except in compliance with the License.
  * You may obtain a copy of the License at
  *
@@ -35,10 +35,12 @@
  *
  * ECOMP is a trademark and service mark of AT&T Intellectual Property.
  */
-package org.openecomp.portalapp.controller;
+package org.onap.portalapp.controller;
 
 import static com.att.eelf.configuration.Configuration.MDC_KEY_REQUEST_ID;
 
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.net.URLDecoder;
 import java.util.Enumeration;
 import java.util.HashMap;
@@ -50,19 +52,22 @@ import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringUtils;
 import org.json.JSONObject;
-import org.openecomp.portalapp.command.EPLoginBean;
-import org.openecomp.portalapp.portal.domain.SharedContext;
-import org.openecomp.portalapp.portal.service.EPLoginService;
-import org.openecomp.portalapp.portal.service.EPRoleFunctionService;
-import org.openecomp.portalapp.portal.service.SharedContextService;
-import org.openecomp.portalapp.portal.utils.EPSystemProperties;
-import org.openecomp.portalapp.util.EPUserUtils;
-import org.openecomp.portalapp.util.SessionCookieUtil;
-import org.openecomp.portalsdk.core.logging.logic.EELFLoggerDelegate;
-import org.openecomp.portalsdk.core.menu.MenuProperties;
-import org.openecomp.portalsdk.core.onboarding.util.CipherUtil;
-import org.openecomp.portalsdk.core.util.SystemProperties;
+import org.onap.portalapp.command.EPLoginBean;
+import org.onap.portalapp.controller.EPUnRestrictedBaseController;
+import org.onap.portalapp.portal.domain.SharedContext;
+import org.onap.portalapp.portal.service.EPLoginService;
+import org.onap.portalapp.portal.service.EPRoleFunctionService;
+import org.onap.portalapp.portal.service.SharedContextService;
+import org.onap.portalapp.portal.utils.EPCommonSystemProperties;
+import org.onap.portalapp.portal.utils.EPSystemProperties;
+import org.onap.portalapp.util.EPUserUtils;
+import org.onap.portalapp.util.SessionCookieUtil;
+import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.onap.portalsdk.core.menu.MenuProperties;
+import org.onap.portalsdk.core.onboarding.util.CipherUtil;
+import org.onap.portalsdk.core.util.SystemProperties;
 import org.slf4j.MDC;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
@@ -200,6 +205,7 @@ public class LoginController extends EPUnRestrictedBaseController implements Log logger.info(EELFLoggerDelegate.debugLogger, "processSingleSignOn: begins with orgUserId {}", orgUserId); StringBuilder sbAdditionalInfo = new StringBuilder(); + validateDomain(request); if (orgUserId == null || orgUserId.length() == 0) { model.put(ERROR_MESSAGE_KEY, SystemProperties.MESSAGE_KEY_LOGIN_ERROR_COOKIE_EMPTY); if (request.getParameter(REDIRECT_URL) != null && request.getParameter(REDIRECT_URL).length() != 0) { @@ -242,6 +248,7 @@ public class LoginController extends EPUnRestrictedBaseController implements Log sbAdditionalInfo.append(String.format( "But the Login-Id: %s doesn't exist in the Database. Created a Guest Session. Request-URL: %s", orgUserId, fullURL)); + validateDomain(request); if (request.getParameter(REDIRECT_URL) != null && request.getParameter(REDIRECT_URL).length() != 0) { return new ModelAndView(REDIRECT_COLON + DEFAULT_FAILURE_VIEW + ".htm" + "?redirectUrl=" + request.getParameter(REDIRECT_URL)); @@ -292,6 +299,7 @@ public class LoginController extends EPUnRestrictedBaseController implements Log commandBean.getUser().getOrgUserId() + " exists in the the system."); // get redirectUrl from URL parameter + validateDomain(request); if (request.getParameter(REDIRECT_URL) != null && request.getParameter(REDIRECT_URL).length() != 0) { String forwardUrl = URLDecoder.decode(request.getParameter(REDIRECT_URL), "UTF-8"); // clean cookie 
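Review bot: In hunk -292 the added `validateDomain(request)` inspects the raw `redirectUrl` parameter, but the redirect two lines later is built from `URLDecoder.decode(request.getParameter(REDIRECT_URL), "UTF-8")`, so the string that is checked is not the string that is followed and a percent-encoded character can change which host each parse sees; decode once at the top of the method and hand that same value to both the check and the redirect (or have `validateDomain` decode with the same charset before calling `new URL`). The parameter is validated three times in what appears to be one method (`processSingleSignOn` begins above hunk -200 and its body continues past each hunk), and the call in hunk -200 runs before any branch, so the calls in hunks -242 and -292 look redundant; if they are kept, a comment such as `// redirectUrl already validated at method entry` saves the reader a search for a second parameter. `validateDomain` throws `MalformedURLException` and `SecurityException`, and whether the enclosing method declares or handles them is outside these hunks.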
@@ -327,6 +335,19 @@ public class LoginController extends EPUnRestrictedBaseController implements Log return new ModelAndView(REDIRECT_COLON + SystemProperties.getProperty(EPSystemProperties.FE_URL)); } + private void validateDomain(HttpServletRequest request) throws MalformedURLException { + final String returnToAppUrl = request.getParameter(REDIRECT_URL); + if (StringUtils.isNotBlank(returnToAppUrl)) { + String hostName = new URL(returnToAppUrl).getHost(); + if (StringUtils.isNotBlank(hostName) + && !hostName.endsWith(EPSystemProperties.getProperty(EPCommonSystemProperties.COOKIE_DOMAIN))) { + logger.debug(EELFLoggerDelegate.debugLogger, + "processSingleSignOn () accessing Unauthorized url :" + hostName); + throw new SecurityException("accessing Unauthorized url : " + hostName); + } + } + } + private String getFullURL(HttpServletRequest request) { if (request != null) { String requestURL = request.getRequestURL().toString();
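Review bot: The `hostName.endsWith(...COOKIE_DOMAIN)` test in `validateDomain` is a bare suffix match, so when the configured value has no leading dot any longer host name that merely ends with that string is accepted; anchor the comparison on a separator, `hostName.equalsIgnoreCase(domain) || StringUtils.endsWithIgnoreCase(hostName, "." + domain)`, after stripping an optional leading dot from the property. The check also does not fail closed: an unset property makes `endsWith(null)` throw NullPointerException, an empty property lets every host through, and a URL whose host is empty skips the check because `isNotBlank(hostName)` is false. The debug message names `processSingleSignOn ()` although it is emitted from `validateDomain`. A rewrite of the method body with these corrections, keeping the signature and thrown types, is below; whether any deployment relies on host-less redirect values should be confirmed before that branch is made strict.
```java
	private void validateDomain(HttpServletRequest request) throws MalformedURLException {
		final String returnToAppUrl = request.getParameter(REDIRECT_URL);
		if (StringUtils.isBlank(returnToAppUrl)) {
			return;
		}
		// Tolerate a configured value with or without a leading dot.
		final String allowedDomain = StringUtils.removeStart(
				EPSystemProperties.getProperty(EPCommonSystemProperties.COOKIE_DOMAIN), ".");
		final String hostName = new URL(returnToAppUrl).getHost();
		// Fail closed: an unset allow-list property or a host-less URL is rejected, and the
		// suffix test is anchored on '.' so a host that merely ends in the domain string cannot match.
		final boolean allowed = StringUtils.isNotBlank(allowedDomain) && StringUtils.isNotBlank(hostName)
				&& (hostName.equalsIgnoreCase(allowedDomain)
						|| StringUtils.endsWithIgnoreCase(hostName, "." + allowedDomain));
		if (!allowed) {
			logger.debug(EELFLoggerDelegate.debugLogger, "validateDomain: rejected redirect host {}", hostName);
			throw new SecurityException("accessing Unauthorized url : " + hostName);
		}
	}
```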