Fix Security Hotspots issues 56/98756/2
authorvasraz <vasyl.razinkov@est.tech>
Tue, 19 Nov 2019 11:31:19 +0000 (11:31 +0000)
committerOfir Sonsino <ofir.sonsino@intl.att.com>
Sun, 1 Dec 2019 15:26:46 +0000 (15:26 +0000)
Change-Id: Icc45769cff71c8153c0afba6e2363b0399144175
Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech>
Issue-ID: SDC-2671

catalog-fe/src/main/java/org/openecomp/sdc/fe/servlets/PortalServlet.java
openecomp-be/backend/openecomp-sdc-security-util/src/main/java/org/openecomp/sdc/securityutil/AuthenticationCookieUtils.java

index 84e0226..d722683 100644 (file)
@@ -20,6 +20,7 @@
 
 package org.openecomp.sdc.fe.servlets;
 
+import org.onap.portalsdk.core.onboarding.exception.CipherUtilException;
 import org.onap.portalsdk.core.onboarding.util.CipherUtil;
 import org.openecomp.sdc.common.impl.MutableHttpServletRequest;
 import org.openecomp.sdc.fe.Constants;
@@ -59,6 +60,7 @@ public class PortalServlet extends HttpServlet {
      */
     @GET
     @Path("/portal")
+    @Override
     public void doGet(@Context final HttpServletRequest request, @Context final HttpServletResponse response) {
         try {
             addRequestHeadersUsingWebseal(request, response);
@@ -190,7 +192,9 @@ public class PortalServlet extends HttpServlet {
             String currHeader = headers[i];
             String headerValue = request.getHeader(currHeader);
             if (headerValue != null) {
-                response.addCookie(new Cookie(currHeader, headerValue));
+                final Cookie cookie = new Cookie(currHeader, headerValue);
+                cookie.setSecure(true);
+                response.addCookie(cookie);
             }
         }
     }
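Review bot: The cookie built at `final Cookie cookie = new Cookie(currHeader, headerValue);` gets the Secure flag but not HttpOnly, so a header value copied straight from the request stays readable by page scripts; unless a client-side consumer of these cookies is known, add `cookie.setHttpOnly(true);` next to `cookie.setSecure(true);`. The hard-coded `setSecure(true)` also means a browser drops the cookie entirely when the front end is reached over plain HTTP, so in such a deployment the copied headers silently stop arriving. The same trade-off applies to `updatedCookie.setSecure(true)` in AuthenticationCookieUtils.createUpdatedCookie, where every other attribute is read from cookieConfiguration while Secure is fixed in code; whether any deployment still serves HTTP is not visible here. The enclosing method starts before this hunk.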
@@ -273,7 +277,7 @@ public class PortalServlet extends HttpServlet {
         return newHeaderIsSet;
     }
 
-    private static String getUserIdFromCookie(HttpServletRequest request) throws Exception {
+    private static String getUserIdFromCookie(HttpServletRequest request) throws CipherUtilException {
         String userId = "";
         Cookie[] cookies = request.getCookies();
         Cookie userIdcookie = null;
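Review bot: Narrowing the throws clause to `CipherUtilException` is only half useful if the callers still wrap the call in a broad `catch (Exception e)`; those call sites are outside the hunk, but if they exist they can now become `catch (CipherUtilException e)` so that unrelated runtime failures are no longer handled as a cookie decryption error. getUserIdFromCookie's body continues past the hunk.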
index cf22a3a..f0a33da 100644 (file)
@@ -31,6 +31,9 @@ public class AuthenticationCookieUtils {
 
     private static final Logger log = LoggerFactory.getLogger(SessionValidationFilter.class.getName());
 
+    private AuthenticationCookieUtils() {
+    }
+
     /**
      * Update given cookie session time value to current time
      *
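Review bot: The private constructor added at `private AuthenticationCookieUtils() {` carries no comment saying why it exists; a one-liner such as `// static utility holder, never instantiated` makes the intent clear to the next reader. Visible on the context line above it, the logger is created with `SessionValidationFilter.class.getName()`, so messages from this class are attributed to SessionValidationFilter in log output, which complicates log triage of cookie handling; this may be intentional given the "SessionValidationFilter:" prefix in the debug message at the bottom of the file, otherwise `LoggerFactory.getLogger(AuthenticationCookieUtils.class)` would name the right category.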
@@ -58,6 +61,7 @@ public class AuthenticationCookieUtils {
      */
     public static Cookie createUpdatedCookie(Cookie cookie, String encryptedCookie, ISessionValidationCookieConfiguration cookieConfiguration) {
         Cookie updatedCookie = new Cookie(cookie.getName(), encryptedCookie );
+        updatedCookie.setSecure(true);
         updatedCookie.setPath(cookieConfiguration.getCookiePath());
         updatedCookie.setDomain(cookieConfiguration.getCookieDomain());
         updatedCookie.setHttpOnly(cookieConfiguration.isCookieHttpOnly());
@@ -116,12 +120,11 @@ public class AuthenticationCookieUtils {
      * @param filterConfiguration
      * @return
      */
-    public static boolean isSessionIdle(long sessionTimeValue, long currentTime, ISessionValidationFilterConfiguration filterConfiguration) {
+    private static boolean isSessionIdle(long sessionTimeValue, long currentTime, ISessionValidationFilterConfiguration filterConfiguration) {
         long currentIdleTime = currentTime - sessionTimeValue;
         long maxIdleTime = filterConfiguration.getSessionIdleTimeOut();
         log.debug("SessionValidationFilter: Checking if session idle: session time: {}, current idle time: {}, max idle time: {}", currentTime, currentIdleTime, maxIdleTime);
         return currentIdleTime >= maxIdleTime;
     }
 
-
 }
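Review bot: The Javadoc above `isSessionIdle` leaves `@param filterConfiguration` and `@return` empty, and now that the method is private this comment is the only place its contract is recorded; fill them in as `@param filterConfiguration supplies the maximum idle time via getSessionIdleTimeOut()` and `@return true when currentTime minus sessionTimeValue has reached that maximum`. The visibility change would break any caller outside this class; none is visible in the diff, so this is presumably already verified by the build.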