} else {
rep_name_sql = " AND UPPER(cr.title) LIKE UPPER('%%') ";
}
- sql = sql.replace("[fReportName]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),rep_name_sql));
+ sql = sql.replace("[fReportName]",rep_name_sql);
if (menuId.length() > 0){
/*sql += "AND INSTR('|'||cr.menu_id||'|', '|'||'" + menuId + "'||'|') > 0 "
- PORTAL-42 Use OParent as parent POM
- PORTAL-72 Address Sonar Scan code issues
- PORTAL-90 Use approved ONAP license text
-- Portal-86 Remove application specific usages from tests and other files
+- PORTAL-86 Remove application specific usages from tests and other files
- PORTAL-78 Fix SingleSignon by force session creation prior to redirection to portal
-
+- PORTAL-118 Missing Error page in Portal-SDK app when there is an exception happen in the backend.
Version 1.3.0, 28 August 2017
- Portal-19 Renaming the Group Id in the POM file to org.onap.portal.sdk
@Autowired
FnMenuService service;
-
+
@Autowired
FunctionalMenuListService functionalMenuListService;
logger.error(EELFLoggerDelegate.errorLogger, "getParentListFailed", e);
response.setCharacterEncoding("UTF-8");
PrintWriter out = response.getWriter();
- out.write(e.getMessage());
+ out.write("An error occurred in the getParentList () ");
}
}
logger.error(EELFLoggerDelegate.errorLogger, "getFunctionCDList", e);
response.setCharacterEncoding("UTF-8");
PrintWriter out = response.getWriter();
- out.write(e.getMessage());
+ out.write("An error occurred in the getFunctionCDList ()");
}
}
mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
JsonNode root = mapper.readTree(request.getReader());
Menu fnMenuItem = mapper.readValue(root.get("availableFnMenuItem").toString(), Menu.class);
-
service.saveFnMenu(fnMenuItem);
request.getSession()
.removeAttribute(SystemProperties.getProperty(SystemProperties.APPLICATION_MENU_ATTRIBUTE_NAME));
response.setCharacterEncoding("UTF-8");
request.setCharacterEncoding("UTF-8");
PrintWriter out = response.getWriter();
- out.write(e.getMessage());
+ out.write("An error occurred in the updateFnMenu () ");
}
return null;
JsonNode root = mapper.readTree(request.getReader());
Menu fnMenuItem = mapper.readValue(root.get("fnMenuItem").toString(), Menu.class);
Menu fnMenuItemRow = service.getMenuItemRow(fnMenuItem.getId());
-
service.removeMenuItem(fnMenuItemRow);
-
response.setCharacterEncoding("UTF-8");
response.setContentType("application / json");
request.setCharacterEncoding("UTF-8");
response.setCharacterEncoding("UTF-8");
request.setCharacterEncoding("UTF-8");
PrintWriter out = response.getWriter();
- out.write(e.getMessage());
+ out.write("An error occurred in the removeFnMenu ()");
}
return null;
response.setCharacterEncoding("UTF-8");
try {
PrintWriter out = response.getWriter();
- out.write(e.getMessage());
+ out.write("An error occurred in the saveProfile ()");
} catch (IOException e1) {
logger.error(EELFLoggerDelegate.errorLogger, "saveProfile: failed to write", e1);
}
logger.error(EELFLoggerDelegate.errorLogger, "removeRole failed", e);
response.setCharacterEncoding("UTF-8");
PrintWriter out = response.getWriter();
- out.write(e.getMessage());
+ out.write("An error occurred in the removeRole ()");
return null;
}
}
response.setCharacterEncoding("UTF-8");
request.setCharacterEncoding("UTF-8");
PrintWriter out = response.getWriter();
- out.write(e.getMessage());
+ out.write("An error occurred in the addNewRole ()");
return null;
}
logger.error(EELFLoggerDelegate.errorLogger, "removeRole failed", e);
response.setCharacterEncoding("UTF-8");
PrintWriter out = response.getWriter();
- out.write(e.getMessage());
+ out.write("An error occurred removeRole failed in the removeRoleFunction");
return null;
}
logger.error(EELFLoggerDelegate.errorLogger, "removeRoleFunction failed", e);
response.setCharacterEncoding("UTF-8");
PrintWriter out = response.getWriter();
- out.write(e.getMessage());
+ out.write("An error occurred removeRoleFunction failed in the removeRoleFunction");
return null;
}
logger.error(EELFLoggerDelegate.errorLogger, "removeChildRole failed", e);
response.setCharacterEncoding("UTF-8");
PrintWriter out = response.getWriter();
- out.write(e.getMessage());
+ out.write("An error occurred removeChildRole failed in the removeChildRole()");
return null;
}
logger.error(EELFLoggerDelegate.errorLogger, "addChildRole failed", e);
response.setCharacterEncoding("UTF-8");
PrintWriter out = response.getWriter();
- out.write(e.getMessage());
+ out.write("An error occurred addChildRole failed in the addChildRole()");
return null;
}
logger.error(EELFLoggerDelegate.errorLogger, "toggleRole failed", e);
response.setCharacterEncoding("UTF-8");
PrintWriter out = response.getWriter();
- out.write(e.getMessage());
+ out.write("An error occurred while saving Role in the toggleRole()");
return null;
}
response.setCharacterEncoding("UTF-8");
request.setCharacterEncoding("UTF-8");
PrintWriter out = response.getWriter();
- out.write(e.getMessage());
+ out.write("An error occurred while removing Role in the toggleRole()");
return null;
}
*/
package org.onap.portalapp.controller.core;
+import java.net.MalformedURLException;
+import java.net.URL;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.HashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
+import org.apache.commons.lang.StringUtils;
import org.onap.portalsdk.core.auth.LoginStrategy;
import org.onap.portalsdk.core.command.LoginBean;
import org.onap.portalsdk.core.controller.UnRestrictedBaseController;
// both user and session are non-null.
logger.info(EELFLoggerDelegate.debugLogger, "singleSignOnLogin: redirecting to the forwardURL {}",
forwardURL);
+ validateDomain(forwardURL);
return new ModelAndView("redirect:" + forwardURL);
}
// application can publish a base URL in system.properties
String appUrl = SystemProperties.getProperty(SystemProperties.APP_BASE_URL);
returnToAppUrl = appUrl + (appUrl.endsWith("/") ? "" : "/") + forwardURL;
+ validateDomain(returnToAppUrl);
logger.debug(EELFLoggerDelegate.debugLogger,
"singleSignOnLogin: using app base URL {} and redirectURL {}", appUrl, returnToAppUrl);
} else {
// should always find the specified token.
returnToAppUrl = request.getRequestURL().toString().replace("single_signon.htm",
forwardURL);
+ validateDomain(returnToAppUrl);
logger.debug(EELFLoggerDelegate.debugLogger, "singleSignOnLogin: computed redirectURL {}",
returnToAppUrl);
}
final String redirectUrl = portalUrl + "?uebAppKey=" + uebAppKey + "&redirectUrl=" + encodedReturnToAppUrl;
logger.debug(EELFLoggerDelegate.debugLogger, "singleSignOnLogin: portal-bound redirect URL is {}",
redirectUrl);
-
// this line may not be necessary but jsessionid coockie is not getting created in all cases;
// so force the cookie creation
request.getSession(true);
}
}
+ private void validateDomain(String forwardURL) throws MalformedURLException {
+ if (StringUtils.isNotBlank(forwardURL)) {
+ String hostName = new URL(forwardURL).getHost();
+ if (StringUtils.isNotBlank(hostName) && !hostName.endsWith(SystemProperties.getProperty(SystemProperties.COOKIE_DOMAIN))) {
+ logger.debug(EELFLoggerDelegate.debugLogger, "singleSignOnLogin: accessing Unauthorized url",
+ hostName);
+ throw new SecurityException("accessing Unauthorized url : " + hostName);
+ }
+ }
+ }
+
protected void initateSessionMgtHandler(HttpServletRequest request) {
String portalJSessionId = getPortalJSessionId(request);
String jSessionId = getJessionId(request);
import javax.servlet.http.HttpServletResponse;
import org.json.JSONObject;
+import org.onap.portalapp.util.SecurityXssValidator;
import org.onap.portalsdk.core.controller.RestrictedBaseController;
import org.onap.portalsdk.core.domain.BroadcastMessage;
+import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
import org.onap.portalsdk.core.service.BroadcastService;
import org.onap.portalsdk.core.util.SystemProperties;
import org.onap.portalsdk.core.web.support.AppUtils;
@RequestMapping("/")
public class BroadcastController extends RestrictedBaseController {
+ private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(BroadcastController.class);
+
@Autowired
private BroadcastService broadcastService;
model.put("broadcastMessage", mapper.writeValueAsString(broadcastService.getBroadcastMessage(request)));
model.put("broadcastSites", mapper.writeValueAsString(referenceData(request).get("broadcastSites")));
} catch (Exception e) {
- e.printStackTrace();
+ logger.error(EELFLoggerDelegate.errorLogger, "broadcast() failed", e);
}
return new ModelAndView(getViewName(), model);
}
response.getWriter().write(j.toString());
} catch (Exception e) {
- e.printStackTrace();
+ logger.error(EELFLoggerDelegate.errorLogger, "getBroadcast() failed", e);
}
}
response.setCharacterEncoding("UTF-8");
request.setCharacterEncoding("UTF-8");
PrintWriter out = response.getWriter();
- out.write(e.getMessage());
+ out.write("An error occurred while saving the BroadcastMessage in the save () mapping-/broadcast/save ");
+ logger.error(EELFLoggerDelegate.errorLogger, "save() failed", e);
return null;
}
response.setCharacterEncoding("UTF-8");
request.setCharacterEncoding("UTF-8");
PrintWriter out = response.getWriter();
- out.write(e.getMessage());
+ out.write("An error occurred while removing the BroadcastMessage in the remove ()");
logger.error(EELFLoggerDelegate.errorLogger, "remove() failed", e);
return null;
}
response.setCharacterEncoding("UTF-8");
request.setCharacterEncoding("UTF-8");
PrintWriter out = response.getWriter();
- out.write(e.getMessage());
+ out.write("An error occurred while saving the BroadcastMessage in the toggleActive () ");
logger.error(EELFLoggerDelegate.errorLogger, "toggleActive() failed", e);
return null;
}
private static final String MYSQL_DB = "mysql";
private static final String ORACLE_DB = "oracle";
private static final String MARIA_DB = "mariadb";
+ private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;
static SecurityXssValidator validator = null;
private static Codec instance;
private SecurityXssValidator() {
// Avoid anything between script tags
- XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE));
+ XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", FLAGS));
// avoid iframes
- XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", Pattern.CASE_INSENSITIVE));
+ XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", FLAGS));
// Avoid anything in a src='...' type of expression
- XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",
- Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+ XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS));
- XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
- Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+ XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS));
- XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)",
- Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+ XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS));
// Remove any lonesome </script> tag
- XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", Pattern.CASE_INSENSITIVE));
+ XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", FLAGS));
- XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<script>|</script>).*", Pattern.CASE_INSENSITIVE));
+ XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<script>|</script>).*", FLAGS));
- XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<iframe>|</iframe>).*", Pattern.CASE_INSENSITIVE));
+ XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<iframe>|</iframe>).*", FLAGS));
// Remove any lonesome <script ...> tag
- XSS_INPUT_PATTERNS
- .add(Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+ XSS_INPUT_PATTERNS.add(Pattern.compile("<script(.*?)>", FLAGS));
// Avoid eval(...) expressions
- XSS_INPUT_PATTERNS
- .add(Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+ XSS_INPUT_PATTERNS.add(Pattern.compile("eval\\((.*?)\\)", FLAGS));
// Avoid expression(...) expressions
- XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)",
- Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+ XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)", FLAGS));
// Avoid javascript:... expressions
- XSS_INPUT_PATTERNS.add(Pattern.compile(".*(javascript:|vbscript:).*", Pattern.CASE_INSENSITIVE));
+ XSS_INPUT_PATTERNS.add(Pattern.compile(".*(javascript:|vbscript:).*", FLAGS));
// Avoid onload= expressions
- XSS_INPUT_PATTERNS.add(
- Pattern.compile(".*(onload(.*?)=).*", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+ XSS_INPUT_PATTERNS.add(Pattern.compile(".*(onload(.*?)=).*", FLAGS));
}
private List<Pattern> XSS_INPUT_PATTERNS = new ArrayList<Pattern>();
- PORTAL-72 Address Sonar Scan code issues
- PORTAL-79 remove unwanted SDK left menu under Report-sample dashboard
- PORTAL-90 Use approved ONAP license text
-- Portal-86 Remove application specific usages from tests and other files (rework)
-- Portal-104 Replaced the sql connector to maria db
-- Portal-127 Remove GreenSock license code from b2b library
+- PORTAL-86 Remove application specific usages from tests and other files (rework)
+- PORTAL-104 Replaced the sql connector to maria db
+- PORTAL-127 Remove GreenSock license code from b2b library
+- PORTAL-118 Missing Error page in Portal-SDK app when there is an exception happen in the backend.
+
* Put new entries here *
Version 1.3.0, 28 August 2017
-- fn_user_role
Insert into fn_user_role (USER_ID,ROLE_ID,PRIORITY,APP_ID) values (1,1,null,1);
+-- fn_restricted_url
+insert into fn_restricted_url values('admin','menu_admin');
+insert into fn_restricted_url values('get_role','menu_admin');
+insert into fn_restricted_url values('get_role_functions','menu_admin');
+insert into fn_restricted_url values('role_list/*','menu_admin');
+insert into fn_restricted_url values('role_function_list/*','menu_admin');
+insert into fn_restricted_url values('addRole','menu_admin');
+insert into fn_restricted_url values('addRoleFunction','menu_admin');
+insert into fn_restricted_url values('removeRole','menu_admin');
+insert into fn_restricted_url values('removeRoleFunction','menu_admin');
+insert into fn_restricted_url values('profile/*','menu_admin');
+
commit;
*/
package org.onap.portalapp.filter;
+import java.io.BufferedReader;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
import java.io.IOException;
-import java.io.UnsupportedEncodingException;
+import java.io.InputStreamReader;
+import java.nio.charset.StandardCharsets;
import javax.servlet.FilterChain;
+import javax.servlet.ReadListener;
import javax.servlet.ServletException;
+import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.StringUtils;
+import org.apache.http.HttpStatus;
import org.onap.portalapp.util.SecurityXssValidator;
+import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
import org.springframework.web.filter.OncePerRequestFilter;
-import org.springframework.web.util.ContentCachingRequestWrapper;
-import org.springframework.web.util.ContentCachingResponseWrapper;
-import org.springframework.web.util.WebUtils;
public class SecurityXssFilter extends OncePerRequestFilter {
- private static final String BAD_REQUEST = "BAD_REQUEST";
+ private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class);
+
+ private static final String APPLICATION_JSON = "application/json";
+
+ private static final String ERROR_BAD_REQUEST = "{\"error\":\"BAD_REQUEST\"}";
private SecurityXssValidator validator = SecurityXssValidator.getInstance();
- private static String getRequestData(final HttpServletRequest request) throws UnsupportedEncodingException {
- String payload = null;
- ContentCachingRequestWrapper wrapper = WebUtils.getNativeRequest(request, ContentCachingRequestWrapper.class);
- if (wrapper != null) {
- byte[] buf = wrapper.getContentAsByteArray();
- if (buf.length > 0) {
- payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding());
- }
+ public class RequestWrapper extends HttpServletRequestWrapper {
+
+ private ByteArrayOutputStream cachedBytes;
+
+ public RequestWrapper(HttpServletRequest request) {
+ super(request);
}
- return payload;
- }
- private static String getResponseData(final HttpServletResponse response) throws IOException {
- String payload = null;
- ContentCachingResponseWrapper wrapper = WebUtils.getNativeResponse(response,
- ContentCachingResponseWrapper.class);
- if (wrapper != null) {
- byte[] buf = wrapper.getContentAsByteArray();
- if (buf.length > 0) {
- payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding());
- wrapper.copyBodyToResponse();
+ @Override
+ public ServletInputStream getInputStream() throws IOException {
+ if (cachedBytes == null)
+ cacheInputStream();
+
+ return new CachedServletInputStream();
+ }
+
+ @Override
+ public BufferedReader getReader() throws IOException {
+ return new BufferedReader(new InputStreamReader(getInputStream()));
+ }
+
+ private void cacheInputStream() throws IOException {
+ cachedBytes = new ByteArrayOutputStream();
+ IOUtils.copy(super.getInputStream(), cachedBytes);
+ }
+
+ public class CachedServletInputStream extends ServletInputStream {
+ private ByteArrayInputStream input;
+
+ public CachedServletInputStream() {
+ input = new ByteArrayInputStream(cachedBytes.toByteArray());
}
+
+ @Override
+ public int read() throws IOException {
+ return input.read();
+ }
+
+ public boolean isFinished() {
+ return false;
+ }
+
+ public boolean isReady() {
+ return false;
+ }
+
+ public void setReadListener(ReadListener readListener) {
+
+ }
+
}
- return payload;
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
-
- if (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT")) {
-
- HttpServletRequest requestToCache = new ContentCachingRequestWrapper(request);
- HttpServletResponse responseToCache = new ContentCachingResponseWrapper(response);
- filterChain.doFilter(requestToCache, responseToCache);
- String requestData = getRequestData(requestToCache);
- String responseData = getResponseData(responseToCache);
- if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) {
- throw new SecurityException(BAD_REQUEST);
+ if (validateRequestType(request)) {
+ request = new RequestWrapper(request);
+ String requestData = IOUtils.toString(request.getInputStream(), StandardCharsets.UTF_8.toString());
+ try {
+ if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) {
+ response.setContentType(APPLICATION_JSON);
+ response.setStatus(HttpStatus.SC_BAD_REQUEST);
+ response.getWriter().write(ERROR_BAD_REQUEST);
+ throw new SecurityException(ERROR_BAD_REQUEST);
+ }
+ } catch (Exception e) {
+ logger.error(EELFLoggerDelegate.errorLogger, "doFilterInternal() failed due to BAD_REQUEST", e);
+ response.getWriter().close();
+ return;
}
+ filterChain.doFilter(request, response);
} else {
filterChain.doFilter(request, response);
}
}
-}
+
+ private boolean validateRequestType(HttpServletRequest request) {
+ return (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT")
+ || request.getMethod().equalsIgnoreCase("DELETE"));
+ }
+}
\ No newline at end of file
# app_base_url = https://www.openecomp.org/app_context/
#authenticate user server
-authenticate_user_server=http://todo_enter_auth_server_hostname:8383/openid-connect-server-webapp/allUsers
\ No newline at end of file
+authenticate_user_server=http://todo_enter_auth_server_hostname:8383/openid-connect-server-webapp/allUsers
+#cookie domain
+cookie_domain = onap.org
\ No newline at end of file
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee"
- xmlns:web="http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
- version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee">
+ xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee" xmlns:web="http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
+ version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee">
<display-name>ecomp-sdk-app-os</display-name>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
<filter>
- <filter-name>SecurityXssFilter</filter-name>
- <filter-class>org.onap.portalapp.filter.SecurityXssFilter</filter-class>
- </filter>
- <filter-mapping>
- <filter-name>SecurityXssFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
+ <filter-name>SecurityXssFilter</filter-name>
+ <filter-class>org.onap.portalapp.filter.SecurityXssFilter
+ </filter-class>
+ </filter>
+ <filter-mapping>
+ <filter-name>SecurityXssFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+ <error-page>
+ <location>/WEB-INF/jsp/error.jsp</location>
+ </error-page>
</web-app>
\ No newline at end of file
# If you need to troubleshoot a properties related problem, turning this on may help.
# This is 'false' in the src/test/resources/.esapi version. It is 'true' by
# default for reasons of backward compatibility with earlier ESAPI versions.
-ESAPI.printProperties=true
+ESAPI.printProperties=false
# ESAPI is designed to be easily extensible. You can use the reference implementation
# or implement your own providers to take advantage of your enterprise's security
===================================================================
Unless otherwise specified, all software contained herein is licensed
- under the Apache License, Version 2.0 (the “License”);
+ under the Apache License, Version 2.0 (the "License");
you may not use this software except in compliance with the License.
You may obtain a copy of the License at
limitations under the License.
Unless otherwise specified, all documentation contained herein is licensed
- under the Creative Commons License, Attribution 4.0 Intl. (the â\80\9cLicenseâ\80\9d);
+ under the Creative Commons License, Attribution 4.0 Intl. (the "Â\80License"Â\80Â\9d);
you may not use this documentation except in compliance with the License.
You may obtain a copy of the License at
ECOMP is a trademark and service mark of AT&T Intellectual Property.
--%>
-${errMsg}
+<%@ page language="java" contentType="text/html;"
+ pageEncoding="US-ASCII" isErrorPage="true"%>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+ <head>
+ <meta http-equiv="Content-Type" content="text/html;">
+ <title>Error Page</title>
+ </head>
+ <body>
+ <h1>Something went wrong. Please go back to the previous page or
+ try again later.</h1>
+
+ <h3>Please see the exception:</h3>
+
+ <table width="100%" border="1">
+ <tr valign="top">
+ <td width="40%"><b>Error:</b></td>
+ <td>${pageContext.exception}</td>
+ </tr>
+
+ <tr valign="top">
+ <td><b>URI:</b></td>
+ <td>${pageContext.errorData.requestURI}</td>
+ </tr>
+
+ <tr valign="top">
+ <td><b>Status code:</b></td>
+ <td>${pageContext.errorData.statusCode}</td>
+ </tr>
+ </table>
+
+ </body>
+</html>
\ No newline at end of file
style="height: 145px;">
<div class="field-group">
- Name <input id="textinputID-2a" ddh-reset ng-model="roleFun['name']"
+ <span ID="required" style="color: Red;" visible="false"> *</span>Name <input id="textinputID-2a" ddh-reset ng-model="roleFun['name']"
placeholder="Name" class="span12" type="text">
</div>
+ <div class="error-container"
+ ng-show="!roleFun['name']||roleFun['name']==0">
+ <small id="name-required" class="err-message">Name is Required</small>
+ </div>
+ <br>
<div class="field-group">
- Code <input id="textinputID-2a" ddh-reset ng-model="roleFun['code']"
+ <span ID="required" style="color: Red;" visible="false"> *</span>Code <input id="textinputID-2a" ddh-reset ng-model="roleFun['code']"
placeholder="Code" class="span12" type="text">
</div>
+ <div class="error-container"
+ ng-show="!roleFun['code']||roleFun['code']==0">
+ <small id="code-required" class="err-message">Code is Required</small>
+ </div>
+
</div>
+ <br>
<div class="b2b-modal-footer ng-scope ng-isolate-scope in">
<div class="cta-button-group in">
- <button class="btn btn-alt btn-medium" type="button"
+ <button class="btn btn-alt btn-medium" type="button" ng-disabled= "(!roleFun['name']||roleFun['name']==0)|| (!roleFun['code']||roleFun['code']==0)"
ng-click="save(roleFun);">Create</button>
<button class="btn btn-medium" type="button"
ng-click="$dismiss('cancel')">Cancel</button>
</div>
<div ng-hide="showLoader">
<div>
- <button type="submit" ng-click="addRoleFuncPopUp(rowData);" class="btn btn-alt btn-small" ng-if="isAppCentralized=='false'">Add New Role</button>
+ <button type="submit" onClick="window.location='admin#/role/0';" class="btn btn-alt btn-small" ng-if="isAppCentralized=='false'">Add New Role</button>
</div>
<h2 class="heading-small" ng-if="isAppCentralized=='false'">Click on a Role to view its details.</h2>
<table class="striped" ng-if="availableRoleFunctions" style="width: auto;">
max-height:300px;
overflow:auto;
display:block
+}
+.error-container {
+ position: absolute;
+ width: 220px;
+ display: block;
+ height: 12px;
+ line-height: 12px;
+}
+.err-message {
+ color: #cf2a2a;
+ font-size: 10px;
}
\ No newline at end of file
### ONAP Distributions
Version 2.1.0
-- PORTAL-19 Rename Java package base to org.onap
+- PORTAL-19 Rename Java package base to org.onap
+- PORTAL-145 Harden code to address penetration attacks
Version 1.4.0
- PORTAL-19 Rename Java package base to org.onap
*/
package org.onap.portalsdk.core.interceptor;
+import java.net.MalformedURLException;
+import java.net.URL;
import java.net.URLEncoder;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
+import org.apache.commons.lang.StringUtils;
import org.onap.portalsdk.core.controller.FusionBaseController;
import org.onap.portalsdk.core.domain.User;
import org.onap.portalsdk.core.exception.SessionExpiredException;
import org.onap.portalsdk.core.listener.CollaborateListBindingListener;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.onap.portalsdk.core.util.SystemProperties;
import org.onap.portalsdk.core.web.support.AppUtils;
import org.onap.portalsdk.core.web.support.UserUtils;
import org.springframework.web.method.HandlerMethod;
public class SessionTimeoutInterceptor extends HandlerInterceptorAdapter {
private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SessionTimeoutInterceptor.class);
-
+
/**
* Checks all requests for valid session information. If not found, redirects to
* a controller that will establish a valid session.
// "/context/single_signon.htm"
final String redirectUrl = request.getContextPath() + singleSignonPrefix
+ "redirectToPortal=Yes&" + forwardUrlParm;
+ validateDomain(redirectUrl);
logger.debug(EELFLoggerDelegate.debugLogger, "preHandle: session is expired, redirecting to {}",
redirectUrl);
response.sendRedirect(redirectUrl);
// Redirect to an absolute path in the webapp; e.g.,
// "/context/single_signon.htm"
final String redirectUrl = request.getContextPath() + singleSignonPrefix + forwardUrlParm;
+ validateDomain(redirectUrl);
logger.debug(EELFLoggerDelegate.debugLogger, "preHandle: took exception {}, redirecting to {}",
ex.getMessage(), redirectUrl);
response.sendRedirect(redirectUrl);
return super.preHandle(request, response, handler);
}
+ private void validateDomain(final String redirectUrl) throws MalformedURLException {
+ if (StringUtils.isNotBlank(redirectUrl)) {
+ String hostName = new URL(redirectUrl).getHost();
+ if (StringUtils.isNotBlank(hostName)
+ && !hostName.endsWith(SystemProperties.getProperty(SystemProperties.COOKIE_DOMAIN))) {
+ logger.debug(EELFLoggerDelegate.debugLogger, "singleSignOnLogin: accessing Unauthorized url", hostName);
+ throw new SecurityException("accessing Unauthorized url : " + hostName);
+ }
+ }
+ }
+
}
package org.onap.portalsdk.core.logging.format;
public enum AlarmSeverityEnum {
- CRITICAL, MAJOR, MINOR, INFORMATIONAL, NONE,
+ CRITICAL("1"),
+ MAJOR("2"),
+ MINOR("3"),
+ INFORMATIONAL("4"),
+ NONE("0");
+
+ private final String severity;
+
+ AlarmSeverityEnum(String severity) {
+ this.severity = severity;
+ }
+
+ public String severity() {
+ return severity;
+ }
}
*/
package org.onap.portalsdk.core.service;
-import java.util.HashMap;
+import java.util.ArrayList;
import java.util.List;
-import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
+import org.hibernate.criterion.Criterion;
+import org.hibernate.criterion.Restrictions;
import org.onap.portalsdk.core.domain.UrlsAccessible;
import org.onap.portalsdk.core.web.support.UserUtils;
import org.springframework.beans.factory.annotation.Autowired;
@Override
public boolean isUrlAccessible(HttpServletRequest request, String currentUrl) {
boolean isAccessible = false;
- Map<String, String> params = new HashMap<>();
- params.put("current_url", currentUrl);
- List list = dataAccessService.executeNamedQuery("restrictedUrls", params, null);
+ List<?> list = getAccessUrlList(currentUrl);
// loop through the list of restricted URL's
if (list != null && !list.isEmpty()) {
for (int i = 0; i < list.size(); i++) {
- UrlsAccessible urlFunctions = (UrlsAccessible) list.get(i);
- String functionCd = urlFunctions.getFunctionCd();
+ UrlsAccessible urlFunction = (UrlsAccessible) list.get(i);
+ if (!matchPattern(currentUrl, urlFunction.getUrl()))
+ continue;
+ String functionCd = urlFunction.getFunctionCd();
if (UserUtils.isAccessible(request, functionCd)) {
isAccessible = true;
+ break;
}
}
return isAccessible;
return true;
}
+ /*
+ * This Method returns all the entries in the database that start with the
+ * first part of the currentUrl split at the "/" character.
+ *
+ * Example: if currentUrl
+ * is "xyz/abc/1", all the entries in the corresponding tables that match
+ * with "xyz" are returned
+ */
+ private List<?> getAccessUrlList(String currentUrl) {
+ List<?> list = null;
+
+ if (currentUrl != null) {
+ int indexOfSlash = currentUrl.indexOf("/");
+ String currentFirstUrl = (indexOfSlash > 0) ? currentUrl.substring(0, indexOfSlash) : currentUrl;
+
+ if (currentFirstUrl != null) {
+
+ List<Criterion> restrictionsList = new ArrayList<Criterion>();
+ Criterion criterion1 = Restrictions.like("urlsAccessibleKey.url", currentFirstUrl + "%");
+ restrictionsList.add(criterion1);
+ list = dataAccessService.getList(UrlsAccessible.class, null, restrictionsList, null);
+
+ }
+ }
+ return list;
+ }
+
+ /*
+ * This method compares the portalApiPath against the urlPattern; splits the
+ * portalApiPath by "/" and compares each part with that of the urlPattern.
+ *
+ * Example: "xyz/1/abc" matches with the pattern "xyz/* /abc" but not with
+ * "xyz/*"
+ *
+ */
+
+ private Boolean matchPattern(String portalApiPath, String urlPattern) {
+ String[] path = portalApiPath.split("/");
+ if (path.length > 1) {
+
+ String[] roleFunctionArray = urlPattern.split("/");
+ boolean match = true;
+ if (roleFunctionArray.length == path.length) {
+ for (int i = 0; i < roleFunctionArray.length; i++) {
+ if (match) {
+ if (!roleFunctionArray[i].equals("*")) {
+ Pattern p = Pattern.compile(path[i], Pattern.CASE_INSENSITIVE);
+ Matcher m = p.matcher(roleFunctionArray[i]);
+ match = m.matches();
+
+ }
+ }
+ }
+ if (match)
+ return match;
+ }
+ } else {
+ if (portalApiPath.matches(urlPattern))
+ return true;
+
+ }
+ return false;
+ }
+
}
// Left Menu
public static final String LEFT_MENU_PARENT = "parentList";
public static final String LEFT_MENU_CHILDREND = "childItemList";
+ public static final String COOKIE_DOMAIN = "cookie_domain";
+
public enum RESULT_ENUM {
SUCCESS, FAILURE
response.setCharacterEncoding("UTF-8");
request.setCharacterEncoding("UTF-8");
PrintWriter out = response.getWriter();
- out.write(e.getMessage());
+ out.write("An error occurred while removing Role in the toggleRole()");
}
}
Code Review / portal / sdk.git / commitdiff