Fix 2 weak cryptography issues identified by SonarCloud scans.
Issue-ID: CCSDK-3196
Signed-off-by: Dan Timoney <dtimoney@att.com>
Change-Id: I0fee14e7a96badeac8a278de4d74ef244c24f06f
<artifactId>jest</artifactId>
<version>5.3.3</version>
</dependency>
+ <dependency>
+ <groupId>org.onap.ccsdk.sli.core</groupId>
+ <artifactId>utils-provider</artifactId>
+ <version>${ccsdk.sli.version}</version>
+ </dependency>
</dependencies>
<build>
import org.onap.ccsdk.apps.ms.neng.core.resource.model.GetConfigResponse;
import org.onap.ccsdk.apps.ms.neng.core.rs.interceptors.PolicyManagerAuthorizationInterceptor;
import org.onap.ccsdk.apps.ms.neng.extinf.props.PolicyManagerProps;
+import org.onap.ccsdk.sli.core.utils.common.AcceptIpAddressHostNameVerifier;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.web.client.RestTemplateBuilder;
TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;
SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom()
.loadTrustMaterial(null, acceptingTrustStrategy).build();
- HostnameVerifier verifier = (String arg0, SSLSession arg1) -> true;
+ HostnameVerifier verifier = new AcceptIpAddressHostNameVerifier();
SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext, verifier);
CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(csf).build();
HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
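Review bot: The `acceptingTrustStrategy` on the first line of this hunk still returns `true` for every chain, so the new hostname verifier checks a name on a certificate that was never validated; any self-signed certificate carrying the expected name is still trusted. Hostname verification only adds assurance once the chain is anchored to a trust store, so the context should be built with something like `.loadTrustMaterial(trustStoreFile, trustStorePassword)` (placeholder names for configured values) or the JVM default trust store, rather than `(null, acceptingTrustStrategy)`. Judging by its name, `AcceptIpAddressHostNameVerifier` also relaxes the check for hosts addressed by IP, so a short comment stating exactly what it accepts would help the next reader. The enclosing method starts and ends outside this hunk.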
import org.springframework.security.config.http.SessionCreationPolicy;\r
import org.springframework.security.core.userdetails.User;\r
import org.springframework.security.core.userdetails.UserDetails;\r
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;\r
import org.springframework.security.crypto.factory.PasswordEncoderFactories;\r
import org.springframework.security.crypto.password.PasswordEncoder;\r
import org.springframework.security.provisioning.InMemoryUserDetailsManager;\r
protected void configure(AuthenticationManagerBuilder auth) throws Exception {\r
List<UserDetails> userDetails = new ArrayList<>();\r
\r
- PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();\r
+ // Explicitly set bcrypt password encoder rather than using default\r
+ PasswordEncoder encoder = new BCryptPasswordEncoder();\r
final User.UserBuilder userBuilder = User.builder().passwordEncoder(encoder::encode);\r
\r
String authString = environment.getProperty("application.authToken");\r
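Review bot: `new BCryptPasswordEncoder()` produces hashes without the `{bcrypt}` prefix that the delegating encoder used to add, so the encoder that later matches passwords has to be this same instance. The rest of `configure` is outside the hunk; if it registers the users without `.passwordEncoder(encoder)`, Spring Security's default delegating matcher would likely reject every login because the stored hash carries no encoder id. Confirm the builder call reads along the lines of `auth.userDetailsService(manager).passwordEncoder(encoder);`, where `manager` is a placeholder for whatever the method builds. The `PasswordEncoderFactories` import appears unused after this change and can be dropped if nothing else in the file refers to it.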