author | Christopher Lott (cl778h) <clott@research.att.com> | 2017-10-27 20:25:51 -0400 |
committer | Christopher Lott (cl778h) <clott@research.att.com> | 2017-10-27 20:27:15 -0400 |
commit | 6f2918cc2a4f67b692f91e4e5a40c122a75ed402 (patch) | |
tree | f8a02864a37413a512e9d00c9575ec112539cae3 /ecomp-portal-BE-common/src | |
parent | 2b39251bbfdb1f2240bad8a293cb1f7c72137b6c (diff) |
Enhance authentication to fix a vulnerability
Issue: PORTAL-137
Change-Id: I7e2a5544653ac2067da7231d878009b260dc740f
Signed-off-by: Christopher Lott (cl778h) <clott@research.att.com>
Diffstat (limited to 'ecomp-portal-BE-common/src')
-rw-r--r-- | ecomp-portal-BE-common/src/main/java/org/openecomp/portalapp/portal/service/EPLoginServiceImpl.java | 76 | ||||
-rw-r--r-- | ecomp-portal-BE-common/src/main/webapp/WEB-INF/fusion/orm/EP.hbm.xml | 19 |
2 files changed, 51 insertions, 44 deletions
diff --git a/ecomp-portal-BE-common/src/main/java/org/openecomp/portalapp/portal/service/EPLoginServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/openecomp/portalapp/portal/service/EPLoginServiceImpl.java
index f4710478..a06d89ac 100644
--- a/ecomp-portal-BE-common/src/main/java/org/openecomp/portalapp/portal/service/EPLoginServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/openecomp/portalapp/portal/service/EPLoginServiceImpl.java
@@ -41,25 +41,25 @@ import java.util.Date; import java.util.HashMap; import java.util.HashSet; import java.util.List; +import java.util.Map; import java.util.Set; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.context.annotation.EnableAspectJAutoProxy; -import org.springframework.stereotype.Service; -import org.springframework.transaction.annotation.Transactional; - -import org.openecomp.portalsdk.core.logging.logic.EELFLoggerDelegate; -import org.openecomp.portalsdk.core.menu.MenuBuilder; -import org.openecomp.portalsdk.core.service.DataAccessService; -import org.openecomp.portalsdk.core.service.support.FusionService; -import org.openecomp.portalsdk.core.util.SystemProperties; -import org.openecomp.portalsdk.core.web.support.AppUtils; import org.openecomp.portalapp.command.EPLoginBean; import org.openecomp.portalapp.portal.domain.EPUser; import org.openecomp.portalapp.portal.logging.aop.EPMetricsLog; import org.openecomp.portalapp.portal.logging.format.EPAppMessagesEnum; import org.openecomp.portalapp.portal.logging.logic.EPLogUtil; import org.openecomp.portalapp.util.EPUserUtils; +import org.openecomp.portalsdk.core.logging.logic.EELFLoggerDelegate; +import org.openecomp.portalsdk.core.menu.MenuBuilder; +import org.openecomp.portalsdk.core.service.DataAccessService; +import org.openecomp.portalsdk.core.service.support.FusionService; +import org.openecomp.portalsdk.core.util.SystemProperties; +import org.openecomp.portalsdk.core.web.support.AppUtils; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.EnableAspectJAutoProxy; +import org.springframework.stereotype.Service; +import org.springframework.transaction.annotation.Transactional; @Service("eploginService") @Transactional 
@@ -179,43 +179,33 @@ public class EPLoginServiceImpl extends FusionService implements EPLoginService * @param password * @return EPUser object; null on error or if no match. */ + @SuppressWarnings("rawtypes") private EPUser findUser(String loginId, String password) { - List<?> list = null; - - StringBuffer criteria = new StringBuffer(); - criteria.append(" where login_id = '").append(loginId).append("'").append(" and login_pwd = '").append(password) - .append("'"); - + Map<String, String> params = new HashMap<>(); + params.put("login_id", loginId); + params.put("login_pwd", password); + List list = null; try { - list = getDataAccessService().getList(EPUser.class, criteria.toString(), null, null); + list = dataAccessService.executeNamedQuery("getEPUserByLoginIdLoginPwd", params, new HashMap()); } catch (Exception e) { EPLogUtil.logEcompError(logger, EPAppMessagesEnum.BeDaoSystemError, e); - logger.error(EELFLoggerDelegate.errorLogger, "findUser(String) failed on " + loginId, e); + logger.error(EELFLoggerDelegate.errorLogger, "findUser failed on " + loginId, e); } - - return (list == null || list.size() == 0) ? null : (EPUser) list.get(0); + return (list == null || list.isEmpty()) ? 
null : (EPUser) list.get(0); } - /* - * (non-Javadoc) - * @see org.openecomp.portalapp.portal.service.EPLoginService#findUserWithoutPwd(java.lang.String) - */ - @Override + @SuppressWarnings("rawtypes") public EPUser findUserWithoutPwd(String loginId) { - List<?> list = null; - - StringBuffer criteria = new StringBuffer(); - criteria.append(" where login_id = '").append(loginId).append("'"); - + Map<String, String> params = new HashMap<>(); + params.put("login_id", loginId); + List list = null; try { - list = getDataAccessService().getList(EPUser.class, criteria.toString(), null, null); + list = dataAccessService.executeNamedQuery("getEPUserByLoginId", params, new HashMap()); } catch (Exception e) { EPLogUtil.logEcompError(logger, EPAppMessagesEnum.BeDaoSystemError, e); - String message = "findUserWithoutPwd failed on " + loginId; - logger.error(EELFLoggerDelegate.errorLogger, message, e); + logger.error(EELFLoggerDelegate.errorLogger, "findUserWithoutPwd failed on " + loginId, e); } - - return (list == null || list.size() == 0) ? null : (EPUser) list.get(0); + return (list == null || list.isEmpty()) ? null : (EPUser) list.get(0); } /** 
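Review bot: The `@Override` on findUserWithoutPwd is dropped together with the non-Javadoc comment, even though the removed `@see` line shows the method implements EPLoginService#findUserWithoutPwd; keep the annotation so any later drift between the interface and this implementation is caught at compile time, e.g. `@Override` on its own line directly above `@SuppressWarnings("rawtypes")`. The `@SuppressWarnings("rawtypes")` added to both methods seems to exist only for `List list` and `new HashMap()`; if executeNamedQuery returns a raw List, keeping the previous `List<?> list = null;` and writing `new HashMap<>()` would presumably compile without the suppression — worth checking against the DataAccessService signature. Replacing the string-built criteria with parameterized named queries closes the injection path in both lookups, but findUser(String, String) still matches `login_pwd` by equality inside the query, so whatever form of `password` the caller passes must already be the stored form; how it is derived is outside this hunk.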
@@ -225,20 +215,18 @@ public class EPLoginServiceImpl extends FusionService implements EPLoginService * @param bean * @return EPUser object; null on error or if no match. */ + @SuppressWarnings("rawtypes") private EPUser findUser(EPLoginBean bean) { - List<?> list = null; - - StringBuffer criteria = new StringBuffer(); - criteria.append(" where orgUserId = '").append(bean.getOrgUserId()).append("'"); - + Map<String, String> params = new HashMap<>(); + params.put("org_user_id", bean.getOrgUserId()); + List list = null; try { - list = getDataAccessService().getList(EPUser.class, criteria.toString(), null, null); + list = dataAccessService.executeNamedQuery("getUserByOrgUserId", params, new HashMap()); } catch (Exception e) { EPLogUtil.logEcompError(logger, EPAppMessagesEnum.BeDaoSystemError, e); logger.error(EELFLoggerDelegate.errorLogger, "findUser(EPLoginBean) failed", e); } - - return (list == null || list.size() == 0) ? null : (EPUser) list.get(0); + return (list == null || list.isEmpty()) ? null : (EPUser) list.get(0); } public DataAccessService getDataAccessService() { diff --git a/ecomp-portal-BE-common/src/main/webapp/WEB-INF/fusion/orm/EP.hbm.xml b/ecomp-portal-BE-common/src/main/webapp/WEB-INF/fusion/orm/EP.hbm.xml index 8fa11e01..8fe369fa 100644 --- a/ecomp-portal-BE-common/src/main/webapp/WEB-INF/fusion/orm/EP.hbm.xml +++ b/ecomp-portal-BE-common/src/main/webapp/WEB-INF/fusion/orm/EP.hbm.xml @@ -1961,4 +1961,23 @@ where fn_role.app_id = fn_app.app_id and fn_app.enabled='Y' and fn_role.active_y ; ]]> </sql-query> + + <query name="getEPUserByOrgUserId"> + <![CDATA[ + FROM EPUser WHERE orgUserId = :org_user_id + ]]> + </query> + + <query name="getEPUserByLoginId"> + <![CDATA[ + FROM EPUser WHERE loginId = :login_id + ]]> + </query> + + <query name="getEPUserByLoginIdLoginPwd"> + <![CDATA[ + FROM EPUser WHERE loginId = :login_id and loginPwd = :login_pwd + ]]> + </query> + </hibernate-mapping> |
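Review bot: findUser(EPLoginBean) now calls `dataAccessService.executeNamedQuery("getUserByOrgUserId", params, new HashMap())`, but the query added to EP.hbm.xml in this same commit is named `getEPUserByOrgUserId`; unless a query with the former name is already defined in another mapping file, the lookup fails at runtime, the catch block logs it as BeDaoSystemError and the method returns null, so the defect would surface only as "no match" on every login that takes this path. Change the call to `list = dataAccessService.executeNamedQuery("getEPUserByOrgUserId", params, new HashMap());` (or rename the query in the XML), and since the error path here is indistinguishable from a miss, an integration test that exercises each of the three new named queries once would catch this class of mismatch. The two names used in the previous hunk, `getEPUserByLoginId` and `getEPUserByLoginIdLoginPwd`, do match the XML.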