summaryrefslogtreecommitdiffstats
path: root/ecomp-portal-BE-common/src
diff options
context:
space:
mode:
authorChristopher Lott (cl778h) <clott@research.att.com>2017-10-27 20:25:51 -0400
committerChristopher Lott (cl778h) <clott@research.att.com>2017-10-27 20:27:15 -0400
commit6f2918cc2a4f67b692f91e4e5a40c122a75ed402 (patch)
treef8a02864a37413a512e9d00c9575ec112539cae3 /ecomp-portal-BE-common/src
parent2b39251bbfdb1f2240bad8a293cb1f7c72137b6c (diff)
Enhance authentication to fix a vulnerability
Issue: PORTAL-137 Change-Id: I7e2a5544653ac2067da7231d878009b260dc740f Signed-off-by: Christopher Lott (cl778h) <clott@research.att.com>
Diffstat (limited to 'ecomp-portal-BE-common/src')
-rw-r--r--ecomp-portal-BE-common/src/main/java/org/openecomp/portalapp/portal/service/EPLoginServiceImpl.java76
-rw-r--r--ecomp-portal-BE-common/src/main/webapp/WEB-INF/fusion/orm/EP.hbm.xml19
2 files changed, 51 insertions, 44 deletions
diff --git a/ecomp-portal-BE-common/src/main/java/org/openecomp/portalapp/portal/service/EPLoginServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/openecomp/portalapp/portal/service/EPLoginServiceImpl.java
index f4710478..a06d89ac 100644
--- a/ecomp-portal-BE-common/src/main/java/org/openecomp/portalapp/portal/service/EPLoginServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/openecomp/portalapp/portal/service/EPLoginServiceImpl.java
@@ -41,25 +41,25 @@ import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
+import java.util.Map;
import java.util.Set;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.annotation.EnableAspectJAutoProxy;
-import org.springframework.stereotype.Service;
-import org.springframework.transaction.annotation.Transactional;
-
-import org.openecomp.portalsdk.core.logging.logic.EELFLoggerDelegate;
-import org.openecomp.portalsdk.core.menu.MenuBuilder;
-import org.openecomp.portalsdk.core.service.DataAccessService;
-import org.openecomp.portalsdk.core.service.support.FusionService;
-import org.openecomp.portalsdk.core.util.SystemProperties;
-import org.openecomp.portalsdk.core.web.support.AppUtils;
import org.openecomp.portalapp.command.EPLoginBean;
import org.openecomp.portalapp.portal.domain.EPUser;
import org.openecomp.portalapp.portal.logging.aop.EPMetricsLog;
import org.openecomp.portalapp.portal.logging.format.EPAppMessagesEnum;
import org.openecomp.portalapp.portal.logging.logic.EPLogUtil;
import org.openecomp.portalapp.util.EPUserUtils;
+import org.openecomp.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.openecomp.portalsdk.core.menu.MenuBuilder;
+import org.openecomp.portalsdk.core.service.DataAccessService;
+import org.openecomp.portalsdk.core.service.support.FusionService;
+import org.openecomp.portalsdk.core.util.SystemProperties;
+import org.openecomp.portalsdk.core.web.support.AppUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.EnableAspectJAutoProxy;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
@Service("eploginService")
@Transactional
@@ -179,43 +179,33 @@ public class EPLoginServiceImpl extends FusionService implements EPLoginService
* @param password
* @return EPUser object; null on error or if no match.
*/
+ @SuppressWarnings("rawtypes")
private EPUser findUser(String loginId, String password) {
- List<?> list = null;
-
- StringBuffer criteria = new StringBuffer();
- criteria.append(" where login_id = '").append(loginId).append("'").append(" and login_pwd = '").append(password)
- .append("'");
-
+ Map<String, String> params = new HashMap<>();
+ params.put("login_id", loginId);
+ params.put("login_pwd", password);
+ List list = null;
try {
- list = getDataAccessService().getList(EPUser.class, criteria.toString(), null, null);
+ list = dataAccessService.executeNamedQuery("getEPUserByLoginIdLoginPwd", params, new HashMap());
} catch (Exception e) {
EPLogUtil.logEcompError(logger, EPAppMessagesEnum.BeDaoSystemError, e);
- logger.error(EELFLoggerDelegate.errorLogger, "findUser(String) failed on " + loginId, e);
+ logger.error(EELFLoggerDelegate.errorLogger, "findUser failed on " + loginId, e);
}
-
- return (list == null || list.size() == 0) ? null : (EPUser) list.get(0);
+ return (list == null || list.isEmpty()) ? null : (EPUser) list.get(0);
}
- /*
- * (non-Javadoc)
- * @see org.openecomp.portalapp.portal.service.EPLoginService#findUserWithoutPwd(java.lang.String)
- */
- @Override
+ @SuppressWarnings("rawtypes")
public EPUser findUserWithoutPwd(String loginId) {
- List<?> list = null;
-
- StringBuffer criteria = new StringBuffer();
- criteria.append(" where login_id = '").append(loginId).append("'");
-
+ Map<String, String> params = new HashMap<>();
+ params.put("login_id", loginId);
+ List list = null;
try {
- list = getDataAccessService().getList(EPUser.class, criteria.toString(), null, null);
+ list = dataAccessService.executeNamedQuery("getEPUserByLoginId", params, new HashMap());
} catch (Exception e) {
EPLogUtil.logEcompError(logger, EPAppMessagesEnum.BeDaoSystemError, e);
- String message = "findUserWithoutPwd failed on " + loginId;
- logger.error(EELFLoggerDelegate.errorLogger, message, e);
+ logger.error(EELFLoggerDelegate.errorLogger, "findUserWithoutPwd failed on " + loginId, e);
}
-
- return (list == null || list.size() == 0) ? null : (EPUser) list.get(0);
+ return (list == null || list.isEmpty()) ? null : (EPUser) list.get(0);
}
/**
@@ -225,20 +215,18 @@ public class EPLoginServiceImpl extends FusionService implements EPLoginService
* @param bean
* @return EPUser object; null on error or if no match.
*/
+ @SuppressWarnings("rawtypes")
private EPUser findUser(EPLoginBean bean) {
- List<?> list = null;
-
- StringBuffer criteria = new StringBuffer();
- criteria.append(" where orgUserId = '").append(bean.getOrgUserId()).append("'");
-
+ Map<String, String> params = new HashMap<>();
+ params.put("org_user_id", bean.getOrgUserId());
+ List list = null;
try {
- list = getDataAccessService().getList(EPUser.class, criteria.toString(), null, null);
+ list = dataAccessService.executeNamedQuery("getUserByOrgUserId", params, new HashMap());
} catch (Exception e) {
EPLogUtil.logEcompError(logger, EPAppMessagesEnum.BeDaoSystemError, e);
logger.error(EELFLoggerDelegate.errorLogger, "findUser(EPLoginBean) failed", e);
}
-
- return (list == null || list.size() == 0) ? null : (EPUser) list.get(0);
+ return (list == null || list.isEmpty()) ? null : (EPUser) list.get(0);
}
public DataAccessService getDataAccessService() {
diff --git a/ecomp-portal-BE-common/src/main/webapp/WEB-INF/fusion/orm/EP.hbm.xml b/ecomp-portal-BE-common/src/main/webapp/WEB-INF/fusion/orm/EP.hbm.xml
index 8fa11e01..8fe369fa 100644
--- a/ecomp-portal-BE-common/src/main/webapp/WEB-INF/fusion/orm/EP.hbm.xml
+++ b/ecomp-portal-BE-common/src/main/webapp/WEB-INF/fusion/orm/EP.hbm.xml
@@ -1961,4 +1961,23 @@ where fn_role.app_id = fn_app.app_id and fn_app.enabled='Y' and fn_role.active_y
;
]]>
</sql-query>
+
+ <query name="getEPUserByOrgUserId">
+ <![CDATA[
+ FROM EPUser WHERE orgUserId = :org_user_id
+ ]]>
+ </query>
+
+ <query name="getEPUserByLoginId">
+ <![CDATA[
+ FROM EPUser WHERE loginId = :login_id
+ ]]>
+ </query>
+
+ <query name="getEPUserByLoginIdLoginPwd">
+ <![CDATA[
+ FROM EPUser WHERE loginId = :login_id and loginPwd = :login_pwd
+ ]]>
+ </query>
+
</hibernate-mapping>