From 6f2918cc2a4f67b692f91e4e5a40c122a75ed402 Mon Sep 17 00:00:00 2001 From: "Christopher Lott (cl778h)" Date: Fri, 27 Oct 2017 20:25:51 -0400 Subject: Enhance authentication to fix a vulnerability Issue: PORTAL-137 Change-Id: I7e2a5544653ac2067da7231d878009b260dc740f Signed-off-by: Christopher Lott (cl778h) --- .../portal/service/EPLoginServiceImpl.java | 76 +++++++++------------- .../src/main/webapp/WEB-INF/fusion/orm/EP.hbm.xml | 19 ++++++ 2 files changed, 51 insertions(+), 44 deletions(-) diff --git a/ecomp-portal-BE-common/src/main/java/org/openecomp/portalapp/portal/service/EPLoginServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/openecomp/portalapp/portal/service/EPLoginServiceImpl.java index f4710478..a06d89ac 100644 --- a/ecomp-portal-BE-common/src/main/java/org/openecomp/portalapp/portal/service/EPLoginServiceImpl.java +++ b/ecomp-portal-BE-common/src/main/java/org/openecomp/portalapp/portal/service/EPLoginServiceImpl.java @@ -41,25 +41,25 @@ import java.util.Date; import java.util.HashMap; import java.util.HashSet; import java.util.List; +import java.util.Map; import java.util.Set; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.context.annotation.EnableAspectJAutoProxy; -import org.springframework.stereotype.Service; -import org.springframework.transaction.annotation.Transactional; - -import org.openecomp.portalsdk.core.logging.logic.EELFLoggerDelegate; -import org.openecomp.portalsdk.core.menu.MenuBuilder; -import org.openecomp.portalsdk.core.service.DataAccessService; -import org.openecomp.portalsdk.core.service.support.FusionService; -import org.openecomp.portalsdk.core.util.SystemProperties; -import org.openecomp.portalsdk.core.web.support.AppUtils; import org.openecomp.portalapp.command.EPLoginBean; import org.openecomp.portalapp.portal.domain.EPUser; import org.openecomp.portalapp.portal.logging.aop.EPMetricsLog; import org.openecomp.portalapp.portal.logging.format.EPAppMessagesEnum; import org.openecomp.portalapp.portal.logging.logic.EPLogUtil; import org.openecomp.portalapp.util.EPUserUtils; +import org.openecomp.portalsdk.core.logging.logic.EELFLoggerDelegate; +import org.openecomp.portalsdk.core.menu.MenuBuilder; +import org.openecomp.portalsdk.core.service.DataAccessService; +import org.openecomp.portalsdk.core.service.support.FusionService; +import org.openecomp.portalsdk.core.util.SystemProperties; +import org.openecomp.portalsdk.core.web.support.AppUtils; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.EnableAspectJAutoProxy; +import org.springframework.stereotype.Service; +import org.springframework.transaction.annotation.Transactional; @Service("eploginService") @Transactional @@ -179,43 +179,33 @@ public class EPLoginServiceImpl extends FusionService implements EPLoginService * @param password * @return EPUser object; null on error or if no match. */ + @SuppressWarnings("rawtypes") private EPUser findUser(String loginId, String password) { - List list = null; - - StringBuffer criteria = new StringBuffer(); - criteria.append(" where login_id = '").append(loginId).append("'").append(" and login_pwd = '").append(password) - .append("'"); - + Map params = new HashMap<>(); + params.put("login_id", loginId); + params.put("login_pwd", password); + List list = null; try { - list = getDataAccessService().getList(EPUser.class, criteria.toString(), null, null); + list = dataAccessService.executeNamedQuery("getEPUserByLoginIdLoginPwd", params, new HashMap()); } catch (Exception e) { EPLogUtil.logEcompError(logger, EPAppMessagesEnum.BeDaoSystemError, e); - logger.error(EELFLoggerDelegate.errorLogger, "findUser(String) failed on " + loginId, e); + logger.error(EELFLoggerDelegate.errorLogger, "findUser failed on " + loginId, e); } - - return (list == null || list.size() == 0) ? null : (EPUser) list.get(0); + return (list == null || list.isEmpty()) ? null : (EPUser) list.get(0); } - /* - * (non-Javadoc) - * @see org.openecomp.portalapp.portal.service.EPLoginService#findUserWithoutPwd(java.lang.String) - */ - @Override + @SuppressWarnings("rawtypes") public EPUser findUserWithoutPwd(String loginId) { - List list = null; - - StringBuffer criteria = new StringBuffer(); - criteria.append(" where login_id = '").append(loginId).append("'"); - + Map params = new HashMap<>(); + params.put("login_id", loginId); + List list = null; try { - list = getDataAccessService().getList(EPUser.class, criteria.toString(), null, null); + list = dataAccessService.executeNamedQuery("getEPUserByLoginId", params, new HashMap()); } catch (Exception e) { EPLogUtil.logEcompError(logger, EPAppMessagesEnum.BeDaoSystemError, e); - String message = "findUserWithoutPwd failed on " + loginId; - logger.error(EELFLoggerDelegate.errorLogger, message, e); + logger.error(EELFLoggerDelegate.errorLogger, "findUserWithoutPwd failed on " + loginId, e); } - - return (list == null || list.size() == 0) ? null : (EPUser) list.get(0); + return (list == null || list.isEmpty()) ? null : (EPUser) list.get(0); } /** @@ -225,20 +215,18 @@ public class EPLoginServiceImpl extends FusionService implements EPLoginService * @param bean * @return EPUser object; null on error or if no match. */ + @SuppressWarnings("rawtypes") private EPUser findUser(EPLoginBean bean) { - List list = null; - - StringBuffer criteria = new StringBuffer(); - criteria.append(" where orgUserId = '").append(bean.getOrgUserId()).append("'"); - + Map params = new HashMap<>(); + params.put("org_user_id", bean.getOrgUserId()); + List list = null; try { - list = getDataAccessService().getList(EPUser.class, criteria.toString(), null, null); + list = dataAccessService.executeNamedQuery("getUserByOrgUserId", params, new HashMap()); } catch (Exception e) { EPLogUtil.logEcompError(logger, EPAppMessagesEnum.BeDaoSystemError, e); logger.error(EELFLoggerDelegate.errorLogger, "findUser(EPLoginBean) failed", e); } - - return (list == null || list.size() == 0) ? null : (EPUser) list.get(0); + return (list == null || list.isEmpty()) ? null : (EPUser) list.get(0); } public DataAccessService getDataAccessService() { diff --git a/ecomp-portal-BE-common/src/main/webapp/WEB-INF/fusion/orm/EP.hbm.xml b/ecomp-portal-BE-common/src/main/webapp/WEB-INF/fusion/orm/EP.hbm.xml index 8fa11e01..8fe369fa 100644 --- a/ecomp-portal-BE-common/src/main/webapp/WEB-INF/fusion/orm/EP.hbm.xml +++ b/ecomp-portal-BE-common/src/main/webapp/WEB-INF/fusion/orm/EP.hbm.xml @@ -1961,4 +1961,23 @@ where fn_role.app_id = fn_app.app_id and fn_app.enabled='Y' and fn_role.active_y ; ]]> + + + + + + + + + + + + + -- cgit 1.2.3-korg