From a70761c096192e38800bf38d6c7f61f52bf72007 Mon Sep 17 00:00:00 2001 From: hb123f Date: Wed, 20 Mar 2019 12:20:44 -0400 Subject: CADI AAF Integration and merging the code Issue-ID: PORTAL-319 CADI AAF Integration and code merge Change-Id: I6e44f3b2741858d8d403b77a49ec9a0153084801 Signed-off-by: hb123f --- .../org/onap/portalapp/conf/ExternalAppConfig.java | 16 +++++--- .../onap/portalapp/filter/SecurityXssFilter.java | 47 ++++++++++++++++------ 2 files changed, 44 insertions(+), 19 deletions(-) (limited to 'ecomp-portal-BE-os/src/main/java') diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/conf/ExternalAppConfig.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/conf/ExternalAppConfig.java index 862bf399..43449b38 100644 --- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/conf/ExternalAppConfig.java +++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/conf/ExternalAppConfig.java @@ -164,15 +164,15 @@ public class ExternalAppConfig extends AppConfig implements Configurable { MDC.put(MDC_ALERT_SEVERITY, AlarmSeverityEnum.INFORMATIONAL.severity()); MDC.put(MDC_INSTANCE_UUID, SystemProperties.getProperty(SystemProperties.INSTANCE_UUID)); - if("true".equalsIgnoreCase(remotecentralizedsystemaccess)){ - importFromExternalAuth(); - } + if("true".equalsIgnoreCase(remotecentralizedsystemaccess)){ + importFromExternalAuth(); + } } catch (Exception e) { logger.error(EELFLoggerDelegate.errorLogger, "init failed", e); } } - + private void importFromExternalAuth() throws Exception { JSONArray aafAppRoles = new JSONArray(); JSONArray aafUserList = new JSONArray(); @@ -189,8 +189,8 @@ public class ExternalAppConfig extends AppConfig implements Configurable { for(int j = 0; j < aafAppRoles.length(); j++){ ObjectMapper mapper = new ObjectMapper(); String name = aafAppRoles.getJSONObject(j).getString("name"); - //String desc = aafAppRoles.getJSONObject(j).getString("description"); - //ExternalRoleDescription externalRoleDescription = mapper.readValue(desc, ExternalRoleDescription.class); +// String desc = aafAppRoles.getJSONObject(j).getString("description"); +// ExternalRoleDescription externalRoleDescription = mapper.readValue(desc, ExternalRoleDescription.class); aafUserList = externalAccessRolesService.getAllUsersByRole(name); if(aafUserList != null && aafUserList.length() > 0){ for(int k = 0; k < aafUserList.length(); k++){ @@ -222,6 +222,10 @@ public class ExternalAppConfig extends AppConfig implements Configurable { } } + public DataAccessService dataAccessService() { + return super.dataAccessService(); + } + @Override public String[] tileDefinitions() { return super.tileDefinitions(); diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java index bf09c122..25eee828 100644 --- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java +++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java @@ -44,6 +44,7 @@ import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStreamReader; import java.nio.charset.StandardCharsets; +import java.util.Enumeration; import javax.servlet.FilterChain; import javax.servlet.ReadListener; @@ -128,31 +129,51 @@ public class SecurityXssFilter extends OncePerRequestFilter { @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { + StringBuilder requestURL = new StringBuilder(request.getRequestURL().toString()); + String queryString = request.getQueryString(); + String requestUrl = ""; + if (queryString == null) { + requestUrl = requestURL.toString(); + } else { + requestUrl = requestURL.append('?').append(queryString).toString(); + } + validateRequest(requestUrl, response); + StringBuilder headerValues = new StringBuilder(); + Enumeration headerNames = request.getHeaderNames(); + while (headerNames.hasMoreElements()) { + String key = (String) headerNames.nextElement(); + String value = request.getHeader(key); + headerValues.append(value); + } + validateRequest(headerValues.toString(), response); if (validateRequestType(request)) { request = new RequestWrapper(request); String requestData = IOUtils.toString(request.getInputStream(), StandardCharsets.UTF_8.toString()); - try { - if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) { - response.setContentType(APPLICATION_JSON); - response.setStatus(HttpStatus.SC_BAD_REQUEST); - response.getWriter().write(ERROR_BAD_REQUEST); - throw new SecurityException(ERROR_BAD_REQUEST); - } - } catch (Exception e) { - logger.error(EELFLoggerDelegate.errorLogger, "doFilterInternal() failed due to BAD_REQUEST", e); - response.getWriter().close(); - return; - } + validateRequest(requestData, response); filterChain.doFilter(request, response); } else { filterChain.doFilter(request, response); } - } private boolean validateRequestType(HttpServletRequest request) { return (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT") || request.getMethod().equalsIgnoreCase("DELETE")); } + + private void validateRequest(String text, HttpServletResponse response) throws IOException { + try { + if (StringUtils.isNotBlank(text) && validator.denyXSS(text)) { + response.setContentType(APPLICATION_JSON); + response.setStatus(HttpStatus.SC_BAD_REQUEST); + response.getWriter().write(ERROR_BAD_REQUEST); + throw new SecurityException(ERROR_BAD_REQUEST); + } + } catch (Exception e) { + logger.error(EELFLoggerDelegate.errorLogger, "doFilterInternal() failed due to BAD_REQUEST", e); + response.getWriter().close(); + return; + } + } } \ No newline at end of file -- cgit 1.2.3-korg