author | Christopher Lott (cl778h) <clott@research.att.com> | 2017-10-27 18:29:04 -0400 |
---|---|---|
committer | Christopher Lott (cl778h) <clott@research.att.com> | 2017-10-27 18:29:32 -0400 |
commit | f11362ef34d550f8adff2067a136f660c1959e5e (patch) | |
tree | 9aa907d57f1aa2be733b567b25f4357ffd8b7f80 | |
parent | e22eec55bf0815dd1c303ac5fb1c6e6f211a70f0 (diff) |
Additional security fixes
Issue: PORTAL-135
Change-Id: I8574fbcd73d9a053e8a19d5a8e4219a4034b751e
Signed-off-by: Christopher Lott (cl778h) <clott@research.att.com>
3 files changed, 48 insertions, 75 deletions
diff --git a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/WEB-INF/fusion/orm/Fusion.hbm.xml b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/WEB-INF/fusion/orm/Fusion.hbm.xml index dc2e5df2..b2fa88f8 100644 --- a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/WEB-INF/fusion/orm/Fusion.hbm.xml +++ b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/WEB-INF/fusion/orm/Fusion.hbm.xml @@ -385,12 +385,7 @@ <query name="getReportSecurityRoles"> select repId, orderNo, roleId, userId, readOnlyYn from ReportUserRole where repId = :report_id and roleId is not null - </query> - -<!-- <query name="insertReportSecurityUsers"> - insert into ReportUserRole (repId, roleId, userId, readOnlyYn) values (:report_id, :role_id, :user_id, :read_only_yn) - </query> --> - + </query> <query name="deleteReportSecurityUsers"> delete from ReportUserRole where repId = :report_id and userId =:user_id @@ -402,10 +397,22 @@ <query name="getUserByProfileId"> select orgUserId from User where id = :user_id - </query> + </query> <query name="getUserIdByorgUserId"> select id from User where orgUserId = :orgUserId - </query> + </query> + + <query name="getUserByOrgUserId"> + FROM User WHERE orgUserId = :org_user_id + </query> + + <query name="getUserByLoginId"> + FROM User WHERE loginId = :login_id + </query> + + <query name="getUserByLoginIdLoginPwd"> + FROM User WHERE loginId = :login_id and loginPwd = :login_pwd + </query> </hibernate-mapping> diff --git a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/LoginServiceCentralizedImpl.java b/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/LoginServiceCentralizedImpl.java index 749fdc38..54d1267a 100644 --- a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/LoginServiceCentralizedImpl.java +++ b/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/LoginServiceCentralizedImpl.java 
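Review bot: `getUserByLoginIdLoginPwd` makes the credential check a database equality on `loginPwd`, so whatever is bound to `:login_pwd` must already be in the form the column stores, and nothing in the mapping says what that form is while the Java callers in this commit pass their `password` argument through unchanged. If the column holds a hash, every caller has to hash before calling; if it holds the raw password, the query only makes an existing problem explicit. A mapping comment would prevent misuse either way, e.g. `<!-- :login_pwd is compared verbatim against User.loginPwd; callers must supply it in the stored form -->`. An alternative that keeps the secret out of the query is to load the row with `getUserByLoginId` (added just above) and compare the credential in Java with `MessageDigest.isEqual`, which would leave this query unused.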
@@ -72,11 +72,8 @@ public class LoginServiceCentralizedImpl extends FusionService implements LoginS @Autowired private UserService userService; - @SuppressWarnings("unused") - private MenuBuilder menuBuilder; - @Override - public LoginBean findUser(LoginBean bean, String menuPropertiesFilename, Map additionalParams) throws IOException { + public LoginBean findUser(LoginBean bean, String menuPropertiesFilename, @SuppressWarnings("rawtypes") Map additionalParams) throws IOException { return findUser(bean, menuPropertiesFilename, additionalParams, true); } @@ -122,12 +119,12 @@ public class LoginServiceCentralizedImpl extends FusionService implements LoginS logger.error(EELFLoggerDelegate.errorLogger, "findUser failed", ex); } - User appuser = getUser(userCopy); + User appuser = findUserWithoutPwd(user.getLoginId()); appuser.setLastLoginDate(new Date()); // update the last logged in date for the user - getDataAccessService().saveDomainObject(appuser, additionalParams); + dataAccessService.saveDomainObject(appuser, additionalParams); // update the audit log of the user // Check for the client device type and set log attributes @@ -154,6 +151,7 @@ public class LoginServiceCentralizedImpl extends FusionService implements LoginS private boolean userHasActiveRoles(User user) { boolean hasActiveRole = false; + @SuppressWarnings("rawtypes") Iterator roles = user.getRoles().iterator(); while (roles.hasNext()) { Role role = (Role) roles.next(); 
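Review bot: In the @@ -122 hunk, `findUserWithoutPwd(user.getLoginId())` can return null (its body, visible in the next hunk, yields null on an empty result), yet the following line `appuser.setLastLoginDate(new Date())` dereferences `appuser` with no check, so a login that authenticates centrally but has no local User row ends in a NullPointerException rather than a diagnosable failure; the replaced `getUser(userCopy)` had the same null return, so this is inherited rather than introduced, but the commit does not close it. The preceding catch only logs "findUser failed", so `user` itself may also be null here, though the enclosing method starts and ends outside the hunk and that is inferred. A guard such as `if (appuser == null) { logger.error(EELFLoggerDelegate.errorLogger, "findUser: no local User row for the authenticated login id"); return bean; }`, with the return adjusted to whatever the method's existing failure path returns, would make the condition explicit.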
@@ -165,60 +163,43 @@ public class LoginServiceCentralizedImpl extends FusionService implements LoginS return hasActiveRole; } - public User findUser(LoginBean bean) throws IOException { + private User findUser(LoginBean bean) throws IOException { String repsonse = restApiRequestBuilder.getViaREST("/user/" + bean.getUserid(), true, bean.getUserid()); User user = userService.userMapper(repsonse); user.setId(getUserIdByOrgUserId(user.getOrgUserId())); return user; } - public Long getUserIdByOrgUserId(String orgUserId) { + private Long getUserIdByOrgUserId(String orgUserId) { Map<String, String> params = new HashMap<>(); params.put("orgUserId", orgUserId); @SuppressWarnings("rawtypes") - List list = getDataAccessService().executeNamedQuery("getUserIdByorgUserId", params, null); + List list = dataAccessService.executeNamedQuery("getUserIdByorgUserId", params, null); Long userId = null; if (list != null && !list.isEmpty()) userId = (Long) list.get(0); return userId; } - public User findUser(String loginId, String password) { - StringBuilder criteria = new StringBuilder(); - criteria.append(" where login_id = '").append(loginId).append("'").append(" and login_pwd = '").append(password) - .append("'"); - List list = getDataAccessService().getList(User.class, criteria.toString(), null, null); + @SuppressWarnings("rawtypes") + private User findUser(String loginId, String password) { + Map<String,String> params = new HashMap<>(); + params.put("login_id", loginId); + params.put("login_pwd", password); + List list = dataAccessService.executeNamedQuery("getUserByLoginIdLoginPwd", params, new HashMap()); return (list == null || list.isEmpty()) ? 
null : (User) list.get(0); } + @SuppressWarnings("rawtypes") private User findUserWithoutPwd(String loginId) { - StringBuilder criteria = new StringBuilder(); - criteria.append(" where login_id = '").append(loginId).append("'"); - List list = getDataAccessService().getList(User.class, criteria.toString(), null, null); + Map<String,String> params = new HashMap<>(); + params.put("login_id", loginId); + List list = dataAccessService.executeNamedQuery("getUserByLoginId", params, new HashMap()); return (list == null || list.isEmpty()) ? null : (User) list.get(0); } - public DataAccessService getDataAccessService() { - return dataAccessService; - } - - public void setDataAccessService(DataAccessService dataAccessService) { - this.dataAccessService = dataAccessService; - } - - public MenuBuilder getMenuBuilder() { + private MenuBuilder getMenuBuilder() { return new MenuBuilder(); } - public void setMenuBuilder(MenuBuilder menuBuilder) { - this.menuBuilder = menuBuilder; - } - - public User getUser(User user) { - StringBuilder criteria = new StringBuilder(); - criteria.append(" where login_id = '").append(user.getLoginId()).append("'"); - List list = getDataAccessService().getList(User.class, criteria.toString(), null, null); - return (list == null || list.isEmpty()) ? null : (User) list.get(0); - } - } diff --git a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/LoginServiceImpl.java b/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/LoginServiceImpl.java index 4d240972..d16a86d8 100644 --- a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/LoginServiceImpl.java +++ b/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/LoginServiceImpl.java @@ -38,6 +38,7 @@ package org.onap.portalsdk.core.service; import java.util.Date; +import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; import java.util.List; 
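Review bot: The parameterised named queries remove the HQL built from `loginId`/`password` strings, but the unchanged first line of `findUser(LoginBean bean)` still concatenates `bean.getUserid()` into the REST path `"/user/" + bean.getUserid()` without encoding, so a user id containing path or query characters addresses a different resource on the central service; `"/user/" + URLEncoder.encode(bean.getUserid(), "UTF-8")` keeps the id inside one path segment. In the new `findUser(String loginId, String password)` the submitted `password` is bound unchanged to `:login_pwd` and compared by the database against `loginPwd`; whether that column holds a hash is not visible here, and if it does the caller must hash first, whereas loading by `loginId` via `getUserByLoginId` and comparing in Java with `MessageDigest.isEqual` would avoid sending the credential into the query at all. The same applies to the identical method in LoginServiceImpl's @@ -159 hunk. That method is now private and nothing in these hunks calls it, so unless a caller outside the visible lines uses it, it may simply be dead code that can go along with the query.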
@@ -61,9 +62,6 @@ public class LoginServiceImpl extends FusionService implements LoginService { private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(LoginServiceImpl.class); - @SuppressWarnings("unused") - private MenuBuilder menuBuilder; - @Autowired private DataAccessService dataAccessService; @@ -89,7 +87,6 @@ public class LoginServiceImpl extends FusionService implements LoginService { } if (user != null) { - // raise an error if the application is locked and the user does not have system // administrator privileges if (AppUtils.isApplicationLocked() @@ -120,7 +117,7 @@ public class LoginServiceImpl extends FusionService implements LoginService { // update the last logged in date for the user user.setLastLoginDate(new Date()); - getDataAccessService().saveDomainObject(user, additionalParams); + dataAccessService.saveDomainObject(user, additionalParams); // update the audit log of the user // Check for the client device type and set log attributes appropriately 
@@ -159,44 +156,32 @@ public class LoginServiceImpl extends FusionService implements LoginService { } @SuppressWarnings("rawtypes") - public User findUser(String loginId, String password) { - StringBuilder criteria = new StringBuilder(); - criteria.append(" where login_id = '").append(loginId).append("'").append(" and login_pwd = '").append(password) - .append("'"); - List list = getDataAccessService().getList(User.class, criteria.toString(), null, null); + private User findUser(String loginId, String password) { + Map<String, String> params = new HashMap<>(); + params.put("login_id", loginId); + params.put("login_pwd", password); + List list = dataAccessService.executeNamedQuery("getUserByLoginIdLoginPwd", params, new HashMap()); return (list == null || list.isEmpty()) ? null : (User) list.get(0); } @SuppressWarnings("rawtypes") private User findUserWithoutPwd(String loginId) { - StringBuilder criteria = new StringBuilder(); - criteria.append(" where login_id = '").append(loginId).append("'"); - List list = getDataAccessService().getList(User.class, criteria.toString(), null, null); + Map<String, String> params = new HashMap<>(); + params.put("login_id", loginId); + List list = dataAccessService.executeNamedQuery("getUserByLoginId", params, new HashMap()); return (list == null || list.isEmpty()) ? null : (User) list.get(0); } @SuppressWarnings("rawtypes") - public User findUser(LoginBean bean) { - StringBuilder criteria = new StringBuilder(); - criteria.append(" where org_user_id = '").append(bean.getUserid()).append("'"); - List list = getDataAccessService().getList(User.class, criteria.toString(), null, null); + private User findUser(LoginBean bean) { + Map<String, String> params = new HashMap<>(); + params.put("org_user_id", bean.getUserid()); + List list = dataAccessService.executeNamedQuery("getUserByOrgUserId", params, new HashMap()); return (list == null || list.isEmpty()) ? 
null : (User) list.get(0); } - public MenuBuilder getMenuBuilder() { + private MenuBuilder getMenuBuilder() { return new MenuBuilder(); } - public void setMenuBuilder(MenuBuilder menuBuilder) { - this.menuBuilder = menuBuilder; - } - - public DataAccessService getDataAccessService() { - return dataAccessService; - } - - public void setDataAccessService(DataAccessService dataAccessService) { - this.dataAccessService = dataAccessService; - } - } |
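Review bot: The three lookups in this hunk repeat the same `(list == null || list.isEmpty()) ? null : (User) list.get(0)` tail and the same raw `new HashMap()` third argument; a small private helper, `private static User firstOrNull(List<?> list) { return (list == null || list.isEmpty()) ? null : (User) list.get(0); }`, would make the three methods one-liners and confine the `@SuppressWarnings("rawtypes")` to one place. It also gives one place to document that a null return means "no such user", which callers rely on without checking (see the `appuser.setLastLoginDate` line in LoginServiceCentralizedImpl's @@ -122 hunk). Removing `setDataAccessService` and `setMenuBuilder` is fine for the `@Autowired` field shown in the @@ -61 hunk, but any Spring XML or test fixture that wired these beans through the setters will now fail at context start, which is worth confirming before merge.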