author | Christopher Lott (cl778h) <clott@research.att.com> | 2017-10-20 08:22:19 -0400 |
---|---|---|
committer | Christopher Lott (cl778h) <clott@research.att.com> | 2017-10-20 08:44:33 -0400 |
commit | e3982f6c2a13c903947a66d89e1af1ccbb161e5f (patch) | |
tree | 07db289541228dfaef258c267dd33635c33ebb34 /ecomp-sdk/epsdk-app-os | |
parent | ddd8720d597fc9053a455b10445fb253adbc4bf7 (diff) |
Role management; security vulnerabilities.
Extend user/role management interface to allow role deletion.
Add filters to defend against common web JavaScript attacks.
Drop Greensock code with unusable license.
Use OParent in EPSDK web application.
Issue: US324470, US342324, PORTAL-127
Change-Id: I3a10744fbbbdbda7c88d2b2e542e72e779c9b142
Signed-off-by: Christopher Lott (cl778h) <clott@research.att.com>
Diffstat (limited to 'ecomp-sdk/epsdk-app-os')
-rw-r--r-- | ecomp-sdk/epsdk-app-os/README.md | 2 | ||||
-rw-r--r-- | ecomp-sdk/epsdk-app-os/pom.xml | 130 | ||||
-rw-r--r-- | ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java | 130 | ||||
-rw-r--r-- | ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml | 10 |
4 files changed, 153 insertions, 119 deletions
diff --git a/ecomp-sdk/epsdk-app-os/README.md b/ecomp-sdk/epsdk-app-os/README.md
index 1ac4a142..d9d7fb68 100644
--- a/ecomp-sdk/epsdk-app-os/README.md
+++ b/ecomp-sdk/epsdk-app-os/README.md
@@ -21,7 +21,7 @@ Version 1.4.0, <?day> <?month> 2017 - PORTAL-90 Use approved ONAP license text - Portal-86 Remove application specific usages from tests and other files (rework) - Portal-104 Replaced the sql connector to maria db - +- Portal-127 Remove GreenSock license code from b2b library * Put new entries here * Version 1.3.0, 28 August 2017
diff --git a/ecomp-sdk/epsdk-app-os/pom.xml b/ecomp-sdk/epsdk-app-os/pom.xml
index 54bb65eb..469cf37a 100644
--- a/ecomp-sdk/epsdk-app-os/pom.xml
+++ b/ecomp-sdk/epsdk-app-os/pom.xml
@@ -4,142 +4,38 @@ <!-- This is the Maven project object model (POM) file for the open-source SDK web app. This is NOT the Portal - but it is developed and supported by the Portal team. --> - <groupId>org.onap.portal.sdk</groupId> + + <parent> + <groupId>org.onap.portal.sdk</groupId> + <artifactId>epsdk-project</artifactId> + <version>1.4.0-SNAPSHOT</version> + </parent> + + <!-- GroupId is inherited from parent --> <artifactId>epsdk-app-os</artifactId> - <version>1.4.0-SNAPSHOT</version> + <!-- Version is inherited from parent --> <packaging>war</packaging> <name>ONAP Portal SDK Webapp for OpenSource</name> <description>ONAP Portal SDK Web Application for public release</description> - <!-- OParent provides license audit, code audit, distribution management, - etc. But jenkins build fails, so comment out for now. - <parent> - <groupId>org.onap.oparent</groupId> - <artifactId>oparent</artifactId> - <version>0.1.0</version> - <relativePath/> - </parent> - --> - <properties> - <encoding>UTF-8</encoding> - <epsdk.version>1.4.0-SNAPSHOT</epsdk.version> - <springframework.version>4.2.0.RELEASE</springframework.version> - <hibernate.version>4.3.11.Final</hibernate.version> + <!-- This determines the EPSDK library versions, helpful for testing --> + <epsdk.version>${project.version}</epsdk.version> <!-- Skip assembling the zip; assemble via mvn -Dskipassembly=false .. --> <skipassembly>true</skipassembly> <!-- Tests usually require some setup that maven cannot do, so skip. 
--> <skiptests>true</skiptests> </properties> - <repositories> - <repository> - <id>onap-releases</id> - <name>ONAP - Release Repository</name> - <url>https://nexus.onap.org/content/repositories/releases</url> - </repository> - <repository> - <id>onap-staging</id> - <name>ONAP - Staging Repository</name> - <url>https://nexus.onap.org/content/repositories/staging</url> - </repository> - <repository> - <id>onap-snapshots</id> - <name>ONAP - Snapshot Repository</name> - <url>https://nexus.onap.org/content/repositories/snapshots</url> - </repository> - <repository> - <id>onap-public</id> - <name>ONAP public Repository</name> - <url>https://nexus.onap.org/content/groups/public</url> - </repository> - </repositories> - <pluginRepositories> - <pluginRepository> - <id>releases</id> - <name>ONAP - Release Repository</name> - <url>https://nexus.onap.org/content/repositories/releases</url> - </pluginRepository> - <pluginRepository> - <id>staging</id> - <name>ONAP - Staging Repository</name> - <url>https://nexus.onap.org/content/repositories/staging</url> - </pluginRepository> - <pluginRepository> - <id>snapshots</id> - <name>ONAP - Snapshot Repository</name> - <url>https://nexus.onap.org/content/repositories/snapshots</url> - </pluginRepository> - </pluginRepositories> + <!-- repositories are inherited from parent --> - <profiles> - <!-- disable doclint, a new feature in Java 8, when generating javadoc --> - <profile> - <id>doclint-java8-disable</id> - <activation> - <jdk>[1.8,)</jdk> - </activation> - <build> - <plugins> - <plugin> - <groupId>org.apache.maven.plugins</groupId> - <artifactId>maven-javadoc-plugin</artifactId> - <version>2.10.4</version> - <configuration> - <additionalparam>-Xdoclint:none</additionalparam> - </configuration> - </plugin> - </plugins> - </build> - </profile> - </profiles> + <!-- profiles are inherited from parent --> <build> <!-- The war file name carries no version number --> <finalName>${project.artifactId}</finalName> - <pluginManagement> - 
<plugins> - <!-- Silence Eclipse/m2e complaints about checkstyle plugin brought in by OParent --> - <plugin> - <groupId>org.eclipse.m2e</groupId> - <artifactId>lifecycle-mapping</artifactId> - <version>1.0.0</version> - <configuration> - <lifecycleMappingMetadata> - <pluginExecutions> - <pluginExecution> - <pluginExecutionFilter> - <groupId>org.apache.maven.plugins</groupId> - <artifactId>maven-checkstyle-plugin</artifactId> - <versionRange>2.17,)</versionRange> - <goals> - <goal>check</goal> - </goals> - </pluginExecutionFilter> - <action> - <ignore /> - </action> - </pluginExecution> - </pluginExecutions> - </lifecycleMappingMetadata> - </configuration> - </plugin> - </plugins> - </pluginManagement> - <plugins> - <!-- Compile to Java 1.8 class output format --> - <plugin> - <groupId>org.apache.maven.plugins</groupId> - <artifactId>maven-compiler-plugin</artifactId> - <version>3.1</version> - <configuration> - <source>1.8</source> - <target>1.8</target> - </configuration> - </plugin> - <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-surefire-plugin</artifactId> diff --git a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java new file mode 100644 index 00000000..b3ebed73 --- /dev/null +++ b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java 
@@ -0,0 +1,130 @@
+
+/*-
+ * ============LICENSE_START==========================================
+ * ONAP Portal
+ * ===================================================================
+ * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * ===================================================================
+ *
+ * Unless otherwise specified, all software contained herein is licensed
+ * under the Apache License, Version 2.0 (the "License");
+ * you may not use this software except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Unless otherwise specified, all documentation contained herein is licensed
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
+ * you may not use this documentation except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://creativecommons.org/licenses/by/4.0/
+ *
+ * Unless required by applicable law or agreed to in writing, documentation
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * ============LICENSE_END============================================
+ *
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ */
+package org.onap.portalapp.filter;
+
+import java.io.IOException;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+
+import org.apache.commons.lang.StringUtils;
+import org.onap.portalapp.util.SecurityXssValidator;
+import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+
+public class SecurityXssFilter implements Filter {
+
+ private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class);
+
+ private SecurityXssValidator validator = SecurityXssValidator.getInstance();
+
+ class SecurityRequestWrapper extends HttpServletRequestWrapper {
+
+ public SecurityRequestWrapper(HttpServletRequest servletRequest) {
+ super(servletRequest);
+ }
+
+ @Override
+ public String[] getParameterValues(String parameter) {
+ String[] values = super.getParameterValues(parameter);
+
+ if (values == null) {
+ return null;
+ }
+
+ int count = values.length;
+ String[] encodedValues = new String[count];
+ for (int i = 0; i < count; i++) {
+ encodedValues[i] = stripXss(values[i]);
+
+ }
+
+ return encodedValues;
+ }
+
+ private String stripXss(String value) {
+
+
+ return validator.stripXSS(value);
+ }
+
+ @Override
+ public String getParameter(String parameter) {
+ String value = super.getParameter(parameter);
+ if (StringUtils.isNotBlank(value)) {
+ value = stripXss(value);
+ }
+ return value;
+ }
+
+ @Override
+ public String getHeader(String name) {
+ String value = super.getHeader(name);
+ if (StringUtils.isNotBlank(value)) {
+ value = stripXss(value);
+ }
+ return value;
+ }
+ }
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ }
+
+ @Override
+ public void destroy() {
+ }
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+ throws IOException, ServletException {
+
+ try {
+
+ chain.doFilter(new SecurityRequestWrapper((HttpServletRequest) request), response);
+ } catch (Exception e) {
+ logger.error(EELFLoggerDelegate.errorLogger, "doFilter() failed", e);
+ }
+ }
+
+}
diff --git a/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml b/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml
index 0290f1fc..7441508a 100644
--- a/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml
+++ b/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml
@@ -10,8 +10,16 @@ <distributable /> <session-config> - <session-timeout>7</session-timeout> + <session-timeout>30</session-timeout> <tracking-mode>COOKIE</tracking-mode> </session-config> + <filter> + <filter-name>SecurityXssFilter</filter-name> + <filter-class>org.onap.portalapp.filtersss.SecurityXssFilter</filter-class> + </filter> + <filter-mapping> + <filter-name>SecurityXssFilter</filter-name> + <url-pattern>/*</url-pattern> + </filter-mapping> </web-app>
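Review bot: `doFilter` catches every `Exception` thrown further down the chain and only logs it, so a downstream failure never reaches the container's error handling and the client receives whatever was already written, typically with a 200 status; the method already declares `IOException, ServletException`, so those should propagate and anything else be wrapped in a `ServletException`. `HttpServletRequestWrapper.getParameterMap()` and `getParameterNames()` delegate to the wrapped request rather than to the overridden `getParameter`/`getParameterValues`, so a consumer that reads the parameter map gets the unstripped values, and request bodies other than form parameters are not covered by this wrapper at all. `getParameterValues` hands each raw element to `stripXss` without the `isNotBlank` guard used by `getParameter` and `getHeader`, which presumably relies on `SecurityXssValidator.stripXSS` accepting empty input — worth confirming against that class. Input stripping of this kind is a secondary layer, the primary XSS defence remains output encoding in the views, and a class comment saying so would help the next maintainer. The sketch below rethrows in `doFilter` and adds a `getParameterMap` override, which needs `java.util.Map`, `java.util.LinkedHashMap` and `java.util.Collections` imported.
```java
		// … unchanged: constructor and getParameterValues …

		@Override
		public Map<String, String[]> getParameterMap() {
			Map<String, String[]> stripped = new LinkedHashMap<>();
			for (String name : super.getParameterMap().keySet()) {
				// getParameterValues() already applies stripXss() to every element
				stripped.put(name, getParameterValues(name));
			}
			return Collections.unmodifiableMap(stripped);
		}

	// … unchanged: stripXss, getParameter, getHeader, end of SecurityRequestWrapper, init, destroy …

	@Override
	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
			throws IOException, ServletException {
		try {
			chain.doFilter(new SecurityRequestWrapper((HttpServletRequest) request), response);
		} catch (IOException | ServletException e) {
			// log, but let the container's error handling see the failure
			logger.error(EELFLoggerDelegate.errorLogger, "doFilter() failed", e);
			throw e;
		} catch (RuntimeException e) {
			logger.error(EELFLoggerDelegate.errorLogger, "doFilter() failed", e);
			throw new ServletException("doFilter() failed", e);
		}
	}
```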
\ No newline at end of file |
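Review bot: The `filter-class` value `org.onap.portalapp.filtersss.SecurityXssFilter` does not match the package declared in the new class, `org.onap.portalapp.filter`, so the container will fail to load the filter at startup and the XSS filter this commit introduces is never applied; it should read `<filter-class>org.onap.portalapp.filter.SecurityXssFilter</filter-class>`. The `session-timeout` change from 7 to 30 minutes widens the window in which an abandoned session stays usable and is not mentioned in the commit message, so the reason is worth recording in a comment next to the element, e.g. `<!-- 30 minutes: <reason> -->`.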