authorChristopher Lott (cl778h) <clott@research.att.com>2017-10-20 08:22:19 -0400
committerChristopher Lott (cl778h) <clott@research.att.com>2017-10-20 08:44:33 -0400
commite3982f6c2a13c903947a66d89e1af1ccbb161e5f (patch)
tree07db289541228dfaef258c267dd33635c33ebb34 /ecomp-sdk/epsdk-app-os
parentddd8720d597fc9053a455b10445fb253adbc4bf7 (diff)
Role management; security vulnerabilities.
Extend user/role management interface to allow role deletion. Add filters to defend against common web Javascript attacks. Drop Greensock code with unusable license. Use OParent in EPSDK web application. Issue: US324470, US342324, PORTAL-127 Change-Id: I3a10744fbbbdbda7c88d2b2e542e72e779c9b142 Signed-off-by: Christopher Lott (cl778h) <clott@research.att.com>
Diffstat (limited to 'ecomp-sdk/epsdk-app-os')
-rw-r--r--ecomp-sdk/epsdk-app-os/README.md2
-rw-r--r--ecomp-sdk/epsdk-app-os/pom.xml130
-rw-r--r--ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java130
-rw-r--r--ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml10
4 files changed, 153 insertions, 119 deletions
diff --git a/ecomp-sdk/epsdk-app-os/README.md b/ecomp-sdk/epsdk-app-os/README.md
index 1ac4a142..d9d7fb68 100644
--- a/ecomp-sdk/epsdk-app-os/README.md
+++ b/ecomp-sdk/epsdk-app-os/README.md
@@ -21,7 +21,7 @@ Version 1.4.0, <?day> <?month> 2017
- PORTAL-90 Use approved ONAP license text
- Portal-86 Remove application specific usages from tests and other files (rework)
- Portal-104 Replaced the sql connector to maria db
-
+- Portal-127 Remove GreenSock license code from b2b library
* Put new entries here *
Version 1.3.0, 28 August 2017
diff --git a/ecomp-sdk/epsdk-app-os/pom.xml b/ecomp-sdk/epsdk-app-os/pom.xml
index 54bb65eb..469cf37a 100644
--- a/ecomp-sdk/epsdk-app-os/pom.xml
+++ b/ecomp-sdk/epsdk-app-os/pom.xml
@@ -4,142 +4,38 @@
<!-- This is the Maven project object model (POM) file for the open-source SDK web app.
This is NOT the Portal - but it is developed and supported by the Portal team. -->
- <groupId>org.onap.portal.sdk</groupId>
+
+ <parent>
+ <groupId>org.onap.portal.sdk</groupId>
+ <artifactId>epsdk-project</artifactId>
+ <version>1.4.0-SNAPSHOT</version>
+ </parent>
+
+ <!-- GroupId is inherited from parent -->
<artifactId>epsdk-app-os</artifactId>
- <version>1.4.0-SNAPSHOT</version>
+ <!-- Version is inherited from parent -->
<packaging>war</packaging>
<name>ONAP Portal SDK Webapp for OpenSource</name>
<description>ONAP Portal SDK Web Application for public release</description>
- <!-- OParent provides license audit, code audit, distribution management,
- etc. But jenkins build fails, so comment out for now.
- <parent>
- <groupId>org.onap.oparent</groupId>
- <artifactId>oparent</artifactId>
- <version>0.1.0</version>
- <relativePath/>
- </parent>
- -->
-
<properties>
- <encoding>UTF-8</encoding>
- <epsdk.version>1.4.0-SNAPSHOT</epsdk.version>
- <springframework.version>4.2.0.RELEASE</springframework.version>
- <hibernate.version>4.3.11.Final</hibernate.version>
+ <!-- This determines the EPSDK library versions, helpful for testing -->
+ <epsdk.version>${project.version}</epsdk.version>
<!-- Skip assembling the zip; assemble via mvn -Dskipassembly=false .. -->
<skipassembly>true</skipassembly>
<!-- Tests usually require some setup that maven cannot do, so skip. -->
<skiptests>true</skiptests>
</properties>
- <repositories>
- <repository>
- <id>onap-releases</id>
- <name>ONAP - Release Repository</name>
- <url>https://nexus.onap.org/content/repositories/releases</url>
- </repository>
- <repository>
- <id>onap-staging</id>
- <name>ONAP - Staging Repository</name>
- <url>https://nexus.onap.org/content/repositories/staging</url>
- </repository>
- <repository>
- <id>onap-snapshots</id>
- <name>ONAP - Snapshot Repository</name>
- <url>https://nexus.onap.org/content/repositories/snapshots</url>
- </repository>
- <repository>
- <id>onap-public</id>
- <name>ONAP public Repository</name>
- <url>https://nexus.onap.org/content/groups/public</url>
- </repository>
- </repositories>
- <pluginRepositories>
- <pluginRepository>
- <id>releases</id>
- <name>ONAP - Release Repository</name>
- <url>https://nexus.onap.org/content/repositories/releases</url>
- </pluginRepository>
- <pluginRepository>
- <id>staging</id>
- <name>ONAP - Staging Repository</name>
- <url>https://nexus.onap.org/content/repositories/staging</url>
- </pluginRepository>
- <pluginRepository>
- <id>snapshots</id>
- <name>ONAP - Snapshot Repository</name>
- <url>https://nexus.onap.org/content/repositories/snapshots</url>
- </pluginRepository>
- </pluginRepositories>
+ <!-- repositories are inherited from parent -->
- <profiles>
- <!-- disable doclint, a new feature in Java 8, when generating javadoc -->
- <profile>
- <id>doclint-java8-disable</id>
- <activation>
- <jdk>[1.8,)</jdk>
- </activation>
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-javadoc-plugin</artifactId>
- <version>2.10.4</version>
- <configuration>
- <additionalparam>-Xdoclint:none</additionalparam>
- </configuration>
- </plugin>
- </plugins>
- </build>
- </profile>
- </profiles>
+ <!-- profiles are inherited from parent -->
<build>
<!-- The war file name carries no version number -->
<finalName>${project.artifactId}</finalName>
- <pluginManagement>
- <plugins>
- <!-- Silence Eclipse/m2e complaints about checkstyle plugin brought in by OParent -->
- <plugin>
- <groupId>org.eclipse.m2e</groupId>
- <artifactId>lifecycle-mapping</artifactId>
- <version>1.0.0</version>
- <configuration>
- <lifecycleMappingMetadata>
- <pluginExecutions>
- <pluginExecution>
- <pluginExecutionFilter>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-checkstyle-plugin</artifactId>
- <versionRange>2.17,)</versionRange>
- <goals>
- <goal>check</goal>
- </goals>
- </pluginExecutionFilter>
- <action>
- <ignore />
- </action>
- </pluginExecution>
- </pluginExecutions>
- </lifecycleMappingMetadata>
- </configuration>
- </plugin>
- </plugins>
- </pluginManagement>
-
<plugins>
- <!-- Compile to Java 1.8 class output format -->
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-compiler-plugin</artifactId>
- <version>3.1</version>
- <configuration>
- <source>1.8</source>
- <target>1.8</target>
- </configuration>
- </plugin>
-
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
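Review bot: The removed `springframework.version`, `hibernate.version` and `encoding` properties, the compiler-plugin 1.8 settings and the Nexus repository list must now come from `epsdk-project`, and nothing in this hunk shows that the parent defines them. If the dependencies section further down (outside this hunk) still references `${springframework.version}` or `${hibernate.version}`, resolution fails unless the parent declares properties with the same names. The commit message says OParent is used, but the new `<parent>` is `epsdk-project`; if that project inherits from OParent, a comment such as `<!-- epsdk-project inherits from OParent -->` above the `<parent>` element would make the chain explicit. The `<build>` section continues outside the hunk.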
diff --git a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
new file mode 100644
index 00000000..b3ebed73
--- /dev/null
+++ b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
@@ -0,0 +1,130 @@
+
+/*-
+ * ============LICENSE_START==========================================
+ * ONAP Portal
+ * ===================================================================
+ * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * ===================================================================
+ *
+ * Unless otherwise specified, all software contained herein is licensed
+ * under the Apache License, Version 2.0 (the "License");
+ * you may not use this software except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Unless otherwise specified, all documentation contained herein is licensed
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
+ * you may not use this documentation except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://creativecommons.org/licenses/by/4.0/
+ *
+ * Unless required by applicable law or agreed to in writing, documentation
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * ============LICENSE_END============================================
+ *
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ */
+package org.onap.portalapp.filter;
+
+import java.io.IOException;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+
+import org.apache.commons.lang.StringUtils;
+import org.onap.portalapp.util.SecurityXssValidator;
+import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+
+public class SecurityXssFilter implements Filter {
+
+ private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class);
+
+ private SecurityXssValidator validator = SecurityXssValidator.getInstance();
+
+ class SecurityRequestWrapper extends HttpServletRequestWrapper {
+
+ public SecurityRequestWrapper(HttpServletRequest servletRequest) {
+ super(servletRequest);
+ }
+
+ @Override
+ public String[] getParameterValues(String parameter) {
+ String[] values = super.getParameterValues(parameter);
+
+ if (values == null) {
+ return null;
+ }
+
+ int count = values.length;
+ String[] encodedValues = new String[count];
+ for (int i = 0; i < count; i++) {
+ encodedValues[i] = stripXss(values[i]);
+
+ }
+
+ return encodedValues;
+ }
+
+ private String stripXss(String value) {
+
+
+ return validator.stripXSS(value);
+ }
+
+ @Override
+ public String getParameter(String parameter) {
+ String value = super.getParameter(parameter);
+ if (StringUtils.isNotBlank(value)) {
+ value = stripXss(value);
+ }
+ return value;
+ }
+
+ @Override
+ public String getHeader(String name) {
+ String value = super.getHeader(name);
+ if (StringUtils.isNotBlank(value)) {
+ value = stripXss(value);
+ }
+ return value;
+ }
+ }
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ }
+
+ @Override
+ public void destroy() {
+ }
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+ throws IOException, ServletException {
+
+ try {
+
+ chain.doFilter(new SecurityRequestWrapper((HttpServletRequest) request), response);
+ } catch (Exception e) {
+ logger.error(EELFLoggerDelegate.errorLogger, "doFilter() failed", e);
+ }
+ }
+
+}
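Review bot: The `catch (Exception e)` in `doFilter` logs and then drops every exception thrown by the rest of the chain, so a failing servlet or downstream filter never reaches the container's error handling and the client may get an empty or partial response. Add `throw e;` after the `logger.error(...)` call (precise rethrow keeps the declared `IOException, ServletException`), or remove the try/catch. In `SecurityRequestWrapper`, `getParameterValues` passes each element to `stripXss` without the `StringUtils.isNotBlank` guard that `getParameter` and `getHeader` use, so its behaviour on empty values depends on `SecurityXssValidator.stripXSS`, which is not visible here. The wrapper covers only `getParameter`, `getParameterValues` and `getHeader`; code that reads `getParameterMap()`, `getHeaders()`, the query string or the request body still sees unfiltered values, so output encoding in the views remains necessary. A class-level Javadoc stating that scope would help.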
diff --git a/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml b/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml
index 0290f1fc..7441508a 100644
--- a/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml
+++ b/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml
@@ -10,8 +10,16 @@
<distributable />
<session-config>
- <session-timeout>7</session-timeout>
+ <session-timeout>30</session-timeout>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
+ <filter>
+ <filter-name>SecurityXssFilter</filter-name>
+ <filter-class>org.onap.portalapp.filtersss.SecurityXssFilter</filter-class>
+ </filter>
+ <filter-mapping>
+ <filter-name>SecurityXssFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
</web-app>
\ No newline at end of file
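Review bot: The `<filter-class>` value `org.onap.portalapp.filtersss.SecurityXssFilter` does not match the package of the class added in this commit (`org.onap.portalapp.filter`), so the container will not find the class. The filter is then either not applied or the web application fails to start. It should read `<filter-class>org.onap.portalapp.filter.SecurityXssFilter</filter-class>`. The same hunk raises `<session-timeout>` from 7 to 30 minutes, which lengthens the window in which an idle session stays valid and is not mentioned in the commit message; a comment giving the reason would help.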