summaryrefslogtreecommitdiffstats
path: root/ecomp-sdk/epsdk-core
diff options
context:
space:
mode:
authorst782s <statta@research.att.com>2017-11-02 17:05:10 -0400
committerst782s <statta@research.att.com>2017-11-02 17:07:34 -0400
commita37fe92b5daca76aabd50ff1e6920670b30b84ee (patch)
tree35c4bf73f1235830054967352a816e0f05329599 /ecomp-sdk/epsdk-core
parent5eb302b890ef11d7bab5b27b91c77c5d9175a7f4 (diff)
Handle Session issues and security vulnerability login issue to by preventing sql injection attack Issue: PORTAL-137 Change-Id: I16eeacd6958af1a8274259e5dc0a008c5f64fb9f Signed-off-by: st782s <statta@research.att.com>
Diffstat (limited to 'ecomp-sdk/epsdk-core')
-rw-r--r--ecomp-sdk/epsdk-core/README.md3
-rw-r--r--ecomp-sdk/epsdk-core/pom.xml2
-rw-r--r--ecomp-sdk/epsdk-core/src/main/java/org/openecomp/portalsdk/core/service/LoginServiceCentralizedImpl.java113
-rw-r--r--ecomp-sdk/epsdk-core/src/main/java/org/openecomp/portalsdk/core/service/LoginServiceImpl.java257
4 files changed, 158 insertions, 217 deletions
diff --git a/ecomp-sdk/epsdk-core/README.md b/ecomp-sdk/epsdk-core/README.md
index b6eac5c9..6b22f121 100644
--- a/ecomp-sdk/epsdk-core/README.md
+++ b/ecomp-sdk/epsdk-core/README.md
@@ -13,6 +13,9 @@ ECOMP SDK web application.
### ONAP Distributions
+Version 1.3.2, 1 November 2017
+- PORTAL-137 Enhance authentication
+
Version 1.3.1, 15 October 2017
- No changes
diff --git a/ecomp-sdk/epsdk-core/pom.xml b/ecomp-sdk/epsdk-core/pom.xml
index b2f69eba..bfef5a9a 100644
--- a/ecomp-sdk/epsdk-core/pom.xml
+++ b/ecomp-sdk/epsdk-core/pom.xml
@@ -5,7 +5,7 @@
<parent>
<groupId>org.onap.portal.sdk</groupId>
<artifactId>epsdk-project</artifactId>
- <version>1.3.1</version>
+ <version>1.3.2</version>
</parent>
<!-- GroupId is inherited from parent -->
diff --git a/ecomp-sdk/epsdk-core/src/main/java/org/openecomp/portalsdk/core/service/LoginServiceCentralizedImpl.java b/ecomp-sdk/epsdk-core/src/main/java/org/openecomp/portalsdk/core/service/LoginServiceCentralizedImpl.java
index bab2249c..7783e82e 100644
--- a/ecomp-sdk/epsdk-core/src/main/java/org/openecomp/portalsdk/core/service/LoginServiceCentralizedImpl.java
+++ b/ecomp-sdk/epsdk-core/src/main/java/org/openecomp/portalsdk/core/service/LoginServiceCentralizedImpl.java
@@ -24,46 +24,38 @@ import org.springframework.transaction.annotation.Transactional;
@Transactional
public class LoginServiceCentralizedImpl extends FusionService implements LoginService {
- private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(LoginServiceCentralizedImpl.class);
-
- @Autowired
- AppService appService;
+ private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(LoginServiceCentralizedImpl.class);
@Autowired
private DataAccessService dataAccessService;
-
- @Autowired
- RestApiRequestBuilder restApiRequestBuilder;
-
+
@Autowired
- UserService userService;
+ private RestApiRequestBuilder restApiRequestBuilder;
- @SuppressWarnings("unused")
- private MenuBuilder menuBuilder;
+ @Autowired
+ private UserService userService;
@Override
- public LoginBean findUser(LoginBean bean, String menuPropertiesFilename, HashMap additionalParams)
- throws Exception {
+ public LoginBean findUser(LoginBean bean, String menuPropertiesFilename, @SuppressWarnings("rawtypes") HashMap additionalParams) throws Exception {
return findUser(bean, menuPropertiesFilename, additionalParams, true);
}
+ @Override
@SuppressWarnings("rawtypes")
public LoginBean findUser(LoginBean bean, String menuPropertiesFilename, HashMap additionalParams,
boolean matchPassword) throws Exception {
- User user = null;
- User userCopy = null;
- if (bean.getUserid() != null && bean.getUserid() != null) {
- user = (User) findUser(bean);
+ User user;
+ if (bean.getUserid() != null) {
+ user = findUser(bean);
} else {
if (matchPassword)
- user = (User) findUser(bean.getLoginId(), bean.getLoginPwd());
+ user = findUser(bean.getLoginId(), bean.getLoginPwd());
else
- user = (User) findUserWithoutPwd(bean.getLoginId());
+ user = findUserWithoutPwd(bean.getLoginId());
}
if (user != null) {
-
if (AppUtils.isApplicationLocked()
&& !UserUtils.hasRole(user, SystemProperties.getProperty(SystemProperties.SYS_ADMIN_ROLE_ID))) {
bean.setLoginErrorMessage(SystemProperties.MESSAGE_KEY_LOGIN_ERROR_APPLICATION_LOCKED);
@@ -82,15 +74,20 @@ public class LoginServiceCentralizedImpl extends FusionService implements LoginS
// this will be a snapshot of the user's information as
// retrieved from the database
- userCopy = (User) user.clone();
+ User userCopy = null;
+ try {
+ userCopy = (User) user.clone();
+ } catch (CloneNotSupportedException ex) {
+ // Never happens
+ logger.error(EELFLoggerDelegate.errorLogger, "findUser failed", ex);
+ }
- User appuser = getUser(userCopy);
+ User appuser = findUserWithoutPwd(user.getLoginId());
appuser.setLastLoginDate(new Date());
// update the last logged in date for the user
- // user.setLastLoginDate(new Date());
- getDataAccessService().saveDomainObject(appuser, additionalParams);
+ dataAccessService.saveDomainObject(appuser, additionalParams);
// update the audit log of the user
// Check for the client device type and set log attributes
@@ -117,6 +114,7 @@ public class LoginServiceCentralizedImpl extends FusionService implements LoginS
private boolean userHasActiveRoles(User user) {
boolean hasActiveRole = false;
+ @SuppressWarnings("rawtypes")
Iterator roles = user.getRoles().iterator();
while (roles.hasNext()) {
Role role = (Role) roles.next();
@@ -128,72 +126,43 @@ public class LoginServiceCentralizedImpl extends FusionService implements LoginS
return hasActiveRole;
}
- @SuppressWarnings("null")
- public User findUser(LoginBean bean) throws Exception {
- User user = null;
+ private User findUser(LoginBean bean) throws Exception {
String repsonse = restApiRequestBuilder.getViaREST("/user/" + bean.getUserid(), true, bean.getUserid());
- user = userService.userMapper(repsonse);
+ User user = userService.userMapper(repsonse);
user.setId(getUserIdByOrgUserId(user.getOrgUserId()));
return user;
}
-
- public Long getUserIdByOrgUserId(String orgUserId) {
- Map<String, String> params = new HashMap<String, String>();
+
+ private Long getUserIdByOrgUserId(String orgUserId) {
+ Map<String, String> params = new HashMap<>();
params.put("orgUserId", orgUserId);
@SuppressWarnings("rawtypes")
- List list = getDataAccessService().executeNamedQuery("getUserIdByorgUserId", params, null);
+ List list = dataAccessService.executeNamedQuery("getUserIdByorgUserId", params, null);
Long userId = null;
if (list != null && !list.isEmpty())
userId = (Long) list.get(0);
return userId;
}
-
-
- public User findUser(String loginId, String password) {
- List list = null;
-
- StringBuffer criteria = new StringBuffer();
- criteria.append(" where login_id = '").append(loginId).append("'").append(" and login_pwd = '").append(password)
- .append("'");
-
- list = getDataAccessService().getList(User.class, criteria.toString(), null, null);
- return (list == null || list.size() == 0) ? null : (User) list.get(0);
+ @SuppressWarnings("rawtypes")
+ private User findUser(String loginId, String password) {
+ Map<String,String> params = new HashMap<>();
+ params.put("login_id", loginId);
+ params.put("login_pwd", password);
+ List list = dataAccessService.executeNamedQuery("getUserByLoginIdLoginPwd", params, new HashMap());
+ return (list == null || list.isEmpty()) ? null : (User) list.get(0);
}
+ @SuppressWarnings("rawtypes")
private User findUserWithoutPwd(String loginId) {
- List list = null;
- StringBuffer criteria = new StringBuffer();
- criteria.append(" where login_id = '").append(loginId).append("'");
- list = getDataAccessService().getList(User.class, criteria.toString(), null, null);
- return (list == null || list.size() == 0) ? null : (User) list.get(0);
- }
-
- public DataAccessService getDataAccessService() {
- return dataAccessService;
+ Map<String,String> params = new HashMap<>();
+ params.put("login_id", loginId);
+ List list = dataAccessService.executeNamedQuery("getUserByLoginId", params, new HashMap());
+ return (list == null || list.isEmpty()) ? null : (User) list.get(0);
}
- public void setDataAccessService(DataAccessService dataAccessService) {
- this.dataAccessService = dataAccessService;
- }
-
- public MenuBuilder getMenuBuilder() {
+ private MenuBuilder getMenuBuilder() {
return new MenuBuilder();
}
- public void setMenuBuilder(MenuBuilder menuBuilder) {
- this.menuBuilder = menuBuilder;
- }
-
- public User getUser(User user) {
- List list = null;
-
- StringBuffer criteria = new StringBuffer();
- criteria.append(" where login_id = '").append(user.getLoginId()).append("'");
-
- list = getDataAccessService().getList(User.class, criteria.toString(), null, null);
- return (list == null || list.size() == 0) ? null : (User) list.get(0);
-
- }
-
}
diff --git a/ecomp-sdk/epsdk-core/src/main/java/org/openecomp/portalsdk/core/service/LoginServiceImpl.java b/ecomp-sdk/epsdk-core/src/main/java/org/openecomp/portalsdk/core/service/LoginServiceImpl.java
index a38a16ff..9ba7dcf8 100644
--- a/ecomp-sdk/epsdk-core/src/main/java/org/openecomp/portalsdk/core/service/LoginServiceImpl.java
+++ b/ecomp-sdk/epsdk-core/src/main/java/org/openecomp/portalsdk/core/service/LoginServiceImpl.java
@@ -1,6 +1,6 @@
/*-
* ================================================================================
- * eCOMP Portal SDK
+ * ECOMP Portal SDK
* ================================================================================
* Copyright (C) 2017 AT&T Intellectual Property
* ================================================================================
@@ -24,11 +24,13 @@ import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
+import java.util.Map;
import java.util.Set;
import org.openecomp.portalsdk.core.command.LoginBean;
import org.openecomp.portalsdk.core.domain.Role;
import org.openecomp.portalsdk.core.domain.User;
+import org.openecomp.portalsdk.core.logging.logic.EELFLoggerDelegate;
import org.openecomp.portalsdk.core.menu.MenuBuilder;
import org.openecomp.portalsdk.core.service.support.FusionService;
import org.openecomp.portalsdk.core.util.SystemProperties;
@@ -40,161 +42,128 @@ import org.springframework.transaction.annotation.Transactional;
@Transactional
public class LoginServiceImpl extends FusionService implements LoginService {
- @SuppressWarnings("unused")
- private MenuBuilder menuBuilder;
-
- @Autowired
- private DataAccessService dataAccessService;
-
- @SuppressWarnings("rawtypes")
- public LoginBean findUser(LoginBean bean, String menuPropertiesFilename, HashMap additionalParams ) throws Exception {
- return findUser(bean, menuPropertiesFilename, additionalParams, true);
- }
-
- @SuppressWarnings("rawtypes")
- public LoginBean findUser(LoginBean bean, String menuPropertiesFilename, HashMap additionalParams, boolean matchPassword) throws Exception {
- User user = null;
- User userCopy = null;
-
- if (bean.getUserid() != null && bean.getUserid() != null) {
- user = (User)findUser(bean);
- }
- else {
- if (matchPassword)
- user = (User)findUser(bean.getLoginId(), bean.getLoginPwd());
- else
- user = (User)findUserWithoutPwd(bean.getLoginId());
- }
-
- if (user != null) {
-
- // raise an error if the application is locked and the user does not have system administrator privileges
- if (AppUtils.isApplicationLocked() && !UserUtils.hasRole(user, SystemProperties.getProperty(SystemProperties.SYS_ADMIN_ROLE_ID))) {
- bean.setLoginErrorMessage(SystemProperties.MESSAGE_KEY_LOGIN_ERROR_APPLICATION_LOCKED);
- }
-
- // raise an error if the user is inactive
- if (!user.getActive()) {
- bean.setLoginErrorMessage(SystemProperties.MESSAGE_KEY_LOGIN_ERROR_USER_INACTIVE);
- }
-
- // raise an error if no active roles exist for the user
-// boolean hasActiveRole = false;
-// Iterator roles = user.getRoles().iterator();
-// while (roles.hasNext()) {
-// Role role = (Role)roles.next();
-// if (role.getActive()) {
-// hasActiveRole = true;
-// break;
-// }
-// }
-
-// if (!hasActiveRole) {
-// bean.setLoginErrorMessage(SystemProperties.MESSAGE_KEY_LOGIN_ERROR_USER_INACTIVE);
-// }
- if (!userHasActiveRoles(user)) {
- bean.setLoginErrorMessage(SystemProperties.MESSAGE_KEY_LOGIN_ERROR_USER_INACTIVE);
- }
- // only login the user if no errors have occurred
- if (bean.getLoginErrorMessage() == null) {
-
- // this will be a snapshot of the user's information as retrieved from the database
- userCopy = (User)user.clone();
-
- // update the last logged in date for the user
- user.setLastLoginDate(new Date());
- getDataAccessService().saveDomainObject(user, additionalParams);
-
- // update the audit log of the user
- //Check for the client device type and set log attributes appropriately
-
-
- // save the above changes to the User and their audit trail
-
- // create the application menu based on the user's privileges
- Set appMenu = getMenuBuilder().getMenu(SystemProperties.getProperty(SystemProperties.APPLICATION_MENU_SET_NAME),dataAccessService);
- bean.setMenu(appMenu != null?appMenu:new HashSet());
- Set businessDirectMenu = getMenuBuilder().getMenu(SystemProperties.getProperty(SystemProperties.BUSINESS_DIRECT_MENU_SET_NAME),dataAccessService);
- bean.setBusinessDirectMenu(businessDirectMenu != null?businessDirectMenu:new HashSet());
-
- bean.setUser(userCopy);
- }
-
- }
-
- return bean;
- }
-
- private boolean userHasActiveRoles(User user) {
- boolean hasActiveRole = false;
- @SuppressWarnings("rawtypes")
- Iterator roles = user.getRoles().iterator();
- while (roles.hasNext()) {
- Role role = (Role)roles.next();
- if (role.getActive()) {
- hasActiveRole = true;
- break;
- }
- }
- return hasActiveRole;
- }
-
- @SuppressWarnings("rawtypes")
- public User findUser(String loginId, String password) {
- List list = null;
-
- StringBuffer criteria = new StringBuffer();
- criteria.append(" where login_id = '").append(loginId).append("'")
- .append(" and login_pwd = '").append(password).append("'");
-
- list = getDataAccessService().getList(User.class, criteria.toString(), null, null);
+ private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(LoginServiceImpl.class);
- return (list == null || list.size() == 0) ? null : (User)list.get(0);
- }
-
- @SuppressWarnings("rawtypes")
- private User findUserWithoutPwd(String loginId) {
- List list = null;
+ @Autowired
+ private DataAccessService dataAccessService;
- StringBuffer criteria = new StringBuffer();
- criteria.append(" where login_id = '").append(loginId).append("'");
-
- list = getDataAccessService().getList(User.class, criteria.toString(), null, null);
-
- return (list == null || list.size() == 0) ? null : (User)list.get(0);
- }
-
- @SuppressWarnings("rawtypes")
- public User findUser(LoginBean bean) {
- List list = null;
-
- StringBuffer criteria = new StringBuffer();
- criteria.append(" where org_user_id = '").append(bean.getUserid()).append("'");
-
- list = getDataAccessService().getList(User.class, criteria.toString(), null, null);
+ @Override
+ @SuppressWarnings("rawtypes")
+ public LoginBean findUser(LoginBean bean, String menuPropertiesFilename, HashMap additionalParams) {
+ return findUser(bean, menuPropertiesFilename, additionalParams, true);
+ }
- return (list == null || list.size() == 0) ? null : (User)list.get(0);
- }
+ @Override
+ @SuppressWarnings("rawtypes")
+ public LoginBean findUser(LoginBean bean, String menuPropertiesFilename, HashMap additionalParams,
+ boolean matchPassword) {
+
+ User user;
+ if (bean.getUserid() != null && bean.getUserid() != null) {
+ user = findUser(bean);
+ } else {
+ if (matchPassword)
+ user = findUser(bean.getLoginId(), bean.getLoginPwd());
+ else
+ user = findUserWithoutPwd(bean.getLoginId());
+ }
+ if (user != null) {
+ // raise an error if the application is locked and the user does not have system
+ // administrator privileges
+ if (AppUtils.isApplicationLocked()
+ && !UserUtils.hasRole(user, SystemProperties.getProperty(SystemProperties.SYS_ADMIN_ROLE_ID))) {
+ bean.setLoginErrorMessage(SystemProperties.MESSAGE_KEY_LOGIN_ERROR_APPLICATION_LOCKED);
+ }
+
+ // raise an error if the user is inactive
+ if (!user.getActive()) {
+ bean.setLoginErrorMessage(SystemProperties.MESSAGE_KEY_LOGIN_ERROR_USER_INACTIVE);
+ }
+
+ if (!userHasActiveRoles(user)) {
+ bean.setLoginErrorMessage(SystemProperties.MESSAGE_KEY_LOGIN_ERROR_USER_INACTIVE);
+ }
+ // only login the user if no errors have occurred
+ if (bean.getLoginErrorMessage() == null) {
+
+ // this will be a snapshot of the user's information as retrieved from the
+ // database
+ User userCopy = null;
+ try {
+ userCopy = (User) user.clone();
+ } catch (CloneNotSupportedException ex) {
+ // Never happens
+ logger.error(EELFLoggerDelegate.errorLogger, "findUser failed", ex);
+ }
+
+ // update the last logged in date for the user
+ user.setLastLoginDate(new Date());
+ dataAccessService.saveDomainObject(user, additionalParams);
+
+ // update the audit log of the user
+ // Check for the client device type and set log attributes appropriately
+
+ // save the above changes to the User and their audit trail
+
+ // create the application menu based on the user's privileges
+ Set appMenu = getMenuBuilder().getMenu(
+ SystemProperties.getProperty(SystemProperties.APPLICATION_MENU_SET_NAME), dataAccessService);
+ bean.setMenu(appMenu != null ? appMenu : new HashSet());
+ Set businessDirectMenu = getMenuBuilder().getMenu(
+ SystemProperties.getProperty(SystemProperties.BUSINESS_DIRECT_MENU_SET_NAME),
+ dataAccessService);
+ bean.setBusinessDirectMenu(businessDirectMenu != null ? businessDirectMenu : new HashSet());
+
+ bean.setUser(userCopy);
+ }
- public MenuBuilder getMenuBuilder() {
- return new MenuBuilder();
- }
+ }
+ return bean;
+ }
- public void setMenuBuilder(MenuBuilder menuBuilder) {
- this.menuBuilder = menuBuilder;
- }
+ private boolean userHasActiveRoles(User user) {
+ boolean hasActiveRole = false;
+ @SuppressWarnings("rawtypes")
+ Iterator roles = user.getRoles().iterator();
+ while (roles.hasNext()) {
+ Role role = (Role) roles.next();
+ if (role.getActive()) {
+ hasActiveRole = true;
+ break;
+ }
+ }
+ return hasActiveRole;
+ }
-
- public DataAccessService getDataAccessService() {
- return dataAccessService;
+ @SuppressWarnings("rawtypes")
+ private User findUser(String loginId, String password) {
+ Map<String, String> params = new HashMap<>();
+ params.put("login_id", loginId);
+ params.put("login_pwd", password);
+ List list = dataAccessService.executeNamedQuery("getUserByLoginIdLoginPwd", params, new HashMap());
+ return (list == null || list.isEmpty()) ? null : (User) list.get(0);
}
+ @SuppressWarnings("rawtypes")
+ private User findUserWithoutPwd(String loginId) {
+ Map<String, String> params = new HashMap<>();
+ params.put("login_id", loginId);
+ List list = dataAccessService.executeNamedQuery("getUserByLoginId", params, new HashMap());
+ return (list == null || list.isEmpty()) ? null : (User) list.get(0);
+ }
- public void setDataAccessService(DataAccessService dataAccessService) {
- this.dataAccessService = dataAccessService;
+ @SuppressWarnings("rawtypes")
+ private User findUser(LoginBean bean) {
+ Map<String, String> params = new HashMap<>();
+ params.put("org_user_id", bean.getUserid());
+ List list = dataAccessService.executeNamedQuery("getUserByOrgUserId", params, new HashMap());
+ return (list == null || list.isEmpty()) ? null : (User) list.get(0);
}
+ private MenuBuilder getMenuBuilder() {
+ return new MenuBuilder();
+ }
}