author | st782s <statta@research.att.com> | 2017-11-02 17:05:10 -0400 |
---|---|---|
committer | st782s <statta@research.att.com> | 2017-11-02 17:07:34 -0400 |
commit | a37fe92b5daca76aabd50ff1e6920670b30b84ee (patch) | |
tree | 35c4bf73f1235830054967352a816e0f05329599 /ecomp-sdk/epsdk-core | |
parent | 5eb302b890ef11d7bab5b27b91c77c5d9175a7f4 (diff) |
Security vulnerabilityv1.3.21.0.0-ONAP1.0.0-Amsterdamrelease-1.3.2amsterdam
Handle session issues and fix the login security vulnerability by
preventing SQL injection attacks
Issue: PORTAL-137
Change-Id: I16eeacd6958af1a8274259e5dc0a008c5f64fb9f
Signed-off-by: st782s <statta@research.att.com>
Diffstat (limited to 'ecomp-sdk/epsdk-core')
4 files changed, 158 insertions, 217 deletions
diff --git a/ecomp-sdk/epsdk-core/README.md b/ecomp-sdk/epsdk-core/README.md index b6eac5c9..6b22f121 100644 --- a/ecomp-sdk/epsdk-core/README.md +++ b/ecomp-sdk/epsdk-core/README.md @@ -13,6 +13,9 @@ ECOMP SDK web application. ### ONAP Distributions +Version 1.3.2, 1 November 2017 +- PORTAL-137 Enhance authentication + Version 1.3.1, 15 October 2017 - No changes diff --git a/ecomp-sdk/epsdk-core/pom.xml b/ecomp-sdk/epsdk-core/pom.xml index b2f69eba..bfef5a9a 100644 --- a/ecomp-sdk/epsdk-core/pom.xml +++ b/ecomp-sdk/epsdk-core/pom.xml @@ -5,7 +5,7 @@ <parent> <groupId>org.onap.portal.sdk</groupId> <artifactId>epsdk-project</artifactId> - <version>1.3.1</version> + <version>1.3.2</version> </parent> <!-- GroupId is inherited from parent --> diff --git a/ecomp-sdk/epsdk-core/src/main/java/org/openecomp/portalsdk/core/service/LoginServiceCentralizedImpl.java b/ecomp-sdk/epsdk-core/src/main/java/org/openecomp/portalsdk/core/service/LoginServiceCentralizedImpl.java index bab2249c..7783e82e 100644 --- a/ecomp-sdk/epsdk-core/src/main/java/org/openecomp/portalsdk/core/service/LoginServiceCentralizedImpl.java +++ b/ecomp-sdk/epsdk-core/src/main/java/org/openecomp/portalsdk/core/service/LoginServiceCentralizedImpl.java 
@@ -24,46 +24,38 @@ import org.springframework.transaction.annotation.Transactional; @Transactional public class LoginServiceCentralizedImpl extends FusionService implements LoginService { - private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(LoginServiceCentralizedImpl.class); - - @Autowired - AppService appService; + private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(LoginServiceCentralizedImpl.class); @Autowired private DataAccessService dataAccessService; - - @Autowired - RestApiRequestBuilder restApiRequestBuilder; - + @Autowired - UserService userService; + private RestApiRequestBuilder restApiRequestBuilder; - @SuppressWarnings("unused") - private MenuBuilder menuBuilder; + @Autowired + private UserService userService; @Override - public LoginBean findUser(LoginBean bean, String menuPropertiesFilename, HashMap additionalParams) - throws Exception { + public LoginBean findUser(LoginBean bean, String menuPropertiesFilename, @SuppressWarnings("rawtypes") HashMap additionalParams) throws Exception { return findUser(bean, menuPropertiesFilename, additionalParams, true); } + @Override @SuppressWarnings("rawtypes") public LoginBean findUser(LoginBean bean, String menuPropertiesFilename, HashMap additionalParams, boolean matchPassword) throws Exception { - User user = null; - User userCopy = null; - if (bean.getUserid() != null && bean.getUserid() != null) { - user = (User) findUser(bean); + User user; + if (bean.getUserid() != null) { + user = findUser(bean); } else { if (matchPassword) - user = (User) findUser(bean.getLoginId(), bean.getLoginPwd()); + user = findUser(bean.getLoginId(), bean.getLoginPwd()); else - user = (User) findUserWithoutPwd(bean.getLoginId()); + user = findUserWithoutPwd(bean.getLoginId()); } if (user != null) { - if (AppUtils.isApplicationLocked() && !UserUtils.hasRole(user, SystemProperties.getProperty(SystemProperties.SYS_ADMIN_ROLE_ID))) { 
bean.setLoginErrorMessage(SystemProperties.MESSAGE_KEY_LOGIN_ERROR_APPLICATION_LOCKED); @@ -82,15 +74,20 @@ public class LoginServiceCentralizedImpl extends FusionService implements LoginS // this will be a snapshot of the user's information as // retrieved from the database - userCopy = (User) user.clone(); + User userCopy = null; + try { + userCopy = (User) user.clone(); + } catch (CloneNotSupportedException ex) { + // Never happens + logger.error(EELFLoggerDelegate.errorLogger, "findUser failed", ex); + } - User appuser = getUser(userCopy); + User appuser = findUserWithoutPwd(user.getLoginId()); appuser.setLastLoginDate(new Date()); // update the last logged in date for the user - // user.setLastLoginDate(new Date()); - getDataAccessService().saveDomainObject(appuser, additionalParams); + dataAccessService.saveDomainObject(appuser, additionalParams); // update the audit log of the user // Check for the client device type and set log attributes @@ -117,6 +114,7 @@ public class LoginServiceCentralizedImpl extends FusionService implements LoginS private boolean userHasActiveRoles(User user) { boolean hasActiveRole = false; + @SuppressWarnings("rawtypes") Iterator roles = user.getRoles().iterator(); while (roles.hasNext()) { Role role = (Role) roles.next(); 
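Review bot: In the four-argument `findUser` of LoginServiceCentralizedImpl, the `bean.getUserid() != null` branch calls `findUser(bean)` and never consults `matchPassword`, so a bean that carries a userid is looked up with no password comparison at all. That is presumably intended for an identity already established upstream, but nothing in the hunk records the assumption. Add a comment on the branch such as `// userid is set only from an already-authenticated source; matchPassword is not consulted on this path`, and confirm that every caller populates userid only from such a source. The same branch is added to LoginServiceImpl.findUser later in this commit; the method body continues past the end of this hunk.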
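Review bot: `findUserWithoutPwd(user.getLoginId())` returns null when the named query yields no row, and the next line calls `appuser.setLastLoginDate(new Date())` unguarded, so a user that was found by `findUser(bean)` but has no matching login_id row would end the login with a NullPointerException. Guard the update, for example `if (appuser != null) { appuser.setLastLoginDate(new Date()); dataAccessService.saveDomainObject(appuser, additionalParams); }`, and log the miss so the mismatch is visible in the audit trail. Separately, the new catch for CloneNotSupportedException leaves `userCopy` null and carries on; where `userCopy` is consumed lies outside this hunk.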
@@ -128,72 +126,43 @@ public class LoginServiceCentralizedImpl extends FusionService implements LoginS return hasActiveRole; } - @SuppressWarnings("null") - public User findUser(LoginBean bean) throws Exception { - User user = null; + private User findUser(LoginBean bean) throws Exception { String repsonse = restApiRequestBuilder.getViaREST("/user/" + bean.getUserid(), true, bean.getUserid()); - user = userService.userMapper(repsonse); + User user = userService.userMapper(repsonse); user.setId(getUserIdByOrgUserId(user.getOrgUserId())); return user; } - - public Long getUserIdByOrgUserId(String orgUserId) { - Map<String, String> params = new HashMap<String, String>(); + + private Long getUserIdByOrgUserId(String orgUserId) { + Map<String, String> params = new HashMap<>(); params.put("orgUserId", orgUserId); @SuppressWarnings("rawtypes") - List list = getDataAccessService().executeNamedQuery("getUserIdByorgUserId", params, null); + List list = dataAccessService.executeNamedQuery("getUserIdByorgUserId", params, null); Long userId = null; if (list != null && !list.isEmpty()) userId = (Long) list.get(0); return userId; } - - - public User findUser(String loginId, String password) { - List list = null; - - StringBuffer criteria = new StringBuffer(); - criteria.append(" where login_id = '").append(loginId).append("'").append(" and login_pwd = '").append(password) - .append("'"); - - list = getDataAccessService().getList(User.class, criteria.toString(), null, null); - return (list == null || list.size() == 0) ? null : (User) list.get(0); + @SuppressWarnings("rawtypes") + private User findUser(String loginId, String password) { + Map<String,String> params = new HashMap<>(); + params.put("login_id", loginId); + params.put("login_pwd", password); + List list = dataAccessService.executeNamedQuery("getUserByLoginIdLoginPwd", params, new HashMap()); + return (list == null || list.isEmpty()) ? 
null : (User) list.get(0); } + @SuppressWarnings("rawtypes") private User findUserWithoutPwd(String loginId) { - List list = null; - StringBuffer criteria = new StringBuffer(); - criteria.append(" where login_id = '").append(loginId).append("'"); - list = getDataAccessService().getList(User.class, criteria.toString(), null, null); - return (list == null || list.size() == 0) ? null : (User) list.get(0); - } - - public DataAccessService getDataAccessService() { - return dataAccessService; + Map<String,String> params = new HashMap<>(); + params.put("login_id", loginId); + List list = dataAccessService.executeNamedQuery("getUserByLoginId", params, new HashMap()); + return (list == null || list.isEmpty()) ? null : (User) list.get(0); } - public void setDataAccessService(DataAccessService dataAccessService) { - this.dataAccessService = dataAccessService; - } - - public MenuBuilder getMenuBuilder() { + private MenuBuilder getMenuBuilder() { return new MenuBuilder(); } - public void setMenuBuilder(MenuBuilder menuBuilder) { - this.menuBuilder = menuBuilder; - } - - public User getUser(User user) { - List list = null; - - StringBuffer criteria = new StringBuffer(); - criteria.append(" where login_id = '").append(user.getLoginId()).append("'"); - - list = getDataAccessService().getList(User.class, criteria.toString(), null, null); - return (list == null || list.size() == 0) ? null : (User) list.get(0); - - } - } diff --git a/ecomp-sdk/epsdk-core/src/main/java/org/openecomp/portalsdk/core/service/LoginServiceImpl.java b/ecomp-sdk/epsdk-core/src/main/java/org/openecomp/portalsdk/core/service/LoginServiceImpl.java index a38a16ff..9ba7dcf8 100644 --- a/ecomp-sdk/epsdk-core/src/main/java/org/openecomp/portalsdk/core/service/LoginServiceImpl.java +++ b/ecomp-sdk/epsdk-core/src/main/java/org/openecomp/portalsdk/core/service/LoginServiceImpl.java 
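Review bot: `findUser(String loginId, String password)` passes the submitted password as the `login_pwd` parameter of `getUserByLoginIdLoginPwd`, so the credential check is an equality match performed inside the query. The query text is not part of this diff, so it cannot be seen here whether the stored value is a salted hash or the raw password, and that should be confirmed. The injection fix likewise depends on the definitions of `getUserByLoginIdLoginPwd` and `getUserByLoginId` binding their parameters rather than substituting them into the statement text, and those definitions are outside the four files shown. I would add a comment on the method, `// login_pwd is compared inside the named query; stored value is expected to be a salted hash (confirm against the query mapping)`. The same lookups, plus `getUserByOrgUserId`, are added to LoginServiceImpl in this commit.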
@@ -1,6 +1,6 @@ /*- * ================================================================================ - * eCOMP Portal SDK + * ECOMP Portal SDK * ================================================================================ * Copyright (C) 2017 AT&T Intellectual Property * ================================================================================ @@ -24,11 +24,13 @@ import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; import java.util.List; +import java.util.Map; import java.util.Set; import org.openecomp.portalsdk.core.command.LoginBean; import org.openecomp.portalsdk.core.domain.Role; import org.openecomp.portalsdk.core.domain.User; +import org.openecomp.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.openecomp.portalsdk.core.menu.MenuBuilder; import org.openecomp.portalsdk.core.service.support.FusionService; import org.openecomp.portalsdk.core.util.SystemProperties; 
@@ -40,161 +42,128 @@ import org.springframework.transaction.annotation.Transactional; @Transactional public class LoginServiceImpl extends FusionService implements LoginService { - @SuppressWarnings("unused") - private MenuBuilder menuBuilder; - - @Autowired - private DataAccessService dataAccessService; - - @SuppressWarnings("rawtypes") - public LoginBean findUser(LoginBean bean, String menuPropertiesFilename, HashMap additionalParams ) throws Exception { - return findUser(bean, menuPropertiesFilename, additionalParams, true); - } - - @SuppressWarnings("rawtypes") - public LoginBean findUser(LoginBean bean, String menuPropertiesFilename, HashMap additionalParams, boolean matchPassword) throws Exception { - User user = null; - User userCopy = null; - - if (bean.getUserid() != null && bean.getUserid() != null) { - user = (User)findUser(bean); - } - else { - if (matchPassword) - user = (User)findUser(bean.getLoginId(), bean.getLoginPwd()); - else - user = (User)findUserWithoutPwd(bean.getLoginId()); - } - - if (user != null) { - - // raise an error if the application is locked and the user does not have system administrator privileges - if (AppUtils.isApplicationLocked() && !UserUtils.hasRole(user, SystemProperties.getProperty(SystemProperties.SYS_ADMIN_ROLE_ID))) { - bean.setLoginErrorMessage(SystemProperties.MESSAGE_KEY_LOGIN_ERROR_APPLICATION_LOCKED); - } - - // raise an error if the user is inactive - if (!user.getActive()) { - bean.setLoginErrorMessage(SystemProperties.MESSAGE_KEY_LOGIN_ERROR_USER_INACTIVE); - } - - // raise an error if no active roles exist for the user -// boolean hasActiveRole = false; -// Iterator roles = user.getRoles().iterator(); -// while (roles.hasNext()) { -// Role role = (Role)roles.next(); -// if (role.getActive()) { -// hasActiveRole = true; -// break; -// } -// } - -// if (!hasActiveRole) { -// bean.setLoginErrorMessage(SystemProperties.MESSAGE_KEY_LOGIN_ERROR_USER_INACTIVE); -// } - if (!userHasActiveRoles(user)) { - 
bean.setLoginErrorMessage(SystemProperties.MESSAGE_KEY_LOGIN_ERROR_USER_INACTIVE); - } - // only login the user if no errors have occurred - if (bean.getLoginErrorMessage() == null) { - - // this will be a snapshot of the user's information as retrieved from the database - userCopy = (User)user.clone(); - - // update the last logged in date for the user - user.setLastLoginDate(new Date()); - getDataAccessService().saveDomainObject(user, additionalParams); - - // update the audit log of the user - //Check for the client device type and set log attributes appropriately - - - // save the above changes to the User and their audit trail - - // create the application menu based on the user's privileges - Set appMenu = getMenuBuilder().getMenu(SystemProperties.getProperty(SystemProperties.APPLICATION_MENU_SET_NAME),dataAccessService); - bean.setMenu(appMenu != null?appMenu:new HashSet()); - Set businessDirectMenu = getMenuBuilder().getMenu(SystemProperties.getProperty(SystemProperties.BUSINESS_DIRECT_MENU_SET_NAME),dataAccessService); - bean.setBusinessDirectMenu(businessDirectMenu != null?businessDirectMenu:new HashSet()); - - bean.setUser(userCopy); - } - - } - - return bean; - } - - private boolean userHasActiveRoles(User user) { - boolean hasActiveRole = false; - @SuppressWarnings("rawtypes") - Iterator roles = user.getRoles().iterator(); - while (roles.hasNext()) { - Role role = (Role)roles.next(); - if (role.getActive()) { - hasActiveRole = true; - break; - } - } - return hasActiveRole; - } - - @SuppressWarnings("rawtypes") - public User findUser(String loginId, String password) { - List list = null; - - StringBuffer criteria = new StringBuffer(); - criteria.append(" where login_id = '").append(loginId).append("'") - .append(" and login_pwd = '").append(password).append("'"); - - list = getDataAccessService().getList(User.class, criteria.toString(), null, null); + private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(LoginServiceImpl.class); 
- return (list == null || list.size() == 0) ? null : (User)list.get(0); - } - - @SuppressWarnings("rawtypes") - private User findUserWithoutPwd(String loginId) { - List list = null; + @Autowired + private DataAccessService dataAccessService; - StringBuffer criteria = new StringBuffer(); - criteria.append(" where login_id = '").append(loginId).append("'"); - - list = getDataAccessService().getList(User.class, criteria.toString(), null, null); - - return (list == null || list.size() == 0) ? null : (User)list.get(0); - } - - @SuppressWarnings("rawtypes") - public User findUser(LoginBean bean) { - List list = null; - - StringBuffer criteria = new StringBuffer(); - criteria.append(" where org_user_id = '").append(bean.getUserid()).append("'"); - - list = getDataAccessService().getList(User.class, criteria.toString(), null, null); + @Override + @SuppressWarnings("rawtypes") + public LoginBean findUser(LoginBean bean, String menuPropertiesFilename, HashMap additionalParams) { + return findUser(bean, menuPropertiesFilename, additionalParams, true); + } - return (list == null || list.size() == 0) ? 
null : (User)list.get(0); - } + @Override + @SuppressWarnings("rawtypes") + public LoginBean findUser(LoginBean bean, String menuPropertiesFilename, HashMap additionalParams, + boolean matchPassword) { + + User user; + if (bean.getUserid() != null && bean.getUserid() != null) { + user = findUser(bean); + } else { + if (matchPassword) + user = findUser(bean.getLoginId(), bean.getLoginPwd()); + else + user = findUserWithoutPwd(bean.getLoginId()); + } + if (user != null) { + // raise an error if the application is locked and the user does not have system + // administrator privileges + if (AppUtils.isApplicationLocked() + && !UserUtils.hasRole(user, SystemProperties.getProperty(SystemProperties.SYS_ADMIN_ROLE_ID))) { + bean.setLoginErrorMessage(SystemProperties.MESSAGE_KEY_LOGIN_ERROR_APPLICATION_LOCKED); + } + + // raise an error if the user is inactive + if (!user.getActive()) { + bean.setLoginErrorMessage(SystemProperties.MESSAGE_KEY_LOGIN_ERROR_USER_INACTIVE); + } + + if (!userHasActiveRoles(user)) { + bean.setLoginErrorMessage(SystemProperties.MESSAGE_KEY_LOGIN_ERROR_USER_INACTIVE); + } + // only login the user if no errors have occurred + if (bean.getLoginErrorMessage() == null) { + + // this will be a snapshot of the user's information as retrieved from the + // database + User userCopy = null; + try { + userCopy = (User) user.clone(); + } catch (CloneNotSupportedException ex) { + // Never happens + logger.error(EELFLoggerDelegate.errorLogger, "findUser failed", ex); + } + + // update the last logged in date for the user + user.setLastLoginDate(new Date()); + dataAccessService.saveDomainObject(user, additionalParams); + + // update the audit log of the user + // Check for the client device type and set log attributes appropriately + + // save the above changes to the User and their audit trail + + // create the application menu based on the user's privileges + Set appMenu = getMenuBuilder().getMenu( + 
SystemProperties.getProperty(SystemProperties.APPLICATION_MENU_SET_NAME), dataAccessService); + bean.setMenu(appMenu != null ? appMenu : new HashSet()); + Set businessDirectMenu = getMenuBuilder().getMenu( + SystemProperties.getProperty(SystemProperties.BUSINESS_DIRECT_MENU_SET_NAME), + dataAccessService); + bean.setBusinessDirectMenu(businessDirectMenu != null ? businessDirectMenu : new HashSet()); + + bean.setUser(userCopy); + } - public MenuBuilder getMenuBuilder() { - return new MenuBuilder(); - } + } + return bean; + } - public void setMenuBuilder(MenuBuilder menuBuilder) { - this.menuBuilder = menuBuilder; - } + private boolean userHasActiveRoles(User user) { + boolean hasActiveRole = false; + @SuppressWarnings("rawtypes") + Iterator roles = user.getRoles().iterator(); + while (roles.hasNext()) { + Role role = (Role) roles.next(); + if (role.getActive()) { + hasActiveRole = true; + break; + } + } + return hasActiveRole; + } - - public DataAccessService getDataAccessService() { - return dataAccessService; + @SuppressWarnings("rawtypes") + private User findUser(String loginId, String password) { + Map<String, String> params = new HashMap<>(); + params.put("login_id", loginId); + params.put("login_pwd", password); + List list = dataAccessService.executeNamedQuery("getUserByLoginIdLoginPwd", params, new HashMap()); + return (list == null || list.isEmpty()) ? null : (User) list.get(0); } + @SuppressWarnings("rawtypes") + private User findUserWithoutPwd(String loginId) { + Map<String, String> params = new HashMap<>(); + params.put("login_id", loginId); + List list = dataAccessService.executeNamedQuery("getUserByLoginId", params, new HashMap()); + return (list == null || list.isEmpty()) ? 
null : (User) list.get(0); + } - public void setDataAccessService(DataAccessService dataAccessService) { - this.dataAccessService = dataAccessService; + @SuppressWarnings("rawtypes") + private User findUser(LoginBean bean) { + Map<String, String> params = new HashMap<>(); + params.put("org_user_id", bean.getUserid()); + List list = dataAccessService.executeNamedQuery("getUserByOrgUserId", params, new HashMap()); + return (list == null || list.isEmpty()) ? null : (User) list.get(0); } + private MenuBuilder getMenuBuilder() { + return new MenuBuilder(); + } } |
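Review bot: When `user.clone()` throws in LoginServiceImpl.findUser, the catch block only logs and execution continues. The last-login date is still saved and `bean.setUser(userCopy)` stores null while `getLoginErrorMessage()` is still null, so the caller receives a bean that looks like a successful login but carries no user. If the exception really cannot occur, make that explicit by failing fast in the catch, e.g. `throw new IllegalStateException("User clone failed", ex);`. Also, the condition `bean.getUserid() != null && bean.getUserid() != null` repeats the same test; LoginServiceCentralizedImpl was reduced to a single check in this commit and this copy should match it.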