Diffstat (limited to 'ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/SingleSignOnController.java')
-rw-r--r-- | ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/SingleSignOnController.java | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/SingleSignOnController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/SingleSignOnController.java
index fb2e3b80..982a60b8 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/SingleSignOnController.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/SingleSignOnController.java
@@ -37,6 +37,8 @@ */
 package org.onap.portalapp.controller.core;
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.net.URLDecoder;
 import java.net.URLEncoder;
 import java.util.HashMap;
@@ -47,6 +49,7 @@ import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
+import org.apache.commons.lang.StringUtils;
 import org.onap.portalsdk.core.auth.LoginStrategy;
 import org.onap.portalsdk.core.command.LoginBean;
 import org.onap.portalsdk.core.controller.UnRestrictedBaseController;
@@ -159,6 +162,7 @@ public class SingleSignOnController extends UnRestrictedBaseController {
 // both user and session are non-null.
 logger.info(EELFLoggerDelegate.debugLogger, "singleSignOnLogin: redirecting to the forwardURL {}", forwardURL);
+validateDomain(forwardURL);
 return new ModelAndView("redirect:" + forwardURL);
 }
@@ -180,6 +184,7 @@ public class SingleSignOnController extends UnRestrictedBaseController {
 // application can publish a base URL in system.properties
 String appUrl = SystemProperties.getProperty(SystemProperties.APP_BASE_URL);
 returnToAppUrl = appUrl + (appUrl.endsWith("/") ? "" : "/") + forwardURL;
+validateDomain(returnToAppUrl);
 logger.debug(EELFLoggerDelegate.debugLogger, "singleSignOnLogin: using app base URL {} and redirectURL {}", appUrl, returnToAppUrl);
 } else {
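Review bot: `validateDomain(forwardURL)` is placed directly in front of `return new ModelAndView("redirect:" + forwardURL)`, but `validateDomain` parses its argument with `new URL(...)`, which throws MalformedURLException for any value without a scheme; if forwardURL can be a relative path in this branch — the two later call sites append it to a base URL and splice it into the request URL, which suggests it is — a legitimate relative redirect now ends in a checked exception instead of being issued. Either record that this branch only ever sees absolute URLs (`// forwardURL is absolute here; relative targets are resolved via returnToAppUrl below`) or make validateDomain return early for a scheme-less, authority-less value and only vet the host when there is one. The enclosing singleSignOnLogin begins and ends outside the hunk, so whether it declares or catches MalformedURLException is not visible here.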
@@ -190,6 +195,7 @@ public class SingleSignOnController extends UnRestrictedBaseController {
 // should always find the specified token.
 returnToAppUrl = request.getRequestURL().toString().replace("single_signon.htm", forwardURL);
+validateDomain(returnToAppUrl);
 logger.debug(EELFLoggerDelegate.debugLogger, "singleSignOnLogin: computed redirectURL {}", returnToAppUrl);
 }
@@ -202,7 +208,6 @@ public class SingleSignOnController extends UnRestrictedBaseController {
 final String redirectUrl = portalUrl + "?uebAppKey=" + uebAppKey + "&redirectUrl=" + encodedReturnToAppUrl;
 logger.debug(EELFLoggerDelegate.debugLogger, "singleSignOnLogin: portal-bound redirect URL is {}", redirectUrl);
- // this line may not be necessary but jsessionid coockie is not getting created in all cases;
 // so force the cookie creation
 request.getSession(true);
@@ -211,6 +216,17 @@ public class SingleSignOnController extends UnRestrictedBaseController {
 }
 }
+private void validateDomain(String forwardURL) throws MalformedURLException {
+if (StringUtils.isNotBlank(forwardURL)) {
+String hostName = new URL(forwardURL).getHost();
+if (StringUtils.isNotBlank(hostName) && !hostName.endsWith(SystemProperties.getProperty(SystemProperties.COOKIE_DOMAIN))) {
+logger.debug(EELFLoggerDelegate.debugLogger, "singleSignOnLogin: accessing Unauthorized url",
+hostName);
+throw new SecurityException("accessing Unauthorized url : " + hostName);
+}
+}
+}
+
 protected void initateSessionMgtHandler(HttpServletRequest request) {
 String portalJSessionId = getPortalJSessionId(request);
 String jSessionId = getJessionId(request); |
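Review bot: The new `validateDomain` waves through any URL whose host is empty — `new URL("http:evil.com").getHost()` is `""`, so `StringUtils.isNotBlank(hostName)` is false and no SecurityException is thrown, yet the hunk at -159 hands exactly that string to `redirect:`, and a browser will typically normalise `http:evil.com` to `http://evil.com` — and its suffix test `hostName.endsWith(COOKIE_DOMAIN)` has no label boundary, so with a cookie domain of `onap.org` the host `evilonap.org` is accepted. It also dereferences a null COOKIE_DOMAIN inside `endsWith` instead of failing closed, and `logger.debug(EELFLoggerDelegate.debugLogger, "singleSignOnLogin: accessing Unauthorized url", hostName)` has no `{}` placeholder, so the rejected host is never logged (a rejection this deliberate probably deserves warn level too). The sketch below parses with java.net.URI so a relative path still passes, rejects unparsable, host-less and unconfigured cases, and matches whole labels case-insensitively; `throws MalformedURLException` is kept only so the three call sites need not change, and java.net.URI / java.util.Locale are written fully qualified rather than touching the import block.

```java
private void validateDomain(String forwardURL) throws MalformedURLException {
    if (StringUtils.isBlank(forwardURL)) {
        return;
    }
    java.net.URI target;
    try {
        target = new java.net.URI(forwardURL);
    } catch (java.net.URISyntaxException e) {
        // fail closed: what java.net cannot parse a browser may still follow
        throw new SecurityException("accessing Unauthorized url : unparsable redirect target", e);
    }
    // a plain relative path (no scheme, no authority) is resolved against this app by the caller
    if (!target.isAbsolute() && target.getRawAuthority() == null) {
        return;
    }
    String hostName = target.getHost();
    String allowed = SystemProperties.getProperty(SystemProperties.COOKIE_DOMAIN);
    // scheme-bearing URLs without a host ("http:evil.com") and a missing allow-list are rejected, not ignored
    if (StringUtils.isBlank(hostName) || StringUtils.isBlank(allowed)) {
        logger.debug(EELFLoggerDelegate.debugLogger, "singleSignOnLogin: accessing Unauthorized url {}", hostName);
        throw new SecurityException("accessing Unauthorized url : " + hostName);
    }
    // DNS names are case-insensitive; cookie domains are often configured with a leading dot
    String host = hostName.toLowerCase(java.util.Locale.ROOT);
    String domain = allowed.toLowerCase(java.util.Locale.ROOT);
    if (domain.startsWith(".")) {
        domain = domain.substring(1);
    }
    // whole-label match: "evilonap.org" must not satisfy a cookie domain of "onap.org"
    if (!host.equals(domain) && !host.endsWith("." + domain)) {
        logger.debug(EELFLoggerDelegate.debugLogger, "singleSignOnLogin: accessing Unauthorized url {}", hostName);
        throw new SecurityException("accessing Unauthorized url : " + hostName);
    }
}
```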