From 69062c0ec148ccadaced3ef1d6eff63ba422c055 Mon Sep 17 00:00:00 2001
From: st782s <statta@research.att.com>
Date: Wed, 3 Jan 2018 14:30:16 -0500
Subject: Harden code

Issue-ID: PORTAL-145,PORTAL-119,PORTAL-118

Harden code to address SQL injecton, XSS vulnerabilities; Separate
docker images for portal, sdk app and DMaaPBC ui; Missing error page

Change-Id: I1818fbf86c601dd41b274729038e731fb2ec8f7d
Signed-off-by: st782s <statta@research.att.com>
---
 .../portalsdk/analytics/model/SearchHandler.java   |   2 +-
 ecomp-sdk/epsdk-app-common/README.md               |   4 +-
 .../controller/core/FnMenuController.java          |  13 +--
 .../controller/core/ProfileController.java         |   6 +-
 .../portalapp/controller/core/RoleController.java  |   8 +-
 .../controller/core/RoleListController.java        |   4 +-
 .../controller/core/SingleSignOnController.java    |  18 +++-
 .../controller/sample/BroadcastController.java     |  11 +-
 .../controller/sample/BroadcastListController.java |   4 +-
 .../onap/portalapp/util/SecurityXssValidator.java  |  34 +++---
 ecomp-sdk/epsdk-app-os/README.md                   |   8 +-
 .../db-scripts/EcompSdkDMLMySql_2_1_OS.sql         |  12 +++
 .../onap/portalapp/filter/SecurityXssFilter.java   | 120 ++++++++++++++-------
 .../src/main/webapp/WEB-INF/conf/system.properties |   4 +-
 .../epsdk-app-os/src/main/webapp/WEB-INF/web.xml   |  23 ++--
 .../src/main/resources/ESAPI.properties            |   2 +-
 .../src/main/webapp/WEB-INF/jsp/error.jsp          |  38 ++++++-
 .../ds2-admin/modals/role-function-add.html        |  17 ++-
 .../DS2-view-models/ds2-admin/role_list.html       |   2 +-
 .../src/main/webapp/app/fusion/styles/ecomp.css    |  11 ++
 ecomp-sdk/epsdk-core/README.md                     |   3 +-
 .../interceptor/SessionTimeoutInterceptor.java     |  19 +++-
 .../core/logging/format/AlarmSeverityEnum.java     |  16 ++-
 .../onap/portalsdk/core/service/UrlAccessImpl.java |  82 ++++++++++++--
 .../onap/portalsdk/core/util/SystemProperties.java |   2 +
 .../workflow/controllers/WorkflowController.java   |   2 +-
 26 files changed, 350 insertions(+), 115 deletions(-)

diff --git a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/SearchHandler.java b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/SearchHandler.java
index a6043ea7..863f510c 100644
--- a/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/SearchHandler.java
+++ b/ecomp-sdk/epsdk-analytics/src/main/java/org/onap/portalsdk/analytics/model/SearchHandler.java
@@ -295,7 +295,7 @@ public class SearchHandler extends org.onap.portalsdk.analytics.RaptorObject {
 		} else {
 			rep_name_sql = " AND UPPER(cr.title) LIKE UPPER('%%') ";
 		}
-		sql = sql.replace("[fReportName]", ESAPI.encoder().encodeForSQL( SecurityCodecUtil.getCodec(),rep_name_sql));
+		sql = sql.replace("[fReportName]",rep_name_sql);
 
 		if (menuId.length() > 0){
 			/*sql += "AND INSTR('|'||cr.menu_id||'|', '|'||'" + menuId + "'||'|') > 0 "
diff --git a/ecomp-sdk/epsdk-app-common/README.md b/ecomp-sdk/epsdk-app-common/README.md
index fa3e7bc4..e72d9420 100644
--- a/ecomp-sdk/epsdk-app-common/README.md
+++ b/ecomp-sdk/epsdk-app-common/README.md
@@ -29,9 +29,9 @@ Version 1.4.0
 - PORTAL-42 Use OParent as parent POM
 - PORTAL-72 Address Sonar Scan code issues
 - PORTAL-90 Use approved ONAP license text
-- Portal-86 Remove application specific usages from tests and other files
+- PORTAL-86 Remove application specific usages from tests and other files
 - PORTAL-78 Fix SingleSignon by force session creation prior to redirection to portal
-
+- PORTAL-118 Missing Error page in Portal-SDK app when there is an exception happen in the backend.
 
 Version 1.3.0, 28 August 2017
 - Portal-19 Renaming the Group Id in the POM file to org.onap.portal.sdk
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/FnMenuController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/FnMenuController.java
index dfc735b1..c441417b 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/FnMenuController.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/FnMenuController.java
@@ -76,7 +76,7 @@ public class FnMenuController extends RestrictedBaseController {
 
 	@Autowired
 	FnMenuService service;
-	
+
 	@Autowired
 	FunctionalMenuListService functionalMenuListService;
 
@@ -91,7 +91,7 @@ public class FnMenuController extends RestrictedBaseController {
 			logger.error(EELFLoggerDelegate.errorLogger, "getParentListFailed", e);
 			response.setCharacterEncoding("UTF-8");
 			PrintWriter out = response.getWriter();
-			out.write(e.getMessage());
+			out.write("An error occurred in the getParentList () ");
 		}
 	}
 
@@ -104,7 +104,7 @@ public class FnMenuController extends RestrictedBaseController {
 			logger.error(EELFLoggerDelegate.errorLogger, "getFunctionCDList", e);
 			response.setCharacterEncoding("UTF-8");
 			PrintWriter out = response.getWriter();
-			out.write(e.getMessage());
+			out.write("An error occurred in the getFunctionCDList ()");
 		}
 
 	}
@@ -160,7 +160,6 @@ public class FnMenuController extends RestrictedBaseController {
 			mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
 			JsonNode root = mapper.readTree(request.getReader());
 			Menu fnMenuItem = mapper.readValue(root.get("availableFnMenuItem").toString(), Menu.class);
-
 			service.saveFnMenu(fnMenuItem);
 			request.getSession()
 					.removeAttribute(SystemProperties.getProperty(SystemProperties.APPLICATION_MENU_ATTRIBUTE_NAME));
@@ -183,7 +182,7 @@ public class FnMenuController extends RestrictedBaseController {
 			response.setCharacterEncoding("UTF-8");
 			request.setCharacterEncoding("UTF-8");
 			PrintWriter out = response.getWriter();
-			out.write(e.getMessage());
+			out.write("An error occurred in the updateFnMenu () ");
 		}
 		return null;
 
@@ -198,9 +197,7 @@ public class FnMenuController extends RestrictedBaseController {
 			JsonNode root = mapper.readTree(request.getReader());
 			Menu fnMenuItem = mapper.readValue(root.get("fnMenuItem").toString(), Menu.class);
 			Menu fnMenuItemRow = service.getMenuItemRow(fnMenuItem.getId());
-
 			service.removeMenuItem(fnMenuItemRow);
-
 			response.setCharacterEncoding("UTF-8");
 			response.setContentType("application / json");
 			request.setCharacterEncoding("UTF-8");
@@ -215,7 +212,7 @@ public class FnMenuController extends RestrictedBaseController {
 			response.setCharacterEncoding("UTF-8");
 			request.setCharacterEncoding("UTF-8");
 			PrintWriter out = response.getWriter();
-			out.write(e.getMessage());
+			out.write("An error occurred in the removeFnMenu ()");
 		}
 		return null;
 
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/ProfileController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/ProfileController.java
index c83e926e..b63d24aa 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/ProfileController.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/ProfileController.java
@@ -229,7 +229,7 @@ public class ProfileController extends RestrictedBaseController {
 			response.setCharacterEncoding("UTF-8");			
 			try {
 				PrintWriter 	out = response.getWriter();
-				out.write(e.getMessage());
+				out.write("An error occurred in the saveProfile ()");
 			} catch (IOException e1) {
 				logger.error(EELFLoggerDelegate.errorLogger, "saveProfile: failed to write", e1);
 			}
@@ -279,7 +279,7 @@ public class ProfileController extends RestrictedBaseController {
 			logger.error(EELFLoggerDelegate.errorLogger, "removeRole failed", e);
 			response.setCharacterEncoding("UTF-8");
 			PrintWriter out = response.getWriter();
-			out.write(e.getMessage());
+			out.write("An error occurred in the removeRole ()");
 			return null;
 		}
 	}
@@ -322,7 +322,7 @@ public class ProfileController extends RestrictedBaseController {
 			response.setCharacterEncoding("UTF-8");
 			request.setCharacterEncoding("UTF-8");
 			PrintWriter out = response.getWriter();
-			out.write(e.getMessage());
+			out.write("An error occurred in the addNewRole ()");
 			return null;
 		}
 
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleController.java
index 69a25e66..bd1a6ab0 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleController.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleController.java
@@ -232,7 +232,7 @@ public class RoleController extends RestrictedBaseController {
 			logger.error(EELFLoggerDelegate.errorLogger, "removeRole failed", e);
 			response.setCharacterEncoding("UTF-8");
 			PrintWriter out = response.getWriter();
-			out.write(e.getMessage());
+			out.write("An error occurred removeRole failed in the removeRoleFunction");
 			return null;
 		}
 
@@ -269,7 +269,7 @@ public class RoleController extends RestrictedBaseController {
 			logger.error(EELFLoggerDelegate.errorLogger, "removeRoleFunction failed", e);
 			response.setCharacterEncoding("UTF-8");
 			PrintWriter out = response.getWriter();
-			out.write(e.getMessage());
+			out.write("An error occurred removeRoleFunction failed in the removeRoleFunction");
 			return null;
 		}
 
@@ -305,7 +305,7 @@ public class RoleController extends RestrictedBaseController {
 			logger.error(EELFLoggerDelegate.errorLogger, "removeChildRole failed", e);
 			response.setCharacterEncoding("UTF-8");
 			PrintWriter out = response.getWriter();
-			out.write(e.getMessage());
+			out.write("An error occurred removeChildRole failed in the removeChildRole()");
 			return null;
 		}
 
@@ -342,7 +342,7 @@ public class RoleController extends RestrictedBaseController {
 			logger.error(EELFLoggerDelegate.errorLogger, "addChildRole failed", e);
 			response.setCharacterEncoding("UTF-8");
 			PrintWriter out = response.getWriter();
-			out.write(e.getMessage());
+			out.write("An error occurred addChildRole failed in the addChildRole()");
 			return null;
 		}
 
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleListController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleListController.java
index b89cb43c..c7804e5f 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleListController.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/RoleListController.java
@@ -141,7 +141,7 @@ public class RoleListController extends RestrictedBaseController {
 			logger.error(EELFLoggerDelegate.errorLogger, "toggleRole failed", e);
 			response.setCharacterEncoding("UTF-8");
 			PrintWriter out = response.getWriter();
-			out.write(e.getMessage());
+			out.write("An error occurred while saving Role  in the toggleRole()");
 			return null;
 		}
 
@@ -180,7 +180,7 @@ public class RoleListController extends RestrictedBaseController {
 			response.setCharacterEncoding("UTF-8");
 			request.setCharacterEncoding("UTF-8");
 			PrintWriter out = response.getWriter();
-			out.write(e.getMessage());
+			out.write("An error occurred while removing Role  in the toggleRole()");
 			return null;
 		}
 
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/SingleSignOnController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/SingleSignOnController.java
index fb2e3b80..982a60b8 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/SingleSignOnController.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/core/SingleSignOnController.java
@@ -37,6 +37,8 @@
  */
 package org.onap.portalapp.controller.core;
 
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.net.URLDecoder;
 import java.net.URLEncoder;
 import java.util.HashMap;
@@ -47,6 +49,7 @@ import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
 
+import org.apache.commons.lang.StringUtils;
 import org.onap.portalsdk.core.auth.LoginStrategy;
 import org.onap.portalsdk.core.command.LoginBean;
 import org.onap.portalsdk.core.controller.UnRestrictedBaseController;
@@ -159,6 +162,7 @@ public class SingleSignOnController extends UnRestrictedBaseController {
 				// both user and session are non-null.
 				logger.info(EELFLoggerDelegate.debugLogger, "singleSignOnLogin: redirecting to the forwardURL {}",
 						forwardURL);
+				validateDomain(forwardURL);
 				return new ModelAndView("redirect:" + forwardURL);
 			}
 
@@ -180,6 +184,7 @@ public class SingleSignOnController extends UnRestrictedBaseController {
 				// application can publish a base URL in system.properties
 				String appUrl = SystemProperties.getProperty(SystemProperties.APP_BASE_URL);
 				returnToAppUrl = appUrl + (appUrl.endsWith("/") ? "" : "/") + forwardURL;
+				validateDomain(returnToAppUrl);
 				logger.debug(EELFLoggerDelegate.debugLogger,
 						"singleSignOnLogin: using app base URL {} and redirectURL {}", appUrl, returnToAppUrl);
 			} else {
@@ -190,6 +195,7 @@ public class SingleSignOnController extends UnRestrictedBaseController {
 				// should always find the specified token.
 				returnToAppUrl = request.getRequestURL().toString().replace("single_signon.htm",
 						forwardURL);
+				validateDomain(returnToAppUrl);
 				logger.debug(EELFLoggerDelegate.debugLogger, "singleSignOnLogin: computed redirectURL {}",
 						returnToAppUrl);
 			}
@@ -202,7 +208,6 @@ public class SingleSignOnController extends UnRestrictedBaseController {
 			final String redirectUrl = portalUrl + "?uebAppKey=" + uebAppKey + "&redirectUrl=" + encodedReturnToAppUrl;
 			logger.debug(EELFLoggerDelegate.debugLogger, "singleSignOnLogin: portal-bound redirect URL is {}",
 					redirectUrl);
-			
 			// this line may not be necessary but jsessionid coockie is not getting created in all cases;
 			// so force the cookie creation
 			request.getSession(true);
@@ -211,6 +216,17 @@ public class SingleSignOnController extends UnRestrictedBaseController {
 		}
 	}
 
+	private void validateDomain(String forwardURL) throws MalformedURLException {
+		if (StringUtils.isNotBlank(forwardURL)) {
+			String hostName = new URL(forwardURL).getHost();
+			if (StringUtils.isNotBlank(hostName) && !hostName.endsWith(SystemProperties.getProperty(SystemProperties.COOKIE_DOMAIN))) {
+				logger.debug(EELFLoggerDelegate.debugLogger, "singleSignOnLogin: accessing Unauthorized url",
+						hostName);
+				throw new SecurityException("accessing Unauthorized url : " + hostName);
+			}
+		}
+	}
+
 	protected void initateSessionMgtHandler(HttpServletRequest request) {
 		String portalJSessionId = getPortalJSessionId(request);
 		String jSessionId = getJessionId(request);
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/BroadcastController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/BroadcastController.java
index 316f35cd..c4f0d430 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/BroadcastController.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/BroadcastController.java
@@ -45,8 +45,10 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.json.JSONObject;
+import org.onap.portalapp.util.SecurityXssValidator;
 import org.onap.portalsdk.core.controller.RestrictedBaseController;
 import org.onap.portalsdk.core.domain.BroadcastMessage;
+import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.onap.portalsdk.core.service.BroadcastService;
 import org.onap.portalsdk.core.util.SystemProperties;
 import org.onap.portalsdk.core.web.support.AppUtils;
@@ -65,6 +67,8 @@ import com.fasterxml.jackson.databind.ObjectMapper;
 @RequestMapping("/")
 public class BroadcastController extends RestrictedBaseController {
 
+	private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(BroadcastController.class);
+	
 	@Autowired
 	private BroadcastService broadcastService;
 
@@ -77,7 +81,7 @@ public class BroadcastController extends RestrictedBaseController {
 			model.put("broadcastMessage", mapper.writeValueAsString(broadcastService.getBroadcastMessage(request)));
 			model.put("broadcastSites", mapper.writeValueAsString(referenceData(request).get("broadcastSites")));
 		} catch (Exception e) {
-			e.printStackTrace();
+			logger.error(EELFLoggerDelegate.errorLogger, "broadcast() failed", e);
 		}
 		return new ModelAndView(getViewName(), model);
 	}
@@ -96,7 +100,7 @@ public class BroadcastController extends RestrictedBaseController {
 			response.getWriter().write(j.toString());
 
 		} catch (Exception e) {
-			e.printStackTrace();
+			logger.error(EELFLoggerDelegate.errorLogger, "getBroadcast() failed", e);
 		}
 
 	}
@@ -141,7 +145,8 @@ public class BroadcastController extends RestrictedBaseController {
 			response.setCharacterEncoding("UTF-8");
 			request.setCharacterEncoding("UTF-8");
 			PrintWriter out = response.getWriter();
-			out.write(e.getMessage());
+			out.write("An error occurred while saving the BroadcastMessage in the save () mapping-/broadcast/save   ");
+			logger.error(EELFLoggerDelegate.errorLogger, "save() failed", e);
 			return null;
 		}
 
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/BroadcastListController.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/BroadcastListController.java
index aeeaca56..2a9af812 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/BroadcastListController.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/controller/sample/BroadcastListController.java
@@ -121,7 +121,7 @@ public class BroadcastListController extends RestrictedBaseController {
 			response.setCharacterEncoding("UTF-8");
 			request.setCharacterEncoding("UTF-8");
 			PrintWriter out = response.getWriter();
-			out.write(e.getMessage());
+			out.write("An error occurred while removing the BroadcastMessage in the remove ()");
 			logger.error(EELFLoggerDelegate.errorLogger, "remove() failed", e);
 			return null;
 		}
@@ -156,7 +156,7 @@ public class BroadcastListController extends RestrictedBaseController {
 			response.setCharacterEncoding("UTF-8");
 			request.setCharacterEncoding("UTF-8");
 			PrintWriter out = response.getWriter();
-			out.write(e.getMessage());
+			out.write("An error occurred while saving the BroadcastMessage in the toggleActive () ");
 			logger.error(EELFLoggerDelegate.errorLogger, "toggleActive() failed", e);
 			return null;
 		}
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java
index b51cb8db..97545508 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java
@@ -60,6 +60,7 @@ public class SecurityXssValidator {
 	private static final String MYSQL_DB = "mysql";
 	private static final String ORACLE_DB = "oracle";
 	private static final String MARIA_DB = "mariadb";
+	private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;
 
 	static SecurityXssValidator validator = null;
 	private static Codec instance;
@@ -82,46 +83,39 @@ public class SecurityXssValidator {
 
 	private SecurityXssValidator() {
 		// Avoid anything between script tags
-		XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE));
+		XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", FLAGS));
 
 		// avoid iframes
-		XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", Pattern.CASE_INSENSITIVE));
+		XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", FLAGS));
 
 		// Avoid anything in a src='...' type of expression
-		XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",
-				Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+		XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS));
 
-		XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
-				Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+		XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS));
 
-		XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)",
-				Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+		XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS));
 
 		// Remove any lonesome </script> tag
-		XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", Pattern.CASE_INSENSITIVE));
+		XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", FLAGS));
 
-		XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<script>|</script>).*", Pattern.CASE_INSENSITIVE));
+		XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<script>|</script>).*", FLAGS));
 
-		XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<iframe>|</iframe>).*", Pattern.CASE_INSENSITIVE));
+		XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<iframe>|</iframe>).*", FLAGS));
 
 		// Remove any lonesome <script ...> tag
-		XSS_INPUT_PATTERNS
-				.add(Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+		XSS_INPUT_PATTERNS.add(Pattern.compile("<script(.*?)>", FLAGS));
 
 		// Avoid eval(...) expressions
-		XSS_INPUT_PATTERNS
-				.add(Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+		XSS_INPUT_PATTERNS.add(Pattern.compile("eval\\((.*?)\\)", FLAGS));
 
 		// Avoid expression(...) expressions
-		XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)",
-				Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+		XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)", FLAGS));
 
 		// Avoid javascript:... expressions
-		XSS_INPUT_PATTERNS.add(Pattern.compile(".*(javascript:|vbscript:).*", Pattern.CASE_INSENSITIVE));
+		XSS_INPUT_PATTERNS.add(Pattern.compile(".*(javascript:|vbscript:).*", FLAGS));
 
 		// Avoid onload= expressions
-		XSS_INPUT_PATTERNS.add(
-				Pattern.compile(".*(onload(.*?)=).*", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL));
+		XSS_INPUT_PATTERNS.add(Pattern.compile(".*(onload(.*?)=).*", FLAGS));
 	}
 
 	private List<Pattern> XSS_INPUT_PATTERNS = new ArrayList<Pattern>();
diff --git a/ecomp-sdk/epsdk-app-os/README.md b/ecomp-sdk/epsdk-app-os/README.md
index d9d7fb68..daf03237 100644
--- a/ecomp-sdk/epsdk-app-os/README.md
+++ b/ecomp-sdk/epsdk-app-os/README.md
@@ -19,9 +19,11 @@ Version 1.4.0, <?day> <?month> 2017
 - PORTAL-72 Address Sonar Scan code issues
 - PORTAL-79 remove unwanted SDK left menu under Report-sample dashboard
 - PORTAL-90 Use approved ONAP license text
-- Portal-86 Remove application specific usages from tests and other files (rework)
-- Portal-104 Replaced the sql connector to maria db
-- Portal-127 Remove GreenSock license code from b2b library
+- PORTAL-86 Remove application specific usages from tests and other files (rework)
+- PORTAL-104 Replaced the sql connector to maria db
+- PORTAL-127 Remove GreenSock license code from b2b library
+- PORTAL-118 Missing Error page in Portal-SDK app when there is an exception happen in the backend.
+
 * Put new entries here *
 
 Version 1.3.0, 28 August 2017
diff --git a/ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDMLMySql_2_1_OS.sql b/ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDMLMySql_2_1_OS.sql
index cb4a3085..91402fb0 100644
--- a/ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDMLMySql_2_1_OS.sql
+++ b/ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDMLMySql_2_1_OS.sql
@@ -36,4 +36,16 @@ Insert into fn_app (APP_ID,APP_NAME,APP_IMAGE_URL,APP_DESCRIPTION,APP_NOTES,APP_
 -- fn_user_role
 Insert into fn_user_role (USER_ID,ROLE_ID,PRIORITY,APP_ID) values (1,1,null,1);
 
+-- fn_restricted_url
+insert into fn_restricted_url values('admin','menu_admin');
+insert into fn_restricted_url values('get_role','menu_admin');
+insert into fn_restricted_url values('get_role_functions','menu_admin');
+insert into fn_restricted_url values('role_list/*','menu_admin');
+insert into fn_restricted_url values('role_function_list/*','menu_admin');
+insert into fn_restricted_url values('addRole','menu_admin');
+insert into fn_restricted_url values('addRoleFunction','menu_admin');
+insert into fn_restricted_url values('removeRole','menu_admin');
+insert into fn_restricted_url values('removeRoleFunction','menu_admin');
+insert into fn_restricted_url values('profile/*','menu_admin');
+
 commit;
diff --git a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
index 71ab7359..aad01286 100644
--- a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
+++ b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
@@ -38,71 +38,119 @@
  */
 package org.onap.portalapp.filter;
 
+import java.io.BufferedReader;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
 import java.io.IOException;
-import java.io.UnsupportedEncodingException;
+import java.io.InputStreamReader;
+import java.nio.charset.StandardCharsets;
 
 import javax.servlet.FilterChain;
+import javax.servlet.ReadListener;
 import javax.servlet.ServletException;
+import javax.servlet.ServletInputStream;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang.StringUtils;
+import org.apache.http.HttpStatus;
 import org.onap.portalapp.util.SecurityXssValidator;
+import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
 import org.springframework.web.filter.OncePerRequestFilter;
-import org.springframework.web.util.ContentCachingRequestWrapper;
-import org.springframework.web.util.ContentCachingResponseWrapper;
-import org.springframework.web.util.WebUtils;
 
 public class SecurityXssFilter extends OncePerRequestFilter {
 
-	private static final String BAD_REQUEST = "BAD_REQUEST";
+	private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class);
+
+	private static final String APPLICATION_JSON = "application/json";
+
+	private static final String ERROR_BAD_REQUEST = "{\"error\":\"BAD_REQUEST\"}";
 
 	private SecurityXssValidator validator = SecurityXssValidator.getInstance();
 
-	private static String getRequestData(final HttpServletRequest request) throws UnsupportedEncodingException {
-		String payload = null;
-		ContentCachingRequestWrapper wrapper = WebUtils.getNativeRequest(request, ContentCachingRequestWrapper.class);
-		if (wrapper != null) {
-			byte[] buf = wrapper.getContentAsByteArray();
-			if (buf.length > 0) {
-				payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding());
-			}
+	public class RequestWrapper extends HttpServletRequestWrapper {
+
+		private ByteArrayOutputStream cachedBytes;
+
+		public RequestWrapper(HttpServletRequest request) {
+			super(request);
 		}
-		return payload;
-	}
 
-	private static String getResponseData(final HttpServletResponse response) throws IOException {
-		String payload = null;
-		ContentCachingResponseWrapper wrapper = WebUtils.getNativeResponse(response,
-				ContentCachingResponseWrapper.class);
-		if (wrapper != null) {
-			byte[] buf = wrapper.getContentAsByteArray();
-			if (buf.length > 0) {
-				payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding());
-				wrapper.copyBodyToResponse();
+		@Override
+		public ServletInputStream getInputStream() throws IOException {
+			if (cachedBytes == null)
+				cacheInputStream();
+
+			return new CachedServletInputStream();
+		}
+
+		@Override
+		public BufferedReader getReader() throws IOException {
+			return new BufferedReader(new InputStreamReader(getInputStream()));
+		}
+
+		private void cacheInputStream() throws IOException {
+			cachedBytes = new ByteArrayOutputStream();
+			IOUtils.copy(super.getInputStream(), cachedBytes);
+		}
+
+		public class CachedServletInputStream extends ServletInputStream {
+			private ByteArrayInputStream input;
+
+			public CachedServletInputStream() {
+				input = new ByteArrayInputStream(cachedBytes.toByteArray());
 			}
+
+			@Override
+			public int read() throws IOException {
+				return input.read();
+			}
+
+			public boolean isFinished() {
+				return false;
+			}
+
+			public boolean isReady() {
+				return false;
+			}
+
+			public void setReadListener(ReadListener readListener) {
+
+			}
+
 		}
-		return payload;
 	}
 
 	@Override
 	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
 			throws ServletException, IOException {
-
-		if (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT")) {
-
-			HttpServletRequest requestToCache = new ContentCachingRequestWrapper(request);
-			HttpServletResponse responseToCache = new ContentCachingResponseWrapper(response);
-			filterChain.doFilter(requestToCache, responseToCache);
-			String requestData = getRequestData(requestToCache);
-			String responseData = getResponseData(responseToCache);
-			if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) {
-				throw new SecurityException(BAD_REQUEST);
+		if (validateRequestType(request)) {
+			request = new RequestWrapper(request);
+			String requestData = IOUtils.toString(request.getInputStream(), StandardCharsets.UTF_8.toString());
+			try {
+				if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) {
+					response.setContentType(APPLICATION_JSON);
+					response.setStatus(HttpStatus.SC_BAD_REQUEST);
+					response.getWriter().write(ERROR_BAD_REQUEST);
+					throw new SecurityException(ERROR_BAD_REQUEST);
+				}
+			} catch (Exception e) {
+				logger.error(EELFLoggerDelegate.errorLogger, "doFilterInternal() failed due to BAD_REQUEST", e);
+				response.getWriter().close();
+				return;
 			}
+			filterChain.doFilter(request, response);
 
 		} else {
 			filterChain.doFilter(request, response);
 		}
 
 	}
-}
+
+	private boolean validateRequestType(HttpServletRequest request) {
+		return (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT")
+				|| request.getMethod().equalsIgnoreCase("DELETE"));
+	}
+}
\ No newline at end of file
diff --git a/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/conf/system.properties b/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/conf/system.properties
index de056a3d..0dc81301 100644
--- a/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/conf/system.properties
+++ b/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/conf/system.properties
@@ -69,4 +69,6 @@ instance_uuid=8da691c9-987d-43ed-a358-00ac2f35685d
 # app_base_url = https://www.openecomp.org/app_context/
 
 #authenticate user server
-authenticate_user_server=http://todo_enter_auth_server_hostname:8383/openid-connect-server-webapp/allUsers
\ No newline at end of file
+authenticate_user_server=http://todo_enter_auth_server_hostname:8383/openid-connect-server-webapp/allUsers
+#cookie domain 
+cookie_domain = onap.org
\ No newline at end of file
diff --git a/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml b/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml
index f5039df4..76a372be 100644
--- a/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml
+++ b/ecomp-sdk/epsdk-app-os/src/main/webapp/WEB-INF/web.xml
@@ -1,8 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee" 
-         xmlns:web="http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
-         version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee">
+	xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee" xmlns:web="http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
+	version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee">
 
 	<display-name>ecomp-sdk-app-os</display-name>
 
@@ -14,12 +13,16 @@
 		<tracking-mode>COOKIE</tracking-mode>
 	</session-config>
 	<filter>
-    <filter-name>SecurityXssFilter</filter-name>
-    <filter-class>org.onap.portalapp.filter.SecurityXssFilter</filter-class>
-   </filter> 
-    <filter-mapping>
-    <filter-name>SecurityXssFilter</filter-name>
-    <url-pattern>/*</url-pattern>
-  </filter-mapping>
+		<filter-name>SecurityXssFilter</filter-name>
+		<filter-class>org.onap.portalapp.filter.SecurityXssFilter
+		</filter-class>
+	</filter>
+	<filter-mapping>
+		<filter-name>SecurityXssFilter</filter-name>
+		<url-pattern>/*</url-pattern>
+	</filter-mapping>
+	<error-page>
+		<location>/WEB-INF/jsp/error.jsp</location>
+	</error-page>
 
 </web-app>
\ No newline at end of file
diff --git a/ecomp-sdk/epsdk-app-overlay/src/main/resources/ESAPI.properties b/ecomp-sdk/epsdk-app-overlay/src/main/resources/ESAPI.properties
index d06d602c..3bf78f70 100644
--- a/ecomp-sdk/epsdk-app-overlay/src/main/resources/ESAPI.properties
+++ b/ecomp-sdk/epsdk-app-overlay/src/main/resources/ESAPI.properties
@@ -6,7 +6,7 @@
 # If you need to troubleshoot a properties related problem, turning this on may help.
 # This is 'false' in the src/test/resources/.esapi version. It is 'true' by
 # default for reasons of backward compatibility with earlier ESAPI versions.
-ESAPI.printProperties=true
+ESAPI.printProperties=false
 
 # ESAPI is designed to be easily extensible. You can use the reference implementation
 # or implement your own providers to take advantage of your enterprise's security
diff --git a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/WEB-INF/jsp/error.jsp b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/WEB-INF/jsp/error.jsp
index 3f31fe0a..8e1c3a5e 100644
--- a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/WEB-INF/jsp/error.jsp
+++ b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/WEB-INF/jsp/error.jsp
@@ -6,7 +6,7 @@
   ===================================================================
  
   Unless otherwise specified, all software contained herein is licensed
-  under the Apache License, Version 2.0 (the “License”);
+  under the Apache License, Version 2.0 (the "License");
   you may not use this software except in compliance with the License.
   You may obtain a copy of the License at
  
@@ -19,7 +19,7 @@
   limitations under the License.
  
   Unless otherwise specified, all documentation contained herein is licensed
-  under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+  under the Creative Commons License, Attribution 4.0 Intl. (the "€License"€);
   you may not use this documentation except in compliance with the License.
   You may obtain a copy of the License at
  
@@ -35,4 +35,36 @@
  
   ECOMP is a trademark and service mark of AT&T Intellectual Property.
   --%>
-${errMsg}
+<%@ page language="java" contentType="text/html;"
+	pageEncoding="US-ASCII" isErrorPage="true"%>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+	<head>
+		<meta http-equiv="Content-Type" content="text/html;">
+		<title>Error Page</title>
+	</head>
+	<body>
+		<h1>Something went wrong. Please go back to the previous page or
+			try again later.</h1>
+			
+		<h3>Please see the exception:</h3>
+	
+		<table width="100%" border="1">
+			<tr valign="top">
+				<td width="40%"><b>Error:</b></td>
+				<td>${pageContext.exception}</td>
+			</tr>
+	
+			<tr valign="top">
+				<td><b>URI:</b></td>
+				<td>${pageContext.errorData.requestURI}</td>
+			</tr>
+	
+			<tr valign="top">
+				<td><b>Status code:</b></td>
+				<td>${pageContext.errorData.statusCode}</td>
+			</tr>
+		</table>
+	
+	</body>
+</html>
\ No newline at end of file
diff --git a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-view-models/ds2-admin/modals/role-function-add.html b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-view-models/ds2-admin/modals/role-function-add.html
index a6912571..531c55e5 100644
--- a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-view-models/ds2-admin/modals/role-function-add.html
+++ b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-view-models/ds2-admin/modals/role-function-add.html
@@ -12,18 +12,29 @@
 		style="height: 145px;">
 
 		<div class="field-group">
-			Name <input id="textinputID-2a" ddh-reset ng-model="roleFun['name']"
+			<span ID="required" style="color: Red;" visible="false"> *</span>Name <input id="textinputID-2a" ddh-reset ng-model="roleFun['name']"
 				placeholder="Name" class="span12" type="text">
 		</div>
+		<div class="error-container"
+			ng-show="!roleFun['name']||roleFun['name']==0">
+			<small id="name-required" class="err-message">Name is Required</small>
+		</div>
+		<br>
 		<div class="field-group">
-			Code <input id="textinputID-2a" ddh-reset ng-model="roleFun['code']"
+			<span ID="required" style="color: Red;" visible="false"> *</span>Code <input id="textinputID-2a" ddh-reset ng-model="roleFun['code']"
 				placeholder="Code" class="span12" type="text">
 
 		</div>
+		<div class="error-container"
+			ng-show="!roleFun['code']||roleFun['code']==0">
+			<small id="code-required" class="err-message">Code is Required</small>
+		</div>
+		
 	</div>
+	<br>
 	<div class="b2b-modal-footer ng-scope ng-isolate-scope in">
 		<div class="cta-button-group in">
-			<button class="btn btn-alt btn-medium" type="button"
+			<button class="btn btn-alt btn-medium" type="button" ng-disabled= "(!roleFun['name']||roleFun['name']==0)|| (!roleFun['code']||roleFun['code']==0)"
 				ng-click="save(roleFun);">Create</button>
 			<button class="btn btn-medium" type="button"
 				ng-click="$dismiss('cancel')">Cancel</button>
diff --git a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-view-models/ds2-admin/role_list.html b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-view-models/ds2-admin/role_list.html
index e325b8ab..e8820f95 100644
--- a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-view-models/ds2-admin/role_list.html
+++ b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/scripts/DS2-view-models/ds2-admin/role_list.html
@@ -9,7 +9,7 @@
 	</div>
 	<div ng-hide="showLoader">
 		<div>
-			 <button type="submit" ng-click="addRoleFuncPopUp(rowData);" class="btn btn-alt btn-small" ng-if="isAppCentralized=='false'">Add New Role</button>
+			 <button type="submit"  onClick="window.location='admin#/role/0';" class="btn btn-alt btn-small" ng-if="isAppCentralized=='false'">Add New Role</button>
 		</div>
 		<h2 class="heading-small" ng-if="isAppCentralized=='false'">Click on a Role to view its details.</h2>
 			<table class="striped" ng-if="availableRoleFunctions" style="width: auto;">
diff --git a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/styles/ecomp.css b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/styles/ecomp.css
index 4c780f38..635ede44 100644
--- a/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/styles/ecomp.css
+++ b/ecomp-sdk/epsdk-app-overlay/src/main/webapp/app/fusion/styles/ecomp.css
@@ -180,4 +180,15 @@ p,a{
 	max-height:300px; 
 	overflow:auto; 
 	display:block
+}
+.error-container {
+    position: absolute;
+    width: 220px;
+    display: block;
+    height: 12px;
+    line-height: 12px;
+}
+.err-message {
+    color: #cf2a2a;
+    font-size: 10px;
 }
\ No newline at end of file
diff --git a/ecomp-sdk/epsdk-core/README.md b/ecomp-sdk/epsdk-core/README.md
index fbc2bf24..55cf69fd 100644
--- a/ecomp-sdk/epsdk-core/README.md
+++ b/ecomp-sdk/epsdk-core/README.md
@@ -14,7 +14,8 @@ ECOMP SDK web application.
 ### ONAP Distributions
 
 Version 2.1.0
-- PORTAL-19 Rename Java package base to org.onap
+- PORTAL-19  Rename Java package base to org.onap
+- PORTAL-145 Harden code to address penetration attacks
 
 Version 1.4.0
 - PORTAL-19 Rename Java package base to org.onap
diff --git a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/interceptor/SessionTimeoutInterceptor.java b/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/interceptor/SessionTimeoutInterceptor.java
index 809266d4..a6b98fdf 100644
--- a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/interceptor/SessionTimeoutInterceptor.java
+++ b/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/interceptor/SessionTimeoutInterceptor.java
@@ -37,17 +37,21 @@
  */
 package org.onap.portalsdk.core.interceptor;
 
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.net.URLEncoder;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
+import org.apache.commons.lang.StringUtils;
 import org.onap.portalsdk.core.controller.FusionBaseController;
 import org.onap.portalsdk.core.domain.User;
 import org.onap.portalsdk.core.exception.SessionExpiredException;
 import org.onap.portalsdk.core.listener.CollaborateListBindingListener;
 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.onap.portalsdk.core.util.SystemProperties;
 import org.onap.portalsdk.core.web.support.AppUtils;
 import org.onap.portalsdk.core.web.support.UserUtils;
 import org.springframework.web.method.HandlerMethod;
@@ -56,7 +60,7 @@ import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
 public class SessionTimeoutInterceptor extends HandlerInterceptorAdapter {
 
 	private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SessionTimeoutInterceptor.class);
-	
+
 	/**
 	 * Checks all requests for valid session information. If not found, redirects to
 	 * a controller that will establish a valid session.
@@ -98,6 +102,7 @@ public class SessionTimeoutInterceptor extends HandlerInterceptorAdapter {
 						// "/context/single_signon.htm"
 						final String redirectUrl = request.getContextPath() + singleSignonPrefix
 								+ "redirectToPortal=Yes&" + forwardUrlParm;
+						validateDomain(redirectUrl);
 						logger.debug(EELFLoggerDelegate.debugLogger, "preHandle: session is expired, redirecting to {}",
 								redirectUrl);
 						response.sendRedirect(redirectUrl);
@@ -107,6 +112,7 @@ public class SessionTimeoutInterceptor extends HandlerInterceptorAdapter {
 						// Redirect to an absolute path in the webapp; e.g.,
 						// "/context/single_signon.htm"
 						final String redirectUrl = request.getContextPath() + singleSignonPrefix + forwardUrlParm;
+						validateDomain(redirectUrl);
 						logger.debug(EELFLoggerDelegate.debugLogger, "preHandle: took exception {}, redirecting to {}",
 								ex.getMessage(), redirectUrl);
 						response.sendRedirect(redirectUrl);
@@ -119,4 +125,15 @@ public class SessionTimeoutInterceptor extends HandlerInterceptorAdapter {
 		return super.preHandle(request, response, handler);
 	}
 
+	private void validateDomain(final String redirectUrl) throws MalformedURLException {
+		if (StringUtils.isNotBlank(redirectUrl)) {
+			String hostName = new URL(redirectUrl).getHost();
+			if (StringUtils.isNotBlank(hostName)
+					&& !hostName.endsWith(SystemProperties.getProperty(SystemProperties.COOKIE_DOMAIN))) {
+				logger.debug(EELFLoggerDelegate.debugLogger, "singleSignOnLogin: accessing Unauthorized url", hostName);
+				throw new SecurityException("accessing Unauthorized url : " + hostName);
+			}
+		}
+	}
+
 }
diff --git a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/logging/format/AlarmSeverityEnum.java b/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/logging/format/AlarmSeverityEnum.java
index 5e202475..c2ce2b3d 100644
--- a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/logging/format/AlarmSeverityEnum.java
+++ b/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/logging/format/AlarmSeverityEnum.java
@@ -38,5 +38,19 @@
 package org.onap.portalsdk.core.logging.format;
 
 public enum AlarmSeverityEnum {
-	CRITICAL, MAJOR, MINOR, INFORMATIONAL, NONE,
+	CRITICAL("1"),
+	MAJOR("2"), 
+	MINOR("3"), 
+	INFORMATIONAL("4"), 
+	NONE("0");
+
+	private final String severity;
+
+	AlarmSeverityEnum(String severity) {
+		this.severity = severity;
+	}
+
+	public String severity() {
+		return severity;
+	}
 }
diff --git a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/UrlAccessImpl.java b/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/UrlAccessImpl.java
index 4dde6116..ddadc101 100644
--- a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/UrlAccessImpl.java
+++ b/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/service/UrlAccessImpl.java
@@ -37,12 +37,15 @@
  */
 package org.onap.portalsdk.core.service;
 
-import java.util.HashMap;
+import java.util.ArrayList;
 import java.util.List;
-import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 import javax.servlet.http.HttpServletRequest;
 
+import org.hibernate.criterion.Criterion;
+import org.hibernate.criterion.Restrictions;
 import org.onap.portalsdk.core.domain.UrlsAccessible;
 import org.onap.portalsdk.core.web.support.UserUtils;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -59,17 +62,18 @@ public class UrlAccessImpl implements UrlAccessService {
 	@Override
 	public boolean isUrlAccessible(HttpServletRequest request, String currentUrl) {
 		boolean isAccessible = false;
-		Map<String, String> params = new HashMap<>();
-		params.put("current_url", currentUrl);
-		List list = dataAccessService.executeNamedQuery("restrictedUrls", params, null);
+		List<?> list = getAccessUrlList(currentUrl);
 
 		// loop through the list of restricted URL's
 		if (list != null && !list.isEmpty()) {
 			for (int i = 0; i < list.size(); i++) {
-				UrlsAccessible urlFunctions = (UrlsAccessible) list.get(i);
-				String functionCd = urlFunctions.getFunctionCd();
+				UrlsAccessible urlFunction = (UrlsAccessible) list.get(i);
+				if (!matchPattern(currentUrl, urlFunction.getUrl()))
+					continue;
+				String functionCd = urlFunction.getFunctionCd();
 				if (UserUtils.isAccessible(request, functionCd)) {
 					isAccessible = true;
+					break;
 				}
 			}
 			return isAccessible;
@@ -77,4 +81,68 @@ public class UrlAccessImpl implements UrlAccessService {
 		return true;
 	}
 
+	/*
+	 * This Method returns all the entries in the database that start with the
+	 * first part of the currentUrl split at the "/" character. 
+	 * 
+	 * Example: if currentUrl
+	 * is "xyz/abc/1", all the entries in the corresponding tables that match
+	 * with "xyz" are returned
+	 */
+	private List<?> getAccessUrlList(String currentUrl) {
+		List<?> list = null;
+
+		if (currentUrl != null) {
+			int indexOfSlash = currentUrl.indexOf("/");
+			String currentFirstUrl = (indexOfSlash > 0) ? currentUrl.substring(0, indexOfSlash) : currentUrl;
+
+			if (currentFirstUrl != null) {
+
+				List<Criterion> restrictionsList = new ArrayList<Criterion>();
+				Criterion criterion1 = Restrictions.like("urlsAccessibleKey.url", currentFirstUrl + "%");
+				restrictionsList.add(criterion1);
+				list = dataAccessService.getList(UrlsAccessible.class, null, restrictionsList, null);
+
+			}
+		}
+		return list;
+	}
+
+	/*
+	 * This method compares the portalApiPath against the urlPattern; splits the
+	 * portalApiPath by "/" and compares each part with that of the urlPattern.
+	 * 
+	 * Example: "xyz/1/abc" matches with the pattern "xyz/* /abc" but not with
+	 * "xyz/*"
+	 * 
+	 */
+
+	private Boolean matchPattern(String portalApiPath, String urlPattern) {
+		String[] path = portalApiPath.split("/");
+		if (path.length > 1) {
+
+			String[] roleFunctionArray = urlPattern.split("/");
+			boolean match = true;
+			if (roleFunctionArray.length == path.length) {
+				for (int i = 0; i < roleFunctionArray.length; i++) {
+					if (match) {
+						if (!roleFunctionArray[i].equals("*")) {
+							Pattern p = Pattern.compile(path[i], Pattern.CASE_INSENSITIVE);
+							Matcher m = p.matcher(roleFunctionArray[i]);
+							match = m.matches();
+
+						}
+					}
+				}
+				if (match)
+					return match;
+			}
+		} else {
+			if (portalApiPath.matches(urlPattern))
+				return true;
+
+		}
+		return false;
+	}
+
 }
diff --git a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/util/SystemProperties.java b/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/util/SystemProperties.java
index 6f119104..b6b03a44 100644
--- a/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/util/SystemProperties.java
+++ b/ecomp-sdk/epsdk-core/src/main/java/org/onap/portalsdk/core/util/SystemProperties.java
@@ -263,6 +263,8 @@ public class SystemProperties {
 	// Left Menu
 	public static final String LEFT_MENU_PARENT = "parentList";
 	public static final String LEFT_MENU_CHILDREND = "childItemList";
+	public static final String COOKIE_DOMAIN = "cookie_domain";
+
 
 	public enum RESULT_ENUM {
 		SUCCESS, FAILURE
diff --git a/ecomp-sdk/epsdk-workflow/src/main/java/org/onap/portalsdk/workflow/controllers/WorkflowController.java b/ecomp-sdk/epsdk-workflow/src/main/java/org/onap/portalsdk/workflow/controllers/WorkflowController.java
index 42386821..b4ceb6f2 100644
--- a/ecomp-sdk/epsdk-workflow/src/main/java/org/onap/portalsdk/workflow/controllers/WorkflowController.java
+++ b/ecomp-sdk/epsdk-workflow/src/main/java/org/onap/portalsdk/workflow/controllers/WorkflowController.java
@@ -103,7 +103,7 @@ public class WorkflowController extends RestrictedBaseController {
 			response.setCharacterEncoding("UTF-8");
 			request.setCharacterEncoding("UTF-8");
 			PrintWriter out = response.getWriter();
-			out.write(e.getMessage());
+			out.write("An error occurred while removing Role  in the toggleRole()");
 		}
 
 	}
-- 
cgit 1.2.3-korg