From ed07ebfbce4031ef4dfbd2f42147f6a7b351aeb8 Mon Sep 17 00:00:00 2001 From: st782s Date: Wed, 22 Nov 2017 11:41:10 -0500 Subject: Harden code Issue-ID: PORTAL-145,PORTAL-119 Harden code to address SQL injection, XSS vulnerabilities; Separate docker images for portal, sdk app and DMaaPBC ui Change-Id: I85fad4d3fcee3243207b8f0dfe21beaa41602204 Signed-off-by: st782s --- .../db-scripts/EcompSdkDDLMySql_2_1_OS.sql | 12 +++ .../db-scripts/EcompSdkDMLMySql_2_1_OS.sql | 39 +++++++ ecomp-sdk/epsdk-app-os/db-scripts/readme | 34 +++++++ ecomp-sdk/epsdk-app-os/db-scripts/readme.txt | 24 ----- ecomp-sdk/epsdk-app-os/pom.xml | 54 ++++++++-- .../onap/portalapp/filter/SecurityXssFilter.java | 112 +++++++++------------ .../epsdk-app-os/src/main/resources/key.properties | 41 ++++++++ 7 files changed, 217 insertions(+), 99 deletions(-) create mode 100644 ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDDLMySql_2_1_OS.sql create mode 100644 ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDMLMySql_2_1_OS.sql create mode 100644 ecomp-sdk/epsdk-app-os/db-scripts/readme delete mode 100644 ecomp-sdk/epsdk-app-os/db-scripts/readme.txt create mode 100644 ecomp-sdk/epsdk-app-os/src/main/resources/key.properties (limited to 'ecomp-sdk/epsdk-app-os') diff --git a/ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDDLMySql_2_1_OS.sql b/ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDDLMySql_2_1_OS.sql new file mode 100644 index 00000000..abc21a3a --- /dev/null +++ b/ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDDLMySql_2_1_OS.sql
@@ -0,0 +1,12 @@
+-- ---------------------------------------------------------------------------------------------------------------
+-- This script adds tables for the OPEN-SOURCE version 2.1.0 of the ECOMP SDK application database.
+-- The DDL COMMON script must be executed first!
+-- ---------------------------------------------------------------------------------------------------------------
+
+SET FOREIGN_KEY_CHECKS=1;
+
+USE ecomp_sdk;
+
+-- No additional tables required at this time
+
+commit;
diff --git a/ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDMLMySql_2_1_OS.sql b/ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDMLMySql_2_1_OS.sql
new file mode 100644
index 00000000..cb4a3085
--- /dev/null
+++ b/ecomp-sdk/epsdk-app-os/db-scripts/EcompSdkDMLMySql_2_1_OS.sql
@@ -0,0 +1,39 @@
+-- ---------------------------------------------------------------------------------------------------------------
+-- This script populates tables in the OPEN-SOURCE version 2.1.0 of the ECOMP SDK application database.
+-- The DML COMMON script must be executed first!
+-- ---------------------------------------------------------------------------------------------------------------
+
+SET FOREIGN_KEY_CHECKS=1;
+USE ecomp_sdk;
+
+-- fn_menu
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (1, 'Root', NULL, 10, NULL, 'menu_home', 'N', NULL, NULL, NULL, NULL, 'APP', 'N', NULL); -- we need even though it's inactive
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (5000, 'Sample Pages', 1, 30, 'sample.htm', 'menu_sample', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', 'icon-documents-book');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (2, 'Home', 1, 10, 'welcome.htm', 'menu_home', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', 'icon-building-home');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (8, 'Reports', 1, 40, 'report.htm', 'menu_reports', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', 'icon-misc-piechart');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (9, 'Profile', 1, 90, 'userProfile', 'menu_profile', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', 'icon-people-oneperson');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (10, 'Admin', 1, 110, 'role_list.htm', 'menu_admin', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', 'icon-content-star');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (84, 'All Reports', 8, 50, 'report', 'menu_reports', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', '/static/fusion/images/reports.png');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) values (87, 'Create Reports', 8, 120, 'report#/report_wizard', 'menu_reports', 'Y', NULL, 'r_action=report.create', NULL, NULL, 'APP', 'N', NULL);
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) values (88, 'Sample Dashboard', 8, 130, 'report_dashboard', 'menu_reports', 'N', NULL, NULL, NULL, NULL, 'APP', 'N', NULL);
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (89, 'Import', 8, 140, 'report#/report_import', 'menu_reports', 'N', null, null, null, null, 'APP', 'N', null);
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (94, 'Self', 9, 40,'userProfile#/self_profile', 'menu_profile', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', '/static/fusion/images/profile.png');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (101, 'Roles', 10, 20, 'admin#/admin', 'menu_admin', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', '/static/fusion/images/users.png');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (102, 'Role Functions', 10, 30, 'admin#/role_function_list', 'menu_admin', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', NULL);
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (105, 'Cache Admin', 10, 40, 'admin#/jcs_admin', 'menu_admin', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', '/static/fusion/images/cache.png');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (108, 'Usage', 10, 80, 'admin#/usage_list', 'menu_admin', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', '/static/fusion/images/users.png');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (121, 'Collaboration', 5000, 100, 'samplePage#/collaborate_list', 'menu_sample', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', '/static/fusion/images/bubble.png');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (930, 'Search', 9, 15, 'userProfile', 'menu_admin', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', '/static/fusion/images/search_profile.png');
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (150022, 'Menus', 10, 60, 'admin#/admin_menu_edit', 'menu_admin', 'Y', NULL, NULL, NULL, NULL, 'APP', 'N', NULL);
+INSERT INTO fn_menu (MENU_ID, LABEL, PARENT_ID, SORT_ORDER, ACTION, FUNCTION_CD, ACTIVE_YN, SERVLET, QUERY_STRING, EXTERNAL_URL, TARGET, MENU_SET_CD, SEPARATOR_YN, IMAGE_SRC) VALUES (150038,'Notebook',5000,135,'samplePage#/notebook','menu_sample','Y',NULL,NULL,NULL,NULL,'APP','N',NULL);
+
+-- fn_user
+Insert into fn_user (USER_ID,ORG_ID,MANAGER_ID,FIRST_NAME,MIDDLE_NAME,LAST_NAME,PHONE,FAX,CELLULAR,EMAIL,ADDRESS_ID,ALERT_METHOD_CD,HRID,ORG_USER_ID,ORG_CODE,LOGIN_ID,LOGIN_PWD,LAST_LOGIN_DATE,ACTIVE_YN,CREATED_ID,CREATED_DATE,MODIFIED_ID,MODIFIED_DATE,IS_INTERNAL_YN,ADDRESS_LINE_1,ADDRESS_LINE_2,CITY,STATE_CD,ZIP_CODE,COUNTRY_CD,LOCATION_CLLI,ORG_MANAGER_USERID,COMPANY,DEPARTMENT_NAME,JOB_TITLE,TIMEZONE,DEPARTMENT,BUSINESS_UNIT,BUSINESS_UNIT_NAME,COST_CENTER,FIN_LOC_CODE,SILO_STATUS) values (1,null,null,'Demo',null,'User',null,null,null,'demo@email.com',null,null,null,'demo',null,'demo','demo',str_to_date('24-OCT-16','%d-%M-%Y'),'Y',null,str_to_date('17-OCT-16','%d-%M-%Y'),1,str_to_date('24-OCT-16','%d-%M-%Y'),'N',null,null,null,'NJ',null,'US',null,null,null,null,null,10,null,null,null,null,null,null);
+
+-- fn_app
+Insert into fn_app (APP_ID,APP_NAME,APP_IMAGE_URL,APP_DESCRIPTION,APP_NOTES,APP_URL,APP_ALTERNATE_URL,APP_REST_ENDPOINT,ML_APP_NAME,ML_APP_ADMIN_ID,MOTS_ID,APP_PASSWORD,OPEN,ENABLED,THUMBNAIL,APP_USERNAME,UEB_KEY,UEB_SECRET,UEB_TOPIC_NAME) VALUES (1,'Default',null,'Some Default Description','Some Default Note',null,null,null,'ECPP','?','1','okYTaDrhzibcbGVq5mjkVQ==','N','N',null,'Default',null,null,'ECOMP-PORTAL-INBOX');
+
+-- fn_user_role
+Insert into fn_user_role (USER_ID,ROLE_ID,PRIORITY,APP_ID) values (1,1,null,1);
+
+commit;
diff --git a/ecomp-sdk/epsdk-app-os/db-scripts/readme b/ecomp-sdk/epsdk-app-os/db-scripts/readme
new file mode 100644
index 00000000..47f2fe1a
--- /dev/null
+++ b/ecomp-sdk/epsdk-app-os/db-scripts/readme
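Review bot: The `fn_user` insert in the DML script seeds an active account (`ACTIVE_YN` 'Y') whose `LOGIN_ID` and `LOGIN_PWD` are both the literal 'demo', stored as clear text, and the `fn_user_role` insert binds that user to role 1 for app 1, so every database built from this script starts with the same known login. Role 1 is defined in the Common script, which is not visible here; if it is an administrative role, this is a default-credential admin account. Seed the row with `ACTIVE_YN` 'N' or without a usable password and have the installer set one, and put a comment above the insert such as `-- demo account: disable or change the password before any shared deployment`. The `fn_app` row likewise carries a fixed `APP_PASSWORD` value that will be identical in every install.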
@@ -0,0 +1,34 @@
+* This Readme file contains a description of open source scripts located in
+
+ epsdk-app-os / db-scripts /
+
+***************************************************************************************************************************************
+
+Directions:
+
+DDL
+For ONAP Amsterdam instance run EcompSdkDDLMySql_1710_Common.sql add script EcompSdkDDLMySql_1710_OS.sql.
+
+EcompSdkDDLMySql_1710_Common.sql - this is the DDL entries that both Opensource and AT&T have in common
+EcompSdkDDLMySql_1710_OS.sql - this is the specific DDL entries that only OS needs, empty placeholder
+
+For ONAP Beijing instance run EcompSdkDDLMySql_2_1_Common.sql add script EcompSdkDDLMySql_2_1_OS.sql.
+
+EcompSdkDDLMySql_2_1_Common.sql - this is the DDL entries that both Opensource and AT&T have in common
+EcompSdkDDLMySql_2_1_OS.sql - this is the specific DDL entries that only OS needs, empty placeholder
+
+DML
+For an ONAP Amsterdam instance run script EcompSdkDMLMySql_1710_Common.sql and script EcompSdkDMLMySql_1710_OS.sql.
+
+EcompSdkDMLMySql_1707_Common.sql - common DML entries
+EcompSdkDMLMySql_1707_OS.sql - DML entries for Opensource needs
+
+For an ONAP Beijing instance run script EcompSdkDMLMySql_2_1_Common.sql and script EcompSdkDMLMySql_2_1_OS.sql.
+
+EcompSdkDMLMySql_2_1_Common.sql - common DML entries
+EcompSdkDMLMySql_2_1_OS.sql - DML entries for Opensource needs
+
+Our Existing Partner Apps can call the following scripts to upgrade from earlier version
+
+EcompSdkMySql_Upgrade_1707_to_1710_Common.sql
+EcompSdkMySql_Rollback_1710_to_1707_Common.sql
diff --git a/ecomp-sdk/epsdk-app-os/db-scripts/readme.txt b/ecomp-sdk/epsdk-app-os/db-scripts/readme.txt
deleted file mode 100644
index 093f77cc..00000000
--- a/ecomp-sdk/epsdk-app-os/db-scripts/readme.txt
+++ /dev/null
@@ -1,24 +0,0 @@ -This Readme file contains a description of open source scripts located in - - epsdk-app-os / db-scripts / - -*************************************************************************************************************************************** - -Directions: - -DDL -For ONAP instance run EcompSdkDDLMySql_1710_Common.sql add script EcompSdkDDLMySql_1710_OS.sql. - -EcompSdkDDLMySql_1710_Common.sql - this is the DDL entries that both Opensource and AT&T have in common -EcompSdkDDLMySql_1710_OS.sql - this is the specific DDL entries that only OS needs - -DML -For an ONAP instance run script EcompSdkDMLMySql_1710_Common.sql and script EcompSdkDMLMySql_1710_OS.sql. - -EcompSdkDMLMySql_1707_Common.sql - common DML entries -EcompSdkDMLMySql_1707_OS.sql - DML entries for Opensource needs - -Our Existing Partner Apps can call the following scripts to upgrade from earlier version - -EcompSdkMySql_Upgrade_1707_to_1710_Common.sql -EcompSdkMySql_Rollback_1710_to_1707_Common.sql diff --git a/ecomp-sdk/epsdk-app-os/pom.xml b/ecomp-sdk/epsdk-app-os/pom.xml index dc8e9d94..db0a455f 100644 --- a/ecomp-sdk/epsdk-app-os/pom.xml +++ b/ecomp-sdk/epsdk-app-os/pom.xml @@ -1,9 +1,11 @@ - + 4.0.0 - + org.onap.portal.sdk @@ -11,9 +13,9 @@ 2.1.0-SNAPSHOT - + epsdk-app-os - + war ONAP Portal SDK Webapp for OpenSource ONAP Portal SDK Web Application for public release @@ -25,6 +27,9 @@ true true + + http://archive.apache.org/dist/tomcat/tomcat-8/v8.0.37/bin + apache-tomcat-8.0.37 @@ -39,7 +44,7 @@ org.apache.maven.plugins maven-surefire-plugin - 2.19.1 + ${skiptests} 
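Review bot: The Tomcat download location added in the pom.xml properties hunk (`@@ -25,6 +27,9 @@`) is `http://archive.apache.org/dist/tomcat/tomcat-8/v8.0.37/bin`, plain HTTP, and the later docker-maven-plugin hunk unpacks the archive with `tar -xzf ${tomcat.download.name}.tar.gz` with no checksum or signature check visible. Whatever the build host receives over the network therefore ends up inside the image. Use the `https://` form of the same URL and verify the archive against the checksum or signature file published next to it before extracting. The pom is shown here with its XML tags stripped, so the property names are inferred from `${tomcat.download.name}`.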
@@ -104,15 +109,48 @@ org.apache.maven.plugins maven-deploy-plugin - 2.8 + true + + io.fabric8 + docker-maven-plugin + 0.22.0 + + true + + + onap/portal-sdk:${project.version} + + frolvlad/alpine-oraclejdk8:slim + + artifact + + + + + tar -xzf ${tomcat.download.name}.tar.gz + rm -f ${tomcat.download.name}.tar.gz + rm -fr ${tomcat.download.name}/webapps/[a-z]* + mkdir -p /opt + mv ${tomcat.download.name} /opt + + + + /opt/${tomcat.download.name}/bin/catalina.sh run + + + + + + + - + diff --git a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java index b3ebed73..71ab7359 100644 --- a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java +++ b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java 
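Review bot: The image is built on `frolvlad/alpine-oraclejdk8:slim`, a third-party base referenced by a floating tag, so the contents of `onap/portal-sdk:${project.version}` can change between builds without any change in this repository. Pinning the base by digest, `frolvlad/alpine-oraclejdk8@sha256:<digest-of-reviewed-image>`, keeps the build reproducible and reviewable. No user switch is visible before `/opt/${tomcat.download.name}/bin/catalina.sh run`, so Tomcat presumably runs as root in the container; add an unprivileged user that owns `/opt/${tomcat.download.name}` and run as that user. The XML markup of this hunk is stripped on the page, so the exact elements carrying these values should be confirmed against the file.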
@@ -39,92 +39,70 @@ package org.onap.portalapp.filter; import java.io.IOException; -import javax.servlet.Filter; +import java.io.UnsupportedEncodingException; + import javax.servlet.FilterChain; -import javax.servlet.FilterConfig; import javax.servlet.ServletException; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletRequestWrapper; +import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang.StringUtils; import org.onap.portalapp.util.SecurityXssValidator; -import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; - -public class SecurityXssFilter implements Filter { - - private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class); - - private SecurityXssValidator validator = SecurityXssValidator.getInstance(); - - class SecurityRequestWrapper extends HttpServletRequestWrapper { - - public SecurityRequestWrapper(HttpServletRequest servletRequest) { - super(servletRequest); - } +import org.springframework.web.filter.OncePerRequestFilter; +import org.springframework.web.util.ContentCachingRequestWrapper; +import org.springframework.web.util.ContentCachingResponseWrapper; +import org.springframework.web.util.WebUtils; - @Override - public String[] getParameterValues(String parameter) { - String[] values = super.getParameterValues(parameter); +public class SecurityXssFilter extends OncePerRequestFilter { - if (values == null) { - return null; - } - - int count = values.length; - String[] encodedValues = new String[count]; - for (int i = 0; i < count; i++) { - encodedValues[i] = stripXss(values[i]); - - } - - return encodedValues; - } + private static final String BAD_REQUEST = "BAD_REQUEST"; - private String stripXss(String value) { - - - return validator.stripXSS(value); - } + private SecurityXssValidator validator = SecurityXssValidator.getInstance(); - @Override - public String getParameter(String 
parameter) { - String value = super.getParameter(parameter); - if (StringUtils.isNotBlank(value)) { - value = stripXss(value); + private static String getRequestData(final HttpServletRequest request) throws UnsupportedEncodingException { + String payload = null; + ContentCachingRequestWrapper wrapper = WebUtils.getNativeRequest(request, ContentCachingRequestWrapper.class); + if (wrapper != null) { + byte[] buf = wrapper.getContentAsByteArray(); + if (buf.length > 0) { + payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding()); } - return value; } + return payload; + } - @Override - public String getHeader(String name) { - String value = super.getHeader(name); - if (StringUtils.isNotBlank(value)) { - value = stripXss(value); + private static String getResponseData(final HttpServletResponse response) throws IOException { + String payload = null; + ContentCachingResponseWrapper wrapper = WebUtils.getNativeResponse(response, + ContentCachingResponseWrapper.class); + if (wrapper != null) { + byte[] buf = wrapper.getContentAsByteArray(); + if (buf.length > 0) { + payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding()); + wrapper.copyBodyToResponse(); } - return value; } - } - - @Override - public void init(FilterConfig filterConfig) throws ServletException { + return payload; } @Override - public void destroy() { - } - - @Override - public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) - throws IOException, ServletException { - - try { + protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) + throws ServletException, IOException { + + if (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT")) { + + HttpServletRequest requestToCache = new ContentCachingRequestWrapper(request); + HttpServletResponse responseToCache = new ContentCachingResponseWrapper(response); + filterChain.doFilter(requestToCache, 
responseToCache); + String requestData = getRequestData(requestToCache); + String responseData = getResponseData(responseToCache); + if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) { + throw new SecurityException(BAD_REQUEST); + } - chain.doFilter(new SecurityRequestWrapper((HttpServletRequest) request), response); - } catch (Exception e) { - logger.error(EELFLoggerDelegate.errorLogger, "doFilter() failed", e); + } else { + filterChain.doFilter(request, response); } - } + } } diff --git a/ecomp-sdk/epsdk-app-os/src/main/resources/key.properties b/ecomp-sdk/epsdk-app-os/src/main/resources/key.properties new file mode 100644 index 00000000..aa3355d1 --- /dev/null +++ b/ecomp-sdk/epsdk-app-os/src/main/resources/key.properties 
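Review bot: The XSS check in `doFilterInternal` runs after `filterChain.doFilter(requestToCache, responseToCache)`, so when `validator.denyXSS(requestData)` rejects a body the application has already processed it, and `getResponseData` has already copied the cached response out with `copyBodyToResponse()`. The `SecurityException` therefore cannot stop a payload from being stored or acted on. The body should be buffered in a re-readable request wrapper and validated before the chain is invoked, with the rejection returned as `response.sendError(HttpServletResponse.SC_BAD_REQUEST)` instead of an unchecked exception. Coverage also shrinks: the removed `SecurityRequestWrapper` sanitised parameters and headers on every request, while the new code inspects only the body of POST and PUT requests. `responseData` is assigned but never used.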
@@ -0,0 +1,41 @@
+###
+# ============LICENSE_START==========================================
+# ONAP Portal SDK
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+###
+
+# Properties read by the ECOMP Framework library (epsdk-fw)
+
+cipher.enc.key = AGLDdG4D04BKm2IxIWEr8o==
\ No newline at end of file
-- cgit 1.2.3-korg
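Review bot: `cipher.enc.key` is committed with a literal value, so the key the framework library reads is public and identical for every deployment built from this repository. Anything encrypted under it can be decrypted by anyone with the source, presumably including the `APP_PASSWORD` value seeded by the DML script in this same commit. Commit a placeholder such as `cipher.enc.key = <generate-per-deployment>`, load the real key from the environment or a secrets store at deploy time, and treat the committed value as compromised. A comment above the property should say that the key must be generated per installation and never checked in.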