From a37fe92b5daca76aabd50ff1e6920670b30b84ee Mon Sep 17 00:00:00 2001 From: st782s Date: Thu, 2 Nov 2017 17:05:10 -0400 Subject: Security vulnerability Handle Session issues and security vulnerability login issue to by preventing sql injection attack Issue: PORTAL-137 Change-Id: I16eeacd6958af1a8274259e5dc0a008c5f64fb9f Signed-off-by: st782s --- .../portalsdk/core/service/LoginServiceImpl.java | 257 +++++++++------------ 1 file changed, 113 insertions(+), 144 deletions(-) (limited to 'ecomp-sdk/epsdk-core/src/main/java/org/openecomp/portalsdk/core/service/LoginServiceImpl.java') diff --git a/ecomp-sdk/epsdk-core/src/main/java/org/openecomp/portalsdk/core/service/LoginServiceImpl.java b/ecomp-sdk/epsdk-core/src/main/java/org/openecomp/portalsdk/core/service/LoginServiceImpl.java index a38a16ff..9ba7dcf8 100644 --- a/ecomp-sdk/epsdk-core/src/main/java/org/openecomp/portalsdk/core/service/LoginServiceImpl.java +++ b/ecomp-sdk/epsdk-core/src/main/java/org/openecomp/portalsdk/core/service/LoginServiceImpl.java @@ -1,6 +1,6 @@ /*- * ================================================================================ - * eCOMP Portal SDK + * ECOMP Portal SDK * ================================================================================ * Copyright (C) 2017 AT&T Intellectual Property * ================================================================================ @@ -24,11 +24,13 @@ import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; import java.util.List; +import java.util.Map; import java.util.Set; import org.openecomp.portalsdk.core.command.LoginBean; import org.openecomp.portalsdk.core.domain.Role; import org.openecomp.portalsdk.core.domain.User; +import org.openecomp.portalsdk.core.logging.logic.EELFLoggerDelegate; import org.openecomp.portalsdk.core.menu.MenuBuilder; import org.openecomp.portalsdk.core.service.support.FusionService; import org.openecomp.portalsdk.core.util.SystemProperties; 
@@ -40,161 +42,128 @@ import org.springframework.transaction.annotation.Transactional; @Transactional public class LoginServiceImpl extends FusionService implements LoginService { - @SuppressWarnings("unused") - private MenuBuilder menuBuilder; - - @Autowired - private DataAccessService dataAccessService; - - @SuppressWarnings("rawtypes") - public LoginBean findUser(LoginBean bean, String menuPropertiesFilename, HashMap additionalParams ) throws Exception { - return findUser(bean, menuPropertiesFilename, additionalParams, true); - } - - @SuppressWarnings("rawtypes") - public LoginBean findUser(LoginBean bean, String menuPropertiesFilename, HashMap additionalParams, boolean matchPassword) throws Exception { - User user = null; - User userCopy = null; - - if (bean.getUserid() != null && bean.getUserid() != null) { - user = (User)findUser(bean); - } - else { - if (matchPassword) - user = (User)findUser(bean.getLoginId(), bean.getLoginPwd()); - else - user = (User)findUserWithoutPwd(bean.getLoginId()); - } - - if (user != null) { - - // raise an error if the application is locked and the user does not have system administrator privileges - if (AppUtils.isApplicationLocked() && !UserUtils.hasRole(user, SystemProperties.getProperty(SystemProperties.SYS_ADMIN_ROLE_ID))) { - bean.setLoginErrorMessage(SystemProperties.MESSAGE_KEY_LOGIN_ERROR_APPLICATION_LOCKED); - } - - // raise an error if the user is inactive - if (!user.getActive()) { - bean.setLoginErrorMessage(SystemProperties.MESSAGE_KEY_LOGIN_ERROR_USER_INACTIVE); - } - - // raise an error if no active roles exist for the user -// boolean hasActiveRole = false; -// Iterator roles = user.getRoles().iterator(); -// while (roles.hasNext()) { -// Role role = (Role)roles.next(); -// if (role.getActive()) { -// hasActiveRole = true; -// break; -// } -// } - -// if (!hasActiveRole) { -// bean.setLoginErrorMessage(SystemProperties.MESSAGE_KEY_LOGIN_ERROR_USER_INACTIVE); -// } - if (!userHasActiveRoles(user)) { - 
bean.setLoginErrorMessage(SystemProperties.MESSAGE_KEY_LOGIN_ERROR_USER_INACTIVE); - } - // only login the user if no errors have occurred - if (bean.getLoginErrorMessage() == null) { - - // this will be a snapshot of the user's information as retrieved from the database - userCopy = (User)user.clone(); - - // update the last logged in date for the user - user.setLastLoginDate(new Date()); - getDataAccessService().saveDomainObject(user, additionalParams); - - // update the audit log of the user - //Check for the client device type and set log attributes appropriately - - - // save the above changes to the User and their audit trail - - // create the application menu based on the user's privileges - Set appMenu = getMenuBuilder().getMenu(SystemProperties.getProperty(SystemProperties.APPLICATION_MENU_SET_NAME),dataAccessService); - bean.setMenu(appMenu != null?appMenu:new HashSet()); - Set businessDirectMenu = getMenuBuilder().getMenu(SystemProperties.getProperty(SystemProperties.BUSINESS_DIRECT_MENU_SET_NAME),dataAccessService); - bean.setBusinessDirectMenu(businessDirectMenu != null?businessDirectMenu:new HashSet()); - - bean.setUser(userCopy); - } - - } - - return bean; - } - - private boolean userHasActiveRoles(User user) { - boolean hasActiveRole = false; - @SuppressWarnings("rawtypes") - Iterator roles = user.getRoles().iterator(); - while (roles.hasNext()) { - Role role = (Role)roles.next(); - if (role.getActive()) { - hasActiveRole = true; - break; - } - } - return hasActiveRole; - } - - @SuppressWarnings("rawtypes") - public User findUser(String loginId, String password) { - List list = null; - - StringBuffer criteria = new StringBuffer(); - criteria.append(" where login_id = '").append(loginId).append("'") - .append(" and login_pwd = '").append(password).append("'"); - - list = getDataAccessService().getList(User.class, criteria.toString(), null, null); + private static final EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(LoginServiceImpl.class); 
- return (list == null || list.size() == 0) ? null : (User)list.get(0); - } - - @SuppressWarnings("rawtypes") - private User findUserWithoutPwd(String loginId) { - List list = null; + @Autowired + private DataAccessService dataAccessService; - StringBuffer criteria = new StringBuffer(); - criteria.append(" where login_id = '").append(loginId).append("'"); - - list = getDataAccessService().getList(User.class, criteria.toString(), null, null); - - return (list == null || list.size() == 0) ? null : (User)list.get(0); - } - - @SuppressWarnings("rawtypes") - public User findUser(LoginBean bean) { - List list = null; - - StringBuffer criteria = new StringBuffer(); - criteria.append(" where org_user_id = '").append(bean.getUserid()).append("'"); - - list = getDataAccessService().getList(User.class, criteria.toString(), null, null); + @Override + @SuppressWarnings("rawtypes") + public LoginBean findUser(LoginBean bean, String menuPropertiesFilename, HashMap additionalParams) { + return findUser(bean, menuPropertiesFilename, additionalParams, true); + } - return (list == null || list.size() == 0) ? 
null : (User)list.get(0); - } + @Override + @SuppressWarnings("rawtypes") + public LoginBean findUser(LoginBean bean, String menuPropertiesFilename, HashMap additionalParams, + boolean matchPassword) { + + User user; + if (bean.getUserid() != null && bean.getUserid() != null) { + user = findUser(bean); + } else { + if (matchPassword) + user = findUser(bean.getLoginId(), bean.getLoginPwd()); + else + user = findUserWithoutPwd(bean.getLoginId()); + } + if (user != null) { + // raise an error if the application is locked and the user does not have system + // administrator privileges + if (AppUtils.isApplicationLocked() + && !UserUtils.hasRole(user, SystemProperties.getProperty(SystemProperties.SYS_ADMIN_ROLE_ID))) { + bean.setLoginErrorMessage(SystemProperties.MESSAGE_KEY_LOGIN_ERROR_APPLICATION_LOCKED); + } + + // raise an error if the user is inactive + if (!user.getActive()) { + bean.setLoginErrorMessage(SystemProperties.MESSAGE_KEY_LOGIN_ERROR_USER_INACTIVE); + } + + if (!userHasActiveRoles(user)) { + bean.setLoginErrorMessage(SystemProperties.MESSAGE_KEY_LOGIN_ERROR_USER_INACTIVE); + } + // only login the user if no errors have occurred + if (bean.getLoginErrorMessage() == null) { + + // this will be a snapshot of the user's information as retrieved from the + // database + User userCopy = null; + try { + userCopy = (User) user.clone(); + } catch (CloneNotSupportedException ex) { + // Never happens + logger.error(EELFLoggerDelegate.errorLogger, "findUser failed", ex); + } + + // update the last logged in date for the user + user.setLastLoginDate(new Date()); + dataAccessService.saveDomainObject(user, additionalParams); + + // update the audit log of the user + // Check for the client device type and set log attributes appropriately + + // save the above changes to the User and their audit trail + + // create the application menu based on the user's privileges + Set appMenu = getMenuBuilder().getMenu( + 
SystemProperties.getProperty(SystemProperties.APPLICATION_MENU_SET_NAME), dataAccessService); + bean.setMenu(appMenu != null ? appMenu : new HashSet()); + Set businessDirectMenu = getMenuBuilder().getMenu( + SystemProperties.getProperty(SystemProperties.BUSINESS_DIRECT_MENU_SET_NAME), + dataAccessService); + bean.setBusinessDirectMenu(businessDirectMenu != null ? businessDirectMenu : new HashSet()); + + bean.setUser(userCopy); + } - public MenuBuilder getMenuBuilder() { - return new MenuBuilder(); - } + } + return bean; + } - public void setMenuBuilder(MenuBuilder menuBuilder) { - this.menuBuilder = menuBuilder; - } + private boolean userHasActiveRoles(User user) { + boolean hasActiveRole = false; + @SuppressWarnings("rawtypes") + Iterator roles = user.getRoles().iterator(); + while (roles.hasNext()) { + Role role = (Role) roles.next(); + if (role.getActive()) { + hasActiveRole = true; + break; + } + } + return hasActiveRole; + } - - public DataAccessService getDataAccessService() { - return dataAccessService; + @SuppressWarnings("rawtypes") + private User findUser(String loginId, String password) { + Map params = new HashMap<>(); + params.put("login_id", loginId); + params.put("login_pwd", password); + List list = dataAccessService.executeNamedQuery("getUserByLoginIdLoginPwd", params, new HashMap()); + return (list == null || list.isEmpty()) ? null : (User) list.get(0); } + @SuppressWarnings("rawtypes") + private User findUserWithoutPwd(String loginId) { + Map params = new HashMap<>(); + params.put("login_id", loginId); + List list = dataAccessService.executeNamedQuery("getUserByLoginId", params, new HashMap()); + return (list == null || list.isEmpty()) ? 
null : (User) list.get(0); + } - public void setDataAccessService(DataAccessService dataAccessService) { - this.dataAccessService = dataAccessService; + @SuppressWarnings("rawtypes") + private User findUser(LoginBean bean) { + Map params = new HashMap<>(); + params.put("org_user_id", bean.getUserid()); + List list = dataAccessService.executeNamedQuery("getUserByOrgUserId", params, new HashMap()); + return (list == null || list.isEmpty()) ? null : (User) list.get(0); } + private MenuBuilder getMenuBuilder() { + return new MenuBuilder(); + } } -- cgit 1.2.3-korg
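Review bot: In the new four-argument `findUser`, the `catch (CloneNotSupportedException ex)` block only logs, so `userCopy` stays null while the last-login date is still saved and `bean.setUser(userCopy)` runs with no login error set; the caller receives a bean that reports no failure but carries no user. On an authentication path it is safer to fail closed, for example `throw new IllegalStateException("User clone failed", ex);` in the catch instead of the log-only handler. Separately, the injection fix depends on the named queries `getUserByLoginIdLoginPwd`, `getUserByLoginId` and `getUserByOrgUserId`, which are defined outside this diff, so it is worth confirming that they bind `login_id`, `login_pwd` and `org_user_id` as parameters rather than substituting them into the query text. The condition `bean.getUserid() != null && bean.getUserid() != null` tests the same thing twice and was carried over unchanged; the second operand was presumably meant to check something else.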