From e3982f6c2a13c903947a66d89e1af1ccbb161e5f Mon Sep 17 00:00:00 2001
From: "Christopher Lott (cl778h)" <clott@research.att.com>
Date: Fri, 20 Oct 2017 08:22:19 -0400
Subject: Role management; security vulnerabilities.

Extend user/role management interface to allow role deletion.
Add filters to defend against common web Javascript attacks.
Drop Greensock code with unusable license.
Use OParent in EPSDK web application.

Issue: US324470, US342324, PORTAL-127
Change-Id: I3a10744fbbbdbda7c88d2b2e542e72e779c9b142
Signed-off-by: Christopher Lott (cl778h) <clott@research.att.com>
---
 .../org/onap/portalsdk/core/onboarding/rest/RestWebServiceClient.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/rest/RestWebServiceClient.java')

diff --git a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/rest/RestWebServiceClient.java b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/rest/RestWebServiceClient.java
index 1533db79..91f019be 100644
--- a/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/rest/RestWebServiceClient.java
+++ b/ecomp-sdk/epsdk-fw/src/main/java/org/onap/portalsdk/core/onboarding/rest/RestWebServiceClient.java
@@ -49,6 +49,8 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.onap.portalsdk.core.onboarding.util.PortalApiConstants;
 import org.onap.portalsdk.core.onboarding.util.PortalApiProperties;
+import org.owasp.esapi.ESAPI;
+
 
 /**
  * Simple REST client for GET, POST and DELETE operations against the Portal
@@ -209,7 +211,7 @@ public class RestWebServiceClient {
 
 		// add request header
 		con.setRequestProperty("uebkey", appUebKey);
-		con.setRequestProperty("LoginId", loginId);
+		con.setRequestProperty("LoginId", ESAPI.encoder().canonicalize(loginId));
 		con.setRequestProperty("user-agent", appName);
 		con.setRequestProperty("X-ECOMP-RequestID", requestId);
 		con.setRequestProperty("username", appUserName);
-- 
cgit 1.2.3-korg