authorThomas Lenz <tlenz@iaik.tugraz.at>2017-11-27 15:33:37 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2017-11-27 15:33:37 +0100
commite392f06a8e1920e4404f11f74c8f51795ad590a6 (patch)
tree74d06da7d89582d1448cbb0a3c0c8d1858318b06 /id/ConfigWebTool
parent813e08137530dba321db7807bd1bb5a53af80541 (diff)
downloadmoa-id-spss-e392f06a8e1920e4404f11f74c8f51795ad590a6.tar.gz
moa-id-spss-e392f06a8e1920e4404f11f74c8f51795ad590a6.tar.bz2
moa-id-spss-e392f06a8e1920e4404f11f74c8f51795ad590a6.zip
add some more escaping
Diffstat (limited to 'id/ConfigWebTool')
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java32
1 files changed, 7 insertions, 25 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
index df1786402..bf75a3068 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
@@ -39,7 +39,6 @@ import org.apache.log4j.Logger;
import org.joda.time.DateTime;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
-import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
@@ -51,34 +50,18 @@ import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
-import org.opensaml.saml2.metadata.IDPSSODescriptor;
-import org.opensaml.security.MetadataCredentialResolver;
-import org.opensaml.security.MetadataCredentialResolverFactory;
-import org.opensaml.security.MetadataCriteria;
-import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xml.parse.BasicParserPool;
-import org.opensaml.xml.security.CriteriaSet;
-import org.opensaml.xml.security.credential.UsageType;
-import org.opensaml.xml.security.criteria.EntityIDCriteria;
-import org.opensaml.xml.security.criteria.UsageCriteria;
-import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver;
-import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
-import org.opensaml.xml.security.keyinfo.KeyInfoProvider;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
-import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider;
-import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider;
-import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider;
import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.Signature;
-import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
-import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.OnlineApplication;
import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase;
+import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.OnlineApplication;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.commons.validation.ValidationHelper;
import at.gv.egovernment.moa.id.config.webgui.exception.ConfigurationException;
@@ -86,7 +69,6 @@ import at.gv.egovernment.moa.id.configuration.Constants;
import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser;
import at.gv.egovernment.moa.id.configuration.auth.AuthenticationManager;
import at.gv.egovernment.moa.id.configuration.auth.pvp2.PVP2Utils;
-import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider;
import at.gv.egovernment.moa.id.configuration.data.UserDatabaseFrom;
import at.gv.egovernment.moa.id.configuration.exception.BasicActionException;
import at.gv.egovernment.moa.id.configuration.helper.AuthenticationHelper;
@@ -160,7 +142,7 @@ public class IndexAction extends BasicAction {
if (MiscUtil.isNotEmpty(username)) {
if (ValidationHelper.containsNotValidCharacter(username, false)) {
- log.warn("Username contains potentail XSS characters: " + username);
+ log.warn("Username contains potentail XSS characters: " + StringEscapeUtils.escapeHtml(username));
addActionError(LanguageHelper.getErrorString("validation.edituser.username.valid",
new Object[] {ValidationHelper.getNotValidCharacter(false)}, request ));
return Constants.STRUTS_ERROR;
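Review bot: Wrapping the username in `StringEscapeUtils.escapeHtml` on the `+` line does not cover the risk that matters for a log sink, which is line forging via CR/LF: HTML entity encoding leaves `\r` and `\n` untouched, and log4j writes the message text verbatim, so a crafted username can still split or fake log records. The same pattern is repeated in the hunks at `@@ -197`, `@@ -615`, `@@ -628` and `@@ -640`. If these messages are only ever read from the log file, a control-character strip such as `log.warn("Username contains potentail XSS characters: " + username.replaceAll("[\\r\\n]", "_"));` (or a layout that encodes control characters) is the appropriate treatment; HTML escaping is only meaningful if the log output is later rendered into a web page, which the hunk does not show. The shown import hunks add no `StringEscapeUtils` import, so this compiles only if it was already imported above line 39, which is outside the view. The enclosing method starts and ends outside the hunk.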
@@ -197,13 +179,13 @@ public class IndexAction extends BasicAction {
dbuser.setIsUsernamePasswordAllowed(true);
if (!dbuser.isIsActive() || !dbuser.isIsUsernamePasswordAllowed()) {
- log.warn("Username " + dbuser.getUsername() + " is not active or Username/Password login is not allowed");
+ log.warn("Username " + StringEscapeUtils.escapeHtml(dbuser.getUsername()) + " is not active or Username/Password login is not allowed");
addActionError(LanguageHelper.getErrorString("webpages.index.login.notallowed", request));
return Constants.STRUTS_ERROR;
}
if (!dbuser.getPassword().equals(key)) {
- log.warn("Username " + dbuser.getUsername() + " use a false password");
+ log.warn("Username " + StringEscapeUtils.escapeHtml(dbuser.getUsername()) + " use a false password");
addActionError(LanguageHelper.getErrorString("webpages.index.login.notallowed", request));
return Constants.STRUTS_ERROR;
}
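Review bot: The context line `if (!dbuser.getPassword().equals(key))` compares the stored credential with a plain `equals`, which short-circuits on the first differing byte and so is not constant-time; a length-independent compare such as `MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8), key.getBytes(StandardCharsets.UTF_8))` removes the timing side channel. Whether `getPassword()` returns a hash or a cleartext value, and what `key` is derived from, is not visible in this hunk, so the severity cannot be judged from here. The enclosing method starts and ends outside the hunk.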
@@ -615,7 +597,7 @@ public class IndexAction extends BasicAction {
check = user.getInstitut();
if (MiscUtil.isNotEmpty(check)) {
if (ValidationHelper.containsNotValidCharacter(check, false)) {
- log.warn("Organisation contains potentail XSS characters: " + check);
+ log.warn("Organisation contains potentail XSS characters: " + StringEscapeUtils.escapeHtml(check));
addActionError(LanguageHelper.getErrorString("validation.edituser.institut.valid",
new Object[] {ValidationHelper.getNotValidCharacter(false)}, request ));
}
@@ -628,7 +610,7 @@ public class IndexAction extends BasicAction {
check = user.getMail();
if (MiscUtil.isNotEmpty(check)) {
if (!ValidationHelper.isEmailAddressFormat(check)) {
- log.warn("Mailaddress is not valid: " + check);
+ log.warn("Mailaddress is not valid: " + StringEscapeUtils.escapeHtml(check));
addActionError(LanguageHelper.getErrorString("validation.edituser.mail.valid",
new Object[] {ValidationHelper.getNotValidCharacter(false)}, request ));
}
@@ -640,7 +622,7 @@ public class IndexAction extends BasicAction {
check = user.getPhone();
if (MiscUtil.isNotEmpty(check)) {
if (!ValidationHelper.validatePhoneNumber(check)) {
- log.warn("No valid Phone Number: " + check);
+ log.warn("No valid Phone Number: " + StringEscapeUtils.escapeHtml(check));
addActionError(LanguageHelper.getErrorString("validation.edituser.phone.valid",
new Object[] {ValidationHelper.getNotValidCharacter(false)}, request ));
}