aboutsummaryrefslogtreecommitdiff
path: root/id/server/modules
diff options
context:
space:
mode:
authorThomas Lenz <thomas.lenz@egiz.gv.at>2017-11-26 21:04:51 +0100
committerThomas Lenz <thomas.lenz@egiz.gv.at>2017-11-26 21:04:51 +0100
commitcc09b52b5cb1c93543d8b4353dfc59b8192e79af (patch)
treec66cabed572557945ff66da64d3babe8df11143d /id/server/modules
parent7cba2dfc31076ac4ec9f4a46bc4901e7dd082121 (diff)
downloadmoa-id-spss-cc09b52b5cb1c93543d8b4353dfc59b8192e79af.tar.gz
moa-id-spss-cc09b52b5cb1c93543d8b4353dfc59b8192e79af.tar.bz2
moa-id-spss-cc09b52b5cb1c93543d8b4353dfc59b8192e79af.zip
add String escaping on same methods
Diffstat (limited to 'id/server/modules')
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java36
-rw-r--r--id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java2
-rw-r--r--id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java7
3 files changed, 22 insertions, 23 deletions
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java
index 09c64c267..7bb07df74 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java
@@ -94,24 +94,24 @@ public class ParepUtils {
return str == null || "".equals(str);
}
- /**
- * Reads a XML document from an input stream (namespace-aware).
- *
- * @param is
- * the input stream to read from.
- * @return the read XML document.
- * @throws SZRGWClientException
- * if an error occurs reading the document from the input stream.
- */
- public static Document readDocFromIs(InputStream is) throws SZRGWClientException {
- try {
- DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
- f.setNamespaceAware(true);
- return f.newDocumentBuilder().parse(is);
- } catch (Exception e) {
- throw new SZRGWClientException(e);
- }
- }
+// /**
+// * Reads a XML document from an input stream (namespace-aware).
+// *
+// * @param is
+// * the input stream to read from.
+// * @return the read XML document.
+// * @throws SZRGWClientException
+// * if an error occurs reading the document from the input stream.
+// */
+// public static Document readDocFromIs(InputStream is) throws SZRGWClientException {
+// try {
+// DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
+// f.setNamespaceAware(true);
+// return f.newDocumentBuilder().parse(is);
+// } catch (Exception e) {
+// throw new SZRGWClientException(e);
+// }
+// }
// /*
// *
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
index b2522ea33..b7c54203f 100644
--- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
@@ -71,7 +71,7 @@ class OAuth20AuthAction implements IAction {
revisionsLogger.logEvent(req, MOAIDEventConstants.AUTHPROTOCOL_OPENIDCONNECT_AUTHREQUEST);
- String code = Random.nextRandom();
+ String code = Random.nextHexRandom32();
try {
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java
index 7d1bfd7b9..a37beac70 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java
@@ -50,6 +50,7 @@ import javax.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang.StringEscapeUtils;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
@@ -186,7 +187,7 @@ public class SSOTransferServlet{
Logger.debug("Receive " + this.getClass().getName() + " request");
Object tokenObj = req.getParameter(SSOTransferConstants.REQ_PARAM_TOKEN);
if (tokenObj != null && tokenObj instanceof String) {
- String token = (String)tokenObj;
+ String token = StringEscapeUtils.escapeHtml((String)tokenObj);
try {
Logger.debug("Load token:" + token + " from storage.");
SSOTransferContainer container = transactionStorage.get(token, SSOTransferContainer.class, transmisionTimeOut * 1000);
@@ -285,7 +286,7 @@ public class SSOTransferServlet{
Object tokenObj = req.getParameter(SSOTransferConstants.REQ_PARAM_TOKEN);
if (tokenObj != null && tokenObj instanceof String) {
- String token = (String)tokenObj;
+ String token = StringEscapeUtils.escapeHtml((String)tokenObj);
try {
SSOTransferContainer container = transactionStorage.get(token, SSOTransferContainer.class, transmisionTimeOut);
if (container != null) {
@@ -402,8 +403,6 @@ public class SSOTransferServlet{
null);
if (ssomanager.isValidSSOSession(ssoid, null)) {
- //Object createQRObj = req.getParameter(SSOTransferConstants.REQ_PARAM_GENERATE_QR);
-
//create first step of SSO Transfer GUI
IAuthenticationSession authSession = authenticationSessionStorage.getInternalMOASessionWithSSOID(ssoid);