Diffstat (limited to 'id/server/idserverlib')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/Digester.java48
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/PrettyPrinter.java323
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/XMLUtil.java143
8 files changed, 10 insertions, 521 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
index 5f74d8fdd..67611dd72 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
@@ -254,7 +254,8 @@ public abstract class AbstractController extends MOAIDAuthConstants {
//add stacktrace if debug is enabled
if (Logger.isTraceEnabled()) {
- config.putCustomParameter("stacktrace", getStacktraceFromException(error));
+ config.putCustomParameter("stacktrace",
+ StringEscapeUtils.escapeHtml(getStacktraceFromException(error)));
}
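Review bot: Escaping the stack trace makes it safe only as HTML text content; commons-lang `StringEscapeUtils.escapeHtml` does not encode the apostrophe, so if the `stacktrace` custom parameter is rendered inside a single-quoted attribute or a script block in the error template the escaping is insufficient, and encoding is better done in the view where the output context is known. Independently of XSS, handing a server stack trace to the client is information disclosure even behind the `isTraceEnabled()` guard; consider logging the trace server-side and putting only an error reference id into the page, e.g. `config.putCustomParameter("errorRef", errorRef);` with `Logger.trace(getStacktraceFromException(error));`. The `StringEscapeUtils` import is not visible in this hunk, presumably already present in AbstractController. The enclosing method starts and ends outside the hunk.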
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
index a146f778e..19f3fdc54 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
@@ -28,6 +28,7 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang.StringEscapeUtils;
import org.opensaml.saml2.core.LogoutResponse;
import org.opensaml.saml2.metadata.SingleLogoutService;
import org.springframework.beans.factory.annotation.Autowired;
@@ -93,9 +94,9 @@ public class IDPSingleLogOutServlet extends AbstractController {
String ssoid = ssoManager.getSSOSessionID(req);
- Object restartProcessObj = req.getParameter(MOAIDAuthConstants.PARAM_SLORESTART);
+ Object restartProcessObj = StringEscapeUtils.escapeHtml(req.getParameter(MOAIDAuthConstants.PARAM_SLORESTART));
- Object tokkenObj = req.getParameter(MOAIDAuthConstants.PARAM_SLOSTATUS);
+ Object tokkenObj = StringEscapeUtils.escapeHtml(req.getParameter(MOAIDAuthConstants.PARAM_SLOSTATUS));
String tokken = null;
String status = null;
if (tokkenObj != null && tokkenObj instanceof String) {
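Review bot: HTML-escaping `PARAM_SLORESTART` and `PARAM_SLOSTATUS` at read time alters the value before it is used as a token/status in the logic below, so a legitimate value containing `&`, `<`, `>` or `"` would no longer match whatever it is compared against; escaping belongs at the output, while input should be checked against the format the token actually uses, e.g. `if (tokken != null && !tokken.matches("[A-Za-z0-9_-]+")) tokken = null;` adapted to the real character set. The `Object` declarations followed by `instanceof String` are now redundant because `escapeHtml` always returns a `String` (or `null` for `null` input, so the existing null check still works). The method continues outside the hunk.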
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
index be511d888..a7f911845 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java
@@ -65,7 +65,7 @@ public class RedirectServlet {
Logger.debug("Receive " + RedirectServlet.class + " Request");
String url = req.getParameter(REDIRCT_PARAM_URL);
- String target = req.getParameter(MOAIDAuthConstants.PARAM_TARGET);
+ String target = StringEscapeUtils.escapeHtml(req.getParameter(MOAIDAuthConstants.PARAM_TARGET));
String artifact = req.getParameter(MOAIDAuthConstants.PARAM_SAMLARTIFACT);
String interIDP = req.getParameter(MOAIDAuthConstants.INTERFEDERATION_IDP);
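Review bot: Only `target` is escaped here while `url`, `artifact` and `interIDP` are read raw, and `url` is the redirect destination — HTML escaping would not protect a redirect in any case; what matters is that `url` is checked against the configured allowed redirect targets before the response is sent, which happens outside the hunk (if at all) and cannot be confirmed from it. If `target` is used for lookups rather than only rendered, escaping it here changes the value; a format check such as `if (target != null && !target.matches("[A-Za-z0-9_.-]+")) target = null;` is the input-side control, with encoding done in the view. The `StringEscapeUtils` import is not visible in this hunk. The method continues outside the hunk.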
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index aff2c83ad..3770dad2f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -161,7 +161,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
Logger.info("Remove active user-session");
if(internalMOASsoSessionID == null) {
- internalMOASsoSessionID = (String) request.getParameter(PARAM_SESSIONID);
+ internalMOASsoSessionID = StringEscapeUtils.escapeHtml((String) request.getParameter(PARAM_SESSIONID));
}
if(internalMOASsoSessionID == null) {
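Review bot: HTML-escaping a session identifier at read time is a mismatch: if `PARAM_SESSIONID` values are random tokens the escape is a no-op, and if they can contain `&`, `<`, `>` or `"` the escaped string will not match the stored session, so the subsequent `== null` check does not catch the failed lookup. Validate the identifier's length and character set instead, e.g. `if (internalMOASsoSessionID != null && !internalMOASsoSessionID.matches("[A-Za-z0-9_-]{1,128}")) internalMOASsoSessionID = null;` adapted to the real id format, and encode only when rendering. Accepting a session id from a request parameter rather than a cookie also exposes it to server logs and Referer headers; a comment on why this fallback is needed would help. The `StringEscapeUtils` import is not visible in this hunk. The method continues outside the hunk.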
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java
index 0f9b615a4..aebcf372e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java
@@ -27,6 +27,7 @@ import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang.StringEscapeUtils;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
@@ -51,7 +52,7 @@ public class ProtocolFinalizationController extends AbstractAuthProtocolModulCon
public void finalizeAuthProtocol(HttpServletRequest req, HttpServletResponse resp) throws MOAIDException, IOException {
//read pendingRequest from http request
- Object idObject = req.getParameter(PARAM_TARGET_PENDINGREQUESTID);
+ Object idObject = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_TARGET_PENDINGREQUESTID));
IRequest pendingReq = null;
String pendingRequestID = null;
if (idObject != null && (idObject instanceof String)) {
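Review bot: `StringEscapeUtils.escapeHtml` returns a `String`, so declaring `idObject` as `Object` and testing `instanceof String` on the following line is now dead logic; `String pendingRequestID = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_TARGET_PENDINGREQUESTID));` expresses the same thing directly. The pending-request id is a lookup key, so if stored ids can contain characters affected by HTML escaping the lookup silently fails; a character-set check on the raw value is the safer input-side control, with encoding left to the view. The method continues outside the hunk.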
@@ -61,7 +62,7 @@ public class ProtocolFinalizationController extends AbstractAuthProtocolModulCon
}
//receive an authentication error
- String errorid = req.getParameter(ERROR_CODE_PARAM);
+ String errorid = StringEscapeUtils.escapeHtml(req.getParameter(ERROR_CODE_PARAM));
if (errorid != null) {
try {
//load stored exception from database
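Review bot: `errorid` is used right below as a key to load a stored exception from the database, so HTML-escaping it is unrelated to that use; the relevant controls are that the lookup is parameterized (not visible in this hunk) and that the value conforms to the expected id format, e.g. `if (errorid != null && !errorid.matches("[A-Za-z0-9_-]{1,64}")) errorid = null;` before the `try`. If `errorid` is later echoed into the error page, the required encoding depends on the output context, which this line cannot know. The method continues outside the hunk.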
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/Digester.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/Digester.java
deleted file mode 100644
index d715b8b7b..000000000
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/Digester.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-package at.gv.egovernment.moa.id.protocols.pvp2x.utils;
-
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-
-public class Digester {
- public static String byteArrayToHexString(byte[] b) {
- String result = "";
- for (int i=0; i < b.length; i++) {
- result +=
- Integer.toString( ( b[i] & 0xff ) + 0x100, 16).substring( 1 );
- }
- return result;
- }
-
- public static String toSHA1(byte[] convertme) {
- MessageDigest md = null;
- try {
- md = MessageDigest.getInstance("SHA-1");
- }
- catch(NoSuchAlgorithmException e) {
- e.printStackTrace();
- }
- return byteArrayToHexString(md.digest(convertme));
- }
-}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/PrettyPrinter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/PrettyPrinter.java
deleted file mode 100644
index c40731576..000000000
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/PrettyPrinter.java
+++ /dev/null
@@ -1,323 +0,0 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- ******************************************************************************/
-package at.gv.egovernment.moa.id.protocols.pvp2x.utils;
-
-import java.io.*;
-import javax.xml.parsers.*;
-import javax.xml.transform.*;
-import javax.xml.transform.dom.*;
-import javax.xml.transform.stream.*;
-
-import org.w3c.dom.Document;
-
-import org.xml.sax.*;
-import org.xml.sax.helpers.*;
-
-
-/**
-This class "pretty prints" an XML stream to something more human-readable.
-It duplicates the character content with some modifications to whitespace,
-restoring line breaks and a simple pattern of indenting child elements.
-
-This version of the class acts as a SAX 2.0 <code>DefaultHandler</code>,
-so to provide the unformatted XML just pass a new instance to a SAX parser.
-Its output is via the {@link #toString toString} method.
-
-One major limitation: we gather character data for elements in a single
-buffer, so mixed-content documents will lose a lot of data! This works
-best with data-centric documents where elements either have single values
-or child elements, but not both.
-
-@author Will Provost
-*/
-/*
-Copyright 2002-2003 by Will Provost.
-All rights reserved.
-*/
-public class PrettyPrinter
- extends DefaultHandler
-{
- /**
- Convenience method to wrap pretty-printing SAX pass over existing content.
- */
- public static String prettyPrint (byte[] content)
- {
- try
- {
- PrettyPrinter pretty = new PrettyPrinter ();
- SAXParserFactory factory = SAXParserFactory.newInstance ();
- factory.setFeature
- ("http://xml.org/sax/features/namespace-prefixes", true);
- factory.newSAXParser ().parse
- (new ByteArrayInputStream (content), pretty);
- return pretty.toString ();
- }
- catch (Exception ex)
- {
- ex.printStackTrace ();
- return "EXCEPTION: " + ex.getClass ().getName () + " saying \"" +
- ex.getMessage () + "\"";
- }
- }
-
- /**
- Convenience method to wrap pretty-printing SAX pass over existing content.
- */
- public static String prettyPrint (String content)
- {
- try
- {
- PrettyPrinter pretty = new PrettyPrinter ();
- SAXParserFactory factory = SAXParserFactory.newInstance ();
- factory.setFeature
- ("http://xml.org/sax/features/namespace-prefixes", true);
- factory.newSAXParser ().parse (content, pretty);
- return pretty.toString ();
- }
- catch (Exception ex)
- {
- ex.printStackTrace ();
- return "EXCEPTION: " + ex.getClass ().getName () + " saying \"" +
- ex.getMessage () + "\"";
- }
- }
-
- /**
- Convenience method to wrap pretty-printing SAX pass over existing content.
- */
- public static String prettyPrint (InputStream content)
- {
- try
- {
- PrettyPrinter pretty = new PrettyPrinter ();
- SAXParserFactory factory = SAXParserFactory.newInstance ();
- factory.setFeature
- ("http://xml.org/sax/features/namespace-prefixes", true);
- factory.newSAXParser ().parse (content, pretty);
- return pretty.toString ();
- }
- catch (Exception ex)
- {
- ex.printStackTrace ();
- return "EXCEPTION: " + ex.getClass ().getName () + " saying \"" +
- ex.getMessage () + "\"";
- }
- }
-
- /**
- Convenience method to wrap pretty-printing SAX pass over existing content.
- */
- public static String prettyPrint (Document doc)
- throws TransformerException
- {
- try
- {
- ByteArrayOutputStream buffer = new ByteArrayOutputStream ();
- TransformerFactory.newInstance ().newTransformer()
- .transform (new DOMSource (doc), new StreamResult (buffer));
- byte[] rawResult = buffer.toByteArray ();
- buffer.close ();
-
- return prettyPrint (rawResult);
- }
- catch (Exception ex)
- {
- ex.printStackTrace ();
- return "EXCEPTION: " + ex.getClass ().getName () + " saying \"" +
- ex.getMessage () + "\"";
- }
- }
-
- public static class StreamAdapter
- extends OutputStream
- {
- public StreamAdapter (Writer finalDestination)
- {
- this.finalDestination = finalDestination;
- }
-
- public void write (int b)
- {
- out.write (b);
- }
-
- public void flushPretty ()
- throws IOException
- {
- PrintWriter finalPrinter = new PrintWriter (finalDestination);
- finalPrinter.println
- (PrettyPrinter.prettyPrint (out.toByteArray ()));
- finalPrinter.close ();
- out.close ();
- }
-
- private ByteArrayOutputStream out = new ByteArrayOutputStream ();
- Writer finalDestination;
- }
-
- /**
- Call this to get the formatted XML post-parsing.
- */
- public String toString ()
- {
- return output.toString ();
- }
-
- /**
- Prints the XML declaration.
- */
- public void startDocument ()
- throws SAXException
- {
- output.append ("<?xml version=\"1.0\" encoding=\"UTF-8\" ?>")
- .append (endLine);
- }
-
- /**
- Prints a blank line at the end of the reformatted document.
- */
- public void endDocument () throws SAXException
- {
- output.append (endLine);
- }
-
- /**
- Writes the start tag for the element.
- Attributes are written out, one to a text line. Starts gathering
- character data for the element.
- */
- public void startElement
- (String URI, String name, String qName, Attributes attributes)
- throws SAXException
- {
- if (justHitStartTag)
- output.append ('>');
-
- output.append (endLine)
- .append (indent)
- .append ('<')
- .append (qName);
-
- int length = attributes.getLength ();
- for (int a = 0; a < length; ++a)
- output.append (endLine)
- .append (indent)
- .append (standardIndent)
- .append (attributes.getQName (a))
- .append ("=\"")
- .append (attributes.getValue (a))
- .append ('\"');
-
- if (length > 0)
- output.append (endLine)
- .append (indent);
-
- indent += standardIndent;
- currentValue = new StringBuffer ();
- justHitStartTag = true;
- }
-
- /**
- Checks the {@link #currentValue} buffer to gather element content.
- Writes this out if it is available. Writes the element end tag.
- */
- public void endElement (String URI, String name, String qName)
- throws SAXException
- {
- indent = indent.substring
- (0, indent.length () - standardIndent.length ());
-
- if (currentValue == null)
- output.append (endLine)
- .append (indent)
- .append ("</")
- .append (qName)
- .append ('>');
- else if (currentValue.length () != 0)
- output.append ('>')
- .append (currentValue.toString ())
- .append ("</")
- .append (qName)
- .append ('>');
- else
- output.append ("/>");
-
- currentValue = null;
- justHitStartTag = false;
- }
-
- /**
- When the {@link #currentValue} buffer is enabled, appends character
- data into it, to be gathered when the element end tag is encountered.
- */
- public void characters (char[] chars, int start, int length)
- throws SAXException
- {
- if (currentValue != null)
- currentValue.append (escape (chars, start, length));
- }
-
- /**
- Filter to pass strings to output, escaping <b>&lt;</b> and <b>&amp;</b>
- characters to &amp;lt; and &amp;amp; respectively.
- */
- private static String escape (char[] chars, int start, int length)
- {
- StringBuffer result = new StringBuffer ();
- for (int c = start; c < start + length; ++c)
- if (chars[c] == '<')
- result.append ("&lt;");
- else if (chars[c] == '&')
- result.append ("&amp;");
- else
- result.append (chars[c]);
-
- return result.toString ();
- }
-
- /**
- This whitespace string is expanded and collapsed to manage the output
- indenting.
- */
- private String indent = "";
-
- /**
- A buffer for character data. It is &quot;enabled&quot; in
- {@link #startElement startElement} by being initialized to a
- new <b>StringBuffer</b>, and then read and reset to
- <code>null</code> in {@link #endElement endElement}.
- */
- private StringBuffer currentValue = null;
-
- /**
- The primary buffer for accumulating the formatted XML.
- */
- private StringBuffer output = new StringBuffer ();
-
- private boolean justHitStartTag;
-
- private static final String standardIndent = " ";
- private static final String endLine =
- System.getProperty ("line.separator");
-}
-
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/XMLUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/XMLUtil.java
deleted file mode 100644
index d87d510fa..000000000
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/XMLUtil.java
+++ /dev/null
@@ -1,143 +0,0 @@
-/**
- *
- */
-package at.gv.egovernment.moa.id.util;
-
-import java.io.File;
-import java.io.IOException;
-import java.io.Reader;
-import java.io.StringReader;
-import java.io.StringWriter;
-
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.transform.OutputKeys;
-import javax.xml.transform.Result;
-import javax.xml.transform.Source;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerException;
-import javax.xml.transform.TransformerFactory;
-import javax.xml.transform.dom.DOMSource;
-import javax.xml.transform.stream.StreamResult;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-import org.w3c.dom.NodeList;
-import org.xml.sax.InputSource;
-import org.xml.sax.SAXException;
-
-/**
- * Helper class for XML processing
- * @author bzwattendorfer
- *
- */
-public class XMLUtil {
-
- /**
- * Transforms a string representation to a DOM representation
- * @param xmlString XML as string
- * @return DOM representation of String
- * @throws ParserConfigurationException
- * @throws SAXException
- * @throws IOException
- */
- public static Element stringToDOM(String xmlString) throws ParserConfigurationException, SAXException, IOException {
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- dbf.setNamespaceAware(true);
-
- DocumentBuilder builder = dbf.newDocumentBuilder();
-
- Reader reader = new StringReader(xmlString);
- InputSource src = new InputSource(reader);
- Document domDoc = builder.parse(src);
- return domDoc.getDocumentElement();
- }
-
- /**
- * Creates a new and empty XML document
- * @return New XML document
- * @throws ParserConfigurationException
- */
- public static Document createNewDocument() throws ParserConfigurationException {
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- dbf.setNamespaceAware(true);
-
- DocumentBuilder builder = dbf.newDocumentBuilder();
- return builder.newDocument();
- }
-
- /**
- * Transforms an XML to a String
- * @param node XML node
- * @return String represenation of XML
- */
- public static String printXML(Node node) {
- TransformerFactory tfactory = TransformerFactory.newInstance();
- Transformer serializer;
- try {
- serializer = tfactory.newTransformer();
-
- serializer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
- serializer.setOutputProperty(OutputKeys.ENCODING,"UTF-8");
-
- StringWriter output = new StringWriter();
- serializer.transform(new DOMSource(node), new StreamResult(output));
- return output.toString();
- } catch (TransformerException e) {
-
- throw new RuntimeException(e);
- }
- }
-
- /**
- * Writes an XML element to a given file
- * @param doc XML element
- * @param filename Filename of the file where to write XML
- */
- public static void writeXmlFile(Element doc, String filename) {
- try {
-
- Source source = new DOMSource(doc);
- File file = new File(filename);
- Result result = new StreamResult(file);
-
- Transformer xformer = TransformerFactory.newInstance().newTransformer();
- xformer.transform(source, result);
- } catch (Exception e) {
- throw new RuntimeException(e);
- }
- }
-
- /**
- * Gets the first text value of a NodeList
- * @param nList NodeList
- * @return first text value of a NodeList
- */
- public static String getFirstTextValueFromNodeList(NodeList nList) {
- if (nList != null && nList.getLength() != 0) {
- return nList.item(0).getTextContent();
- }
- return null;
- }
-
- /**
- * Gets the first element of a Node
- * @param parent Node
- * @return first element of a Node
- */
- public static Element getFirstElement(Node parent) {
- Node n = parent.getFirstChild();
- while (n != null && n.getNodeType() != Node.ELEMENT_NODE) {
- n = n.getNextSibling();
- }
- if (n == null) {
- return null;
- }
- return (Element)n;
- }
-
-
-
-}