From 5ac7c031b38bd652e984ad58285b1cb4af4c5e1f Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 17 Apr 2014 13:18:04 +0200 Subject: blank database elements with sensitive data before delete the entry --- .../moa/id/storage/AssertionStorage.java | 21 +++++++++++-- .../id/storage/AuthenticationSessionStoreage.java | 34 +++++++++++++++++----- 2 files changed, 45 insertions(+), 10 deletions(-) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java index 77cd23b60..cca13fad9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java @@ -144,7 +144,7 @@ public class AssertionStorage { if (results.size() != 0) { for(AssertionStore result : results) { try { - MOASessionDBUtils.delete(result); + cleanDelete(result); Logger.info("Remove sessioninformation with ID=" + result.getArtifact() + " after timeout."); @@ -161,7 +161,7 @@ public class AssertionStorage { try { AssertionStore element = searchInDatabase(artifact); - MOASessionDBUtils.delete(element); + cleanDelete(element); Logger.info("Remove sessioninformation with ID" + artifact); @@ -174,6 +174,23 @@ public class AssertionStorage { } } + private void cleanDelete(AssertionStore element) { + try { + element.setAssertion(new byte[]{}); + MOASessionDBUtils.saveOrUpdate(element); + + } catch (MOADatabaseException e) { + Logger.warn("Blank shortTime session with artifact=" + element.getArtifact() + " FAILED.", e); + + } finally { + if (!MOASessionDBUtils.delete(element)) + Logger.error("ShortTime session with artifact=" + element.getArtifact() + + " not removed! (Error during Database communication)"); + + } + + } + @SuppressWarnings("rawtypes") private AssertionStore searchInDatabase(String artifact) throws MOADatabaseException { MiscUtil.assertNotNull(artifact, "artifact"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index 27f219452..ca5cb9226 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -156,7 +156,7 @@ public class AuthenticationSessionStoreage { public static void destroySession(String moaSessionID) throws MOADatabaseException { - Session session = MOASessionDBUtils.getCurrentSession(); + Session session = MOASessionDBUtils.getCurrentSession(); List result; @@ -176,11 +176,11 @@ public class AuthenticationSessionStoreage { throw new MOADatabaseException("No session found with this sessionID"); } - AuthenticatedSessionStore dbsession = (AuthenticatedSessionStore) result.get(0); - - //delete MOA Session - session.delete(dbsession); - session.getTransaction().commit(); + AuthenticatedSessionStore dbsession = (AuthenticatedSessionStore) result.get(0); + + session.getTransaction().commit(); + + cleanDelete(dbsession); } } @@ -443,7 +443,7 @@ public class AuthenticationSessionStoreage { return false; } else { - MOASessionDBUtils.delete(result.get(0)); + cleanDelete(result.get(0)); return true; } @@ -521,7 +521,7 @@ public class AuthenticationSessionStoreage { if (results.size() != 0) { for(AuthenticatedSessionStore result : results) { try { - MOASessionDBUtils.delete(result); + cleanDelete(result); Logger.info("Authenticated session with sessionID=" + result.getSessionid() + " after session timeout."); @@ -534,6 +534,24 @@ public class AuthenticationSessionStoreage { } } + private static void cleanDelete(AuthenticatedSessionStore result) { + try { + result.setSession(new byte[] {}); + MOASessionDBUtils.saveOrUpdate(result); + + } catch (MOADatabaseException e) { + Logger.warn("Blank authenticated session with sessionID=" + result.getSessionid() + " FAILED.", e); + + } finally { + if (!MOASessionDBUtils.delete(result)) + Logger.error("Authenticated session with sessionID=" + result.getSessionid() + + " not removed! (Error during Database communication)"); + + } + + + } + @SuppressWarnings("rawtypes") private static AuthenticatedSessionStore searchInDatabase(String sessionID) throws MOADatabaseException { MiscUtil.assertNotNull(sessionID, "moasessionID"); -- cgit v1.2.3