From 7d9c2ec8e170df74fa544cdb83d8967c3d654ed2 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 31 Jan 2017 13:18:30 +0100 Subject: fix problem with iaik pki-module and worker threads --- .../moa/id/commons/utils/ssl/SSLUtils.java | 27 ++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) (limited to 'id/server/moa-id-commons/src') diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java index 4ecda435d..109390132 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java @@ -61,6 +61,8 @@ import javax.net.ssl.TrustManager; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.KeyStoreUtils; +import at.gv.egovernment.moaspss.logging.LoggingContext; +import at.gv.egovernment.moaspss.logging.LoggingContextManager; import iaik.pki.DefaultPKIConfiguration; import iaik.pki.PKIException; import iaik.pki.PKIFactory; @@ -94,6 +96,21 @@ public class SSLUtils { } + /** + * IAIK PKI module and MOA-SIG uses a ThreadLocal variable for logging + * check if current thread has set this variable and set loggingcontext otherwise + * + * @param url transactionID for logging + */ + private static void checkMoaSigLoggingContext(String url) { + LoggingContextManager logMgr = LoggingContextManager.getInstance(); + if (logMgr.getLoggingContext() == null) { + LoggingContext ctx = new LoggingContext(url); + logMgr.setLoggingContext(ctx); + + } + } + public static SSLSocketFactory getSSLSocketFactory( String url, String certStoreRootDirParam, @@ -111,8 +128,11 @@ public class SSLUtils { Logger.debug("Get SSLSocketFactory for " + url); // retrieve SSLSocketFactory if already created SSLSocketFactory ssf = (SSLSocketFactory)sslSocketFactories.get(url); - if (ssf != null) - return ssf; + if (ssf != null) { + checkMoaSigLoggingContext(url); + return ssf; + + } TrustManager[] tms = getTrustManagers( certStoreRootDirParam, @@ -129,6 +149,9 @@ public class SSLUtils { ssf = ctx.getSocketFactory(); // store SSLSocketFactory sslSocketFactories.put(url, ssf); + + checkMoaSigLoggingContext(url); + return ssf; } -- cgit v1.2.3 From 6f8fabef2ee6abaef940d6a2a64cd6ec79de0542 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 21 Feb 2017 15:30:11 +0100 Subject: update javadoc --- .../java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'id/server/moa-id-commons/src') diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java index d2c827d55..fcf4c3ffa 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java @@ -32,7 +32,7 @@ public interface AuthConfiguration extends ConfigurationProvider{ * Get a configuration value from basic file based MOA-ID configuration * * @param key configuration key - * @return configuration value + * @return configuration value or null if it is not found */ public String getBasicMOAIDConfiguration(final String key); -- cgit v1.2.3 From 27933ddff7201ea229e1f9572c88eecba47304c7 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 10 Mar 2017 16:02:16 +0100 Subject: fix possible DoS Bug --- .../src/main/java/at/gv/egovernment/moa/util/DOMUtils.java | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'id/server/moa-id-commons/src') diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java index fed968443..62a168ac8 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java @@ -28,6 +28,7 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; +import java.util.Collections; import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; @@ -542,6 +543,7 @@ public class DOMUtils { /** * A convenience method to parse an XML document non validating. + * This method disallow DocType declarations * * @param inputStream The InputStream containing the XML * document. @@ -552,10 +554,16 @@ public class DOMUtils { * parser. */ public static Element parseXmlNonValidating(InputStream inputStream) - throws ParserConfigurationException, SAXException, IOException { + throws ParserConfigurationException, SAXException, IOException { return DOMUtils - .parseDocument(inputStream, false, Constants.ALL_SCHEMA_LOCATIONS, null, null) - .getDocumentElement(); + .parseDocument(inputStream, false, Constants.ALL_SCHEMA_LOCATIONS, null, + Collections.unmodifiableMap(new HashMap() { + private static final long serialVersionUID = 1L; + { + put(DOMUtils.DISALLOW_DOCTYPE_FEATURE, true); + + } + })).getDocumentElement(); } /** -- cgit v1.2.3