From 5ac7c031b38bd652e984ad58285b1cb4af4c5e1f Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Thu, 17 Apr 2014 13:18:04 +0200
Subject: blank database elements with sensitive data before delete the entry

---
 .../moa/id/storage/AssertionStorage.java           | 21 +++++++++++--
 .../id/storage/AuthenticationSessionStoreage.java  | 34 +++++++++++++++++-----
 2 files changed, 45 insertions(+), 10 deletions(-)

(limited to 'id/server')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java
index 77cd23b60..cca13fad9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java
@@ -144,7 +144,7 @@ public class AssertionStorage {
 		if (results.size() != 0) {
 			for(AssertionStore result : results) {
 				try { 
-					MOASessionDBUtils.delete(result);
+					cleanDelete(result);
 					Logger.info("Remove sessioninformation with ID=" + result.getArtifact() 
 							+ " after timeout.");
 				
@@ -161,7 +161,7 @@ public class AssertionStorage {
 		
 		 try {
 			AssertionStore element = searchInDatabase(artifact);
-			MOASessionDBUtils.delete(element);
+			cleanDelete(element);
 			Logger.info("Remove sessioninformation with ID" + artifact);
 			
 			
@@ -174,6 +174,23 @@ public class AssertionStorage {
 		}
 	}
 
+	private void cleanDelete(AssertionStore element) {
+		try {
+			element.setAssertion(new byte[]{});
+			MOASessionDBUtils.saveOrUpdate(element);
+			
+		} catch (MOADatabaseException e) {
+			Logger.warn("Blank shortTime session with artifact=" + element.getArtifact() + " FAILED.", e);
+			
+		} finally {
+			if (!MOASessionDBUtils.delete(element))
+				Logger.error("ShortTime session with artifact=" + element.getArtifact() 
+							+ " not removed! (Error during Database communication)");
+
+		}
+		
+	}
+	
 	@SuppressWarnings("rawtypes")
 	private AssertionStore searchInDatabase(String artifact) throws MOADatabaseException {
 		  MiscUtil.assertNotNull(artifact, "artifact");	  
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
index 27f219452..ca5cb9226 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
@@ -156,7 +156,7 @@ public class AuthenticationSessionStoreage {
 	
 	public static void destroySession(String moaSessionID) throws MOADatabaseException {
 		
-		  Session session = MOASessionDBUtils.getCurrentSession();
+		Session session = MOASessionDBUtils.getCurrentSession();
 		  
 		  List<AuthenticatedSessionStore> result;
 		  
@@ -176,11 +176,11 @@ public class AuthenticationSessionStoreage {
 			   	throw new MOADatabaseException("No session found with this sessionID");
 			  }
 			  
-			  AuthenticatedSessionStore dbsession = (AuthenticatedSessionStore) result.get(0);
-						
-				//delete MOA Session
-				session.delete(dbsession);
-				session.getTransaction().commit();
+			 AuthenticatedSessionStore dbsession = (AuthenticatedSessionStore) result.get(0);
+			 
+			 session.getTransaction().commit();
+			  
+			 cleanDelete(dbsession);			
 		  }
 				
 	}
@@ -443,7 +443,7 @@ public class AuthenticationSessionStoreage {
 			 return false;
 					 
 		  } else {
-			  MOASessionDBUtils.delete(result.get(0));
+			  cleanDelete(result.get(0));
 			  return true;
 		  }
 		
@@ -521,7 +521,7 @@ public class AuthenticationSessionStoreage {
 		if (results.size() != 0) {
 			for(AuthenticatedSessionStore result : results) {
 				try { 
-					MOASessionDBUtils.delete(result);
+					cleanDelete(result);
 					Logger.info("Authenticated session with sessionID=" + result.getSessionid() 
 							+ " after session timeout.");
 				
@@ -534,6 +534,24 @@ public class AuthenticationSessionStoreage {
 		}	
 	}
 	
+	private static void cleanDelete(AuthenticatedSessionStore result) {		
+		try {
+			result.setSession(new byte[] {});
+			MOASessionDBUtils.saveOrUpdate(result);
+			
+		} catch (MOADatabaseException e) {
+			Logger.warn("Blank authenticated session with sessionID=" + result.getSessionid() + " FAILED.", e);
+			
+		} finally {
+			if (!MOASessionDBUtils.delete(result))
+				Logger.error("Authenticated session with sessionID=" + result.getSessionid() 
+							+ " not removed! (Error during Database communication)");
+			
+		}
+		
+		
+	}
+	
 	@SuppressWarnings("rawtypes")
 	private static AuthenticatedSessionStore searchInDatabase(String sessionID) throws MOADatabaseException {
 		  MiscUtil.assertNotNull(sessionID, "moasessionID");	  
-- 
cgit v1.2.3