From d025c38a426e22b0d1ccfbb4558ff6ce78ac1d0b Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 30 Sep 2016 09:22:29 +0200 Subject: refactor http servlet response processing to prohibit 'chunked' transfer encoding --- .../WebFrontEndSecurityInterceptor.java | 17 ++++++----- .../moa/id/protocols/pvp2x/MetadataAction.java | 10 +++---- .../auth/frontend/builder/GUIFormBuilderImpl.java | 18 ++++++++++-- .../internal/tasks/CreateIdentityLinkFormTask.java | 9 +++--- .../moa/id/util/CitizenCardServletUtils.java | 33 +++++++++------------- .../eidas/tasks/GenerateAuthnRequestTask.java | 5 +++- .../moa/id/protocols/eidas/EIDASProtocol.java | 6 ++-- .../eidas/eIDASAuthenticationRequest.java | 5 +++- .../controller/ELGAMandateMetadataController.java | 6 ++-- .../oauth20/protocol/OAuth20Protocol.java | 8 +++--- .../oauth20/protocol/OAuth20TokenAction.java | 10 +++---- .../FederatedAuthMetadataController.java | 6 ++-- .../saml1/GetAuthenticationDataService.java | 7 +++-- .../moa/id/auth/servlet/MonitoringController.java | 11 ++++---- 14 files changed, 87 insertions(+), 64 deletions(-) (limited to 'id/server') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java index 9fdec9fbb..2976dc420 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java 
@@ -50,7 +50,14 @@ public class WebFrontEndSecurityInterceptor implements HandlerInterceptor { @Override public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { - + + //TODO: add additional headers or checks + //set security headers + response.setHeader(MOAIDAuthConstants.HEADER_EXPIRES, MOAIDAuthConstants.HEADER_VALUE_EXPIRES); + response.setHeader(MOAIDAuthConstants.HEADER_PRAGMA, MOAIDAuthConstants.HEADER_VALUE_PRAGMA); + response.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL, MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL); + response.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL, MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE); + //only for SAML1 GetAuthenticationData webService functionality String requestedServlet = request.getServletPath(); if (MiscUtil.isNotEmpty(requestedServlet) && @@ -85,13 +92,9 @@ public class WebFrontEndSecurityInterceptor implements HandlerInterceptor { public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception { - //TODO: add additional headers or checks - //set security headers - response.setHeader(MOAIDAuthConstants.HEADER_EXPIRES, MOAIDAuthConstants.HEADER_VALUE_EXPIRES); - response.setHeader(MOAIDAuthConstants.HEADER_PRAGMA, MOAIDAuthConstants.HEADER_VALUE_PRAGMA); - response.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL, MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL); - response.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL, MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE); + + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index b282e3a4b..851f47a68 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java 
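Review bot: The cache headers now go into `preHandle`, and the reason is not recorded anywhere: with this commit the handlers call `setContentLength` and write the body inside the handler, so a response may already be committed when `postHandle` runs and any `setHeader` there is silently dropped. A comment above the four header calls, `// must run before the handler writes: headers set on a committed response are ignored`, would keep the next refactor from moving them back. The `//TODO: add additional headers or checks` line is carried over unchanged, so the method still documents itself as incomplete. In the second hunk of this file `postHandle` is left with two blank added lines and no statements; either drop the override or leave a one-line comment that it is intentionally empty. `preHandle` continues past the end of the hunk.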
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -63,12 +63,12 @@ public class MetadataAction implements IAction { String metadataXML = metadatabuilder.buildPVPMetadata(metadataConfig); Logger.debug("METADATA: " + metadataXML); - + + byte[] content = metadataXML.getBytes("UTF-8"); + httpResp.setStatus(HttpServletResponse.SC_OK); + httpResp.setContentLength(content.length); httpResp.setContentType(MediaType.XML_UTF_8.toString()); - httpResp.getOutputStream().write(metadataXML.getBytes("UTF-8")); - - httpResp.getOutputStream().close(); - + httpResp.getOutputStream().write(content); return null; } catch (Exception e) { diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java index 26b37226d..e77933986 100644 --- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java 
@@ -101,11 +101,23 @@ public class GUIFormBuilderImpl implements IGUIFormBuilder { //evaluate template StringWriter writer = new StringWriter(); engine.evaluate(context, writer, loggerName, new BufferedReader(new InputStreamReader(is))); - + //write template to response + final byte[] content = writer.toString().getBytes("UTF-8"); httpResp.setStatus(HttpServletResponse.SC_OK); - httpResp.setContentType(contentType); - httpResp.getOutputStream().write(writer.toString().getBytes("UTF-8")); + httpResp.setContentLength(content.length); + httpResp.setContentType(contentType); + httpResp.getOutputStream().write(content); + + if (Logger.isTraceEnabled()) { + Logger.trace("Write Content for viewName:" + viewName + + ". Contentsize:" + String.valueOf(content.length) + + " BufferSize:" + httpResp.getBufferSize() + + " ContentType:" + contentType); + for (String el : httpResp.getHeaderNames()) + Logger.trace(" * Headername:" + el + " Value:" + httpResp.getHeader(el)); + + } } catch (IOException e) { Logger.error("GUI form-builder has an internal error.", e); diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java index e47aff83b..e1495f254 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java @@ -1,7 +1,5 @@ package at.gv.egovernment.moa.id.auth.modules.internal.tasks; -import java.io.PrintWriter; - import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; 
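Review bot: The new trace loop writes every response header value to the log via `httpResp.getHeader(el)`; depending on what the container exposes through `getHeaderNames()` that can include `Set-Cookie` (session identifiers) and other headers that should not end up in log files, so log the names only or exclude a known-sensitive set, e.g. `Logger.trace(" * Headername:" + el);`. `getHeader` also returns only the first value of a multi-valued header, so the second `Cache-Control` value that the interceptor adds with `addHeader` would never appear; `httpResp.getHeaders(el)` returns all of them. Setting `Content-Length` before `setContentType` is fine, since the length is derived from the already-encoded bytes.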
@@ -79,11 +77,12 @@ public class CreateIdentityLinkFormTask extends AbstractAuthServletTask { pendingReq, MOAIDEventConstants.AUTHPROCESS_BKU_URL, moasession.getBkuURL()); if (!StringUtils.isEmpty(getIdentityLinkForm)) { + byte[] content = getIdentityLinkForm.getBytes("UTF-8"); resp.setContentType(MediaType.HTML_UTF_8.toString()); - PrintWriter out = new PrintWriter(resp.getOutputStream()); - out.print(getIdentityLinkForm); - out.flush(); + resp.setContentLength(content.length); + resp.getOutputStream().write(content); Logger.debug("Finished GET " + CreateIdentityLinkFormTask.class); + } } catch (WrongParametersException ex) { diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java index 9fbdf5cd7..1f2cda680 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java @@ -50,7 +50,6 @@ package at.gv.egovernment.moa.id.util; import java.io.IOException; -import java.io.OutputStream; import java.net.URLEncoder; import javax.servlet.http.HttpServletResponse; 
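Review bot: Besides adding a Content-Length, this hunk quietly fixes an encoding mismatch — the removed `new PrintWriter(resp.getOutputStream())` encoded with the platform default charset while the Content-Type advertises UTF-8 — and that is worth a comment on the `getBytes("UTF-8")` line, e.g. `// encode explicitly; the Content-Type promises UTF-8`. The blank `+` line inserted before the closing brace after the `Logger.debug` call looks accidental. The enclosing method starts and ends outside the hunk.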
@@ -93,12 +92,11 @@ public class CitizenCardServletUtils extends ServletUtils{ resp.addHeader("Location", dataURL); //TODO test impact of explicit setting charset with older versions of BKUs (HotSign) - resp.setContentType(MediaType.XML_UTF_8.toString()); - OutputStream out = resp.getOutputStream(); - out.write(createXMLSignatureRequestOrRedirect.getBytes("UTF-8")); - out.flush(); - out.close(); + byte[] content = createXMLSignatureRequestOrRedirect.getBytes("UTF-8"); + resp.setContentType(MediaType.XML_UTF_8.toString()); + resp.setContentLength(content.length); + resp.getOutputStream().write(content); Logger.debug("Finished POST " + servletName); } else { @@ -129,12 +127,11 @@ public class CitizenCardServletUtils extends ServletUtils{ resp.addHeader("Location", dataURL); //TODO test impact of explicit setting charset with older versions of BKUs (HotSign) + + byte[] content = createXMLSignatureRequestOrRedirect.getBytes("UTF-8"); resp.setContentType(MediaType.XML_UTF_8.toString()); - - OutputStream out = resp.getOutputStream(); - out.write(createXMLSignatureRequestOrRedirect.getBytes("UTF-8")); - out.flush(); - out.close(); + resp.setContentLength(content.length); + resp.getOutputStream().write(content); Logger.debug("Finished POST " + servletName); } 
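Review bot: The encode/setContentType/setContentLength/write sequence is now repeated verbatim in both hunks here and a third time in the `@@ -156` hunk of this file, and the three copies already differ in statement order; a small private helper would make the "fixed length, no chunking" contract the commit is about live in one place. In the `@@ -156` hunk the message `ContentType set to: application/x-www-form-urlencoded` is logged before `setContentType` is actually called, which is misleading when a later line throws. Each call site then becomes one line, e.g. `writeBody(resp, MediaType.XML_UTF_8.toString(), createXMLSignatureRequestOrRedirect);`. The enclosing methods start outside the hunks.
```java
/**
 * Writes an already-built body with an explicit Content-Length so the
 * container does not fall back to chunked transfer encoding.
 */
private static void writeBody(HttpServletResponse resp, String contentType, String body)
        throws IOException {
    byte[] content = body.getBytes("UTF-8");
    resp.setContentType(contentType);
    resp.setContentLength(content.length);
    resp.getOutputStream().write(content);
}
// … unchanged: Location header handling, log statements …
```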
@@ -156,16 +153,14 @@ public class CitizenCardServletUtils extends ServletUtils{ IOException { resp.setStatus(200); Logger.debug("ContentType set to: application/x-www-form-urlencoded"); - - resp.setContentType("application/x-www-form-urlencoded"); - - String content = "XMLRequest=" + URLEncoder.encode(createXMLSignatureRequestOrRedirect, "UTF-8") + "&" + + + String respString = "XMLRequest=" + URLEncoder.encode(createXMLSignatureRequestOrRedirect, "UTF-8") + "&" + "DataURL=" + URLEncoder.encode(dataURL, "UTF-8"); - OutputStream out = resp.getOutputStream(); - out.write(content.getBytes("UTF-8")); - out.flush(); - out.close(); + byte[] content = respString.getBytes("UTF-8"); + resp.setContentType("application/x-www-form-urlencoded"); + resp.setContentLength(content.length); + resp.getOutputStream().write(content); Logger.debug("Finished POST " + servletName); } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java index a3fd51c4c..ea8e88278 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java 
@@ -248,8 +248,11 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { Logger.debug("Sending html content: " + writer.getBuffer().toString()); + + byte[] content = writer.getBuffer().toString().getBytes("UTF-8"); response.setContentType(MediaType.HTML_UTF_8.toString()); - response.getOutputStream().write(writer.getBuffer().toString().getBytes("UTF-8")); + response.setContentLength(content.length); + response.getOutputStream().write(content); revisionsLogger.logEvent(oaConfig, pendingReq, MOAIDEventConstants.AUTHPROCESS_PEPS_REQUESTED, diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java index 9fab58f94..13e64cdd0 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java @@ -386,9 +386,11 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { Logger.trace("Sending html content : " + new String(writer.getBuffer())); - response.getOutputStream().write(writer.getBuffer().toString().getBytes("UTF-8")); + byte[] content = writer.getBuffer().toString().getBytes("UTF-8"); response.setContentType(MediaType.TEXT_HTML.getType()); - + response.setContentLength(content.length); + response.getOutputStream().write(content); + return true; } catch (Exception e1 ) { diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java index 0f17eccab..22ac37604 100644 
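Review bot: In the EIDASProtocol hunk the body is encoded as UTF-8 but the Content-Type on the following line, `response.setContentType(MediaType.TEXT_HTML.getType());`, carries no charset, so a client may decode the bytes with its own default; the GenerateAuthnRequestTask hunk above uses `MediaType.HTML_UTF_8.toString()`, which includes the charset and would be the consistent choice, i.e. `response.setContentType(MediaType.HTML_UTF_8.toString());`. If the `MediaType` imported in this file is Spring's or JAX-RS's rather than Guava's, `getType()` yields only the top-level type (`text`) and the header is wrong outright — worth confirming which class is imported. Moving the write after `setContentType` is correct, since a type set after the body is committed is ignored. The same charset point applies to the eIDASAuthenticationRequest hunk that follows.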
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java @@ -252,8 +252,11 @@ public class eIDASAuthenticationRequest implements IAction { Logger.trace("Sending html content : " + new String(writer.getBuffer())); - httpResp.getOutputStream().write(writer.getBuffer().toString().getBytes("UTF-8")); + byte[] content = writer.getBuffer().toString().getBytes("UTF-8"); httpResp.setContentType(MediaType.TEXT_HTML.getType()); + httpResp.setContentLength(content.length); + httpResp.getOutputStream().write(content); + } catch (Exception e) { Logger.error("Velocity error: " + e.getMessage()); diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java index 5720e4827..ca7401ab7 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java 
@@ -82,9 +82,11 @@ public class ELGAMandateMetadataController extends AbstractController { String xmlMetadata = metadatabuilder.buildPVPMetadata(metadataConfig); //write response + byte[] content = xmlMetadata.getBytes("UTF-8"); + resp.setStatus(HttpServletResponse.SC_OK); + resp.setContentLength(content.length); resp.setContentType(MediaType.XML_UTF_8.toString()); - resp.getOutputStream().write(xmlMetadata.getBytes("UTF-8")); - resp.getOutputStream().close(); + resp.getOutputStream().write(content); } diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java index e6ccc67b7..118c53f6b 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java @@ -225,14 +225,14 @@ public class OAuth20Protocol extends AbstractAuthProtocolModulController { // create response JsonObject jsonObject = new JsonObject(); OAuth20Util.addProperytiesToJsonObject(jsonObject, params); - String jsonResponse = jsonObject.toString(); - Logger.debug("JSON Response: " + jsonResponse); + byte[] jsonResponse = jsonObject.toString().getBytes("UTF-8"); + Logger.debug("JSON Response: " + new String(jsonResponse)); // write respone to http response response.setContentType("application/json"); + response.setContentLength(jsonResponse.length); response.setStatus(HttpServletResponse.SC_BAD_REQUEST); - response.getOutputStream().print(jsonResponse); - response.getOutputStream().close(); + response.getOutputStream().write(jsonResponse); return true; } 
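Review bot: In the OAuth20Protocol hunk, `Logger.debug("JSON Response: " + new String(jsonResponse));` decodes the UTF-8 bytes with the platform default charset, so on a non-UTF-8 JVM the logged JSON is garbled; log the string before encoding, or use `new String(jsonResponse, "UTF-8")`. Keeping the `String` and deriving the bytes from it also keeps the byte-length-based `setContentLength` correct without a second conversion. The same pattern is introduced in the OAuth20TokenAction hunk below.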
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java index 9d78418cd..985e1d1c5 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java @@ -83,14 +83,14 @@ class OAuth20TokenAction implements IAction { // create response JsonObject jsonObject = new JsonObject(); OAuth20Util.addProperytiesToJsonObject(jsonObject, auth20SessionObject.getAuthDataSession()); - String jsonResponse = jsonObject.toString(); - Logger.debug("JSON Response: " + jsonResponse); + byte[] jsonResponse = jsonObject.toString().getBytes("UTF-8"); + Logger.debug("JSON Response: " + new String(jsonResponse)); // write respone to http response httpResp.setContentType("application/json"); - httpResp.setStatus(HttpServletResponse.SC_OK); - httpResp.getOutputStream().print(jsonResponse); - httpResp.getOutputStream().close(); + httpResp.setContentLength(jsonResponse.length); + httpResp.setStatus(HttpServletResponse.SC_OK); + httpResp.getOutputStream().write(jsonResponse); return null; } diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java index 02356d74a..e86d31708 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java 
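Review bot: The rewritten `Logger.debug("JSON Response: " + new String(jsonResponse));` line writes the whole token-endpoint body to the log; if, as the class name and `getAuthDataSession()` suggest, that body carries the issued access/ID tokens, debug logging persists credentials in log files. Since the line is being touched anyway, log only the fact that a response was built (or the key names), e.g. `Logger.debug("JSON Response written, " + jsonResponse.length + " bytes");`. The enclosing method starts and ends outside the hunk.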
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java @@ -82,9 +82,11 @@ public class FederatedAuthMetadataController extends AbstractController { String xmlMetadata = metadatabuilder.buildPVPMetadata(metadataConfig); //write response + byte[] content = xmlMetadata.getBytes("UTF-8"); + resp.setStatus(HttpServletResponse.SC_OK); + resp.setContentLength(content.length); resp.setContentType(MediaType.XML_UTF_8.toString()); - resp.getOutputStream().write(xmlMetadata.getBytes("UTF-8")); - resp.getOutputStream().close(); + resp.getOutputStream().write(content); } diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java index 893799b5d..13df30862 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java 
@@ -344,8 +344,11 @@ public class GetAuthenticationDataService extends AbstractController implements VelocityEngine engine = VelocityProvider.getClassPathVelocityEngine(); BufferedReader reader = new BufferedReader(new InputStreamReader(is )); StringWriter writer = new StringWriter(); - engine.evaluate(context, writer, "SAML1 GetAuthenticationData", reader); - httpResp.getOutputStream().write(writer.toString().getBytes("UTF-8")); + engine.evaluate(context, writer, "SAML1 GetAuthenticationData", reader); + + byte[] content = writer.toString().getBytes("UTF-8"); + httpResp.setContentLength(content.length); + httpResp.getOutputStream().write(content); } catch (Exception e) { Logger.error("SAML1 GetAuthenticationData has an error:", e); diff --git a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringController.java b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringController.java index 8d324b535..b232b9512 100644 --- a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringController.java +++ b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringController.java @@ -112,13 +112,12 @@ public class MonitoringController { Logger.warn("Monitoring Servlet found some Error: " + errorMessage); resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); resp.setContentType("text/html;charset=UTF-8"); - PrintWriter out; - try { - out = new PrintWriter(resp.getOutputStream()); + resp.setCharacterEncoding("UTF-8"); + + try { for (String error : errorMessage) - out.write(error + "
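Review bot: This hunk sets Content-Length but, unlike every other hunk in the commit, sets neither status nor Content-Type; if that does not happen earlier in the method (outside the hunk), the container's default type is sent for a UTF-8 body. `reader` and the underlying `is` are never closed on this path either (context lines), so a try-with-resources around the evaluate call would be a cheap improvement. The enclosing method starts outside the hunk.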
"); - out.flush(); - + resp.getWriter().write(error + "
"); + } catch (IOException e) { Logger.warn("Internal Monitoring Servlet Error. ", e); } -- cgit v1.2.3