Posted to commits@cxf.apache.org by co...@apache.org on 2016/11/24 12:12:32 UTC
cxf-fediz git commit: Adding ESAPI protection to OIDC
Repository: cxf-fediz
Updated Branches:
refs/heads/master 467382b88 -> 3197f65b5
Adding ESAPI protection to OIDC
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/3197f65b
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/3197f65b
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/3197f65b
Branch: refs/heads/master
Commit: 3197f65b5f366cd83378f6ee99569ba211317499
Parents: 467382b
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Nov 24 12:12:10 2016 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Nov 24 12:12:10 2016 +0000
----------------------------------------------------------------------
pom.xml | 1 +
services/oidc/pom.xml | 5 +++++
services/oidc/src/main/resources/ESAPI.properties | 1 +
services/oidc/src/main/webapp/WEB-INF/views/client.jsp | 3 ++-
.../oidc/src/main/webapp/WEB-INF/views/clientCodeGrants.jsp | 3 ++-
services/oidc/src/main/webapp/WEB-INF/views/clientTokens.jsp | 3 ++-
.../src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp | 3 ++-
.../oidc/src/main/webapp/WEB-INF/views/registeredClients.jsp | 4 +++-
8 files changed, 18 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3197f65b/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 1facafa..7b7b1c7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -50,6 +50,7 @@
<easymock.version>3.4</easymock.version>
<ecj.version>4.6.1</ecj.version>
<ehcache.version>2.10.3</ehcache.version>
+ <esapi.version>2.1.0.1</esapi.version>
<httpclient.version>4.3.5</httpclient.version>
<hsqldb.version>2.3.4</hsqldb.version>
<htmlunit.version>2.23</htmlunit.version>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3197f65b/services/oidc/pom.xml
----------------------------------------------------------------------
diff --git a/services/oidc/pom.xml b/services/oidc/pom.xml
index 50755e5..10183c7 100644
--- a/services/oidc/pom.xml
+++ b/services/oidc/pom.xml
@@ -77,6 +77,11 @@
<artifactId>commons-validator</artifactId>
<version>${commons.validator.version}</version>
</dependency>
+ <dependency>
+ <groupId>org.owasp.esapi</groupId>
+ <artifactId>esapi</artifactId>
+ <version>${esapi.version}</version>
+ </dependency>
<!--
<dependency>
<groupId>org.apache.geronimo.specs</groupId>
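Review bot: The new esapi dependency is added at default compile scope with no exclusions, although the only use this commit makes of it is `ESAPI.encoder().encodeForHTML(...)` in the JSP views. As far as I recall, ESAPI 2.x declares a sizeable transitive set (AntiSamy, BeanShell, commons-fileupload and a logging framework among them), which widens the WAR's dependency surface and upgrade burden for a single HTML-escaping call; it is worth checking the resolved tree with `mvn dependency:tree` and adding `<exclusions>` for what the encoder does not need, or considering a lighter HTML encoder. The `<dependency>` block would also benefit from a one-line comment stating its purpose, e.g. `<!-- Used only for HTML output encoding in the OIDC JSP views -->`.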
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3197f65b/services/oidc/src/main/resources/ESAPI.properties
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/resources/ESAPI.properties b/services/oidc/src/main/resources/ESAPI.properties
new file mode 100644
index 0000000..077737c
--- /dev/null
+++ b/services/oidc/src/main/resources/ESAPI.properties
@@ -0,0 +1 @@
+ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
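Review bot: The new ESAPI.properties sets only `ESAPI.Encoder` and carries no comment saying that every other ESAPI setting is intentionally left to the library's built-in defaults, so a reader finding a one-line ESAPI.properties will wonder whether the file is truncated. I would add `# Only the encoder is used (HTML output encoding in the OIDC JSPs); all other keys fall back to ESAPI defaults` above the property. ESAPI also looks for this file in other locations before the classpath (the org.owasp.esapi.resources system property and the user's home directory, as far as I recall), so a deployment that already ships a fuller ESAPI.properties will take precedence over this one; that is worth stating in the same comment.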
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3197f65b/services/oidc/src/main/webapp/WEB-INF/views/client.jsp
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/views/client.jsp b/services/oidc/src/main/webapp/WEB-INF/views/client.jsp
index 58438a9..6bdd74d 100644
--- a/services/oidc/src/main/webapp/WEB-INF/views/client.jsp
+++ b/services/oidc/src/main/webapp/WEB-INF/views/client.jsp
@@ -4,6 +4,7 @@
<%@ page import="java.util.Locale"%>
<%@ page import="java.util.TimeZone"%>
<%@ page import="javax.servlet.http.HttpServletRequest" %>
+<%@ page import="org.owasp.esapi.ESAPI" %>
<%
Client client = (Client)request.getAttribute("data");
@@ -72,7 +73,7 @@
</head>
<body>
<div class="padded">
-<h1><%= client.getApplicationName() %></h1>
+<h1><%= ESAPI.encoder().encodeForHTML(client.getApplicationName()) %></h1>
<br/>
<table border="1" id=client>
<%
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3197f65b/services/oidc/src/main/webapp/WEB-INF/views/clientCodeGrants.jsp
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/views/clientCodeGrants.jsp b/services/oidc/src/main/webapp/WEB-INF/views/clientCodeGrants.jsp
index a303bd4..4b170e6 100644
--- a/services/oidc/src/main/webapp/WEB-INF/views/clientCodeGrants.jsp
+++ b/services/oidc/src/main/webapp/WEB-INF/views/clientCodeGrants.jsp
@@ -7,6 +7,7 @@
<%@ page import="java.util.TimeZone"%>
<%@ page import="javax.servlet.http.HttpServletRequest" %>
<%@ page import="org.apache.cxf.fediz.service.oidc.clients.ClientCodeGrants" %>
+<%@ page import="org.owasp.esapi.ESAPI" %>
<%
ClientCodeGrants tokens = (ClientCodeGrants)request.getAttribute("data");
@@ -41,7 +42,7 @@
</head>
<body>
<div class="padded">
-<h1>Code Grants issued to <%= client.getApplicationName() + " (" + client.getClientId() + ")"%></h1>
+<h1>Code Grants issued to <%= ESAPI.encoder().encodeForHTML(client.getApplicationName()) + " (" + client.getClientId() + ")"%></h1>
<br/>
<table border="1">
<tr><th>ID</th><th>Issue Date</th><th>Expiry Date</th><th>Action</th></tr>
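Review bot: In the rewritten `<h1>`, `client.getClientId()` is still written into the page unencoded while only the application name is escaped; the `<h1>` in clientTokens.jsp has the same shape. If client ids are always server-generated random strings this is harmless, but that invariant is not visible here, and encoding the whole concatenation costs nothing and removes the need to reason about it: `<h1>Code Grants issued to <%= ESAPI.encoder().encodeForHTML(client.getApplicationName() + " (" + client.getClientId() + ")") %></h1>`.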
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3197f65b/services/oidc/src/main/webapp/WEB-INF/views/clientTokens.jsp
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/views/clientTokens.jsp b/services/oidc/src/main/webapp/WEB-INF/views/clientTokens.jsp
index 4ccd6de..54ea6a9 100644
--- a/services/oidc/src/main/webapp/WEB-INF/views/clientTokens.jsp
+++ b/services/oidc/src/main/webapp/WEB-INF/views/clientTokens.jsp
@@ -8,6 +8,7 @@
<%@ page import="java.util.TimeZone"%>
<%@ page import="javax.servlet.http.HttpServletRequest" %>
<%@ page import="org.apache.cxf.fediz.service.oidc.clients.ClientTokens" %>
+<%@ page import="org.owasp.esapi.ESAPI" %>
<%
ClientTokens tokens = (ClientTokens)request.getAttribute("data");
@@ -44,7 +45,7 @@
</STYLE>
</head>
<body>
-<h1>Tokens issued to <%= client.getApplicationName() + " (" + client.getClientId() + ")"%></h1>
+<h1>Tokens issued to <%= ESAPI.encoder().encodeForHTML(client.getApplicationName()) + " (" + client.getClientId() + ")"%></h1>
<br/>
<div class="padded">
<h2>Access Tokens</h2>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3197f65b/services/oidc/src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp b/services/oidc/src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp
index 1a71624..a4420c6 100644
--- a/services/oidc/src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp
+++ b/services/oidc/src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp
@@ -2,6 +2,7 @@
<%@ page import="java.util.List" %>
<%@ page import="org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData" %>
<%@ page import="org.apache.cxf.rs.security.oauth2.common.OAuthPermission" %>
+<%@ page import="org.owasp.esapi.ESAPI" %>
<%
@@ -76,7 +77,7 @@
}
%>
- <h2>Would you like to grant <%= data.getApplicationName() %><br />the following permissions:</h2>
+ <h2>Would you like to grant <%= ESAPI.encoder().encodeForHTML(client.getApplicationName()) %><br />the following permissions:</h2>
<table>
<%
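Review bot: The replacement `<h2>` line reads `client.getApplicationName()` where the removed line read `data.getApplicationName()`, so the variable changes along with the encoding. Unless `client` is declared in the scriptlet that opens above this hunk (the page's attribute is presumably the `OAuthAuthorizationData` named `data`, given the import and the old line), this fails at JSP translation time; the likely intent is `<h2>Would you like to grant <%= ESAPI.encoder().encodeForHTML(data.getApplicationName()) %><br />the following permissions:</h2>`. The enclosing scriptlet starts outside the hunk.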
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3197f65b/services/oidc/src/main/webapp/WEB-INF/views/registeredClients.jsp
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/views/registeredClients.jsp b/services/oidc/src/main/webapp/WEB-INF/views/registeredClients.jsp
index 5fca5f7..009cccf 100644
--- a/services/oidc/src/main/webapp/WEB-INF/views/registeredClients.jsp
+++ b/services/oidc/src/main/webapp/WEB-INF/views/registeredClients.jsp
@@ -6,6 +6,7 @@
<%@ page import="java.util.TimeZone"%>
<%@ page import="javax.servlet.http.HttpServletRequest" %>
<%@ page import="org.apache.cxf.fediz.service.oidc.clients.RegisteredClients" %>
+<%@ page import="org.owasp.esapi.ESAPI" %>
<%
Collection<Client> regs = ((RegisteredClients)request.getAttribute("data")).getClients();
@@ -50,7 +51,8 @@
for (Client client : regs) {
%>
<tr>
- <td><a href="<%= basePath + "console/clients/" + client.getClientId() %>"><%= client.getApplicationName() %></a></td>
+ <td><a href="<%= basePath + "console/clients/" + client.getClientId() %>"><%=
+ ESAPI.encoder().encodeForHTML(client.getApplicationName()) %></a></td>
<td>
<%= client.getClientId() %>
</td>
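Review bot: Only the link text is encoded in the rewritten `<td>`; `client.getClientId()` is still concatenated raw into the `href` attribute on the same line, and again as element text in the `<td>` two lines below. A client id containing `"` or `>` would break out of the attribute, so if ids can originate from registration input rather than being generated server-side, the href needs attribute encoding as well, e.g. `<td><a href="<%= basePath + "console/clients/" + ESAPI.encoder().encodeForHTMLAttribute(client.getClientId()) %>"><%=`. Whether ids are user-controlled is not visible from this hunk, so treat this as something to confirm against the registration code.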