Posted to commits@ofbiz.apache.org by mb...@apache.org on 2017/10/07 14:19:30 UTC
svn commit: r1811430 -
/ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java
Author: mbrohl
Date: Sat Oct 7 14:19:29 2017
New Revision: 1811430
URL: http://svn.apache.org/viewvc?rev=1811430&view=rev
Log:
Improved: Fixing defects reported by FindBugs, package
org.apache.ofbiz.securityext.login.
(OFBIZ-9637)
Thanks Dennis Balkir for reporting and providing the patch.
Modified:
ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java
Modified: ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java?rev=1811430&r1=1811429&r2=1811430&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java (original)
+++ ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java Sat Oct 7 14:19:29 2017
@@ -23,6 +23,7 @@ import java.io.UnsupportedEncodingExcept
import java.net.URLEncoder;
import java.util.HashMap;
import java.util.Iterator;
+import java.util.Locale;
import java.util.Map;
import javax.servlet.http.Cookie;
@@ -34,6 +35,7 @@ import org.apache.commons.lang.RandomStr
import org.apache.ofbiz.base.crypto.HashCrypt;
import org.apache.ofbiz.base.util.Debug;
import org.apache.ofbiz.base.util.GeneralException;
+import org.apache.ofbiz.base.util.UtilCodec;
import org.apache.ofbiz.base.util.UtilFormatOut;
import org.apache.ofbiz.base.util.UtilHttp;
import org.apache.ofbiz.base.util.UtilMisc;
@@ -57,6 +59,8 @@ import org.apache.ofbiz.service.LocalDis
import org.apache.ofbiz.service.ModelService;
import org.apache.ofbiz.webapp.control.LoginWorker;
+import edu.emory.mathcs.backport.java.util.Arrays;
+
/**
* LoginEvents - Events for UserLogin and Security handling.
*/
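Review bot: The added import takes `Arrays` from `edu.emory.mathcs.backport.java.util` instead of the JDK; the only new use this commit introduces, `Arrays.toString(cookies)` in getUsername in a later hunk, is provided by `java.util.Arrays`, so the backport library becomes an unnecessary third-party dependency that every deployment must also have on the classpath. Change the line to `import java.util.Arrays;`.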
@@ -85,10 +89,10 @@ public class LoginEvents {
String password = request.getParameter("PASSWORD");
if ((username != null) && ("true".equalsIgnoreCase(EntityUtilProperties.getPropertyValue("security", "username.lowercase", delegator)))) {
- username = username.toLowerCase();
+ username = username.toLowerCase(Locale.getDefault());
}
if ((password != null) && ("true".equalsIgnoreCase(EntityUtilProperties.getPropertyValue("security", "password.lowercase", delegator)))) {
- password = password.toLowerCase();
+ password = password.toLowerCase(Locale.getDefault());
}
// save parameters into the session - so they can be used later, if needed
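Review bot: `toLowerCase(Locale.getDefault())` on the two changed lines still makes the folding of the login name and password depend on the JVM's default locale, so the same input can normalise differently between servers (the Turkish dotted/dotless i is the usual example); for a credential comparison that means a login accepted on one host may be rejected on another, and the change silences the FindBugs warning without removing the locale sensitivity it points at. Use a fixed locale instead: `username = username.toLowerCase(Locale.ROOT);` and `password = password.toLowerCase(Locale.ROOT);`. The same applies to the `userLoginId` lines in the next two hunks and to the `passwordToSend` line in the hunk after those. The enclosing method starts and ends outside this hunk.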
@@ -159,7 +163,7 @@ public class LoginEvents {
String errMsg = null;
if ((userLoginId != null) && ("true".equals(EntityUtilProperties.getPropertyValue("security", "username.lowercase", delegator)))) {
- userLoginId = userLoginId.toLowerCase();
+ userLoginId = userLoginId.toLowerCase(Locale.getDefault());
}
if (UtilValidate.isEmpty(userLoginId)) {
@@ -219,7 +223,7 @@ public class LoginEvents {
String userLoginId = request.getParameter("USERNAME");
if ((userLoginId != null) && ("true".equals(EntityUtilProperties.getPropertyValue("security", "username.lowercase", delegator)))) {
- userLoginId = userLoginId.toLowerCase();
+ userLoginId = userLoginId.toLowerCase(Locale.getDefault());
}
if (UtilValidate.isEmpty(userLoginId)) {
@@ -244,12 +248,12 @@ public class LoginEvents {
// password encrypted, can't send, generate new password and email to user
passwordToSend = RandomStringUtils.randomAlphanumeric(EntityUtilProperties.getPropertyAsInteger("security", "password.length.min", 5).intValue());
if ("true".equals(EntityUtilProperties.getPropertyValue("security", "password.lowercase", delegator))){
- passwordToSend=passwordToSend.toLowerCase();
+ passwordToSend=passwordToSend.toLowerCase(Locale.getDefault());
}
autoPassword = RandomStringUtils.randomAlphanumeric(EntityUtilProperties.getPropertyAsInteger("security", "password.length.min", 5).intValue());
EntityCrypto entityCrypto = new EntityCrypto(delegator,null);
try {
- passwordToSend = entityCrypto.encrypt(keyValue, EncryptMethod.TRUE, (Object) autoPassword);
+ passwordToSend = entityCrypto.encrypt(keyValue, EncryptMethod.TRUE, autoPassword);
} catch (GeneralException e) {
Debug.logWarning(e, "Problem in encryption", module);
}
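Review bot: The lowercased value assigned on the changed `passwordToSend=passwordToSend.toLowerCase(...)` line is discarded whenever `entityCrypto.encrypt` succeeds, because the try block below overwrites `passwordToSend` with the encryption of `autoPassword`, and `autoPassword` itself is never lowercased; as far as this hunk shows, the `password.lowercase` setting therefore has no effect on the password that is actually encrypted and sent. If the intent is to lowercase the password that is used, apply the check to `autoPassword` after it is generated, e.g. `if ("true".equals(EntityUtilProperties.getPropertyValue("security", "password.lowercase", delegator))) { autoPassword = autoPassword.toLowerCase(Locale.ROOT); }`, and drop the first random generation. Later uses of both variables are outside this hunk, so this should be confirmed against the rest of the method.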
@@ -281,7 +285,6 @@ public class LoginEvents {
party = supposedUserLogin.getRelatedOne("Party", false);
} catch (GenericEntityException e) {
Debug.logWarning(e, "", module);
- party = null;
}
if (party != null) {
Iterator<GenericValue> emailIter = UtilMisc.toIterator(ContactHelper.getContactMechByPurpose(party, "PRIMARY_EMAIL", false));
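Review bot: Removing `party = null;` from the catch block is only safe if `party` is initialised to null at its declaration, which is above this hunk and not visible here; if it is declared without an initialiser the following `if (party != null)` no longer compiles (definite assignment), and if it were assigned earlier a stale value would now be used after a failed lookup. Worth confirming the declaration reads something like `GenericValue party = null;`. While touching this catch, the log call passes an empty message; `Debug.logWarning(e, "Could not look up Party for the supposed user login", module);` would make the warning searchable. The enclosing method begins and ends outside the hunk.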
@@ -315,14 +318,14 @@ public class LoginEvents {
}
// set the needed variables in new context
- Map<String, Object> bodyParameters = new HashMap<String, Object>();
+ Map<String, Object> bodyParameters = new HashMap<>();
bodyParameters.put("useEncryption", Boolean.valueOf(useEncryption));
bodyParameters.put("password", UtilFormatOut.checkNull(passwordToSend));
bodyParameters.put("locale", UtilHttp.getLocale(request));
bodyParameters.put("userLogin", supposedUserLogin);
bodyParameters.put("productStoreId", productStoreId);
- Map<String, Object> serviceContext = new HashMap<String, Object>();
+ Map<String, Object> serviceContext = new HashMap<>();
serviceContext.put("bodyScreenUri", bodyScreenLocation);
serviceContext.put("bodyParameters", bodyParameters);
if (productStoreEmail != null) {
@@ -414,7 +417,7 @@ public class LoginEvents {
public static String getUsername(HttpServletRequest request) {
String cookieUsername = null;
Cookie[] cookies = request.getCookies();
- if (Debug.verboseOn()) Debug.logVerbose("Cookies:" + cookies, module);
+ if (Debug.verboseOn()) Debug.logVerbose("Cookies:" + Arrays.toString(cookies), module);
if (cookies != null) {
for (Cookie cookie: cookies) {
if (cookie.getName().equals(usernameCookieName)) {
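Review bot: `Arrays.toString(cookies)` on the changed line improves on printing the bare array reference, but as far as I know `javax.servlet.http.Cookie` does not override `toString`, so the verbose log still shows only `Cookie@<hash>` entries and carries no useful information. Logging the cookie names (or just the count) would be informative without writing cookie values, which can include session identifiers, into the log; for example `if (Debug.verboseOn()) Debug.logVerbose("Cookie count: " + (cookies == null ? 0 : cookies.length), module);`, or collect `cookie.getName()` in the existing loop. getUsername continues past the end of this hunk.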
@@ -434,7 +437,8 @@ public class LoginEvents {
synchronized (session) {
if (UtilValidate.isEmpty(getUsername(request))) {
// create the cookie and send it back
- Cookie cookie = new Cookie(usernameCookieName, request.getParameter("USERNAME"));
+ String usernameParam = UtilCodec.getEncoder("html").encode(request.getParameter("USERNAME"));
+ Cookie cookie = new Cookie(usernameCookieName, usernameParam);
cookie.setMaxAge(60 * 60 * 24 * 365);
cookie.setPath("/");
cookie.setDomain(domain);
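Review bot: The HTML encoder applied to the USERNAME parameter on the changed lines targets the wrong context: the value goes into a Set-Cookie header, not an HTML page, so characters such as `&`, `<` or `'` are stored as HTML entities and the cookie no longer round-trips to the original username when getUsername reads it back, while the characters that are actually problematic in a cookie value (`;`, `,`, whitespace, control characters) are not addressed by an HTML encoder. Encode for the cookie context and decode symmetrically on read; `java.net.URLEncoder` is already imported in this file, e.g. `String usernameParam = URLEncoder.encode(request.getParameter("USERNAME"), "UTF-8");` with a matching `URLDecoder.decode` in getUsername. Also, `request.getParameter("USERNAME")` can be null, and it is not visible here whether `UtilCodec.getEncoder("html").encode` tolerates null, whereas the previous `new Cookie(name, null)` did not throw at this point. The enclosing block continues past the end of this hunk.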