# | Location | File | Last Modified |
---|---|---|---|
1 | PPS-N_B397.zip\PPS-N_B397\PPS-N_B397\PS_PPS_ui\src\main\java\gov\va\med\pharmacy\peps\presentation\common\auth | PpsAuthentication.java | Thu Nov 9 15:03:10 2017 UTC |
2 | PPS-N_B397.zip\PPS-N_B397\PPS-N_B397\PS_PPS_ui\src\main\java\gov\va\med\pharmacy\peps\presentation\common\auth | PpsAuthentication.java | Thu Nov 9 20:03:42 2017 UTC |
Description | Between Files 1 and 2 |
|
---|---|---|
Text Blocks | Lines | |
Unchanged | 4 | 124 |
Changed | 3 | 6 |
Inserted | 0 | 0 |
Removed | 0 | 0 |
Whitespace | |
---|---|
Character case | Differences in character case are significant |
Line endings | Differences in line endings (CR and LF characters) are ignored |
CR/LF characters | Not shown in the comparison detail |
No regular expressions were active.
1 | package go v.va.med.p harmacy.pe ps.present ation.comm on.auth; | |
2 | ||
3 | import jav ax.servlet .http.Http ServletReq uest; | |
4 | ||
5 | import org .apache.co mmons.lang 3.StringUt ils; | |
6 | import org .apache.lo gging.log4 j.LogManag er; | |
7 | import org .apache.lo gging.log4 j.Logger; | |
8 | ||
9 | import gov .va.med.ph armacy.pep s.common.u tility.sec urity.ESAP IValidatio nType; | |
10 | import gov .va.med.ph armacy.pep s.common.u tility.sec urity.ESAP IValidator ; | |
11 | ||
12 | /** | |
13 | * Foundat ional cons tants and methods re lated to a uthenticat ion in PPS . | |
14 | */ | |
15 | public fin al class P psAuthenti cation { | |
16 | ||
17 | privat e static f inal Logge r LOG = Lo gManager.g etLogger(P psAuthenti cation.cla ss); | |
18 | ||
19 | /** | |
20 | * The session a ttribute k ey for the UserVo. T his sessio n attribut e seems re dundant wi th {@link | |
21 | * Use rContext#g etUser()} and should probably be removed . | |
22 | */ | |
23 | public static fi nal String USER_ATTR IBUTE = "u ser"; | |
24 | ||
25 | /** | |
26 | * <p> | |
27 | * Ret urns the U RL to whic h the user should be directed upon logou t from PPS . The retu rned URL i s provided by the SS Oi | |
28 | * agent, b ut this me thod valid ates that the return ed URL is an HTTPS U RL in the DNS domain. | |
29 | * </p > | |
30 | * | |
31 | * <p> | |
32 | * The vali dation is done to pr event Open Redirect security h oles. Allo wing anyth ing in DNS is pretty broad, but | |
33 | * app ropriate a s we highl y trust th e SSOi hea ders. Only the SSOi agent can set them, and we tru st the age nt to auth enticate | |
34 | * the user . This bas ic DNS validation simply pr ovides som e defense- in-depth. | |
35 | * </p > | |
36 | * | |
37 | * @pa ram servle tRequest t he HTTP Se rvlet requ est. Neces sary to re ad headers set by th e SSOi age nt. | |
38 | * @re turn the U RL as a st ring. Poss ibly null or empty i f no targe t URL coul d be deter mined. | |
39 | */ | |
40 | public static St ring getLo goutTarget Url(final HttpServle tRequest s ervletRequ est) { | |
41 | // Try to se nd the use r to the S SOi Landin g page fir st. | |
42 | tr y { | |
43 | final St ring ssoiL andingUrl = getValid atedUrlFro mSsoi(serv letRequest , SsoiHead er.SSOI_LA NDING_URL) ; | |
44 | if (Stri ngUtils.is NotEmpty(s soiLanding Url)) { | |
45 | retu rn ssoiLan dingUrl; | |
46 | } | |
47 | } catch (fin al Excepti on ex) { | |
48 | LOG.warn ("Could no t get vali dated land ing page U RL, fallin g back to log out UR L.", ex); | |
49 | } | |
50 | ||
51 | // As a fall back, send the user to the SSO i Log out page. | |
52 | re turn getVa lidatedUrl FromSsoi(s ervletRequ est, SsoiH eader.SSOI _LOGGEDOUT _URL); | |
53 | } | |
54 | ||
55 | privat e static S tring getV alidatedUr lFromSsoi( final Http ServletReq uest servl etRequest, final Sso iHeader he ader) { | |
56 | re turn ESAPI Validator. validateSt ringInput( | |
57 | servletR equest.get Header(hea der.getHea derName()) , ESAPIVal idationTyp e.VA_HTTPS _URL); | |
58 | } | |
59 | ||
60 | /** | |
61 | * Pre vent insta ntiation. | |
62 | */ | |
63 | privat e PpsAuthe ntication( ) { | |
64 | }; | |
65 | } |
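Review bot: The fallback `return getValidatedUrlFromSsoi(servletRequest, SsoiHeader.SSOI_LOGGEDOUT_URL);` at the end of getLogoutTargetUrl is not guarded the way the landing-URL lookup above it is, so a validation failure on the logged-out header propagates to the caller while the `@return` Javadoc promises only a null or empty result when no target can be determined. Either the Javadoc should gain a `@throws` for whatever ESAPIValidator.validateStringInput raises (its exception type is not visible in this report), or the fallback should be handled consistently with the first branch so the documented contract holds. The `catch (final Exception ex)` on the first branch is also broader than it needs to be; narrowing it to the validator's exception type would stop unrelated runtime errors from being logged as a benign fallback, and a failed validation of an SSOi header is worth logging at a level that reaches monitoring since it is the open-redirect defence the class comment describes. Which of the six changed lines the report counts is not marked, so part of this may predate the change; the stray `;` after the private constructor's closing brace can also be dropped.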