65. EPMO Open Source Coordination Office Redaction File Detail Report

Produced by Araxis Merge on 11/9/2017 4:31:05 PM Central Standard Time. See www.araxis.com for information about Merge. This report uses XHTML and CSS2, and is best viewed with a modern standards-compliant browser. For optimum results when printing this report, use landscape orientation and enable printing of background images and colours in your browser.

65.1 Files compared

#   Location                                                                                                         File                     Last Modified
1   PPS-N_B397.zip\PPS-N_B397\PPS-N_B397\PS_PPS_ui\src\main\java\gov\va\med\pharmacy\peps\presentation\common\auth   PpsAuthentication.java   Thu Nov 9 15:03:10 2017 UTC
2   PPS-N_B397.zip\PPS-N_B397\PPS-N_B397\PS_PPS_ui\src\main\java\gov\va\med\pharmacy\peps\presentation\common\auth   PpsAuthentication.java   Thu Nov 9 20:03:42 2017 UTC

65.2 Comparison summary

Description   Between Files 1 and 2
              Text Blocks   Lines
Unchanged     4             124
Changed       3             6
Inserted      0             0
Removed       0             0

65.3 Comparison options

Whitespace
Character case     Differences in character case are significant
Line endings       Differences in line endings (CR and LF characters) are ignored
CR/LF characters   Not shown in the comparison detail

65.4 Active regular expressions

No regular expressions were active.

65.5 Comparison detail

package gov.va.med.pharmacy.peps.presentation.common.auth;

import javax.servlet.http.HttpServletRequest;

import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

import gov.va.med.pharmacy.peps.common.utility.security.ESAPIValidationType;
import gov.va.med.pharmacy.peps.common.utility.security.ESAPIValidator;

/**
 * Foundational constants and methods related to authentication in PPS.
 */
public final class PpsAuthentication {

    private static final Logger LOG = LogManager.getLogger(PpsAuthentication.class);

    /**
     * The session attribute key for the UserVo. This session attribute seems redundant with {@link
     * UserContext#getUser()} and should probably be removed.
     */
    public static final String USER_ATTRIBUTE = "user";

    /**
     * <p>
     * Returns the URL to which the user should be directed upon logout from PPS. The returned URL is provided by the SSOi
     * agent, but this method validates that the returned URL is an HTTPS URL in the  DNS       domain.
     * </p>
     *
     * <p>
     * The validation is done to prevent Open Redirect security holes. Allowing anything in  DNS       is pretty broad, but
     * appropriate as we highly trust the SSOi headers. Only the SSOi agent can set them, and we trust the agent to authenticate
     * the user. This basic  DNS       validation simply provides some defense-in-depth.
     * </p>
     *
     * @param servletRequest the HTTP Servlet request. Necessary to read headers set by the SSOi agent.
     * @return the URL as a string. Possibly null or empty if no target URL could be determined.
     */
    public static String getLogoutTargetUrl(final HttpServletRequest servletRequest) {
        // Try to send the user to the SSOi Landing page first.
        try {
            final String ssoiLandingUrl = getValidatedUrlFromSsoi(servletRequest, SsoiHeader.SSOI_LANDING_URL);
            if (StringUtils.isNotEmpty(ssoiLandingUrl)) {
                return ssoiLandingUrl;
            }
        } catch (final Exception ex) {
            LOG.warn("Could not get validated landing page URL, falling back to log out URL.", ex);
        }

        // As a fallback, send the user to the SSOi Log out page.
        return getValidatedUrlFromSsoi(servletRequest, SsoiHeader.SSOI_LOGGEDOUT_URL);
    }

    private static String getValidatedUrlFromSsoi(final HttpServletRequest servletRequest, final SsoiHeader header) {
        return ESAPIValidator.validateStringInput(
            servletRequest.getHeader(header.getHeaderName()), ESAPIValidationType.VA_HTTPS_URL);
    }

    /**
     * Prevent instantiation.
     */
    private PpsAuthentication() {
    };
}
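The Javadoc above describes the rule that getValidatedUrlFromSsoi delegates to ESAPIValidator with ESAPIValidationType.VA_HTTPS_URL: an SSOi-supplied logout URL is only honoured if it is an absolute HTTPS URL whose host lies in the trusted DNS domain, which is what stops an attacker-controlled header value from turning logout into an open redirect. The following is an added example, not PPS-N code and not the ESAPI validator the project uses: a stand-alone Java version of that rule together with the landing-page-then-logged-out fallback. The trusted domain is redacted in this report, so `example.gov` is a placeholder assumption; the header names and the `Map` standing in for `HttpServletRequest` headers are likewise assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Map;

/**
 * Added example (not PPS-N project code): an "absolute HTTPS URL in the trusted
 * DNS domain" check of the kind getValidatedUrlFromSsoi relies on, plus the
 * landing-page / logged-out fallback from getLogoutTargetUrl.
 */
public final class LogoutUrlCheck {

    /** Placeholder for the domain redacted in the report; an assumption for this example. */
    static final String TRUSTED_DOMAIN = "example.gov";

    /** Assumed header names; the real SsoiHeader enum is not part of the report. */
    static final String SSOI_LANDING_URL = "X-SSOI-Landing-URL";
    static final String SSOI_LOGGEDOUT_URL = "X-SSOI-LoggedOut-URL";

    /** Returns the trimmed URL if it is absolute, https, and hosted in TRUSTED_DOMAIN; otherwise null. */
    static String validateHttpsUrl(String raw) {
        if (raw == null || raw.isBlank()) {
            return null;
        }
        URI uri;
        try {
            uri = new URI(raw.trim());
        } catch (URISyntaxException e) {
            return null; // malformed input, e.g. embedded whitespace, backslashes or control characters
        }
        // Relative URLs ("//attacker.net/") have no scheme; non-https schemes (javascript:, http:) are refused.
        if (uri.getScheme() == null || !"https".equalsIgnoreCase(uri.getScheme())) {
            return null;
        }
        // "https://example.gov@attacker.net/" parses as userinfo "example.gov" with host attacker.net.
        // Refuse userinfo outright rather than rely on the host check alone.
        if (uri.getRawUserInfo() != null) {
            return null;
        }
        String host = uri.getHost();
        if (host == null) { // opaque or authority-less URI such as "https:example.gov"
            return null;
        }
        host = host.toLowerCase(Locale.ROOT);
        // Compare on a label boundary so that "evil-example.gov" and "example.gov.attacker.net" both fail.
        boolean inDomain = host.equals(TRUSTED_DOMAIN) || host.endsWith("." + TRUSTED_DOMAIN);
        return inDomain ? raw.trim() : null;
    }

    /** Mirrors getLogoutTargetUrl: the validated landing page first, the validated logged-out page as fallback. */
    static String getLogoutTargetUrl(Map<String, String> headers) {
        String landing = validateHttpsUrl(headers.get(SSOI_LANDING_URL));
        if (landing != null) {
            return landing;
        }
        return validateHttpsUrl(headers.get(SSOI_LOGGEDOUT_URL));
    }

    public static void main(String[] args) {
        // Constructed sample header values: the first two pass, the rest are rejected.
        String[] samples = {
            "https://sso.example.gov/landing",
            "https://EXAMPLE.GOV:8443/logout",
            "http://sso.example.gov/landing",
            "https://example.gov.attacker.net/",
            "https://attacker.net/?next=https://example.gov/",
            "https://example.gov@attacker.net/",
            "//attacker.net/",
            "javascript:alert(1)",
            "https://sso.example.gov/a b",
            null,
        };
        for (String s : samples) {
            System.out.printf("%-50s -> %s%n", s, validateHttpsUrl(s));
        }

        // A forged landing URL is ignored and the logged-out URL is used instead.
        Map<String, String> headers = Map.of(
            SSOI_LANDING_URL, "https://attacker.net/landing",
            SSOI_LOGGEDOUT_URL, "https://sso.example.gov/loggedout");
        System.out.println("logout target: " + getLogoutTargetUrl(headers));
    }
}
```

Compile and run with `javac LogoutUrlCheck.java && java LogoutUrlCheck` (Java 11 or later). Two points are worth carrying back to any validator used for this purpose: the domain comparison must be made on a label boundary rather than with a bare substring or suffix test, and userinfo should be rejected explicitly, because a URL parser that hands back the host correctly is not something every downstream redirect consumer can be assumed to share.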