diff --git a/CHANGELOG.md b/CHANGELOG.md index 1fe6408..0e064cd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,9 @@ +## 6.15.2 (11-11-2024) + +### Bugfix: 1 +- [#34615](https://parermine.regione.emilia-romagna.it/issues/34615) Correzione controllo esistenza password nulla nel servizi di recupero + ## 6.15.1 (12-09-2024) ### Bugfix: 1 diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md index 9cd7221..a01c7b4 100644 --- a/RELEASE-NOTES.md +++ b/RELEASE-NOTES.md @@ -1,4 +1,4 @@ -## 6.15.1 (12-09-2024) +## 6.15.2 (11-11-2024) ### Bugfix: 1 -- [#33872](https://parermine.regione.emilia-romagna.it/issues/33872) Correzione recupero informazione organizzazione versante +- [#34615](https://parermine.regione.emilia-romagna.it/issues/34615) Correzione controllo esistenza password nulla nel servizi di recupero diff --git a/pom.xml b/pom.xml index 5d2c989..83b345c 100644 --- a/pom.xml +++ b/pom.xml @@ -1,19 +1,19 @@ 4.0.0 spagofat - 6.15.2-SNAPSHOT + 6.15.3-SNAPSHOT pom Spagolite Framework utilizzato dalle applicazioni web, si tratta di uno strato software comune contenente anche le dipendenze di terze parti ed ereditato come bom. - + github https://maven.pkg.github.com/RegioneER/parer-framework-spagolite - + github https://maven.pkg.github.com/RegioneER/parer-framework-parerpom @@ -23,16 +23,13 @@ it.eng.parer parer-pom - 6.4.0 + 6.4.1 - + scm:git:https://github.com/RegioneER/parer-framework-spagolite.git HEAD - - - UTF-8 diff --git a/spagolite-core/pom.xml b/spagolite-core/pom.xml index f863c13..a5cae7f 100644 --- a/spagolite-core/pom.xml +++ b/spagolite-core/pom.xml @@ -8,7 +8,7 @@ it.eng.parer spagofat - 6.15.2-SNAPSHOT + 6.15.3-SNAPSHOT diff --git a/spagolite-middle/pom.xml b/spagolite-middle/pom.xml index 80dca1c..2e43dac 100644 --- a/spagolite-middle/pom.xml +++ b/spagolite-middle/pom.xml @@ -8,7 +8,7 @@ it.eng.parer spagofat - 6.15.2-SNAPSHOT + 6.15.3-SNAPSHOT 
diff --git a/spagolite-middle/src/main/java/it/eng/spagoLite/security/auth/SOAPIamLoginHandler.java b/spagolite-middle/src/main/java/it/eng/spagoLite/security/auth/SOAPIamLoginHandler.java index b8731ea..4b9b692 100644 --- a/spagolite-middle/src/main/java/it/eng/spagoLite/security/auth/SOAPIamLoginHandler.java +++ b/spagolite-middle/src/main/java/it/eng/spagoLite/security/auth/SOAPIamLoginHandler.java @@ -85,7 +85,7 @@ public boolean handleMessage(SOAPMessageContext msgCtx) { && (passNode = passwordEl.item(0)) != null && (servizioWeb = svcn.getLocalPart()) != null) { username = userNode.getFirstChild().getNodeValue(); password = passNode.getFirstChild().getNodeValue(); - WSLoginHandler.loginAndCheckAuthzIAM(username, password, servizioWeb, ipAddress, em); + WSLoginHandler.loginAndCheckAuthzIAM(username, password, servizioWeb, ipAddress, em, false); msgCtx.put(AuthenticationHandlerConstants.AUTHN_STAUTS, java.lang.Boolean.TRUE); msgCtx.put(AuthenticationHandlerConstants.USER, username); msgCtx.put(AuthenticationHandlerConstants.PWD, password); diff --git a/spagolite-middle/src/main/java/it/eng/spagoLite/security/auth/SOAPServerLoginHandler2.java b/spagolite-middle/src/main/java/it/eng/spagoLite/security/auth/SOAPServerLoginHandler2.java index 1f73262..0f2447d 100644 --- a/spagolite-middle/src/main/java/it/eng/spagoLite/security/auth/SOAPServerLoginHandler2.java +++ b/spagolite-middle/src/main/java/it/eng/spagoLite/security/auth/SOAPServerLoginHandler2.java 
@@ -86,7 +86,7 @@ public boolean handleMessage(SOAPMessageContext msgCtx) { && (passNode = passwordEl.item(0)) != null && (servizioWeb = svcn.getLocalPart()) != null) { username = userNode.getFirstChild().getNodeValue(); password = passNode.getFirstChild().getNodeValue(); - WSLoginHandler.loginAndCheckAuthzAtLeastOneOrganiz(username, password, servizioWeb, ipAddress, em); + WSLoginHandler.loginAndCheckAuthzAtLeastOneOrganiz(username, password, servizioWeb, ipAddress, em, false); msgCtx.put(AuthenticationHandlerConstants.AUTHN_STAUTS, java.lang.Boolean.TRUE); msgCtx.put(AuthenticationHandlerConstants.USER, username); msgCtx.put(AuthenticationHandlerConstants.PWD, password); diff --git a/spagolite-middle/src/main/java/it/eng/spagoLite/security/auth/WSLoginHandler.java b/spagolite-middle/src/main/java/it/eng/spagoLite/security/auth/WSLoginHandler.java index aac953d..7b8f1e1 100644 --- a/spagolite-middle/src/main/java/it/eng/spagoLite/security/auth/WSLoginHandler.java +++ b/spagolite-middle/src/main/java/it/eng/spagoLite/security/auth/WSLoginHandler.java @@ -43,6 +43,7 @@ public class WSLoginHandler { private static Logger log = LoggerFactory.getLogger(WSLoginHandler.class); private static final String LOGIN_FALLITO_MSG = "Username e/o password errate/a"; + private static final String LOGIN_FALLITO_NO_PASSWORD = "Valorizzare il campo password"; private static final String PROBLEMA_ESTRAZIONE_APPLICAZIONE_MSG = "Problema nell'estrazione dei dati dell'applicazione"; private static final String LOGIN_IP_FALLITO_MSG = "Indirizzo IP dell'utente che ha originato la richiesta non autorizzato"; 
@@ -111,7 +112,16 @@ public static boolean login(String username, String password, String ipAddress, q1.setParameter("username", username); Query ipListQuery = em.createQuery(IP_LIST_QUERY); ipListQuery.setParameter("username", username); - return doLogin(username, password, ipAddress, q1, ipListQuery, null); + return doLogin(username, password, ipAddress, q1, ipListQuery, null, false); + } + + public static boolean login(String username, String password, String ipAddress, EntityManager em, boolean isOAuth2) + throws AuthWSException { + Query q1 = em.createQuery(LOGIN_QUERY); + q1.setParameter("username", username); + Query ipListQuery = em.createQuery(IP_LIST_QUERY); + ipListQuery.setParameter("username", username); + return doLogin(username, password, ipAddress, q1, ipListQuery, null, isOAuth2); } /** @@ -127,7 +137,7 @@ public static boolean login(String certCommonName, EntityManager em) throws Auth q1.setParameter("username", certCommonName); // Nel parametro username passa il common name che eventualmente viene usato // nel messaggio di errore nel caso l'utente non esistesse - return doLogin(certCommonName, null, null, q1, null, certCommonName); + return doLogin(certCommonName, null, null, q1, null, certCommonName, false); } /** @@ -151,7 +161,7 @@ public static boolean login(String certCommonName, EntityManager em) throws Auth * eccezione lanciata se l'utente non è autorizzato */ public static boolean loginAndCheckAuthzAtLeastOneOrganiz(String username, String password, String servizioWeb, - String ipAddress, EntityManager em) throws AuthWSException { + String ipAddress, EntityManager em, boolean isOAuth2) throws AuthWSException { Query q1 = em.createQuery(LOGIN_QUERY); q1.setParameter("username", username); Query q2 = em.createQuery(AT_LEAST_ONE_AUTH_QUERY); 
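Review bot: The new five-argument `login` overload repeats the whole body of the four-argument one, so the two query setups can drift apart; have the old one delegate instead, `return login(username, password, ipAddress, em, false);`. The new overload also carries no Javadoc although the neighbouring methods do (the `/**` in the hunk context), so add a `@param isOAuth2` entry stating what the flag changes — on the visible lines it only selects the error message raised when the password is missing, which a caller cannot guess from the name. The hunks at -151 and -182 change the signatures of the public `loginAndCheckAuthzAtLeastOneOrganiz` and `loginAndCheckAuthzIAM` in place rather than adding an overload; since the pom describes this module as a framework consumed by other web applications, keeping the old signatures as `false`-delegating overloads, as done here for `login`, would avoid a source-incompatible change in a patch release. The four-argument `login` begins outside the hunk.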
@@ -159,7 +169,7 @@ public static boolean loginAndCheckAuthzAtLeastOneOrganiz(String username, Strin q2.setParameter("servizioWeb", servizioWeb); Query ipListQuery = em.createQuery(IP_LIST_QUERY); ipListQuery.setParameter("username", username); - return doLoginAndCheckAuthz(username, password, null, servizioWeb, ipAddress, q1, q2, ipListQuery); + return doLoginAndCheckAuthz(username, password, null, servizioWeb, ipAddress, q1, q2, ipListQuery, isOAuth2); } /** @@ -182,7 +192,7 @@ public static boolean loginAndCheckAuthzAtLeastOneOrganiz(String username, Strin * eccezione lanciata se l'utente non è autorizzato */ public static boolean loginAndCheckAuthzIAM(String username, String password, String servizioWeb, String ipAddress, - EntityManager em) throws AuthWSException { + EntityManager em, boolean isOAuth2) throws AuthWSException { Query q1 = em.createQuery(IAM_LOGIN_QUERY); q1.setParameter("username", username); Query q2 = em.createQuery(IAM_AUTH_QUERY); @@ -190,7 +200,7 @@ public static boolean loginAndCheckAuthzIAM(String username, String password, St q2.setParameter("servizioWeb", servizioWeb); Query ipListQuery = em.createQuery(IAM_IP_LIST_QUERY); ipListQuery.setParameter("username", username); - return doLoginAndCheckAuthz(username, password, null, servizioWeb, ipAddress, q1, q2, ipListQuery); + return doLoginAndCheckAuthz(username, password, null, servizioWeb, ipAddress, q1, q2, ipListQuery, isOAuth2); } private static boolean doCheckAuthz(String username, Integer idOrganiz, String servizioWeb, Query q2) @@ -210,7 +220,7 @@ private static boolean doCheckAuthz(String username, Integer idOrganiz, String s } private static boolean doLogin(String username, String password, String ipAddress, Query q1, Query ipListQuery, - String commonName) throws AuthWSException { + String commonName, boolean isOAuth2) throws AuthWSException { Object res[]; try { res = (Object[]) q1.getSingleResult(); 
@@ -254,6 +264,12 @@ private static boolean doLogin(String username, String password, String ipAddres throw new AuthWSException(AuthWSException.CodiceErrore.LOGIN_FALLITO, LOGIN_FALLITO_MSG); } } + } else if (!isOAuth2) { + log.warn("Login failed for user: " + username); + throw new AuthWSException(AuthWSException.CodiceErrore.LOGIN_FALLITO, LOGIN_FALLITO_MSG); + } else { + log.warn("Login failed for user: " + username); + throw new AuthWSException(AuthWSException.CodiceErrore.LOGIN_FALLITO, LOGIN_FALLITO_NO_PASSWORD); } if (ipCheck) { @@ -281,8 +297,8 @@ private static boolean doLogin(String username, String password, String ipAddres } private static boolean doLoginAndCheckAuthz(String username, String password, Integer idOrganiz, String servizioWeb, - String ipAddress, Query q1, Query q2, Query ipListQuery) throws AuthWSException { - doLogin(username, password, ipAddress, q1, ipListQuery, null); + String ipAddress, Query q1, Query q2, Query ipListQuery, boolean isOAuth2) throws AuthWSException { + doLogin(username, password, ipAddress, q1, ipListQuery, null, isOAuth2); doCheckAuthz(username, idOrganiz, servizioWeb, q2); return true; diff --git a/spagolite-paginator-ejb/pom.xml b/spagolite-paginator-ejb/pom.xml index ca5cbcd..172b1a8 100644 --- a/spagolite-paginator-ejb/pom.xml +++ b/spagolite-paginator-ejb/pom.xml @@ -6,7 +6,7 @@ it.eng.parer spagofat - 6.15.2-SNAPSHOT + 6.15.3-SNAPSHOT diff --git a/spagolite-paginator-gf/pom.xml b/spagolite-paginator-gf/pom.xml index cf8f7a5..993741c 100644 --- a/spagolite-paginator-gf/pom.xml +++ b/spagolite-paginator-gf/pom.xml @@ -5,7 +5,7 @@ it.eng.parer spagofat - 6.15.2-SNAPSHOT + 6.15.3-SNAPSHOT diff --git a/spagolite-si-client/pom.xml b/spagolite-si-client/pom.xml index a2aa0b7..d9a1149 100644 --- a/spagolite-si-client/pom.xml +++ b/spagolite-si-client/pom.xml @@ -7,7 +7,7 @@ it.eng.parer spagofat - 6.15.2-SNAPSHOT + 6.15.3-SNAPSHOT 
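Review bot: The two new branches at the end of doLogin differ only in the message they throw, so `isOAuth2` never changes the outcome — a missing password is rejected in both modes; if that is the intent, collapse them into one `else` with `log.warn("Login failed for user: {}", username);` and `throw new AuthWSException(AuthWSException.CodiceErrore.LOGIN_FALLITO, isOAuth2 ? LOGIN_FALLITO_NO_PASSWORD : LOGIN_FALLITO_MSG);`, which also replaces the string concatenation in the new log calls with an SLF4J placeholder. The condition of the enclosing `if` is outside the hunk, so it is not visible from here whether the certificate path — `login(certCommonName, em)` calls doLogin with a null password and `false` — now falls into the new `else` and fails; that overload needs a test confirming it still succeeds. The fix appears to close a path where a request without a password fell through to the IP check; a regression test pinning that a null password throws LOGIN_FALLITO in both modes would keep that from reappearing. doLogin starts before this hunk and continues after it.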
diff --git a/spagolite-si-server/pom.xml b/spagolite-si-server/pom.xml index a6a3ea7..00f00f0 100644 --- a/spagolite-si-server/pom.xml +++ b/spagolite-si-server/pom.xml @@ -6,7 +6,7 @@ it.eng.parer spagofat - 6.15.2-SNAPSHOT + 6.15.3-SNAPSHOT war diff --git a/spagolite-si-util/pom.xml b/spagolite-si-util/pom.xml index 2b02600..952cfb9 100644 --- a/spagolite-si-util/pom.xml +++ b/spagolite-si-util/pom.xml @@ -14,7 +14,7 @@ it.eng.parer spagofat - 6.15.2-SNAPSHOT + 6.15.3-SNAPSHOT diff --git a/spagolite-sl-ejb/pom.xml b/spagolite-sl-ejb/pom.xml index 5998e42..e0b3215 100644 --- a/spagolite-sl-ejb/pom.xml +++ b/spagolite-sl-ejb/pom.xml @@ -7,7 +7,7 @@ it.eng.parer spagofat - 6.15.2-SNAPSHOT + 6.15.3-SNAPSHOT diff --git a/spagolite-sl-jpa/pom.xml b/spagolite-sl-jpa/pom.xml index 0721170..e13ca65 100644 --- a/spagolite-sl-jpa/pom.xml +++ b/spagolite-sl-jpa/pom.xml @@ -7,7 +7,7 @@ it.eng.parer spagofat - 6.15.2-SNAPSHOT + 6.15.3-SNAPSHOT diff --git a/spagolite-sl-slg/pom.xml b/spagolite-sl-slg/pom.xml index aaa21da..1965a15 100644 --- a/spagolite-sl-slg/pom.xml +++ b/spagolite-sl-slg/pom.xml @@ -7,7 +7,7 @@ it.eng.parer spagofat - 6.15.2-SNAPSHOT + 6.15.3-SNAPSHOT diff --git a/spagolite-sl-web/pom.xml b/spagolite-sl-web/pom.xml index cff9efa..56160a5 100644 --- a/spagolite-sl-web/pom.xml +++ b/spagolite-sl-web/pom.xml @@ -7,7 +7,7 @@ it.eng.parer spagofat - 6.15.2-SNAPSHOT + 6.15.3-SNAPSHOT diff --git a/spagolite-timer-wrapper-common/pom.xml b/spagolite-timer-wrapper-common/pom.xml index 64d8230..04ada67 100644 --- a/spagolite-timer-wrapper-common/pom.xml +++ b/spagolite-timer-wrapper-common/pom.xml @@ -4,7 +4,7 @@ it.eng.parer spagofat - 6.15.2-SNAPSHOT + 6.15.3-SNAPSHOT spagofat-timer-wrapper-common Spagolite Timer wrapper - common diff --git a/spagolite-timer-wrapper-ejb/pom.xml b/spagolite-timer-wrapper-ejb/pom.xml index 8f8cfcd..2c17de5 100644 --- a/spagolite-timer-wrapper-ejb/pom.xml +++ b/spagolite-timer-wrapper-ejb/pom.xml 
@@ -4,7 +4,7 @@ it.eng.parer spagofat - 6.15.2-SNAPSHOT + 6.15.3-SNAPSHOT spagofat-timer-wrapper-ejb Spagolite Timer wrapper - ejb diff --git a/spagolite-webresources/pom.xml b/spagolite-webresources/pom.xml index dd2df70..a834dee 100644 --- a/spagolite-webresources/pom.xml +++ b/spagolite-webresources/pom.xml @@ -6,7 +6,7 @@ it.eng.parer spagofat - 6.15.2-SNAPSHOT + 6.15.3-SNAPSHOT diff --git a/src/site/owasp/suppress.xml b/src/site/owasp/suppress.xml index f5fe35c..5964e5f 100644 --- a/src/site/owasp/suppress.xml +++ b/src/site/owasp/suppress.xml @@ -1,16 +1,10 @@ - ^pkg:maven/org\.springframework/spring-web@.*$ CVE-2016-1000027 - ^pkg:maven/org\.springframework\.security/spring-security-crypto@.*$ CVE-2020-5408