Release 6.15.2

CHANGELOG.md

@@ -1,4 +1,9 @@
 
+## 6.15.2 (11-11-2024)
+
+### Bugfix: 1
+- [#34615](https://parermine.regione.emilia-romagna.it/issues/34615) Correzione controllo esistenza password nulla nel servizi di recupero
+
 ## 6.15.1 (12-09-2024)
 
 ### Bugfix: 1

RELEASE-NOTES.md

@@ -1,4 +1,4 @@
-## 6.15.1 (12-09-2024)
+## 6.15.2 (11-11-2024)
 
 ### Bugfix: 1
-- [#33872](https://parermine.regione.emilia-romagna.it/issues/33872) Correzione recupero informazione organizzazione versante
+- [#34615](https://parermine.regione.emilia-romagna.it/issues/34615) Correzione controllo esistenza password nulla nel servizi di recupero

pom.xml

@@ -1,19 +1,19 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <artifactId>spagofat</artifactId>
-    <version>6.15.2-SNAPSHOT</version>
+    <version>6.15.3-SNAPSHOT</version>
     <packaging>pom</packaging>
     <name>Spagolite</name>
     <description>Framework utilizzato dalle applicazioni web, si tratta di uno strato software comune contenente anche le dipendenze di terze parti ed ereditato come bom.</description>
 
-    <distributionManagement>
+<distributionManagement>
         <repository>
                <id>github</id>
                <url>https://maven.pkg.github.com/RegioneER/parer-framework-spagolite</url>
            </repository>      
     </distributionManagement>
 
-    <repositories>
+<repositories>
         <repository>
             <id>github</id>
             <url>https://maven.pkg.github.com/RegioneER/parer-framework-parerpom</url>            
@@ -23,16 +23,13 @@
     <parent>
         <groupId>it.eng.parer</groupId>
         <artifactId>parer-pom</artifactId>
-        <version>6.4.0</version>
+        <version>6.4.1</version>
     </parent>
 
-    <scm>
+<scm>
         <developerConnection>scm:git:https://github.com/RegioneER/parer-framework-spagolite.git</developerConnection>
         <tag>HEAD</tag>
     </scm>
-
-
-
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <!-- Javadoc skipped by default (temporaneo) -->

spagolite-core/pom.xml

@@ -8,7 +8,7 @@
     <parent>
         <groupId>it.eng.parer</groupId>
         <artifactId>spagofat</artifactId>
-        <version>6.15.2-SNAPSHOT</version>
+        <version>6.15.3-SNAPSHOT</version>
     </parent>
     <dependencies>
         <dependency>

spagolite-middle/pom.xml

@@ -8,7 +8,7 @@
     <parent>
         <groupId>it.eng.parer</groupId>
         <artifactId>spagofat</artifactId>
-        <version>6.15.2-SNAPSHOT</version>
+        <version>6.15.3-SNAPSHOT</version>
     </parent>
     <build>
         <plugins>

spagolite-middle/src/main/java/it/eng/spagoLite/security/auth/SOAPIamLoginHandler.java

@@ -85,7 +85,7 @@ public boolean handleMessage(SOAPMessageContext msgCtx) {
                         && (passNode = passwordEl.item(0)) != null && (servizioWeb = svcn.getLocalPart()) != null) {
                     username = userNode.getFirstChild().getNodeValue();
                     password = passNode.getFirstChild().getNodeValue();
-                    WSLoginHandler.loginAndCheckAuthzIAM(username, password, servizioWeb, ipAddress, em);
+                    WSLoginHandler.loginAndCheckAuthzIAM(username, password, servizioWeb, ipAddress, em, false);
                     msgCtx.put(AuthenticationHandlerConstants.AUTHN_STAUTS, java.lang.Boolean.TRUE);
                     msgCtx.put(AuthenticationHandlerConstants.USER, username);
                     msgCtx.put(AuthenticationHandlerConstants.PWD, password);

spagolite-middle/src/main/java/it/eng/spagoLite/security/auth/SOAPServerLoginHandler2.java

@@ -86,7 +86,7 @@ public boolean handleMessage(SOAPMessageContext msgCtx) {
                         && (passNode = passwordEl.item(0)) != null && (servizioWeb = svcn.getLocalPart()) != null) {
                     username = userNode.getFirstChild().getNodeValue();
                     password = passNode.getFirstChild().getNodeValue();
-                    WSLoginHandler.loginAndCheckAuthzAtLeastOneOrganiz(username, password, servizioWeb, ipAddress, em);
+                    WSLoginHandler.loginAndCheckAuthzAtLeastOneOrganiz(username, password, servizioWeb, ipAddress, em, false);
                     msgCtx.put(AuthenticationHandlerConstants.AUTHN_STAUTS, java.lang.Boolean.TRUE);
                     msgCtx.put(AuthenticationHandlerConstants.USER, username);
                     msgCtx.put(AuthenticationHandlerConstants.PWD, password);

spagolite-middle/src/main/java/it/eng/spagoLite/security/auth/WSLoginHandler.java

@@ -43,6 +43,7 @@ public class WSLoginHandler {
     private static Logger log = LoggerFactory.getLogger(WSLoginHandler.class);
 
     private static final String LOGIN_FALLITO_MSG = "Username e/o password errate/a";
+    private static final String LOGIN_FALLITO_NO_PASSWORD = "Valorizzare il campo password";
     private static final String PROBLEMA_ESTRAZIONE_APPLICAZIONE_MSG = "Problema nell'estrazione dei dati dell'applicazione";
 
     private static final String LOGIN_IP_FALLITO_MSG = "Indirizzo IP dell'utente che ha originato la richiesta non autorizzato";
@@ -111,7 +112,16 @@ public static boolean login(String username, String password, String ipAddress,
         q1.setParameter("username", username);
         Query ipListQuery = em.createQuery(IP_LIST_QUERY);
         ipListQuery.setParameter("username", username);
-        return doLogin(username, password, ipAddress, q1, ipListQuery, null);
+        return doLogin(username, password, ipAddress, q1, ipListQuery, null, false);
+    }
+
+    public static boolean login(String username, String password, String ipAddress, EntityManager em, boolean isOAuth2)
+            throws AuthWSException {
+        Query q1 = em.createQuery(LOGIN_QUERY);
+        q1.setParameter("username", username);
+        Query ipListQuery = em.createQuery(IP_LIST_QUERY);
+        ipListQuery.setParameter("username", username);
+        return doLogin(username, password, ipAddress, q1, ipListQuery, null, isOAuth2);
     }
 
     /**
@@ -127,7 +137,7 @@ public static boolean login(String certCommonName, EntityManager em) throws Auth
         q1.setParameter("username", certCommonName);
         // Nel parametro username passa il common name che eventualmente viene usato
         // nel messaggio di errore nel caso l'utente non esistesse
-        return doLogin(certCommonName, null, null, q1, null, certCommonName);
+        return doLogin(certCommonName, null, null, q1, null, certCommonName, false);
     }
 
     /**
@@ -151,15 +161,15 @@ public static boolean login(String certCommonName, EntityManager em) throws Auth
      *             eccezione lanciata se l'utente non è autorizzato
      */
     public static boolean loginAndCheckAuthzAtLeastOneOrganiz(String username, String password, String servizioWeb,
-            String ipAddress, EntityManager em) throws AuthWSException {
+            String ipAddress, EntityManager em, boolean isOAuth2) throws AuthWSException {
         Query q1 = em.createQuery(LOGIN_QUERY);
         q1.setParameter("username", username);
         Query q2 = em.createQuery(AT_LEAST_ONE_AUTH_QUERY);
         q2.setParameter("username", username);
         q2.setParameter("servizioWeb", servizioWeb);
         Query ipListQuery = em.createQuery(IP_LIST_QUERY);
         ipListQuery.setParameter("username", username);
-        return doLoginAndCheckAuthz(username, password, null, servizioWeb, ipAddress, q1, q2, ipListQuery);
+        return doLoginAndCheckAuthz(username, password, null, servizioWeb, ipAddress, q1, q2, ipListQuery, isOAuth2);
     }
 
     /**
@@ -182,15 +192,15 @@ public static boolean loginAndCheckAuthzAtLeastOneOrganiz(String username, Strin
      *             eccezione lanciata se l'utente non è autorizzato
      */
     public static boolean loginAndCheckAuthzIAM(String username, String password, String servizioWeb, String ipAddress,
-            EntityManager em) throws AuthWSException {
+            EntityManager em, boolean isOAuth2) throws AuthWSException {
         Query q1 = em.createQuery(IAM_LOGIN_QUERY);
         q1.setParameter("username", username);
         Query q2 = em.createQuery(IAM_AUTH_QUERY);
         q2.setParameter("username", username);
         q2.setParameter("servizioWeb", servizioWeb);
         Query ipListQuery = em.createQuery(IAM_IP_LIST_QUERY);
         ipListQuery.setParameter("username", username);
-        return doLoginAndCheckAuthz(username, password, null, servizioWeb, ipAddress, q1, q2, ipListQuery);
+        return doLoginAndCheckAuthz(username, password, null, servizioWeb, ipAddress, q1, q2, ipListQuery, isOAuth2);
     }
 
     private static boolean doCheckAuthz(String username, Integer idOrganiz, String servizioWeb, Query q2)
@@ -210,7 +220,7 @@ private static boolean doCheckAuthz(String username, Integer idOrganiz, String s
     }
 
     private static boolean doLogin(String username, String password, String ipAddress, Query q1, Query ipListQuery,
-            String commonName) throws AuthWSException {
+            String commonName, boolean isOAuth2) throws AuthWSException {
         Object res[];
         try {
             res = (Object[]) q1.getSingleResult();
@@ -254,6 +264,12 @@ private static boolean doLogin(String username, String password, String ipAddres
                             throw new AuthWSException(AuthWSException.CodiceErrore.LOGIN_FALLITO, LOGIN_FALLITO_MSG);
                         }
                     }
+                } else if (!isOAuth2) {
+                    log.warn("Login failed for user: " + username);
+                    throw new AuthWSException(AuthWSException.CodiceErrore.LOGIN_FALLITO, LOGIN_FALLITO_MSG);
+                } else {
+                    log.warn("Login failed for user: " + username);
+                    throw new AuthWSException(AuthWSException.CodiceErrore.LOGIN_FALLITO, LOGIN_FALLITO_NO_PASSWORD);
                 }
 
                 if (ipCheck) {
@@ -281,8 +297,8 @@ private static boolean doLogin(String username, String password, String ipAddres
     }
 
     private static boolean doLoginAndCheckAuthz(String username, String password, Integer idOrganiz, String servizioWeb,
-            String ipAddress, Query q1, Query q2, Query ipListQuery) throws AuthWSException {
-        doLogin(username, password, ipAddress, q1, ipListQuery, null);
+            String ipAddress, Query q1, Query q2, Query ipListQuery, boolean isOAuth2) throws AuthWSException {
+        doLogin(username, password, ipAddress, q1, ipListQuery, null, isOAuth2);
         doCheckAuthz(username, idOrganiz, servizioWeb, q2);
         return true;
 

spagolite-paginator-ejb/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>it.eng.parer</groupId>
         <artifactId>spagofat</artifactId>
-        <version>6.15.2-SNAPSHOT</version>
+        <version>6.15.3-SNAPSHOT</version>
     </parent>
 
      <dependencyManagement>

spagolite-paginator-gf/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <groupId>it.eng.parer</groupId>
         <artifactId>spagofat</artifactId>
-        <version>6.15.2-SNAPSHOT</version>
+        <version>6.15.3-SNAPSHOT</version>
     </parent>
 
     <dependencyManagement>

spagolite-si-client/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>it.eng.parer</groupId>
         <artifactId>spagofat</artifactId>
-        <version>6.15.2-SNAPSHOT</version>
+        <version>6.15.3-SNAPSHOT</version>
     </parent>
     <dependencies>
         <dependency>

spagolite-si-server/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>it.eng.parer</groupId>
         <artifactId>spagofat</artifactId>
-        <version>6.15.2-SNAPSHOT</version>
+        <version>6.15.3-SNAPSHOT</version>
     </parent>
     <packaging>war</packaging>
     <dependencies>

spagolite-si-util/pom.xml

@@ -14,7 +14,7 @@
     <parent>
         <groupId>it.eng.parer</groupId>
         <artifactId>spagofat</artifactId>
-        <version>6.15.2-SNAPSHOT</version>
+        <version>6.15.3-SNAPSHOT</version>
     </parent>
     <build>
         <plugins>

spagolite-sl-ejb/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>it.eng.parer</groupId>
         <artifactId>spagofat</artifactId>
-        <version>6.15.2-SNAPSHOT</version>
+        <version>6.15.3-SNAPSHOT</version>
     </parent>
 
     <dependencies>

spagolite-sl-jpa/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>it.eng.parer</groupId>
         <artifactId>spagofat</artifactId>
-        <version>6.15.2-SNAPSHOT</version>
+        <version>6.15.3-SNAPSHOT</version>
     </parent>
     <dependencies>
         <dependency>

spagolite-sl-slg/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>it.eng.parer</groupId>
         <artifactId>spagofat</artifactId>
-        <version>6.15.2-SNAPSHOT</version>
+        <version>6.15.3-SNAPSHOT</version>
     </parent>
     <dependencies>
         <dependency>

spagolite-sl-web/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>it.eng.parer</groupId>
         <artifactId>spagofat</artifactId>
-        <version>6.15.2-SNAPSHOT</version>
+        <version>6.15.3-SNAPSHOT</version>
     </parent>
     <dependencies>
 		<dependency>

spagolite-timer-wrapper-common/pom.xml

@@ -4,7 +4,7 @@
     <parent>
         <groupId>it.eng.parer</groupId>
         <artifactId>spagofat</artifactId>
-        <version>6.15.2-SNAPSHOT</version>
+        <version>6.15.3-SNAPSHOT</version>
     </parent>
     <artifactId>spagofat-timer-wrapper-common</artifactId>
     <name>Spagolite Timer wrapper - common</name>

spagolite-timer-wrapper-ejb/pom.xml

@@ -4,7 +4,7 @@
     <parent>
         <groupId>it.eng.parer</groupId>
         <artifactId>spagofat</artifactId>
-        <version>6.15.2-SNAPSHOT</version>
+        <version>6.15.3-SNAPSHOT</version>
     </parent>
     <artifactId>spagofat-timer-wrapper-ejb</artifactId>
     <name>Spagolite Timer wrapper - ejb</name>

spagolite-webresources/pom.xml

@@ -6,7 +6,7 @@
 	<parent>
 		<groupId>it.eng.parer</groupId>
 		<artifactId>spagofat</artifactId>
-		<version>6.15.2-SNAPSHOT</version>
+		<version>6.15.3-SNAPSHOT</version>
 	</parent>
 	<build>
 		<plugins>

src/site/owasp/suppress.xml

@@ -1,16 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
     <suppress>
-        <notes><![CDATA[
-        file name: spring-web-5.3.37.jar
-        ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.springframework/spring-web@.*$</packageUrl>
         <cve>CVE-2016-1000027</cve>
      </suppress>
      <suppress>
-        <notes><![CDATA[
-        file name: spring-security-crypto-5.8.13.jar
-        ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring-security-crypto@.*$</packageUrl>
         <vulnerabilityName>CVE-2020-5408</vulnerabilityName>
      </suppress>