From 79bae717a220d55fd02a238824a537f723e8ff25 Mon Sep 17 00:00:00 2001
From: Massimiliano Assante
Date: Thu, 24 Aug 2017 17:29:18 +0000
Subject: [PATCH] added further check on the user and groupid in the XHR Request

git-svn-id: https://svn.research-infrastructures.eu/d4science/gcube/trunk/portal/portal-manager@152517 82a268e6-3cf1-43bd-a215-b396298e98cf
---
 pom.xml | 2 +-
 .../org/gcube/common/portal/PortalContext.java | 14 ++++++++------
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/pom.xml b/pom.xml
index 4d22626..699584f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -10,7 +10,7 @@
 org.gcube.common.portal
 portal-manager
- 2.3.0-SNAPSHOT
+ 2.4.0-SNAPSHOT
 jar
 gCube Portal Manager
diff --git a/src/main/java/org/gcube/common/portal/PortalContext.java b/src/main/java/org/gcube/common/portal/PortalContext.java
index 5b2fbe5..e15f32c 100644
--- a/src/main/java/org/gcube/common/portal/PortalContext.java
+++ b/src/main/java/org/gcube/common/portal/PortalContext.java
@@ -13,6 +13,7 @@ import javax.portlet.RenderRequest;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
+import org.apache.commons.codec.binary.StringUtils;
 import org.gcube.common.authorization.client.exceptions.ObjectNotFound;
 import org.gcube.common.authorization.library.provider.SecurityTokenProvider;
 import org.gcube.common.authorization.library.provider.UserInfo;
@@ -57,6 +58,7 @@ public class PortalContext {
 * Scope separators used in linear syntax.
 */
 protected static final String SCOPE_SEPARATOR = "/";
+ private static final String REGEX_ISNUMBER = "\\d+";
 private final static String DEFAULT_ROLE = "OrganizationMember";
 public static final String CONFIGURATION_FOLDER = "conf";
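Review bot: The new `import org.apache.commons.codec.binary.StringUtils;` is not referenced by any hunk in this patch, so as far as the diff shows it is dead and only widens the class's dependency surface (commons-codec) for nothing. If the usage was dropped before committing, drop the import as well; if it is meant for a later change, leave it out until that change lands so the import list remains an accurate picture of what the class actually needs.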
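Review bot: `REGEX_ISNUMBER` is stored as a `String` and consumed through `String.matches`, which recompiles the pattern on every request-header check; it would be better held as a compiled `Pattern` with a comment stating the rule, e.g. `/** Request-header ids must be plain ASCII decimal digits; anything else is treated as absent before parsing. */ private static final Pattern ID_PATTERN = Pattern.compile("\\d+");` (requires `import java.util.regex.Pattern;`), with call sites using `ID_PATTERN.matcher(value).matches()`. Note that `\d+` still admits digit strings too long for a `long`, so the `Long.parseLong` calls must keep their `NumberFormatException` handling rather than treating the regex as a full guarantee.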
@@ -152,7 +154,7 @@ public class PortalContext {
 public GCubeUser getCurrentUser(HttpServletRequest httpServletRequest) {
 String userIdNo = httpServletRequest.getHeader(USER_ID_ATTR_NAME);
 long userId = -1;
- if (userIdNo != null) {
+ if (userIdNo != null && userIdNo.matches(REGEX_ISNUMBER)) {
 try {
 _log.debug("The userIdNo is " + userIdNo);
 userId = Long.parseLong(userIdNo);
@@ -202,7 +204,7 @@ public class PortalContext {
 * @return the scope (context)
 */
 public String getCurrentScope(String scopeGroupId) {
- if (scopeGroupId != null) {
+ if (scopeGroupId != null && scopeGroupId.matches(REGEX_ISNUMBER)) {
 long groupId = -1;
 try {
 groupId = Long.parseLong(scopeGroupId);
@@ -252,7 +254,7 @@ public class PortalContext {
 */
 public String getCurrentGroupName(HttpServletRequest httpServletRequest) {
 String groupIdNo = httpServletRequest.getHeader(VRE_ID_ATTR_NAME);
- if (groupIdNo != null) {
+ if (groupIdNo != null && groupIdNo.matches(REGEX_ISNUMBER)) {
 long groupId = -1;
 try {
 groupId = Long.parseLong(groupIdNo);
@@ -285,7 +287,7 @@ public class PortalContext {
 */
 public long getCurrentGroupId(HttpServletRequest httpServletRequest) {
 String groupIdNo = httpServletRequest.getHeader(VRE_ID_ATTR_NAME);
- if (groupIdNo != null) {
+ if (groupIdNo != null && groupIdNo.matches(REGEX_ISNUMBER)) {
 long groupId = -1;
 try {
 groupId = Long.parseLong(groupIdNo);
@@ -324,7 +326,7 @@ public class PortalContext {
 } else {
 String toReturn = readTokenPropertyFile();
- _log.debug("getCurrentToken devMode into IDE detected, returning scope: " + toReturn.toString());
+ _log.debug("getCurrentToken devMode into IDE detected, returning token: " + toReturn.toString());
 _log.debug("The PortalBeanLocatorUtil stacktrace (java.lang.Exception) is acceptable in dev");
 return toReturn;
 }
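Review bot: The added `userIdNo.matches(REGEX_ISNUMBER)` in `getCurrentUser` validates the shape of the `USER_ID_ATTR_NAME` header, not who sent it: any well-formed numeric id still passes, so a client that controls the XHR headers can still name a different user unless something upstream (a trusted filter or proxy) overwrites this header, which the diff does not show. If the header is client-supplied, the user identity should come from the authenticated session or principal rather than the header, or the header value should at least be compared against the session's user id and rejected on mismatch. A comment above the check recording where the header is expected to be set, such as `// USER_ID_ATTR_NAME is set by the portal's own XHR calls; treat it as a hint, not as an authenticated identity`, would make the trust assumption explicit for the next reader. The method's catch block and return continue outside the hunk.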
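Review bot: The same `!= null && matches(REGEX_ISNUMBER)` guard followed by `long groupId = -1; try { Long.parseLong(...)` now appears in `getCurrentScope`, `getCurrentGroupName`, `getCurrentGroupId` and two more methods in this patch, so the validation rule lives in five places and will drift the next time it is tightened. A small private helper that does the null check, the digit check and the parse in one place, returning a sentinel on any failure, would let each call site collapse to `long groupId = parseRequestId(scopeGroupId);` and keep a single documented definition of what an acceptable id is. The catch blocks of the existing call sites are outside the hunk, so the helper's failure value must be chosen to match whatever they currently do with `-1`.
```java
/** Parses a request-supplied id; returns -1 when it is null, not plain decimal digits, or does not fit in a long. */
private static long parseRequestId(String raw) {
    if (raw == null || !raw.matches(REGEX_ISNUMBER)) {
        return -1;
    }
    try {
        return Long.parseLong(raw);
    } catch (NumberFormatException e) {
        return -1;
    }
}
```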
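Review bot: The corrected message in the `else` branch still concatenates `toReturn`, the value read by `readTokenPropertyFile()`, into a debug log line, so the token itself ends up in the log whenever debug logging is enabled in dev mode; log that a token was loaded, not its value: `_log.debug("getCurrentToken devMode into IDE detected, returning token read from the property file");`. `toReturn.toString()` on a `String` is also redundant and would throw if `readTokenPropertyFile()` ever returned null, which the hunk does not show being guarded. The `if` branch and the method signature lie outside the hunk.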
@@ -376,7 +378,7 @@ public class PortalContext {
 public String getCurrentUserToken(HttpServletRequest httpServletRequest) {
 String groupIdNo = httpServletRequest.getHeader(VRE_ID_ATTR_NAME);
 String userToken = null;
- if (groupIdNo != null) {
+ if (groupIdNo != null && groupIdNo.matches(REGEX_ISNUMBER)) {
 String scope = getCurrentScope(httpServletRequest);
 String username = getCurrentUser(httpServletRequest).getUsername();
 try {
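Review bot: In `getCurrentUserToken` the new guard validates `groupIdNo`, but the guarded lines then call `getCurrentScope(httpServletRequest)` and `getCurrentUser(httpServletRequest).getUsername()` without using the validated value, so the check only decides whether the block runs at all and the `.getUsername()` call dereferences whatever `getCurrentUser` returns. If `getCurrentUser` can return null for a missing or malformed `USER_ID_ATTR_NAME` header (its failure path is outside this diff), that line throws a `NullPointerException` instead of falling through to the null `userToken`. Consider fetching the user first and returning early when it is absent, e.g. `GCubeUser user = getCurrentUser(httpServletRequest); if (user == null) { return null; }` before reading the username, and add a javadoc sentence stating that the method presumably returns null when either header is absent or invalid. The rest of the method body is outside the hunk.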