Commit 893d0fdc by Tuukka Kivilahti

Merge branch 'hostnamefix' into 'master'

Logging for hostname privilege escalation

See merge request !217
2 parents b1c2c9b5 ed4b0317
...@@ -37,4 +37,6 @@ public interface LoggingBeanLocal { ...@@ -37,4 +37,6 @@ public interface LoggingBeanLocal {
void sendMessage(MoyaEventType type, EventUser user, Object... message); void sendMessage(MoyaEventType type, EventUser user, Object... message);
void sendMessage(MoyaEventType type, Object... message);
} }
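Review bot: The new `sendMessage(MoyaEventType type, Object... message)` declaration carries no Javadoc, so a caller reading the interface cannot tell how the user is attributed or how the message parts are joined; the MoyaEventSender implementation in this commit takes the user from `permbean.getCurrentUser()` and concatenates the parts without separators. A line such as `/** Sends an event attributed to the user of the current context; message parts are concatenated without separators. */` above the declaration would state that contract. Since both overloads accept varargs, a call whose second argument is an `EventUser` binds to the three-parameter form, which is worth mentioning so a caller that wants an `EventUser` as message content knows to cast it to `Object`. The interface body continues outside the hunk.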
...@@ -81,4 +81,14 @@ public class MoyaEventSender implements LoggingBeanLocal { ...@@ -81,4 +81,14 @@ public class MoyaEventSender implements LoggingBeanLocal {
} }
@Override
public void sendMessage(MoyaEventType type, Object... message) {
StringBuilder sb = new StringBuilder();
for (Object m : message) {
sb.append(m);
}
sendMessage(type, permbean.getCurrentUser(), sb.toString());
}
} }
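Review bot: `permbean.getCurrentUser()` in the last statement of the new method is called unconditionally, and whether it returns null or throws when no user is authenticated is not visible here; the HostnameFilter caller added in the same commit explicitly handles a null principal, so that path evidently runs for unauthenticated requests. If `getCurrentUser()` throws in that state, the permission-violation event is never sent and its exception replaces the intended `Hostname mismatch!` denial, so the lookup should be confirmed safe or guarded so the audit event is still emitted. The method also lacks Javadoc; a line such as `/** Sends an event attributed to the current user; message parts are appended in order with no separator. */` would document what distinguishes this overload from the EventUser one. The enclosing class continues outside the hunk.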
...@@ -72,7 +72,7 @@ ...@@ -72,7 +72,7 @@
<dependency> <dependency>
<groupId>fi.iudex</groupId> <groupId>fi.iudex</groupId>
<artifactId>utils-standalone</artifactId> <artifactId>utils-standalone</artifactId>
<version>1.0.11</version> <version>1.0.12</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>net.sf.barcode4j</groupId> <groupId>net.sf.barcode4j</groupId>
...@@ -124,14 +124,13 @@ ...@@ -124,14 +124,13 @@
<dependency> <dependency>
<groupId>fi.iudex</groupId> <groupId>fi.iudex</groupId>
<artifactId>jerklib</artifactId> <artifactId>jerklib</artifactId>
<version>1.0.2</version> <version>1.0.4</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>net.matlux</groupId> <groupId>net.matlux</groupId>
<artifactId>jvm-breakglass</artifactId> <artifactId>jvm-breakglass</artifactId>
<version>0.0.7</version> <version>0.0.7</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>com.wordnik</groupId> <groupId>com.wordnik</groupId>
<artifactId>swagger-annotations</artifactId> <artifactId>swagger-annotations</artifactId>
......
...@@ -40,11 +40,13 @@ import org.slf4j.Logger; ...@@ -40,11 +40,13 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import org.slf4j.MDC; import org.slf4j.MDC;
import fi.codecrew.moya.beans.LoggingBeanLocal;
import fi.codecrew.moya.beans.RestBeanLocal; import fi.codecrew.moya.beans.RestBeanLocal;
import fi.codecrew.moya.beans.SessionMgmtBeanLocal; import fi.codecrew.moya.beans.SessionMgmtBeanLocal;
import fi.codecrew.moya.clientutils.BortalLocalContextHolder; import fi.codecrew.moya.clientutils.BortalLocalContextHolder;
import fi.codecrew.moya.model.User; import fi.codecrew.moya.model.User;
import fi.codecrew.moya.rest.RestApplicationEntrypoint; import fi.codecrew.moya.rest.RestApplicationEntrypoint;
import fi.codecrew.moya.utilities.moyamessage.MoyaEventType;
/** /**
* Servlet Filter implementation class HostnameFilter * Servlet Filter implementation class HostnameFilter
...@@ -59,6 +61,8 @@ public class HostnameFilter implements Filter { ...@@ -59,6 +61,8 @@ public class HostnameFilter implements Filter {
@EJB @EJB
private RestBeanLocal restauth; private RestBeanLocal restauth;
@EJB
private LoggingBeanLocal logbean;
@Override @Override
public void init(FilterConfig config) throws ServletException { public void init(FilterConfig config) throws ServletException {
...@@ -279,6 +283,16 @@ public class HostnameFilter implements Filter { ...@@ -279,6 +283,16 @@ public class HostnameFilter implements Filter {
if (sessionHostname == null) { if (sessionHostname == null) {
session.setAttribute(SESSION_HOSTNAMESTORE, hostname); session.setAttribute(SESSION_HOSTNAMESTORE, hostname);
} else if (!hostname.equals(sessionHostname)) { } else if (!hostname.equals(sessionHostname)) {
Principal principal = httpRequest.getUserPrincipal();
String login = null;
if (principal != null) {
login = principal.getName();
}
logbean.sendMessage(MoyaEventType.USER_PERMISSION_VIOLATION,
"Hostname mismatch privilege escalation! User '", login,
"' tried to change hostname from '", sessionHostname,
"' to '", hostname, ",");
throw new RuntimeException("Hostname mismatch!"); throw new RuntimeException("Hostname mismatch!");
} }
......
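Review bot: The final fragment of the `logbean.sendMessage(...)` call is `","`, which leaves the new hostname without its closing quote in the logged text (`... to 'newhost,`); it should be `"' to '", hostname, "'");` to match the earlier fragments. `sessionHostname` and `hostname` appear to originate from the request (their assignment is outside the hunk), so they reach the audit event unfiltered; stripping control characters such as CR and LF before logging, or doing so inside the event sender, would keep a crafted host value from forging additional log lines. When the request is unauthenticated `login` stays `null` and is rendered as the text `null`, so an explicit marker such as `"<unauthenticated>"` would read less ambiguously. `Principal` is not added by the import hunk, so it is presumably already imported; worth checking. The enclosing method starts and ends outside the hunk.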