0045960: We are sending credentials using GET - Openbravo Issue Tracking System

From a28ffe225d50f38c7b3cea68a368526f2cdde1ed Mon Sep 17 00:00:00 2001 From: Prakash M <prakash@qualiantech.com> Date: Fri, 25 Mar 2022 10:47:19 +0530 Subject: [PATCH] Backport of BUG 45167, 45960 * Ability to provide custom information on login * Changed Terminal Authentication request from GET to POST for security purpose * Included post method in MobileCoreLoginUtilsServlet --- .../mobile/core/login/LoginDataProvider.java | 32 ++++++++++ .../login/MobileCoreLoginUtilsServlet.java | 60 ++++++++++++++++++- 2 files changed, 90 insertions(+), 2 deletions(-) create mode 100644 src/org/openbravo/mobile/core/login/LoginDataProvider.java diff --git a/src/org/openbravo/mobile/core/login/LoginDataProvider.java b/src/org/openbravo/mobile/core/login/LoginDataProvider.java new file mode 100644 index 00000000..cf71230e --- /dev/null +++ b/src/org/openbravo/mobile/core/login/LoginDataProvider.java @@ -0,0 +1,32 @@ +/* + ************************************************************************************ + * Copyright (C) 2020 Openbravo S.L.U. + * Licensed under the Openbravo Commercial License version 1.0 + * You may obtain a copy of the License at http://www.openbravo.com/legal/obcl.html + * or in the legal folder of this module distribution. + ************************************************************************************ + */ +package org.openbravo.mobile.core.login; + +import java.util.Map; + +/** + * Allows to provides extra data to be returned together with the default login data. + */ +public interface LoginDataProvider { + + /** + * Returns data that should be appended to the default login data returned by the + * MobileCoreLoginUtilsServlet servlet when it is invoked with the provided context. + * + * @param context + * context information like the current role or the command used in the request to the + * servlet which may be used by the provider to retrieve the data. + * + * + * @return a map with the data. The keys are the keys of the properties that will be added into + * the resulting object returned by the servlet and the values are objects with the data + * for each property. + */ + public Map<String, Object> getData(Map<String, String> context); +} diff --git a/src/org/openbravo/mobile/core/login/MobileCoreLoginUtilsServlet.java b/src/org/openbravo/mobile/core/login/MobileCoreLoginUtilsServlet.java index da0bb0bc..012464d7 100644 --- a/src/org/openbravo/mobile/core/login/MobileCoreLoginUtilsServlet.java +++ b/src/org/openbravo/mobile/core/login/MobileCoreLoginUtilsServlet.java @@ -10,8 +10,12 @@ package org.openbravo.mobile.core.login; import java.io.IOException; import java.util.HashMap; +import java.util.Map; +import java.util.Map.Entry; import java.util.Properties; +import javax.enterprise.inject.Any; +import javax.enterprise.inject.Instance; import javax.inject.Inject; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; @@ -66,6 +70,10 @@ public class MobileCoreLoginUtilsServlet extends WebServiceAbstractServlet { @Inject private MobileDefaultsHandler defaultsHandler; + @Inject + @Any + private Instance<LoginDataProvider> dataProviders; + @Override public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { @@ -97,12 +105,12 @@ public class MobileCoreLoginUtilsServlet extends WebServiceAbstractServlet { result = getCompanyLogo(request); } else if (command.equals("userImages")) { result = getUserImages(request); - } else if (command.equals("preLoginActions")) { - result = preLogin(request); } else if (command.equals("initActions")) { result = initActions(request); } + addExtraLoginData(result, request); + writeResult(response, result.toString()); } catch (JSONException e) { log.error(e.getMessage(), e); @@ -121,6 +129,54 @@ public class MobileCoreLoginUtilsServlet extends WebServiceAbstractServlet { } } + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws IOException, ServletException { + OBContext.setAdminMode(false); + try { + final String command = request.getParameter("command"); + JSONObject result = new JSONObject(); + + if (command.equals("preLoginActions")) { + result = preLogin(request); + } + + addExtraLoginData(result, request); + writeResult(response, result.toString()); + } catch (JSONException e) { + log.error(e.getMessage(), e); + writeResult(response, JsonUtils.convertExceptionToJson(e)); + } catch (Exception e) { + if (ExternalConnectionPool.getInstance().hasNoConnections(e)) { + log.error("Pool has run out of database connections", e); + writeTechnicalError(response, JsonUtils.convertExceptionToJson(e)); + } else { + log.error(e.getMessage(), e); + writeResult(response, JsonUtils.convertExceptionToJson(e)); + } + } finally { + OBContext.restorePreviousMode(); + OBContext.setOBContext((OBContext) null); + } + } + + private void addExtraLoginData(JSONObject result, HttpServletRequest request) + throws JSONException { + Map<String, String> context = getContextData(request); + for (LoginDataProvider dataProvider : dataProviders) { + for (Entry<String, Object> entry : dataProvider.getData(context).entrySet()) { + result.put(entry.getKey(), entry.getValue()); + } + } + } + + private Map<String, String> getContextData(HttpServletRequest request) { + Map<String, String> context = new HashMap<>(); + context.put("command", request.getParameter("command")); + context.put("moduleId", getModuleId()); + return context; + } + protected JSONObject getPrerrenderData(HttpServletRequest request) throws JSONException { JSONObject data = new JSONObject(); JSONObject item = null; -- 2.20.1

Notes
(0126444) hgbot (developer) 2021-03-02 08:03	Merge Request created: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core/-/merge_requests/174 [^]

(0126445) hgbot (developer) 2021-03-02 08:04	Merge Request created: https://gitlab.com/openbravo/product/pmods/org.openbravo.retail.posterminal/-/merge_requests/330 [^]

(0126450) hgbot (developer) 2021-03-02 08:42	Merge request merged: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core/-/merge_requests/174 [^]

(0126451) hgbot (developer) 2021-03-02 08:42	Directly closing issue as related merge request is already approved. Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core [^] Changeset: ee625818a81de7d1ac99444ef7cf3b9a7aaf4e61 Author: Prakash M <prakash@qualiantech.com> Date: 2021-03-01T16:55:42+05:30 URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core/-/commit/ee625818a81de7d1ac99444ef7cf3b9a7aaf4e61 [^] Fixed BUG-45960 : Changed Terminal Authentication request from GET to POST for security purpose * Included post method in MobileCoreLoginUtilsServlet --- M src/org/openbravo/mobile/core/login/MobileCoreLoginUtilsServlet.java ---

(0126452) hgbot (developer) 2021-03-02 08:43	Directly closing issue as related merge request is already approved. Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.retail.posterminal [^] Changeset: ade6e0956a8bfa6685761bcce7c5878af2796ae6 Author: Prakash M <prakash@qualiantech.com> Date: 2021-03-02T13:10:52+05:30 URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.retail.posterminal/-/commit/ade6e0956a8bfa6685761bcce7c5878af2796ae6 [^] Fixed BUG-45960 : Changed Terminal Authentication request from GET to POST for security purpose --- M web/org.openbravo.retail.posterminal/js/login/model/login-model.js ---

(0126453) hgbot (developer) 2021-03-02 08:43	Merge request merged: https://gitlab.com/openbravo/product/pmods/org.openbravo.retail.posterminal/-/merge_requests/330 [^]

Issue History
Date Modified	Username	Field	Change
2021-02-26 13:14	migueldejuana	New Issue
2021-02-26 13:14	migueldejuana	Assigned To	=> prakashmurugesan88
2021-02-26 13:14	migueldejuana	OBNetwork customer	=> No
2021-02-26 13:14	migueldejuana	Triggers an Emergency Pack	=> No
2021-02-26 13:15	migueldejuana	Status	new => scheduled
2021-03-02 08:03	hgbot	Merge Request Status	=> open
2021-03-02 08:03	hgbot	Note Added: 0126444
2021-03-02 08:04	hgbot	Note Added: 0126445
2021-03-02 08:28	hgbot	Merge Request Status	open => approved
2021-03-02 08:42	hgbot	Resolution	open => fixed
2021-03-02 08:42	hgbot	Status	scheduled => closed
2021-03-02 08:42	hgbot	Note Added: 0126450
2021-03-02 08:42	hgbot	Fixed in Version	=> RR21Q2
2021-03-02 08:42	hgbot	Note Added: 0126451
2021-03-02 08:43	hgbot	Note Added: 0126452
2021-03-02 08:43	hgbot	Note Added: 0126453
2022-03-24 09:41	prakashmurugesan88	Status	closed => new
2022-03-24 09:41	prakashmurugesan88	Status	new => scheduled
2022-03-24 09:41	prakashmurugesan88	Status	scheduled => resolved
2022-03-24 09:41	prakashmurugesan88	Status	resolved => closed
2022-03-25 06:19	prakashmurugesan88	File Added: I45960_19Q3_MobileCore.patch
2022-03-25 06:19	prakashmurugesan88	File Added: I45960_19Q3_PosTerminal.patch