
feat(jans-auth): fix schema endpoint #8687

Merged
merged 1 commit into from
Jun 10, 2024

Conversation

yurem
Contributor

@yurem yurem commented Jun 10, 2024

Closes #8671

Closes #8688

Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
@yurem yurem requested a review from yuremm June 10, 2024 13:53

dryrunsecurity bot commented Jun 10, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status           Findings
AppSec Analyzer                  0 findings
Configured Codepaths Analyzer    0 findings
Secrets Analyzer                 0 findings
IDOR Analyzer                    0 findings
Sensitive Files Analyzer         0 findings
Authn/Authz Analyzer             0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request appear to be focused on improving the clarity and consistency of the responses from the ConfigRestWebServiceImpl and ConfigRestWebService classes, which handle various REST API requests related to configuration, issuers, schemas, and policies. The changes do not introduce any obvious security vulnerabilities, and the code is following good security practices, such as setting appropriate cache control headers and using standard Java EE annotations and context parameters.

While the changes seem to be primarily focused on enhancing the API responses, it's important to review the actual implementation of these endpoints to ensure that proper input validation, access control, and other security best practices are followed. As an application security engineer, I would recommend reviewing the rest of the codebase and the overall security architecture to identify any potential vulnerabilities or areas for improvement.

Files Changed:

  1. jans-lock/lock-master/service/src/main/java/io/jans/lock/service/ws/rs/config/ConfigRestWebServiceImpl.java:

    • The response entities for different request types have been updated to include more descriptive status values.
    • The order of the processSchemaRequest and processPolicyRequest methods has been rearranged.
    • The code is using the ServerUtil.cacheControlWithNoStoreTransformAndPrivate() method and setting the PRAGMA header to NO_CACHE to prevent caching of sensitive information in the responses.
  2. jans-lock/lock-master/service/src/main/java/io/jans/lock/service/ws/rs/config/ConfigRestWebService.java:

    • The order of the /config/policy and /config/schema endpoints has been swapped.
    • The code is using standard Java EE annotations to define the REST API endpoints, which is a secure and recommended approach.
    • The endpoints are using the GET HTTP method, which is appropriate for read-only operations, and returning JSON responses, which is a common and secure format for API communication.
    • The method signatures are using standard Java EE context parameters, which allows the implementation to access relevant request and security information.

Powered by DryRun Security

@mo-auto mo-auto added the kind-feature Issue or PR is a new feature request label Jun 10, 2024
@mo-auto
Member

mo-auto commented Jun 10, 2024

Error: Hi @yurem, you did not reference an open issue in your PR. I attempted to create an issue for you.
Please update that issue's title and body and make sure I correctly referenced it in the above PR's body.

@yuremm yuremm enabled auto-merge (squash) June 10, 2024 13:54
@yuremm yuremm merged commit f4aca13 into main Jun 10, 2024
8 checks passed
@yuremm yuremm deleted the issue_8671 branch June 10, 2024 14:02
Labels
kind-feature Issue or PR is a new feature request
4 participants