Review fields usable for search and orderBy

common/lib/src/main/java/org/apache/syncope/common/lib/search/SearchableFields.java

@@ -36,7 +36,7 @@
 public final class SearchableFields {
 
     private static final String[] ATTRIBUTES_NOTINCLUDED = {
-        "serialVersionUID", "password", "type", "udynMembershipCond"
+        "serialVersionUID", "password", "type", "udynMembershipCond", "securityAnswer", "token", "tokenExpireTime"
     };
 
     private static final Set<String> ANY_FIELDS = new HashSet<>();

core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/AbstractAnySearchDAO.java

@@ -30,7 +30,10 @@
 import javax.validation.constraints.Max;
 import javax.validation.constraints.Min;
 import org.apache.commons.collections4.CollectionUtils;
+import org.apache.commons.collections4.ListUtils;
+import org.apache.commons.collections4.Predicate;
 import org.apache.commons.collections4.Transformer;
+import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.lang3.ClassUtils;
 import org.apache.commons.lang3.SerializationUtils;
 import org.apache.commons.lang3.tuple.Pair;
@@ -68,6 +71,10 @@
 
 public abstract class AbstractAnySearchDAO extends AbstractDAO<Any<?>> implements AnySearchDAO {
 
+    private static final String[] ORDER_BY_NOT_ALLOWED = {
+        "serialVersionUID", "password", "securityQuestion", "securityAnswer", "token", "tokenExpireTime"
+    };
+
     @Autowired
     protected RealmDAO realmDAO;
 
@@ -134,6 +141,16 @@ public <T extends Any<?>> List<T> search(
         return search(SyncopeConstants.FULL_ADMIN_REALMS, cond, -1, -1, orderBy, kind);
     }
 
+    protected List<OrderByClause> filterOrderBy(final List<OrderByClause> orderBy) {
+        return ListUtils.select(orderBy, new Predicate<OrderByClause>() {
+
+            @Override
+            public boolean evaluate(final OrderByClause clause) {
+                return !ArrayUtils.contains(ORDER_BY_NOT_ALLOWED, clause.getField());
+            }
+        });
+    }
+
     protected abstract <T extends Any<?>> List<T> doSearch(
             Set<String> adminRealms,
             SearchCond searchCondition,

core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/JPAAnySearchDAO.java

@@ -276,13 +276,13 @@ private StringBuilder buildOrderBy(final OrderBySupport obs) {
     }
 
     private OrderBySupport parseOrderBy(
-            final AnyTypeKind kind, final SearchSupport svs, final List<OrderByClause> orderByClauses) {
+            final AnyTypeKind kind, final SearchSupport svs, final List<OrderByClause> orderBy) {
 
         AnyUtils attrUtils = anyUtilsFactory.getInstance(kind);
 
         OrderBySupport obs = new OrderBySupport();
 
-        for (OrderByClause clause : orderByClauses) {
+        for (OrderByClause clause : filterOrderBy(orderBy)) {
             OrderBySupport.Item item = new OrderBySupport.Item();
 
             // Manage difference among external key attribute and internal JPA @Id

ext/elasticsearch/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/ElasticsearchAnySearchDAO.java

@@ -147,7 +147,7 @@ private void addSort(
 
         AnyUtils attrUtils = anyUtilsFactory.getInstance(kind);
 
-        for (OrderByClause clause : orderBy) {
+        for (OrderByClause clause : filterOrderBy(orderBy)) {
             String sortName = null;
 
             // Manage difference among external key attribute and internal JPA @Id

fit/core-reference/src/test/java/org/apache/syncope/fit/core/SearchITCase.java

@@ -29,6 +29,7 @@
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.collections4.IterableUtils;
 import org.apache.commons.collections4.Predicate;
+import org.apache.commons.lang3.RandomStringUtils;
 import org.apache.syncope.client.lib.SyncopeClient;
 import org.apache.syncope.common.lib.SyncopeConstants;
 import org.apache.syncope.common.lib.patch.AnyObjectPatch;
@@ -406,6 +407,24 @@ public boolean evaluate(final UserTO user) {
         }));
     }
 
+    @Test
+    public void searchBySecurityAnswer() {
+        String securityAnswer = RandomStringUtils.randomAlphanumeric(10);
+        UserTO userTO = UserITCase.getUniqueSampleTO("securityAnswer@syncope.apache.org");
+        userTO.setSecurityQuestion("887028ea-66fc-41e7-b397-620d7ea6dfbb");
+        userTO.setSecurityAnswer(securityAnswer);
+
+        userTO = createUser(userTO).getEntity();
+        assertNotNull(userTO.getSecurityQuestion());
+
+        PagedResult<UserTO> matchingUsers = userService.search(
+                new AnyQuery.Builder().realm(SyncopeConstants.ROOT_REALM).
+                        fiql(SyncopeClient.getUserSearchConditionBuilder().
+                                is("securityAnswer").equalTo(securityAnswer).query()).build());
+        assertNotNull(matchingUsers);
+        assertTrue(matchingUsers.getResult().isEmpty());
+    }
+
     @Test
     public void assignable() {
         PagedResult<GroupTO> groups = groupService.search(new AnyQuery.Builder().realm("/even/two").page(1).size(1000).