Fixes based on pentesting with ZAP.

mraible · Feb 12, 2013 · 9a45b74 · 9a45b74
1 parent 38c5598
commit 9a45b74
Show file tree

Hide file tree

Showing 10 changed files with 535 additions and 18 deletions.
diff --git a/pom.xml b/pom.xml
@@ -110,6 +110,7 @@
                 <configuration>
                     <webAppConfig>
                         <contextPath>/</contextPath>
+                        <defaultsDescriptor>src/test/resources/webdefault.xml</defaultsDescriptor>
                     </webAppConfig>
                     <connectors>
                         <connector implementation="org.eclipse.jetty.server.nio.SelectChannelConnector">

diff --git a/src/main/java/org/appfuse/examples/webapp/security/OptionsHeadersFilter.java b/src/main/java/org/appfuse/examples/webapp/security/OptionsHeadersFilter.java
@@ -16,7 +16,11 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
         response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
         response.setHeader("Access-Control-Allow-Credentials", "true");
 
-        chain.doFilter(req, res);
+        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1
+        response.setHeader("Pragma", "no-cache"); // HTTP 1.0
+        response.setDateHeader("Expires", 0); // Proxies
+
+        chain.doFilter(req, response);
     }
 
     public void init(FilterConfig filterConfig) {

diff --git a/src/main/java/org/appfuse/examples/webapp/user/UserFormController.java b/src/main/java/org/appfuse/examples/webapp/user/UserFormController.java
@@ -8,6 +8,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.appfuse.model.User;
+import org.appfuse.service.UserExistsException;
 import org.appfuse.service.UserManager;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.propertyeditors.CustomDateEditor;
@@ -16,6 +17,7 @@
 import org.springframework.context.support.MessageSourceAccessor;
 import org.springframework.stereotype.Controller;
 import org.springframework.validation.BindingResult;
+import org.springframework.validation.ObjectError;
 import org.springframework.validation.Validator;
 import org.springframework.web.bind.ServletRequestDataBinder;
 import org.springframework.web.bind.annotation.InitBinder;
@@ -80,7 +82,12 @@ public String onSubmit(User user, BindingResult result, HttpServletRequest reque
             request.getSession().setAttribute("message",
                     getText("user.deleted", user.getFullName()));
         } else {
-            userManager.saveUser(user);
+            try {
+                userManager.saveUser(user);
+            } catch (UserExistsException uex) {
+                result.addError(new ObjectError("user", uex.getMessage()));
+                return "userform";
+            }
             request.getSession().setAttribute("message",
                     getText("user.saved", user.getFullName()));
         }

diff --git a/src/main/webapp/WEB-INF/security.xml b/src/main/webapp/WEB-INF/security.xml
@@ -12,7 +12,7 @@
         <intercept-url pattern="/app/users" access="ROLE_USER,ROLE_ADMIN" requires-channel="https"/>
         <form-login login-page="/login" authentication-failure-url="/login?error=true"
                     login-processing-url="/j_security_check"/>
-        <remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66"/>
+        <remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66" use-secure-cookie="true"/>
     </http>
 
     <authentication-manager alias="authenticationManager">

diff --git a/src/main/webapp/WEB-INF/web.xml b/src/main/webapp/WEB-INF/web.xml
@@ -168,4 +168,13 @@
         <error-code>500</error-code>
         <location>/error.jsp</location>
     </error-page>
+
+    <session-config>
+        <session-timeout>15</session-timeout>
+        <cookie-config>
+            <http-only>true</http-only>
+            <secure>true</secure>
+        </cookie-config>
+        <tracking-mode>COOKIE</tracking-mode>
+    </session-config>
 </web-app>
diff --git a/src/main/webapp/dataAccessFailure.jsp b/src/main/webapp/dataAccessFailure.jsp
@@ -5,11 +5,4 @@
     <c:out value="${requestScope.exception.message}"/>
 </p>
 
-<!--
-<% 
-Exception ex = (Exception) request.getAttribute("exception");
-ex.printStackTrace(new java.io.PrintWriter(out)); 
-%>
--->
-
 <a href="<c:url value='/'/>">&#171; Home</a>
diff --git a/src/main/webapp/error.jsp b/src/main/webapp/error.jsp
@@ -2,9 +2,4 @@
 
 <head><title>Doh!</title></head>
 
-An Error has occurred in this application.
-
-<% if (exception != null) { %>
-    Please check your log files for further information.
-    <% System.err.println(exception); %>
-<% } %>
+An Error has occurred in this application.
diff --git a/src/main/webapp/login.jsp b/src/main/webapp/login.jsp
@@ -6,7 +6,7 @@
     Please enter your username and password to login.
 </p>
 
-<form method="post" id="loginForm" class="form-signin" action="${ctx}/j_security_check">
+<form method="post" id="loginForm" class="form-signin" action="${ctx}/j_security_check" autocomplete="off">
     <h2 class="form-signin-heading">Sign In</h2>
 
     <c:if test="${param.error == 'true'}">

diff --git a/src/main/webapp/userform.jsp b/src/main/webapp/userform.jsp
@@ -11,7 +11,7 @@
         <div class="alert alert-error fade in">
             <a href="#" data-dismiss="alert" class="close">&times;</a>
             <c:forEach var="error" items="${status.errorMessages}">
-                <c:out value="${error}" escapeXml="false"/><br/>
+                <c:out value="${error}" escapeXml="true"/><br/>
             </c:forEach>
         </div>
     </c:if>