diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml
index 6893eb1e886..5927c345dae 100644
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml
@@ -121,7 +121,8 @@
org.wso2.carbon.registry.core.*,
org.wso2.carbon.registry.common.*;version="${carbon.registry.imp.pkg.version.range}",
org.wso2.carbon.registry.indexing.*; version="${carbon.registry.imp.pkg.version.range}",
- org.wso2.carbon.base
+ org.wso2.carbon.base,
+ org.owasp.encoder
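Review bot: The added `org.owasp.encoder` Import-Package entry carries no version range, unlike the registry imports just above it, so the bundle will wire to whichever exporter of that package the runtime happens to have rather than the orbit bundle this commit introduces. If the build keeps a range property for orbit bundles, use it here, e.g. `org.owasp.encoder; version="${owasp.encoder.imp.pkg.version.range}"` (the property name is a placeholder to be defined next to `owasp.encoder.version`). The second hunk of this file adds the dependency without a version, which is acceptable only if the root pom hunk in this commit really places it under dependencyManagement, as its position next to jackson-annotations suggests.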
@@ -226,6 +227,10 @@
org.wso2.carbon
org.wso2.carbon.registry.core
+
+ org.wso2.orbit.org.owasp.encoder
+ encoder
+
diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/AuthenticationFrameworkUtil.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/AuthenticationFrameworkUtil.java
index 72fe8c958d3..1ae7b831162 100644
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/AuthenticationFrameworkUtil.java
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/AuthenticationFrameworkUtil.java
@@ -21,6 +21,7 @@ import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.owasp.encoder.Encode;
import org.w3c.dom.Document;
import org.wso2.carbon.apimgt.api.APIManagementException;
import org.wso2.carbon.apimgt.core.authenticate.APITokenValidator;
@@ -42,7 +43,7 @@ public class AuthenticationFrameworkUtil {
public static void handleNoMatchAuthScheme(Request request, Response response, String httpVerb, String version,
String context) {
String msg = "Resource is not matched for HTTP Verb: '" + httpVerb + "', API context: '" + context +
- "', Version: '" + version + "' and RequestURI: '" + request.getRequestURI() + "'";
+ "', Version: '" + version + "' and RequestURI: '" + Encode.forHtml(request.getRequestURI()) + "'";
handleResponse(request, response, HttpServletResponse.SC_FORBIDDEN, msg);
}
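Review bot: `Encode.forHtml` on the request URI in the `msg` line is the right encoder only if `handleResponse` writes `msg` into an HTML body; if it emits text/plain or JSON, HTML entity encoding corrupts the output without protecting anything, so confirm the content type in `handleResponse`, which is outside the hunk. The other interpolated values, `httpVerb`, `context` and `version`, stay unencoded in the same string; if any of them is derived from the request (the verb normally is), encode them the same way, e.g. `"... HTTP Verb: '" + Encode.forHtml(httpVerb) + "', API context: '" + Encode.forHtml(context) + ...`. handleNoMatchAuthScheme is complete within the hunk.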
diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java
index 93ab9c32a3b..feb5c77415f 100644
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java
@@ -22,6 +22,7 @@ import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.owasp.encoder.Encode;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve;
import org.wso2.carbon.tomcat.ext.valves.CompositeValve;
@@ -151,11 +152,10 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
response.setHeader("WWW-Authenticate", msg);
}
if (log.isDebugEnabled()) {
- log.debug(msg + " , API : " + request.getRequestURI());
+ log.debug(msg + " , API : " + Encode.forUriComponent(request.getRequestURI()));
}
- AuthenticationFrameworkUtil
- .handleResponse(request, response, HttpServletResponse.SC_UNAUTHORIZED,
- msg);
+ AuthenticationFrameworkUtil.
+ handleResponse(request, response, HttpServletResponse.SC_UNAUTHORIZED, msg);
break;
}
}
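Review bot: The `log.debug` line uses `Encode.forUriComponent` for the same purpose that the PermissionAuthorizer hunk in this commit handles with `Encode.forJava`, and the two should agree: forUriComponent also percent-encodes `/` and `:`, so a path such as `/api/x/1` is logged as `%2Fapi%2Fx%2F1`, which hurts readability when the log is read during incident triage. Since the goal is to stop CR/LF and other control characters from forging log entries, `Encode.forJava(request.getRequestURI())` gives the same protection and keeps the path legible. The `msg` prefix on the same line is also emitted as the `WWW-Authenticate` header at the top of the hunk; if it ever incorporates request data it needs the same treatment. The enclosing method starts and ends outside the hunk.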
diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java
index efbe30bc5b0..6d5138d3a2f 100644
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java
@@ -22,6 +22,7 @@ import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.owasp.encoder.Encode;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
@@ -57,13 +58,13 @@ public class PermissionAuthorizer {
requestPermission = registryBasedPermissionManager.getPermission(properties);
} catch (PermissionManagementException e) {
log.error(
- "Error occurred while fetching the permission for URI : " + requestUri + " ," +
+ "Error occurred while fetching the permission for URI : " + Encode.forJava(requestUri) + " ," +
" METHOD : " + requestMethod + ", msg = " + e.getMessage());
}
if (requestPermission == null) {
if (log.isDebugEnabled()) {
- log.debug("Permission to request '" + requestUri + "' is not defined in the configuration");
+ log.debug("Permission to request '" + Encode.forJava(requestUri) + "' is not defined in the configuration");
}
return WebappAuthenticator.Status.FAILURE;
}
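Review bot: The `log.error` call encodes `requestUri` but leaves `requestMethod` on the following line unencoded, although both presumably come from the same request; apply `Encode.forJava(requestMethod)` there as well so the whole statement is neutralised consistently. Separately, the error is logged with only `e.getMessage()`, which discards the stack trace of the PermissionManagementException; passing the exception as the second argument, `log.error("... msg = " + e.getMessage(), e);`, keeps the cause for forensics. The debug line further down follows the same encoding pattern and is fine. The enclosing method starts and ends outside the hunk.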
diff --git a/pom.xml b/pom.xml
index 40e528385b0..c4f84666893 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1511,6 +1511,11 @@
jackson-annotations
${jackson-annotations.version}
+
+ org.wso2.orbit.org.owasp.encoder
+ encoder
+ ${owasp.encoder.version}
+
@@ -1880,6 +1885,7 @@
1.0.2
2.7.4
+ 1.2.0.wso2v1