From 819f3c9a239391c2e25052d47ab294f89ad1f773 Mon Sep 17 00:00:00 2001 From: Maninda Date: Tue, 17 Jan 2017 17:41:24 +0530 Subject: [PATCH] Made web apps to be extracted and replace the web.xml files and pack again for fixing security issues --- modules/core/distribution/pom.xml | 117 +++++ .../core/distribution/src/assembly/bin.xml | 27 +- .../web-xml/api#certificate-mgt#v1.0/web.xml | 118 +++++ .../web-xml/api#identity#entitlement/web.xml | 127 ++++++ .../web-xml/api#scep-mgt#v1.0/web.xml | 92 ++++ .../api-application-registration/web.xml | 103 +++++ .../web-xml/authenticationendpoint/web.xml | 280 ++++++++++++ .../web-xml/client-registration#v0.11/web.xml | 87 ++++ .../resources/web-apps/web-xml/oauth2/web.xml | 100 +++++ .../web-xml/secured-websocket/web.xml | 61 +++ .../web-apps/web-xml/shindig/web.xml | 423 ++++++++++++++++++ 11 files changed, 1518 insertions(+), 17 deletions(-) create mode 100644 modules/core/distribution/src/repository/resources/web-apps/web-xml/api#certificate-mgt#v1.0/web.xml create mode 100644 modules/core/distribution/src/repository/resources/web-apps/web-xml/api#identity#entitlement/web.xml create mode 100644 modules/core/distribution/src/repository/resources/web-apps/web-xml/api#scep-mgt#v1.0/web.xml create mode 100644 modules/core/distribution/src/repository/resources/web-apps/web-xml/api-application-registration/web.xml create mode 100644 modules/core/distribution/src/repository/resources/web-apps/web-xml/authenticationendpoint/web.xml create mode 100644 modules/core/distribution/src/repository/resources/web-apps/web-xml/client-registration#v0.11/web.xml create mode 100644 modules/core/distribution/src/repository/resources/web-apps/web-xml/oauth2/web.xml create mode 100644 modules/core/distribution/src/repository/resources/web-apps/web-xml/secured-websocket/web.xml create mode 100644 modules/core/distribution/src/repository/resources/web-apps/web-xml/shindig/web.xml 
diff --git a/modules/core/distribution/pom.xml b/modules/core/distribution/pom.xml index 18aebbd8..4e5ada12 100644 --- a/modules/core/distribution/pom.xml +++ b/modules/core/distribution/pom.xml @@ -527,6 +527,9 @@ run + + + clean_target install @@ -566,6 +569,120 @@ run + + + + replace-web-xmls-in-war-files + prepare-package + + run + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/modules/core/distribution/src/assembly/bin.xml b/modules/core/distribution/src/assembly/bin.xml index 989a06b8..2b382f33 100644 --- a/modules/core/distribution/src/assembly/bin.xml +++ b/modules/core/distribution/src/assembly/bin.xml @@ -1348,75 +1348,68 @@ 755 - + diff --git a/modules/core/distribution/src/repository/resources/web-apps/web-xml/api#certificate-mgt#v1.0/web.xml b/modules/core/distribution/src/repository/resources/web-apps/web-xml/api#certificate-mgt#v1.0/web.xml new file mode 100644 index 00000000..7a8a130a --- /dev/null +++ b/modules/core/distribution/src/repository/resources/web-apps/web-xml/api#certificate-mgt#v1.0/web.xml 
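Review bot: The `replace-web-xmls-in-war-files` execution bound to `prepare-package` overwrites each upstream WAR's web.xml with a static copy from `src/repository/resources/web-apps/web-xml`, so any servlet, filter or security-constraint that upstream adds on the next dependency bump is silently dropped from the distribution while the build still succeeds. The task body is stripped in this hunk, so I can only suggest the guard rather than review it: before overwriting, checksum the extracted `WEB-INF/web.xml` (`<checksum file="…/WEB-INF/web.xml" algorithm="SHA-256" property="…" verifyProperty="webxml.unchanged"/>`) and `<fail>` the build when it no longer matches the upstream version the override was written against, so each override is re-reviewed instead of blindly reapplied. An XML comment above the execution naming the upstream artifact versions the overrides were derived from would make that re-review possible without archaeology.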
@@ -0,0 +1,118 @@ + + + + Certificate-Webapp + + JAX-WS/JAX-RS Certificate Management Endpoint + JAX-WS/JAX-RS Servlet + CXFServlet + + org.apache.cxf.transport.servlet.CXFServlet + + + swagger.security.filter + ApiAuthorizationFilterImpl + + 1 + + + CXFServlet + /* + + + 60 + + + + isAdminService + false + + + doAuthentication + true + + + + + managed-api-enabled + true + + + managed-api-owner + admin + + + + + CertificateMgt-Admin + /* + + + CONFIDENTIAL + + + + + ApiOriginFilter + org.wso2.carbon.certificate.mgt.cert.jaxrs.api.util.ApiOriginFilter + + + + HttpHeaderSecurityFilter + org.apache.catalina.filters.HttpHeaderSecurityFilter + + hstsEnabled + false + + + + + ContentTypeBasedCachePreventionFilter + org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter + + patterns + "text/html*","application/json*","text/plain*" + + + filterAction + enforce + + + httpHeaders + Cache-Control: no-store, no-cache, must-revalidate, private + + + + + HttpHeaderSecurityFilter + /* + + + + ContentTypeBasedCachePreventionFilter + /* + + + + ApiOriginFilter + /* + + + + diff --git a/modules/core/distribution/src/repository/resources/web-apps/web-xml/api#identity#entitlement/web.xml b/modules/core/distribution/src/repository/resources/web-apps/web-xml/api#identity#entitlement/web.xml new file mode 100644 index 00000000..86c22b52 --- /dev/null +++ b/modules/core/distribution/src/repository/resources/web-apps/web-xml/api#identity#entitlement/web.xml 
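Review bot: `hstsEnabled` is set to `false` on `HttpHeaderSecurityFilter`, which drops the Strict-Transport-Security header from an endpoint that this same file forces onto TLS via `transport-guarantee CONFIDENTIAL` on `/*`; with HSTS off, a client that first hits the plain-HTTP URL is redirected rather than refused, which is exactly the downgrade window HSTS closes. The same `false` is copied into every web.xml in this patch, so it is presumably a deliberate product default (plain-HTTP connector, localhost testing), but in a change titled "fixing security issues" it should either be flipped — `<param-name>hstsEnabled</param-name><param-value>true</param-value>` with `<param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value>` — or carry an XML comment stating why it stays off, e.g. `<!-- HSTS intentionally off: header is set by the fronting reverse proxy -->`. `ApiOriginFilter` is mapped last and its class name suggests CORS handling, but its allowed-origin policy lives in code, so it cannot be reviewed from this descriptor.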
@@ -0,0 +1,127 @@ + + + + + + Entitlement-Service-Provider + + + + ApiOriginFilter + org.wso2.carbon.identity.entitlement.endpoint.filter.ApiOriginFilter + + + + HttpHeaderSecurityFilter + org.apache.catalina.filters.HttpHeaderSecurityFilter + + hstsEnabled + false + + + + + ContentTypeBasedCachePreventionFilter + org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter + + patterns + "text/html*","application/json*","text/plain*" + + + filterAction + enforce + + + httpHeaders + Cache-Control: no-store, no-cache, must-revalidate, private + + + + + HttpHeaderSecurityFilter + /* + + + + ContentTypeBasedCachePreventionFilter + /* + + + + ApiOriginFilter + /* + + + + EntitlementServlet + EntitlementServlet + Entitlement Endpoints + org.apache.cxf.transport.servlet.CXFServlet + 1 + + + + swagger.api.basepath + https://localhost:9443/entitlement + + + + + EntitlementServlet + /* + + + + 60 + + true + + + + + + secured services + /decision/* + + + + + + CONFIDENTIAL + + + + + org.wso2.carbon.identity.entitlement.endpoint.impl.ApplicationInitializer + + + + + + diff --git a/modules/core/distribution/src/repository/resources/web-apps/web-xml/api#scep-mgt#v1.0/web.xml b/modules/core/distribution/src/repository/resources/web-apps/web-xml/api#scep-mgt#v1.0/web.xml new file mode 100644 index 00000000..36b8b98e --- /dev/null +++ b/modules/core/distribution/src/repository/resources/web-apps/web-xml/api#scep-mgt#v1.0/web.xml 
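Review bot: The `CONFIDENTIAL` transport guarantee is scoped to `/decision/*` only, while `EntitlementServlet` is mapped to `/*`, so anything else CXF serves under this context (the swagger listing rooted at `swagger.api.basepath`, a WADL, other resources) is not forced onto TLS by this constraint; the certificate-mgt web.xml in the same patch uses `/*` for its constraint. Unless there is a reason to keep only the PDP query path TLS-only, widen it: `<url-pattern>/*</url-pattern>`. Whatever `auth-constraint` the security-constraint contains is stripped in this hunk, so I cannot tell whether authentication is enforced by the container or only inside the CXF beans. `swagger.api.basepath` is hard-coded to `https://localhost:9443/entitlement`, which will be wrong on any non-default host or port unless something outside this file rewrites it.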
@@ -0,0 +1,92 @@ + + + + Certificate-Webapp + + JAX-WS/JAX-RS Certificate Management Endpoint + JAX-WS/JAX-RS Servlet + CXFServlet + + org.apache.cxf.transport.servlet.CXFServlet + + + + CXFServlet + /* + + + 60 + + + + isAdminService + false + + + doAuthentication + true + + + + + managed-api-enabled + true + + + managed-api-owner + admin + + + + HttpHeaderSecurityFilter + org.apache.catalina.filters.HttpHeaderSecurityFilter + + hstsEnabled + false + + + + + ContentTypeBasedCachePreventionFilter + org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter + + patterns + "text/html*","application/json*","text/plain*" + + + filterAction + enforce + + + httpHeaders + Cache-Control: no-store, no-cache, must-revalidate, private + + + + + HttpHeaderSecurityFilter + /* + + + + ContentTypeBasedCachePreventionFilter + /* + + + diff --git a/modules/core/distribution/src/repository/resources/web-apps/web-xml/api-application-registration/web.xml b/modules/core/distribution/src/repository/resources/web-apps/web-xml/api-application-registration/web.xml new file mode 100644 index 00000000..c4a51a4a --- /dev/null +++ b/modules/core/distribution/src/repository/resources/web-apps/web-xml/api-application-registration/web.xml 
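Review bot: The display-name `Certificate-Webapp` and description `JAX-WS/JAX-RS Certificate Management Endpoint` are copied verbatim from the certificate-mgt web.xml, so the SCEP webapp is misidentified in the webapp manager and in logs; use `<display-name>SCEP-Webapp</display-name>` and `<description>JAX-WS/JAX-RS SCEP Endpoint</description>`. Unlike its sibling, this file carries no `security-constraint`/`transport-guarantee` and no `swagger.security.filter` init-param; if that is deliberate because SCEP enrolment agents must reach `/*` over plain HTTP and the PKCS#7 enveloping of SCEP messages is relied on for protection, say so in an XML comment next to the `CXFServlet` mapping, otherwise add the same `CONFIDENTIAL` constraint on `/*`. What `doAuthentication=true` actually gates is decided by code outside this descriptor, so it cannot be confirmed from the hunk.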
@@ -0,0 +1,103 @@ + + + + + WSO2 IoT Server + WSO2 IoT Server + + + CXFServlet + org.apache.cxf.transport.servlet.CXFServlet + 1 + + + + CXFServlet + /* + + + isAdminService + false + + + doAuthentication + true + + + + + managed-api-enabled + true + + + managed-api-owner + admin + + + + ApiPermissionFilter + org.wso2.carbon.apimgt.application.extension.api.filter.ApiPermissionFilter + + + + HttpHeaderSecurityFilter + org.apache.catalina.filters.HttpHeaderSecurityFilter + + hstsEnabled + false + + + + + ContentTypeBasedCachePreventionFilter + org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter + + patterns + "text/html*","application/json*","text/plain*" + + + filterAction + enforce + + + httpHeaders + Cache-Control: no-store, no-cache, must-revalidate, private + + + + + HttpHeaderSecurityFilter + /* + + + + ContentTypeBasedCachePreventionFilter + /* + + + + ApiPermissionFilter + /* + + + diff --git a/modules/core/distribution/src/repository/resources/web-apps/web-xml/authenticationendpoint/web.xml b/modules/core/distribution/src/repository/resources/web-apps/web-xml/authenticationendpoint/web.xml new file mode 100644 index 00000000..466e8313 --- /dev/null +++ b/modules/core/distribution/src/repository/resources/web-apps/web-xml/authenticationendpoint/web.xml 
@@ -0,0 +1,280 @@ + + + + + + + + + + + + + + + + + + + + + AccountRecoveryRESTEndpointURL + https://localhost:9443/t/tenant-domain/api/identity/user/v0.9/ + + + + + + displayScopes + true + + + + HttpHeaderSecurityFilter + org.apache.catalina.filters.HttpHeaderSecurityFilter + + hstsEnabled + false + + + + + HttpHeaderSecurityFilter + * + + + + AuthenticationEndpointFilter + + org.wso2.carbon.identity.application.authentication.endpoint.util.filter.AuthenticationEndpointFilter + + + + + AuthenticationEndpointFilter + /* + + + + + org.wso2.carbon.identity.application.authentication.endpoint.util.listener.AuthenticationEndpointContextListener + + + + + retry.do + /retry.jsp + + + + claims.do + /requested-claims.jsp + + + + oauth2_login.do + /login.jsp + + + + oauth2_authz.do + /oauth2_authz.jsp + + + + oauth2_consent.do + /oauth2_consent.jsp + + + + oauth2_logout_consent.do + /oauth2_logout_consent.jsp + + + + oauth2_logout.do + /logout.jsp + + + + oauth2_error.do + /oauth2_error.jsp + + + + samlsso_login.do + /login.jsp + + + + samlsso_logout.do + /logout.jsp + + + + samlsso_redirect.do + /login.jsp + + + + samlsso_notification.do + /samlsso_notification.jsp + + + + openid_login.do + /login.jsp + + + + openid_profile.do + /openid_profile.jsp + + + + passivests_login.do + /login.jsp + + + + tenantlistrefresher.do + /tenant_refresh_endpoint.jsp + + + + registration.do + /registration.jsp + + + + retry.do + /retry.do + + + + oauth2_login.do + /oauth2_login.do + + + + oauth2_authz.do + /oauth2_authz.do + + + + oauth2_consent.do + /oauth2_consent.do + + + + oauth2_logout_consent.do + /oauth2_logout_consent.do + + + + oauth2_logout.do + /oauth2_logout.do + + + + oauth2_error.do + /oauth2_error.do + + + + samlsso_login.do + /samlsso_login.do + + + + samlsso_logout.do + /samlsso_logout.do + + + + samlsso_redirect.do + /samlsso_redirect.do + + + + samlsso_notification.do + /samlsso_notification.do + + + + openid_login.do + /openid_login.do + + + + openid_profile.do + 
/openid_profile.do + + + + passivests_login.do + /passivests_login.do + + + + tenantlistrefresher.do + /tenantlistrefresher.do + + + + registration.do + /registration.do + + + + claims.do + /claims.do + + + + java.lang.Throwable + /generic-exception-response.jsp + + + + + true + + + + diff --git a/modules/core/distribution/src/repository/resources/web-apps/web-xml/client-registration#v0.11/web.xml b/modules/core/distribution/src/repository/resources/web-apps/web-xml/client-registration#v0.11/web.xml new file mode 100644 index 00000000..0befeb9c --- /dev/null +++ b/modules/core/distribution/src/repository/resources/web-apps/web-xml/client-registration#v0.11/web.xml @@ -0,0 +1,87 @@ + + + + +JAX-WS/JAX-RS Device Registration Agent Endpoint +JAX-WS/JAX-RS Servlet + + contextConfigLocation + WEB-INF/beans.xml + + + + org.springframework.web.context.ContextLoaderListener + + + + JAX-WS/JAX-RS Device Registration Agent Endpoint + JAX-WS/JAX-RS Servlet + CXFServlet + + org.apache.cxf.transport.servlet.CXFServlet + + 1 + + + CXFServlet + /* + + + + HttpHeaderSecurityFilter + org.apache.catalina.filters.HttpHeaderSecurityFilter + + hstsEnabled + false + + + + + ContentTypeBasedCachePreventionFilter + org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter + + patterns + "text/html*","application/json*","text/plain*" + + + filterAction + enforce + + + httpHeaders + Cache-Control: no-store, no-cache, must-revalidate, private + + + + + HttpHeaderSecurityFilter + /* + + + + ContentTypeBasedCachePreventionFilter + /* + + + diff --git a/modules/core/distribution/src/repository/resources/web-apps/web-xml/oauth2/web.xml b/modules/core/distribution/src/repository/resources/web-apps/web-xml/oauth2/web.xml new file mode 100644 index 00000000..d7d02a3d --- /dev/null +++ b/modules/core/distribution/src/repository/resources/web-apps/web-xml/oauth2/web.xml 
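Review bot: This is the only web.xml in the patch without `ContentTypeBasedCachePreventionFilter`, yet it is the login UI whose JSPs (`login.jsp`, `oauth2_consent.jsp`, `requested-claims.jsp`, `registration.jsp`) render usernames, requested claims and session-data keys into HTML; without `Cache-Control: no-store` those pages can be replayed from browser or proxy cache after logout, so add the same filter definition and `/*` mapping the sibling files use. `HttpHeaderSecurityFilter` is mapped with `<url-pattern>*</url-pattern>`, which is not a servlet-spec pattern (Tomcat treats it as match-all, other containers reject it); `<url-pattern>/*</url-pattern>`, as used for `AuthenticationEndpointFilter` just below, is the portable form. `AccountRecoveryRESTEndpointURL` is hard-coded to `https://localhost:9443/t/tenant-domain/…`, so recovery links will point at localhost on any real host unless the context listener rewrites it. The `java.lang.Throwable` error-page routed to `generic-exception-response.jsp` is the right choice for not leaking stack traces to the browser.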
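Review bot: This descriptor carries none of the `isAdminService`/`doAuthentication` context params or the `security-constraint` that the other API web.xmls in this patch have, so from the descriptor alone the client-registration endpoint under `/*` looks unauthenticated. If the credential check is done by the CXF beans wired from `WEB-INF/beans.xml`, which this hunk does not show, a one-line comment above the `CXFServlet` mapping — `<!-- authentication enforced by the registration resource in beans.xml -->` — would spare the next reviewer the same question; if it is not, the registration endpoint needs one. The filter set (headers plus cache prevention) matches the siblings, with `hstsEnabled` `false` as everywhere else in the patch.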
@@ -0,0 +1,100 @@ + + + + + + OAuth2 Endpoints + + + HttpHeaderSecurityFilter + org.apache.catalina.filters.HttpHeaderSecurityFilter + + hstsEnabled + false + + + + + ContentTypeBasedCachePreventionFilter + org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter + + patterns + "text/html*","application/json*","text/plain*" + + + filterAction + enforce + + + httpHeaders + Cache-Control: no-store, no-cache, must-revalidate, private + + + + + HttpHeaderSecurityFilter + /* + + + + ContentTypeBasedCachePreventionFilter + /* + + + + + OAuth2Endpoints + org.apache.cxf.transport.servlet.CXFServlet + 1 + + + + + + + + + + + OAuth2Endpoints + /* + + + + + true + + + + diff --git a/modules/core/distribution/src/repository/resources/web-apps/web-xml/secured-websocket/web.xml b/modules/core/distribution/src/repository/resources/web-apps/web-xml/secured-websocket/web.xml new file mode 100644 index 00000000..4e114231 --- /dev/null +++ b/modules/core/distribution/src/repository/resources/web-apps/web-xml/secured-websocket/web.xml @@ -0,0 +1,61 @@ + + + + + Output WebSocket + + + HttpHeaderSecurityFilter + org.apache.catalina.filters.HttpHeaderSecurityFilter + + hstsEnabled + false + + + + + ContentTypeBasedCachePreventionFilter + org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter + + patterns + "text/html*","application/json*","text/plain*" + + + filterAction + enforce + + + httpHeaders + Cache-Control: no-store, no-cache, must-revalidate, private + + + + + HttpHeaderSecurityFilter + /* + + + + ContentTypeBasedCachePreventionFilter + /* + + + diff --git a/modules/core/distribution/src/repository/resources/web-apps/web-xml/shindig/web.xml b/modules/core/distribution/src/repository/resources/web-apps/web-xml/shindig/web.xml new file mode 100644 index 00000000..ead0c0d4 --- /dev/null +++ b/modules/core/distribution/src/repository/resources/web-apps/web-xml/shindig/web.xml 
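Review bot: `ContentTypeBasedCachePreventionFilter` sets only `Cache-Control: no-store, no-cache, must-revalidate, private`, but RFC 6749 §5.1 requires token responses to carry `Pragma: no-cache` as well as `Cache-Control: no-store`; unless the CXF endpoint adds `Pragma` itself (not visible here), extend `httpHeaders` with `Pragma: no-cache` using whatever separator this filter expects for multiple headers. The init-params of the `OAuth2Endpoints` CXF servlet are empty in this hunk, so the JAX-RS provider and bean configuration cannot be reviewed. The trailing `true` after the servlet mapping is presumably a cookie `http-only` or similar setting, but its element name is stripped.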
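Review bot: Servlet filters run only on the HTTP upgrade handshake, so `HttpHeaderSecurityFilter` and `ContentTypeBasedCachePreventionFilter` mapped to `/*` here decorate the 101 response and nothing more; they do not check the `Origin` of the WebSocket connection or authenticate the session, which for a "secured" websocket has to happen in the endpoint's `ServerEndpointConfig.Configurator` (`checkOrigin` / `modifyHandshake`) or in a filter that rejects the handshake outright. Neither is visible in this descriptor, so I can only suggest an XML comment above the filter mappings stating where origin and authentication checks for the upgrade live — or, if nowhere, adding a handshake filter. The display-name `Output WebSocket` gives no hint which component owns this endpoint.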
@@ -0,0 +1,423 @@ + + + + Shindig + + + + + guice-modules + + org.apache.shindig.common.PropertiesModule: + org.apache.shindig.gadgets.DefaultGuiceModule: + org.apache.shindig.social.core.config.SocialApiGuiceModule: + org.apache.shindig.social.sample.SampleModule: + org.apache.shindig.gadgets.oauth.OAuthModule: + org.apache.shindig.gadgets.oauth2.OAuth2Module: + org.apache.shindig.gadgets.oauth2.OAuth2MessageModule: + org.apache.shindig.gadgets.oauth2.handler.OAuth2HandlerModule: + org.apache.shindig.gadgets.oauth2.persistence.sample.OAuth2PersistenceModule: + org.apache.shindig.common.cache.ehcache.EhCacheModule: + org.apache.shindig.sample.shiro.ShiroGuiceModule: + org.apache.shindig.sample.container.SampleContainerGuiceModule: + org.apache.shindig.extras.ShindigExtrasGuiceModule: + org.apache.shindig.gadgets.admin.GadgetAdminModule: + org.wso2.carbon.dashboard.shindig.features.WSO2ShindigFeaturesModule + + + + + + system.properties + + + + + + + HttpHeaderSecurityFilter + org.apache.catalina.filters.HttpHeaderSecurityFilter + + hstsEnabled + false + + + antiClickJackingOption + SAMEORIGIN + + + + + + ContentTypeBasedCachePreventionFilter + org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter + + patterns + "text/html*","application/json*","text/plain*" + + + filterAction + enforce + + + httpHeaders + Cache-Control: no-store, no-cache, must-revalidate, private + + + + + HttpHeaderSecurityFilter + /* + + + + ContentTypeBasedCachePreventionFilter + /* + + + + HttpHeaderSecurityFilter + * + + + + hostFilter + org.apache.shindig.common.servlet.HostFilter + + + hostFilter + /gadgets/ifr + /gadgets/js/* + /gadgets/proxy/* + /gadgets/concat + /gadgets/makeRequest + /rpc/* + /rest/* + + + + ShiroFilter + org.apache.shiro.web.servlet.IniShiroFilter + + config + + + + + + + + authFilter + org.apache.shindig.auth.AuthenticationServletFilter + + + + etagFilter + org.apache.shindig.gadgets.servlet.ETagFilter + + + + + ShiroFilter + /oauth/authorize + + + + 
ShiroFilter + /oauth2/authorize + + + + ShiroFilter + *.jsp + + + + authFilter + /social/* + /gadgets/ifr + /gadgets/makeRequest + /gadgets/proxy + /gadgets/api/rpc/* + /gadgets/api/rest/* + /rpc/* + /rest/* + + + + etagFilter + * + + + + org.apache.shindig.common.servlet.GuiceServletContextListener + + + + + xml-to-html + + org.wso2.carbon.dashboard.shindig.extensions.WSO2GadgetRenderingServlet + + + + + accel + + org.apache.shindig.gadgets.servlet.HtmlAccelServlet + + + + + + proxy + + org.apache.shindig.gadgets.servlet.ProxyServlet + + + + + + makeRequest + + org.apache.shindig.gadgets.servlet.MakeRequestServlet + + + + + + concat + + org.apache.shindig.gadgets.servlet.ConcatProxyServlet + + + + + + oauthCallback + + org.apache.shindig.gadgets.servlet.OAuthCallbackServlet + + + + + + oauth2callback + + org.apache.shindig.gadgets.servlet.OAuth2CallbackServlet + + + + + + metadata + + org.apache.shindig.gadgets.servlet.RpcServlet + + + + + + js + org.apache.shindig.gadgets.servlet.JsServlet + + + + restapiServlet + + org.apache.shindig.protocol.DataServiceServlet + + + handlers + org.apache.shindig.handlers + + + + + + jsonRpcServlet + + org.apache.shindig.protocol.JsonRpcServlet + + + handlers + org.apache.shindig.handlers + + + + + + sampleOAuth + + org.apache.shindig.social.sample.oauth.SampleOAuthServlet + + + + + + OAuth2Servlet + + org.apache.shindig.social.core.oauth2.OAuth2Servlet + + + + + rpcSwf + + org.apache.shindig.gadgets.servlet.RpcSwfServlet + + + + + js + /gadgets/js/* + + + + proxy + /gadgets/proxy/* + + + + makeRequest + /gadgets/makeRequest + + + + jsonRpcServlet + /rpc/* + /gadgets/api/rpc/* + /social/rpc/* + + + + restapiServlet + /rest/* + /gadgets/api/rest/* + /social/rest/* + + + + concat + /gadgets/concat + + + + oauthCallback + /gadgets/oauthcallback + + + + oauth2callback + /gadgets/oauth2callback + + + + xml-to-html + /gadgets/ifr + + + + accel + /gadgets/accel + + + + metadata + /gadgets/metadata + + + + sampleOAuth + /oauth/* + + + + 
OAuth2Servlet + /oauth2/* + + + + rpcSwf + /xpc* + + + + 404 + /error-pages/error404.html + + + + 401 + /error-pages/error401.html + + + + 403 + /error-pages/error403.html + + + + 405 + /error-pages/error405.html + + + + 500 + /error-pages/error500.html + +
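Review bot: The `guice-modules` list and servlet set include Shindig's sample components — `org.apache.shindig.social.sample.SampleModule`, `sample.shiro.ShiroGuiceModule`, `sample.container.SampleContainerGuiceModule`, `oauth2.persistence.sample.OAuth2PersistenceModule` and `SampleOAuthServlet` on `/oauth/*` — in a descriptor shipped as part of a security hardening of the distribution. Shindig's `sample` packages are demo code (sample users, sample OAuth consumers, non-durable persistence); I cannot tell from this file which of them the dashboard actually depends on, but each one not needed should be removed from `guice-modules` and have its servlet mapping dropped, and each one kept should get an XML comment naming why. `antiClickJackingOption` is `SAMEORIGIN` here while the other files rely on the filter's default `DENY`; that is expected for gadgets rendered in iframes but, as the only descriptor that weakens the clickjacking header, it deserves a one-line comment. The `ShiroFilter` `config` init-param body is stripped in this hunk, so the Shiro realm and URL rules cannot be reviewed.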