Author: channa
Date: Sun Feb 10 01:47:09 2008
New Revision: 13511
Log:
Fixing redirect and adding check to ensure primary user creation can't be
called maliciously.
Modified:
trunk/mashup/java/modules/core/src/org/wso2/mashup/webapp/identity/RegistrationBean.java
trunk/mashup/java/modules/www/register_admin.jsp
Modified:
trunk/mashup/java/modules/core/src/org/wso2/mashup/webapp/identity/RegistrationBean.java
==============================================================================
---
trunk/mashup/java/modules/core/src/org/wso2/mashup/webapp/identity/RegistrationBean.java
(original)
+++
trunk/mashup/java/modules/core/src/org/wso2/mashup/webapp/identity/RegistrationBean.java
Sun Feb 10 01:47:09 2008
@@ -154,43 +154,50 @@
*/
public void createAdmin(HttpServletRequest request) throws MashupFault,
RegistryException {
- ServletContext context = request.getSession().getServletContext();
- JDBCRegistry jdbcRegistry = (JDBCRegistry) context.getAttribute(
- RegistryConstants.REGISTRY);
- Realm realm = (Realm)
context.getAttribute(RegistryConstants.REGISTRY_REALM);
- SecureRegistry registry =
RegistryUtils.createSecureRegistry(MashupConstants.SYSTEM_USER,
-
MashupConstants.SYSTEM_USER_PASSWORD,
-
jdbcRegistry, realm);
- try {
- // Get an instance of the user store admin and create the user.
- UserStoreAdmin userStoreAdmin = realm.getUserStoreAdmin();
- userStoreAdmin.addUser(userName, password);
-
- String adminName = "".equals(fullName.trim()) ? userName :
fullName;
- String adminEmail = "".equals(emailId.trim()) ? "none" : emailId;
-
- // Create the admin user profile.
- RegistryUtils.createUser(registry, realm, userName,
- adminName, adminEmail, "System
Administrator");
- // Assign primary user the 'admin' role and make primary.
- userStoreAdmin.addUserToRole(userName,
RegistryConstants.ADMIN_ROLE);
- RegistryUtils.makeUserPrimary(realm, userName);
- MashupUtils.setInitialSetupComplete(true);
-
- // Log user in as primary if option has been chosen.
- if
(MashupConstants.TRUE.equals(request.getParameter(MashupConstants.SIGNIN))) {
- MashupUtils.login(userName, password,
request.getSession().getId());
- SecureRegistry secureRegistry =
- RegistryUtils.createSecureRegistry(userName, password,
- jdbcRegistry,
realm);
-
request.getSession().setAttribute(MashupConstants.USER_REGISTRY,
secureRegistry);
+
+ // Recheck that the request to create the primary user is valid.
+ if (!MashupUtils.isInitialSetupComplete() &&
MashupUtils.isFromLocalHost(request)) {
+ ServletContext context = request.getSession().getServletContext();
+ JDBCRegistry jdbcRegistry = (JDBCRegistry) context.getAttribute(
+ RegistryConstants.REGISTRY);
+ Realm realm = (Realm)
context.getAttribute(RegistryConstants.REGISTRY_REALM);
+ SecureRegistry registry = RegistryUtils.createSecureRegistry(
+ MashupConstants.SYSTEM_USER,
MashupConstants.SYSTEM_USER_PASSWORD, jdbcRegistry,
+ realm);
+ try {
+ // Get an instance of the user store admin and create the user.
+ UserStoreAdmin userStoreAdmin = realm.getUserStoreAdmin();
+ userStoreAdmin.addUser(userName, password);
+
+ String adminName = "".equals(fullName.trim()) ? userName :
fullName;
+ String adminEmail = "".equals(emailId.trim()) ? "none" :
emailId;
+
+ // Create the admin user profile.
+ RegistryUtils.createUser(registry, realm, userName,
+ adminName, adminEmail, "System
Administrator");
+ // Assign primary user the 'admin' role and make primary.
+ userStoreAdmin.addUserToRole(userName,
RegistryConstants.ADMIN_ROLE);
+ RegistryUtils.makeUserPrimary(realm, userName);
+ MashupUtils.setInitialSetupComplete(true);
+
+ // Log user in as primary if option has been chosen.
+ if
(MashupConstants.TRUE.equals(request.getParameter(MashupConstants.SIGNIN))) {
+ MashupUtils.login(userName, password,
request.getSession().getId());
+ SecureRegistry secureRegistry =
+ RegistryUtils.createSecureRegistry(userName,
password,
+ jdbcRegistry,
realm);
+ request.getSession()
+ .setAttribute(MashupConstants.USER_REGISTRY,
secureRegistry);
+ }
+ } catch (UserManagerException e) {
+ log.error("Error creating admin user in user manager", e);
+ throw new MashupFault("Could not create admin user", e);
+ } catch (RegistryException e) {
+ log.error("Error adding admin user resources", e);
+ throw new MashupFault("Could not create admin user", e);
}
- } catch (UserManagerException e) {
- log.error("Error creating admin user in user manager", e);
- throw new MashupFault("Could not create admin user", e);
- } catch (RegistryException e) {
- log.error("Error adding admin user resources", e);
- throw new MashupFault("Could not create admin user", e);
+ } else {
+ log.error("Invalid attempt to create primary user.");
}
}
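Review bot: The `else` branch at the end of the hunk only logs the rejected attempt and lets createAdmin return normally, so a caller that reaches it without satisfying the guard gets no error and can proceed as if the primary user had been created; since the method already declares MashupFault, follow the log line with `throw new MashupFault("Invalid attempt to create primary user.");` so the rejection is visible to the page that invoked it. The guard is also not atomic with the later `MashupUtils.setInitialSetupComplete(true)`: two localhost requests arriving together could both pass `!MashupUtils.isInitialSetupComplete()` before either marks setup complete and both attempt `userStoreAdmin.addUser`, so the check and the creation should be serialized (for example by synchronizing the body, or by a single check-and-set in MashupUtils), assuming the setup-complete flag is plain shared state. Whether `MashupUtils.isFromLocalHost(request)` remains meaningful when the server is fronted by a proxy depends on its implementation, which is not visible in this hunk; a short comment on the guard stating what "local host" is derived from would help the next reader.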
Modified: trunk/mashup/java/modules/www/register_admin.jsp
==============================================================================
--- trunk/mashup/java/modules/www/register_admin.jsp (original)
+++ trunk/mashup/java/modules/www/register_admin.jsp Sun Feb 10 01:47:09 2008
@@ -35,6 +35,7 @@
<%
if (MashupUtils.isInitialSetupComplete() ||
!MashupUtils.isFromLocalHost(request)) {
response.sendRedirect("index.jsp");
+ return;
}
if (!"true".equals(firstCall)) {