/** * Returns the input if valid over the given white list and black list patterns else throws an * IdentityValidationException * * @param input input * @param whiteListPatterns a String array of white list pattern keys * @param blackListPatterns a String array of black list pattern keys * @return input if valid over the given white list and black list patterns else throws an * IdentityValidationException * @throws IdentityValidationException if input is invalid for the he given white list and black list patterns */ public static String getValidInput(String input, String[] whiteListPatterns, String[] blackListPatterns) throws IdentityValidationException { if (StringUtils.isEmpty(input) || isValid(input, whiteListPatterns, blackListPatterns)) { return input; } StringBuilder message = new StringBuilder(); message.append(msgSection1); message.append(String.format(msgSection2, getPatternString(whiteListPatterns))); message.append(msgSection4); message.append(String.format(msgSection3, getPatternString(blackListPatterns))); throw new IdentityValidationException(message.toString()); }
/** * Returns the input if valid over the given white list and black list patterns else throws an * IdentityValidationException * * @param input input * @param whiteListPatterns a String array of white list pattern keys * @param blackListPatterns a String array of black list pattern keys * @return input if valid over the given white list and black list patterns else throws an * IdentityValidationException */ public static String getValidInput(String input, String[] whiteListPatterns, String[] blackListPatterns) throws IdentityValidationException { if (StringUtils.isEmpty(input) || isValid(input, whiteListPatterns, blackListPatterns)) { return input; } StringBuilder message = new StringBuilder(); message.append(msgSection1); message.append(String.format(msgSection2, getPatternString(whiteListPatterns))); message.append(msgSection4); message.append(String.format(msgSection3, getPatternString(blackListPatterns))); throw new IdentityValidationException(message.toString()); }
@Override public boolean doPreSetUserClaimValues(String userName, Map<String, String> claims, String profileName, UserStoreManager userStoreManager) throws UserStoreException { if (!isEnable()) { return true; } if (log.isDebugEnabled()) { String userStoreDomain = UserCoreUtil.getDomainName(userStoreManager.getRealmConfiguration()); if (StringUtils.isBlank(userStoreDomain)) { userStoreDomain = UserCoreConstants.PRIMARY_DEFAULT_DOMAIN_NAME; } String tenantDomain = IdentityTenantUtil.getTenantDomain(userStoreManager.getTenantId()); log.debug("doPreSetUserClaimValues method executed in ProfileMgtEventListener for user: " + getFullQualifiedUsername(userName, userStoreDomain, tenantDomain)); } //The following black listed patterns contain possible invalid inputs for profile which could be used for a // stored XSS attack. String[] whiteListPatternKeys = {ALPHANUMERICS_ONLY, DIGITS_ONLY}; String[] blackListPatternKeys = {WHITESPACE_EXISTS, URI_RESERVED_EXISTS, HTML_META_EXISTS, XML_META_EXISTS, REGEX_META_EXISTS, URL}; if (!IdentityValidationUtil.isValid(profileName, whiteListPatternKeys, blackListPatternKeys)) { throw new UserStoreException("profile name contains invalid characters!"); } return true; }
@Override public boolean doPreSetUserClaimValues(String userName, Map<String, String> claims, String profileName, UserStoreManager userStoreManager) throws UserStoreException { if (!isEnable()) { return true; } if (log.isDebugEnabled()) { String userStoreDomain = UserCoreUtil.getDomainName(userStoreManager.getRealmConfiguration()); if (StringUtils.isBlank(userStoreDomain)) { userStoreDomain = UserCoreConstants.PRIMARY_DEFAULT_DOMAIN_NAME; } String tenantDomain = IdentityTenantUtil.getTenantDomain(userStoreManager.getTenantId()); log.debug("doPreSetUserClaimValues method executed in ProfileMgtEventListener for user: " + getFullQualifiedUsername(userName, userStoreDomain, tenantDomain)); } //The following black listed patterns contain possible invalid inputs for profile which could be used for a // stored XSS attack. String[] whiteListPatternKeys = {ALPHANUMERICS_ONLY, DIGITS_ONLY}; String[] blackListPatternKeys = {WHITESPACE_EXISTS, URI_RESERVED_EXISTS, HTML_META_EXISTS, XML_META_EXISTS, REGEX_META_EXISTS, URL}; if (!IdentityValidationUtil.isValid(profileName, whiteListPatternKeys, blackListPatternKeys)) { throw new UserStoreException("profile name contains invalid characters!"); } return true; }