Merge branch 'fix_vuln_kafka_upd' into kafka_upd

devicehive · Dec 14, 2023 · dbf7f72 · dbf7f72
2 parents e688811 + 82dc545
commit dbf7f72
Show file tree

Hide file tree

Showing 49 changed files with 440 additions and 226 deletions.
diff --git a/devicehive-auth/pom.xml b/devicehive-auth/pom.xml
@@ -67,12 +67,16 @@
             </exclusions>
         </dependency>
         <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-security</artifactId>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-core</artifactId>
         </dependency>
         <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-aop</artifactId>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-config</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-web</artifactId>
         </dependency>
     </dependencies>
     <build>

diff --git a/devicehive-auth/src/main/java/com/devicehive/application/AuthRpcClientConfig.java b/devicehive-auth/src/main/java/com/devicehive/application/AuthRpcClientConfig.java
@@ -30,6 +30,7 @@
 import com.devicehive.shim.kafka.serializer.ResponseSerializer;
 import com.devicehive.shim.kafka.topic.KafkaTopicService;
 import com.google.gson.Gson;
+import jakarta.annotation.PostConstruct;
 import org.apache.kafka.clients.producer.KafkaProducer;
 import org.apache.kafka.clients.producer.Producer;
 import org.apache.kafka.common.serialization.StringSerializer;
@@ -38,7 +39,6 @@
 import org.springframework.context.annotation.*;
 import org.springframework.core.env.Environment;
 
-import javax.annotation.PostConstruct;
 import java.net.InetAddress;
 import java.net.NetworkInterface;
 import java.net.SocketException;

diff --git a/devicehive-auth/src/main/java/com/devicehive/application/DeviceHiveAuthApplication.java b/devicehive-auth/src/main/java/com/devicehive/application/DeviceHiveAuthApplication.java
@@ -92,7 +92,7 @@ public Gson gson() {
     }
 
     @Bean
-    public Validator localValidator() {
+    public LocalValidatorFactoryBean localValidator() {
         return new LocalValidatorFactoryBean();
     }
 }
diff --git a/devicehive-auth/src/main/java/com/devicehive/application/filter/SwaggerFilter.java b/devicehive-auth/src/main/java/com/devicehive/application/filter/SwaggerFilter.java
@@ -20,16 +20,16 @@
  * #L%
  */
 
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.annotation.WebFilter;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.filter.OncePerRequestFilter;
 
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.annotation.WebFilter;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.net.URL;
 

diff --git a/devicehive-auth/src/main/java/com/devicehive/application/security/WebSecurityConfig.java b/devicehive-auth/src/main/java/com/devicehive/application/security/WebSecurityConfig.java
@@ -27,6 +27,7 @@
 import com.devicehive.model.ErrorResponse;
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
+import jakarta.servlet.http.HttpServletResponse;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.Ordered;
@@ -36,57 +37,57 @@
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 
-import javax.servlet.http.HttpServletResponse;
+
 
 @Configuration
 @EnableWebSecurity
 @Order(Ordered.HIGHEST_PRECEDENCE)
-public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+public class WebSecurityConfig {
 
-    private Gson gson = new GsonBuilder().create();
+    private final Gson gson = new GsonBuilder().create();
 
+    private final SimpleCORSFilter simpleCORSFilter;
     private final JwtTokenAuthenticationProvider jwtTokenAuthenticationProvider;
 
-    public WebSecurityConfig(final JwtTokenAuthenticationProvider jwtTokenAuthenticationProvider) {
-        super();
+    public WebSecurityConfig(JwtTokenAuthenticationProvider jwtTokenAuthenticationProvider,
+                             SimpleCORSFilter simpleCORSFilter) {
+        this.simpleCORSFilter = simpleCORSFilter;
         this.jwtTokenAuthenticationProvider = jwtTokenAuthenticationProvider;
     }
 
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http
-                .csrf().disable()
-                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
-                .and()
-                .authorizeRequests()
-                .antMatchers("/css/**", "/server/**", "/scripts/**", "/webjars/**", "/templates/**").permitAll()
-                .antMatchers("/*/swagger.json", "/*/swagger.yaml").permitAll()
-                .and()
-                .anonymous().disable()
-                .exceptionHandling()
-                .authenticationEntryPoint(unauthorizedEntryPoint());
+                .csrf(AbstractHttpConfigurer::disable)
+                .sessionManagement(sess -> sess.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                .authorizeHttpRequests(auth -> auth
+                        .requestMatchers("/css/**", "/server/**", "/scripts/**",
+                                "/webjars/**", "/templates/**", "/*/swagger.json", "/*/swagger.yaml").permitAll()
+                        .anyRequest().authenticated()
+                )
+                .exceptionHandling(exception -> exception
+                        .authenticationEntryPoint(unauthorizedEntryPoint())
+                );
 
         http
-                .addFilterBefore(new SimpleCORSFilter(), BasicAuthenticationFilter.class)
-                .addFilterAfter(new HttpAuthenticationFilter(authenticationManager()), SimpleCORSFilter.class);
+                .addFilterBefore(simpleCORSFilter, BasicAuthenticationFilter.class)
+                .addFilterAfter(new HttpAuthenticationFilter(http.getSharedObject(AuthenticationManager.class)), SimpleCORSFilter.class);
+
+        return http.build();
     }
 
-    @Override
-    protected void configure(AuthenticationManagerBuilder auth) {
+    @Bean
+    public AuthenticationManager authenticationManagerBuilder(AuthenticationManagerBuilder auth) throws Exception {
         auth
                 .authenticationProvider(jwtTokenAuthenticationProvider)
                 .authenticationProvider(anonymousAuthenticationProvider());
-    }
-
-    @Bean
-    @Override
-    public AuthenticationManager authenticationManagerBean() throws Exception {
-        return super.authenticationManagerBean();
+        return auth.build();
     }
 
     @Bean
@@ -103,4 +104,4 @@ public AuthenticationEntryPoint unauthorizedEntryPoint() {
                     gson.toJson(new ErrorResponse(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage())));
         };
     }
-}
+}
diff --git a/...cehive-backend/src/main/java/com/devicehive/application/DeviceHiveBackendApplication.java b/...cehive-backend/src/main/java/com/devicehive/application/DeviceHiveBackendApplication.java
@@ -21,6 +21,7 @@
  */
 
 import org.springframework.boot.WebApplicationType;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.builder.SpringApplicationBuilder;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.context.annotation.ComponentScan;

diff --git a/devicehive-backend/src/main/java/com/devicehive/application/RequestHandlersMapper.java b/devicehive-backend/src/main/java/com/devicehive/application/RequestHandlersMapper.java
@@ -35,10 +35,10 @@
 import com.devicehive.shim.api.Action;
 import com.devicehive.shim.api.server.RequestHandler;
 import com.google.common.collect.ImmutableMap;
+import jakarta.annotation.PostConstruct;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
-import javax.annotation.PostConstruct;
 import java.util.Map;
 
 @Component

diff --git a/devicehive-common-service/pom.xml b/devicehive-common-service/pom.xml
@@ -21,6 +21,11 @@
             <version>${project.parent.version}</version>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <version>${jackson-databind.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-jersey</artifactId>
@@ -60,6 +65,12 @@
             <groupId>org.apache.httpcomponents</groupId>
             <artifactId>httpclient</artifactId>
         </dependency>
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>javax.servlet-api</artifactId>
+            <version>4.0.1</version>
+            <scope>compile</scope>
+        </dependency>
     </dependencies>
 
 </project>
diff --git a/...ehive-common-service/src/main/java/com/devicehive/auth/rest/HttpAuthenticationFilter.java b/...ehive-common-service/src/main/java/com/devicehive/auth/rest/HttpAuthenticationFilter.java
@@ -21,6 +21,12 @@
  */
 
 import com.devicehive.auth.HiveAuthentication;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.slf4j.MDC;
@@ -37,12 +43,7 @@
 import org.springframework.web.filter.GenericFilterBean;
 import org.springframework.web.util.UrlPathHelper;
 
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+
 import java.io.IOException;
 import java.net.InetAddress;
 import java.net.UnknownHostException;

diff --git a/devicehive-common-service/src/main/java/com/devicehive/auth/rest/SimpleCORSFilter.java b/devicehive-common-service/src/main/java/com/devicehive/auth/rest/SimpleCORSFilter.java
@@ -9,30 +9,29 @@
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
- * 
+ *
  *      http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  * #L%
  */
-
 import org.springframework.web.filter.GenericFilterBean;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletResponse;
 
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 
 public class SimpleCORSFilter extends GenericFilterBean {
 
     @Override
-    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException, ServletException {
         final HttpServletResponse resp = (HttpServletResponse) servletResponse;
         resp.setHeader("Access-Control-Allow-Credentials", "true");
         resp.setHeader("Access-Control-Allow-Origin", "*");

diff --git a/...service/src/main/java/com/devicehive/resource/exceptions/AccessDeniedExceptionMapper.java b/...service/src/main/java/com/devicehive/resource/exceptions/AccessDeniedExceptionMapper.java
@@ -21,9 +21,9 @@
  */
 
 import com.devicehive.model.ErrorResponse;
+import jakarta.servlet.http.HttpServletRequest;
 import org.springframework.security.access.AccessDeniedException;
 
-import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;

diff --git a/...rvice/src/main/java/com/devicehive/resource/exceptions/BadCredentialsExceptionMapper.java b/...rvice/src/main/java/com/devicehive/resource/exceptions/BadCredentialsExceptionMapper.java
@@ -21,9 +21,9 @@
  */
 
 import com.devicehive.model.ErrorResponse;
+import jakarta.servlet.http.HttpServletRequest;
 import org.springframework.security.authentication.BadCredentialsException;
 
-import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;

diff --git a/...ice/src/main/java/com/devicehive/resource/exceptions/InvalidPrincipalExceptionMapper.java b/...ice/src/main/java/com/devicehive/resource/exceptions/InvalidPrincipalExceptionMapper.java
@@ -22,8 +22,8 @@
 
 import com.devicehive.exceptions.InvalidPrincipalException;
 import com.devicehive.model.ErrorResponse;
+import jakarta.servlet.http.HttpServletRequest;
 
-import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;

diff --git a/devicehive-common-service/src/main/java/com/devicehive/security/util/JwtSecretService.java b/devicehive-common-service/src/main/java/com/devicehive/security/util/JwtSecretService.java
@@ -22,11 +22,11 @@
 
 import com.devicehive.configuration.Constants;
 import com.devicehive.service.configuration.ConfigurationService;
+import jakarta.annotation.PostConstruct;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 import org.springframework.util.StringUtils;
 
-import javax.annotation.PostConstruct;
 import java.math.BigInteger;
 import java.security.SecureRandom;
 

diff --git a/devicehive-common-service/src/main/java/com/devicehive/service/BaseDeviceService.java b/devicehive-common-service/src/main/java/com/devicehive/service/BaseDeviceService.java
@@ -46,7 +46,7 @@
 import java.util.concurrent.CompletableFuture;
 
 import static com.devicehive.configuration.Messages.ACCESS_DENIED;
-import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
+import static jakarta.servlet.http.HttpServletResponse.SC_FORBIDDEN;
 import static javax.ws.rs.core.Response.Status.BAD_REQUEST;
 import static javax.ws.rs.core.Response.Status.NOT_FOUND;
 

diff --git a/devicehive-common-service/src/main/java/com/devicehive/service/BaseFilterService.java b/devicehive-common-service/src/main/java/com/devicehive/service/BaseFilterService.java
@@ -46,8 +46,8 @@
 import static com.devicehive.configuration.Messages.ACCESS_DENIED;
 import static com.devicehive.configuration.Messages.DEVICE_TYPES_NOT_FOUND;
 import static com.devicehive.configuration.Messages.NETWORKS_NOT_FOUND;
-import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
-import static javax.servlet.http.HttpServletResponse.SC_NOT_FOUND;
+import static jakarta.servlet.http.HttpServletResponse.SC_FORBIDDEN;
+import static jakarta.servlet.http.HttpServletResponse.SC_NOT_FOUND;
 
 @Component
 public class BaseFilterService {

diff --git a/devicehive-common-service/src/main/java/com/devicehive/service/BaseNetworkService.java b/devicehive-common-service/src/main/java/com/devicehive/service/BaseNetworkService.java
@@ -57,11 +57,11 @@
 import java.util.stream.Collectors;
 
 import static com.devicehive.configuration.Messages.NETWORKS_NOT_FOUND;
+import static jakarta.servlet.http.HttpServletResponse.SC_BAD_REQUEST;
+import static jakarta.servlet.http.HttpServletResponse.SC_FORBIDDEN;
 import static java.util.Optional.empty;
 import static java.util.Optional.of;
 import static java.util.Optional.ofNullable;
-import static javax.servlet.http.HttpServletResponse.SC_BAD_REQUEST;
-import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
 import static org.springframework.util.CollectionUtils.isEmpty;
 
 @Component

diff --git a/...mmon-service/src/main/java/com/devicehive/service/configuration/ConfigurationService.java b/...mmon-service/src/main/java/com/devicehive/service/configuration/ConfigurationService.java
@@ -29,8 +29,9 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Lazy;
 import org.springframework.stereotype.Component;
+import org.springframework.transaction.annotation.Transactional;
+
 
-import javax.transaction.Transactional;
 import javax.validation.constraints.NotNull;
 import java.util.Optional;
 

diff --git a/devicehive-common-service/src/main/java/com/devicehive/service/helpers/HttpRestHelper.java b/devicehive-common-service/src/main/java/com/devicehive/service/helpers/HttpRestHelper.java
@@ -25,6 +25,7 @@
 import com.devicehive.model.ErrorResponse;
 import com.google.gson.Gson;
 import com.google.gson.JsonSyntaxException;
+import jakarta.annotation.PostConstruct;
 import org.apache.http.HttpEntity;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpGet;
@@ -39,7 +40,6 @@
 import org.springframework.stereotype.Component;
 import org.springframework.util.StringUtils;
 
-import javax.annotation.PostConstruct;
 import javax.ws.rs.ServiceUnavailableException;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;