Merge pull request #34 from wet-boew/fix-redirect-v2

ahmad-shahid · web-flow · commit 4008697ebca6 · 2023-11-15T09:56:45.000-05:00
Fix redirect v2
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,11 @@
 
 [Download and/or Installation instructions](https://github.com/wet-boew/cdts-JavaTemplates/wiki/Installation)
 
+## v2.7.0
+
+- **SECURITY FIX** Removal of default redirect handlers for "leaving secure site" feature. Leaving secure site feature now relies solely on WET functionality. Unless these redirect handlers were explicitely referenced by client application there should be no impact. (Spring version: removal of endpoint "/gocwebtemplate_leavesecuresiteredirect"; JSP version: removal of action "leavesecuresiteredirect.action")
+- Bug fixes
+
 ## v2.6.0
 
 - **IMPORTANT** The GCWeb site footer has been updated to reflect the changes introduced in WET footer version 4. These changes will be applied automatically. For more information, please visit the WET documentation: https://wet-boew.github.io/GCWeb/sites/footers/footers-en.html
diff --git a/builds/build.properties b/builds/build.properties
@@ -3,4 +3,4 @@
 #
 # DO NOT EDIT build.properties DIRECTLY!
 #
-gocwebtemplate.build.version=2.6.0-SNAPSHOT
+gocwebtemplate.build.version=2.7.0-SNAPSHOT
diff --git a/gocwebtemplate-core/gocwebtemplate-core-base/pom.xml b/gocwebtemplate-core/gocwebtemplate-core-base/pom.xml
@@ -10,7 +10,7 @@
   <parent>
     <groupId>ca.gc.gocwebtemplate</groupId>
     <artifactId>gocwebtemplate-core</artifactId>
-    <version>2.6.0-SNAPSHOT</version>
+    <version>2.7.0-SNAPSHOT</version>
     <relativePath>..</relativePath>
   </parent>
   
diff --git a/gocwebtemplate-core/gocwebtemplate-core-base/src/main/java/goc/webtemplate/Constants.java b/gocwebtemplate-core/gocwebtemplate-core-base/src/main/java/goc/webtemplate/Constants.java
@@ -13,7 +13,7 @@ public abstract class Constants {
     
     public static final String CACHE_KEY_STATICFILES_PREFIX = "GoC.Template.CacheKey";
     
-    public static final String WEB_TEMPLATE_DISTRIBUTION_VERSION = "2.6.0";
+    public static final String WEB_TEMPLATE_DISTRIBUTION_VERSION = "2.7.0";
 
     public static final String CDTS_DEFAULT_VERSION = "v4_0_47";
     
diff --git a/gocwebtemplate-core/gocwebtemplate-core-base/src/main/java/goc/webtemplate/component/BaseUtil.java b/gocwebtemplate-core/gocwebtemplate-core-base/src/main/java/goc/webtemplate/component/BaseUtil.java
@@ -8,11 +8,6 @@
 import goc.webtemplate.Constants;
 
 public final class BaseUtil {
-	public static void doLeaveSecureSite(HttpServletRequest req, HttpServletResponse res) throws Exception {
-		String redirectUrl = URLDecoder.decode(req.getParameter("targetUrl"), "UTF-8");
-		res.sendRedirect(redirectUrl);
-	}
-	
 	public static void doLocaleSwitch(HttpServletRequest req, HttpServletResponse res) throws Exception {
 		String currLang = req.getSession().getAttribute(Constants.CURRENT_LANG_SESSION_KEY) == null ? 
 									req.getLocale().getLanguage() : 
@@ -24,6 +19,10 @@ public static void doLocaleSwitch(HttpServletRequest req, HttpServletResponse re
 		}
 		
 		String prevUrl = URLDecoder.decode(req.getParameter(Constants.QUERYSTRING_KEY), "UTF-8");
+
+		// Validate that the redirect link is relative to the host and NOT absolute or relative to scheme
+		if ((!prevUrl.startsWith("/")) || prevUrl.startsWith("//")) throw new Exception("Unauthorized return URL specified for language switching.");
+
 		res.sendRedirect(prevUrl);
 	}
 	
diff --git a/gocwebtemplate-core/gocwebtemplate-core-base/src/main/java/goc/webtemplate/component/jsonentities/RefFooter.java b/gocwebtemplate-core/gocwebtemplate-core-base/src/main/java/goc/webtemplate/component/jsonentities/RefFooter.java
@@ -4,11 +4,8 @@
 
 import goc.webtemplate.LeavingSecureSiteWarning;
 
-import goc.webtemplate.Utility;
 import goc.webtemplate.WebAnalyticsInfo;
 
-import goc.webtemplate.component.JsonValueUtils;
-
 /**
  * Objects of this class are meant to be serialized to a JSON object to be passed
  * as parameter to the 'wet.builder.refFooter' JavaScript function in the template
@@ -39,7 +36,7 @@ public RefFooter(String cdnEnv, ExitSecureSite exitSecureSite, String jqueryEnv,
     public RefFooter(String cdnEnv, LeavingSecureSiteWarning lssw, String jqueryEnv, String localPath, WebAnalyticsInfo webAnalyticsInfo, boolean isApplication) {
         this.cdnEnv = cdnEnv;
         this.exitSecureSite = null;
-        if ((lssw != null) && lssw.isEnabled() && !Utility.isNullOrEmpty(lssw.getRedirectUrl())) {
+        if ((lssw != null) && lssw.isEnabled()) {
             this.exitSecureSite = new ExitSecureSite(lssw);
         }
         this.jqueryEnv = jqueryEnv;
diff --git a/gocwebtemplate-core/gocwebtemplate-core-jsp/pom.xml b/gocwebtemplate-core/gocwebtemplate-core-jsp/pom.xml
@@ -10,7 +10,7 @@
   <parent>
     <groupId>ca.gc.gocwebtemplate</groupId>
     <artifactId>gocwebtemplate-core</artifactId>
-    <version>2.6.0-SNAPSHOT</version>
+    <version>2.7.0-SNAPSHOT</version>
     <relativePath>..</relativePath>
   </parent>
   
diff --git a/gocwebtemplate-core/gocwebtemplate-core-jsp/src/main/java/goc/webtemplate/component/jsp/BaseCoreBean.java b/gocwebtemplate-core/gocwebtemplate-core-jsp/src/main/java/goc/webtemplate/component/jsp/BaseCoreBean.java
@@ -35,7 +35,7 @@ protected String getDefaultLanguageLinkUrl() {
     
     @Override
     protected String getDefaultLeaveSecureSiteRedirectUrl() {
-        return "leavesecuresiteredirect.action";
+        return null;
     }
     
     @Override
diff --git a/gocwebtemplate-core/gocwebtemplate-core-jsp/src/main/java/goc/webtemplate/component/jsp/LeaveSecureSiteAction.java b/gocwebtemplate-core/gocwebtemplate-core-jsp/src/main/java/goc/webtemplate/component/jsp/LeaveSecureSiteAction.java
diff --git a/gocwebtemplate-core/gocwebtemplate-core-spring/pom.xml b/gocwebtemplate-core/gocwebtemplate-core-spring/pom.xml
@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>ca.gc.gocwebtemplate</groupId>
 		<artifactId>gocwebtemplate-core</artifactId>
-		<version>2.6.0-SNAPSHOT</version>
+		<version>2.7.0-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 	
diff --git a/gocwebtemplate-core/gocwebtemplate-core-spring/src/main/java/goc/webtemplate/component/spring/BaseCoreBean.java b/gocwebtemplate-core/gocwebtemplate-core-spring/src/main/java/goc/webtemplate/component/spring/BaseCoreBean.java
@@ -35,7 +35,7 @@ protected String getDefaultLanguageLinkUrl() {
     
     @Override
     protected String getDefaultLeaveSecureSiteRedirectUrl() {
-        return "gocwebtemplate_leavesecuresiteredirect";
+        return null;
     }
     
     @Override
diff --git a/gocwebtemplate-core/gocwebtemplate-core-spring/src/main/java/goc/webtemplate/component/spring/controller/CoreController.java b/gocwebtemplate-core/gocwebtemplate-core-spring/src/main/java/goc/webtemplate/component/spring/controller/CoreController.java
@@ -10,15 +10,8 @@
 
 @Controller
 public class CoreController {
-	
 	@GetMapping("/gocwebtemplate_switchlocale")
 	public void SwitchLocale(HttpServletRequest request, HttpServletResponse response) throws Exception {
 		BaseUtil.doLocaleSwitch(request, response);
 	}	
-	
-	@GetMapping("/gocwebtemplate_leavesecuresiteredirect")
-	public void LeaveSecureSiteRedirect(HttpServletRequest request, HttpServletResponse response) throws Exception {
-		//Custom processing would go here
-		BaseUtil.doLeaveSecureSite(request, response);
-	}
 }
diff --git a/gocwebtemplate-core/pom.xml b/gocwebtemplate-core/pom.xml
@@ -2,7 +2,7 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>ca.gc.gocwebtemplate</groupId>
   <artifactId>gocwebtemplate-core</artifactId>
-  <version>2.6.0-SNAPSHOT</version>
+  <version>2.7.0-SNAPSHOT</version>
   <packaging>pom</packaging>
   
   <name>gocwebtemplate-core</name>
diff --git a/gocwebtemplate-sample-jsp/pom.xml b/gocwebtemplate-sample-jsp/pom.xml
@@ -3,7 +3,7 @@
   
   <groupId>ca.gc.gocwebtemplate</groupId>
   <artifactId>gocwebtemplate-sample-jsp</artifactId>
-  <version>2.6.0-SNAPSHOT</version>
+  <version>2.7.0-SNAPSHOT</version>
   <packaging>war</packaging>
   
   <name>gocwebtemplate-sample-jsp</name>
@@ -14,7 +14,7 @@
     <m2eclipse.wtp.contextRoot>GoCWebTemplateSampleJSP</m2eclipse.wtp.contextRoot>    <!-- Set the context root for running locally here!  This will keep Eclipse from overriding weblogic.xml with the project's name on every Maven Update operations -->
     
     <java.version>1.8</java.version>
-    <webtemplate.version>2.6.0-SNAPSHOT</webtemplate.version>
+    <webtemplate.version>2.7.0-SNAPSHOT</webtemplate.version>
         
     <build_number>local</build_number>
     <maven.build.timestamp.format>yyyy/MM/dd HH:mm:ss</maven.build.timestamp.format>
diff --git a/gocwebtemplate-sample-jsp/src/main/java/goc/webtemplate/jsp/samplebeans/LeaveSecureSiteSampleBean.java b/gocwebtemplate-sample-jsp/src/main/java/goc/webtemplate/jsp/samplebeans/LeaveSecureSiteSampleBean.java
@@ -12,7 +12,6 @@ public void onWebTemplateInitialize() {
 
         lssw.setEnabled(true);
         lssw.setMessage("You are about to leave a secure site, do you wish to continue?");
-        lssw.setRedirectUrl("leavesecuresiteredirect.action");
         lssw.setExcludedDomains("www.esdc.gc.ca,www.jobbank.gc.ca,www.readseal.ca");
         lssw.setCancelMessage("Don't leave");
         lssw.setYesMessage("Yes, leave this site");
diff --git a/gocwebtemplate-sample-jsp/src/main/resources/struts.xml b/gocwebtemplate-sample-jsp/src/main/resources/struts.xml
@@ -13,7 +13,6 @@
 		<result-types>
 			<result-type name="tiles" class="org.apache.struts2.views.tiles.TilesResult" />
 		</result-types>
-		<action name="leavesecuresiteredirect" class="goc.webtemplate.component.jsp.LeaveSecureSiteAction" method="execute"></action>
 		<action name="switchlocale" class="goc.webtemplate.component.jsp.SwitchLocaleAction" method="execute"></action>
 		<!--  ==============================================================  -->
 		
diff --git a/gocwebtemplate-sample-jsp/src/main/webapp/ChangeLog.txt b/gocwebtemplate-sample-jsp/src/main/webapp/ChangeLog.txt
@@ -1,3 +1,3 @@
 For the up to date release/change log, please refer to:
 
-  https://gccode.ssc-spc.gc.ca/iitb-dgiit/sds/GOCWebTemplates/JavaTemplates/releases
+  https://github.com/wet-boew/cdts-JavaTemplates/releases
diff --git a/gocwebtemplate-sample-jsp/src/main/webapp/samplecontents/leavesecuresitesamplecontent.jsp b/gocwebtemplate-sample-jsp/src/main/webapp/samplecontents/leavesecuresitesamplecontent.jsp
@@ -1,4 +1,4 @@
-<h1>GoC Web Template Samples - Leaving Secure Site</h1>
+<h1 id="wb-cont">GoC Web Template Samples - Leaving Secure Site</h1>
 <p>In certain scenarios (ex: secure sites) we want to notify the user that the link or action they have just performed will exit the current secured site/session and it is possible that data could be lost. The message allows the user to cancel the redirect or continue with the redirect.</p>
 <h2>Pre-requisite</h2>
 <p>To override the Default GoC Web Template look &amp; feel, you will have to create a custom bean class that extends the <code class="wb-prettify">goc.webtemplate.component.jsp.BaseCoreBean</code> class, and then override the various methods made available to alter the look &amp; feel of the web page.</p>
@@ -17,8 +17,8 @@
 <ul>
     <li>display the message to the user in the form of a modal window</li>
     <li>display the message your application provides</li>
-    <li>allow your application to execute any clean up code (ex: close session, gracefully logout user etc...)</li>
     <li>allow your application to exlude any domains from raising the warning</li>
+    <li>optionally, allow your application to execute any clean up code (ex: close session, gracefully logout user etc...)</li>
 </ul>
 <h2>How it works</h2>
 <ul>
@@ -29,29 +29,21 @@
             <li>A "Yes" button appears on the window to allow the user to continue with the redirection to the selected link. (Text can be customized, see below.)</li>
         </ul>
    	</li>
-	<li>if the "Yes" button is clicked:
-        <ul>
-            <li>the user will first be redirect to the url set in <code class="wb-prettify">"leavingSecureSiteRedirectUrl"</code> via either the cdn.properties file or programmatically</li>
-            <li>the info of the linked that was clicked is part of the querystring to that url</li>
-            <li>in the redirect url provided earlier, attach the preRenderView event to the page and execute a custom bean method to perform the redirect</li>
-            <li>execute any clean up code your application requires</li>
-            <li>once executed the custom bean class will redirect the user to the url of the clicked link</li>
-            <li>the leave secure site feature is already provided by default as part of the GoC Web Template package, by default it will use the templates/leavesecuresiteredirect.xhtml page</li>
-            <li>by default the leave secure site redirect page will invoke the <code class="wb-prettify">leavesecuresiteredirect.action</code> Struts Action already pre-registered in struts.xml</li>
-        </ul>
+    <li>if the "Yes" button is clicked, the browser will be directed to the external link</li>
+    <li>optionally, a redirect url can be set in <code class="wb-prettify">"leavingSecureSiteRedirectUrl"</code> via either the cdn.properties file or programmatically.
+        If this is used, the browser will be directed to this page before leaving, where the application can terminate the user's session and let them proceed to the external link.
+        The external link will be presented to the user by placing an element <code class="wb-prettify">&lt;span class="wb-exitscript wb-exitscript-exiturlparam"&gt;&lt;/span&gt;</code> on the page.
+        For an example of a "middle page", refer to <a href="https://wet-boew.github.io/wet-boew/demos/exitscript/exitscript-en.html#wb-auto-3">scenario 3 link in the WET Documentation</a>.
     </li>
 </ul>
 <p>Here is a local link that will not display the warning: <a href="basesettingssample.action">Link to Local Page</a></p>
-<p>Here is an external link that will display the warning:<a href="https://gccode.ssc-spc.gc.ca/iitb-dgiit/sds/GOCWebTemplates/JavaTemplates/wikis/Redirect-Page">Link to External Page</a></p>
+<p>Here is an external link that will display the warning:<a href="https://github.com/wet-boew/cdts-JavaTemplates/wiki/Redirect-Page">Link to External Page</a></p>
 <h2>Steps to implement:</h2>
 <h3>Enable the leaving secure site feature</h3>
 <ul>
     <li>Set, via the cdn.properties file or programmatically in your custom bean class, <code class="wb-prettify">"Enabled"</code> to <strong>"true"</strong></li>
     <li>Provide the message to be displayed by setting the <code class="wb-prettify">"Message"</code> programmatically via the <code class="wb-prettify">setLeavingSecureSiteWarning</code> method in your custom bean class.</li>
-    <li>Set, via the cdn.properties file or programmatically in your custom bean class, <code class="wb-prettify">"RedirectUrl"</code> to your action class which will execute your clean up code and then redirect to the selected url.</li>
     <li>Set, via the cdn.properties or programmatically in your custom bean class, <code class="wb-prettify">"ExcludedDomain"</code> the list of domains you do not want to raise the warning</li>
-    <li>Optionally, provide a cancel message by setting the <code class="wb-prettify">"CancelMessage"</code> programmatically via the <code class="wb-prettify">setLeavingSecureSiteWarning</code> method in your custom bean class.</li>
-    <li>Optionally, provide a yes message by setting the <code class="wb-prettify">"YesMessage"</code> programmatically via the <code class="wb-prettify">setLeavingSecureSiteWarning</code> method in your custom bean class.</li>
 </ul>
 <div class="wb-prettify all-pre lang-vb linenums">
    	<pre>
@@ -62,7 +54,6 @@ public void onWebTemplateInitialize() {
 
     lssw.setEnabled(true);
     lssw.setMessage("You are about to leave a secure site, do you wish to continue?");
-    lssw.setRedirectUrl("leavesecuresiteredirect.action");
     lssw.setExcludedDomains("www.esdc.gc.ca,www.jobbank.gc.ca,www.readseal.ca");
     lssw.setCancelMessage("Don't leave");
     lssw.setYesMessage("Yes, leave this site");
@@ -73,26 +64,4 @@ public void onWebTemplateInitialize() {
 }
    	</pre>
 </div>
-<h3>Created your custom "redirect" class</h3>
-<ul>
-    <li>Create a class and a public method will be invoked by the preRenderView event of the redirect url</li>
-    <li>enter your clean up code if required</li>
-    <li>redirect to the <code class="wb-prettify">"targetURL"</code> parameter value in the querystring</li>
-</ul>
-<div class="wb-prettify all-pre lang-vb linenums">
-    <h3>Code Sample for your Redirect action class</h3>
-    <pre>
-import java.net.URLDecoder;
-import javax.servlet.http.HttpServletRequest;
-import org.apache.struts2.ServletActionContext;
-
-public class LeaveSecureSiteAction {
-	public void execute() throws Exception {
-		HttpServletRequest currentReq = ServletActionContext.getRequest();
-		String redirectUrl = URLDecoder.decode(currentReq.getParameter("targetUrl"), "UTF-8");
-		ServletActionContext.getResponse().sendRedirect(redirectUrl);
-	}
-}
-   </pre>
-</div>
 <%@ include file="_sampleslist.jsp" %>
diff --git a/gocwebtemplate-sample-spring/pom.xml b/gocwebtemplate-sample-spring/pom.xml
@@ -3,15 +3,15 @@
 
 	<groupId>ca.gc.gocwebtemplate</groupId>
   	<artifactId>gocwebtemplate-sample-spring</artifactId>
-  	<version>2.6.0-SNAPSHOT</version>
+  	<version>2.7.0-SNAPSHOT</version>
   	<!--Change packaging type to "war" if your application must be deployable in a web container-->
  	<packaging>jar</packaging>
  
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<java.version>1.8</java.version>
 		<springboot.version>2.6.6</springboot.version>
-		<webtemplate.version>2.6.0-SNAPSHOT</webtemplate.version>
+		<webtemplate.version>2.7.0-SNAPSHOT</webtemplate.version>
 		
 		<build_number>local</build_number>
 		<timestamp>${maven.build.timestamp}</timestamp>
diff --git a/gocwebtemplate-sample-spring/src/main/java/goc/webtemplate/spring/samplebeans/LeavingSecureSiteSampleBean.java b/gocwebtemplate-sample-spring/src/main/java/goc/webtemplate/spring/samplebeans/LeavingSecureSiteSampleBean.java
@@ -14,7 +14,6 @@ public void onWebTemplateInitialize() {
 
         lssw.setEnabled(true);
         lssw.setMessage("You are about to leave a secure site, do you wish to continue?");
-        lssw.setRedirectUrl("gocwebtemplate_leavesecuresiteredirect");
         lssw.setExcludedDomains("www.esdc.gc.ca,www.jobbank.gc.ca,www.readseal.ca");
         lssw.setCancelMessage("Don't leave");
         lssw.setYesMessage("Yes, leave this site");
diff --git a/gocwebtemplate-sample-spring/src/main/resources/samples/LeavingSecureSiteSample.html b/gocwebtemplate-sample-spring/src/main/resources/samples/LeavingSecureSiteSample.html
diff --git a/pom.xml b/pom.xml

Original file line number	Diff line number	Diff line change
`@@ -3,4 +3,4 @@`
`3`	`3`	`#`
`4`	`4`	`# DO NOT EDIT build.properties DIRECTLY!`
`5`	`5`	`#`
`6`		`-gocwebtemplate.build.version=2.6.0-SNAPSHOT`
	`6`	`+gocwebtemplate.build.version=2.7.0-SNAPSHOT`
Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ protected String getDefaultLanguageLinkUrl() {`
`35`	`35`
`36`	`36`	`@Override`
`37`	`37`	`protected String getDefaultLeaveSecureSiteRedirectUrl() {`
`38`		`- return "leavesecuresiteredirect.action";`
	`38`	`+ return null;`
`39`	`39`	`}`
`40`	`40`
`41`	`41`	`@Override`