From 74e563da7fa6886449fd2be5933e2d4ca5c85f48 Mon Sep 17 00:00:00 2001
From: jack <jack.su@pollex.com.tw>
Date: 星期二, 12 九月 2023 11:25:52 +0800
Subject: [PATCH] [UPDATE] 解決弱點Se: Incorrect definition of Serializable class [UPDATE] 解決弱點Information exposure to log file [UPDATE] 解決弱點Use of hard-coded password

---
 pamapi/src/main/resources/config/application-pollex.yml                        |    1 +
 pamapi/src/main/resources/config/application-dev.yml                           |    1 +
 pamapi/src/main/resources/config/application-sit.yml                           |    1 +
 pamapi/src/main/java/com/pollex/pam/security/jwt/TokenProvider.java            |    8 ++++++--
 pamapi/src/main/java/com/pollex/pam/service/OtpWebService.java                 |    8 ++++----
 pamapi/src/main/resources/config/application-uat.yml                           |    1 +
 pamapi/src/main/java/com/pollex/pam/config/ApplicationProperties.java          |   12 ++++++++++++
 pamapi/src/main/java/com/pollex/pam/security/token/OtpAuthenticationToken.java |    2 +-
 pamapi/src/main/java/com/pollex/pam/web/rest/AccountResource.java              |   22 +++++++++++-----------
 pamapi/src/main/resources/config/application-prod.yml                          |    1 +
 10 files changed, 39 insertions(+), 18 deletions(-)

diff --git a/pamapi/src/main/java/com/pollex/pam/config/ApplicationProperties.java b/pamapi/src/main/java/com/pollex/pam/config/ApplicationProperties.java
index 371b675..a20d500 100644
--- a/pamapi/src/main/java/com/pollex/pam/config/ApplicationProperties.java
+++ b/pamapi/src/main/java/com/pollex/pam/config/ApplicationProperties.java
@@ -27,6 +27,7 @@
     private SendEmailProperties email;
     private String fileFolderPath;
     private String aesKey;
+    private String defaultPaxxword;
 
     public boolean isMockLogin() {
         return mockLogin;
@@ -125,6 +126,17 @@
 		this.aesKey = aesKey;
 	}
 	
+	@Override
+	public String getDefaultPaxxword() {
+		return defaultPaxxword;
+	}
+
+	public void setDefaultPaxxword(String defaultPaxxword) {
+		this.defaultPaxxword = defaultPaxxword;
+	}
+	
+	
+	
 	
 
 }
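Review bot: The `@Override` on `getDefaultPaxxword()` implies that the `AppProperties` type TokenProvider injects already declares this getter, yet `AppProperties` is not among the ten files in the diffstat; unless that method was added in an earlier commit, this hunk will not compile. The new accessors also carry no Javadoc and leave three whitespace-only lines before the closing brace; a short comment such as `/** Placeholder credential given to the Spring Security {@code User} built from a JWT in TokenProvider; bound from the {@code default-paxxword} property. */` would tell the next reader why a property with this name exists. The class header is outside the hunk.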
diff --git a/pamapi/src/main/java/com/pollex/pam/security/jwt/TokenProvider.java b/pamapi/src/main/java/com/pollex/pam/security/jwt/TokenProvider.java
index 6cff94b..3fdd62f 100644
--- a/pamapi/src/main/java/com/pollex/pam/security/jwt/TokenProvider.java
+++ b/pamapi/src/main/java/com/pollex/pam/security/jwt/TokenProvider.java
@@ -21,6 +21,7 @@
 import org.springframework.stereotype.Component;
 import org.springframework.util.ObjectUtils;
 
+import com.pollex.pam.business.config.AppProperties;
 import com.pollex.pam.business.domain.TokenBlackList;
 import com.pollex.pam.business.repository.TokenBlackListRepository;
 
@@ -44,6 +45,9 @@
 
     @Autowired
     TokenBlackListRepository tokenBlackListRepository;
+    
+    @Autowired
+	AppProperties applicationProperties;
 
     public TokenProvider(JHipsterProperties jHipsterProperties) {
         byte[] keyBytes;
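Review bot: The new `AppProperties applicationProperties` field is tab-indented inside a space-indented class and is package-private field injection, while the class already has a constructor (`TokenProvider(JHipsterProperties)`, which continues past the hunk). Adding the dependency as a second constructor parameter and storing it as `private final AppProperties applicationProperties;` makes it mandatory at construction time and lets the class be instantiated in a plain unit test without a Spring context.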
@@ -95,8 +99,8 @@
             .filter(auth -> !auth.trim().isEmpty())
             .map(SimpleGrantedAuthority::new)
             .collect(Collectors.toList());
-
-        User principal = new User(claims.getSubject(), "", authorities);
+        System.out.println("applicationProperties.getDefaultPaxxword()+++++++++++===="+applicationProperties.getDefaultPaxxword());
+        User principal = new User(claims.getSubject(), applicationProperties.getDefaultPaxxword(), authorities);
         UsernamePasswordAuthenticationToken authInfo = new UsernamePasswordAuthenticationToken(principal, token, authorities);
         authInfo.setDetails(claims.get(AUTHORITIES_DETAILS));
 
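Review bot: The added `System.out.println` on the line before the `User` constructor writes the configured default password to stdout on every token validation, which is precisely the information exposure the commit subject says it resolves (stdout is normally captured into the application log); delete that line. Separately, every profile in this patch leaves `default-paxxword` empty, which binds as null, and Spring Security's `User` constructor rejects a null password with an IllegalArgumentException, so as written every JWT-authenticated request would appear to fail until the property is set; either validate the property once at startup or fail with a clear message here: `String placeholder = Objects.requireNonNull(applicationProperties.getDefaultPaxxword(), "default-paxxword must be configured");`. Note that this password is never checked in this code path — the token itself is passed as the credentials of the `UsernamePasswordAuthenticationToken` on the following line — so the value only needs to be non-null, not secret. The enclosing method starts outside the hunk.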
diff --git a/pamapi/src/main/java/com/pollex/pam/security/token/OtpAuthenticationToken.java b/pamapi/src/main/java/com/pollex/pam/security/token/OtpAuthenticationToken.java
index a4c450c..8cbaf23 100644
--- a/pamapi/src/main/java/com/pollex/pam/security/token/OtpAuthenticationToken.java
+++ b/pamapi/src/main/java/com/pollex/pam/security/token/OtpAuthenticationToken.java
@@ -9,7 +9,7 @@
 
     private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
 
-    private final OtpAccount principle;
+    private transient OtpAccount principle;
     private String credentials;
 
     public OtpAuthenticationToken(OtpAccount principle, String credentials) {
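Review bot: Dropping `final` from `principle` is not needed to satisfy the serialization finding; `private final transient OtpAccount principle;` is legal and keeps the field immutable after construction. Be aware that `transient` only silences the warning: if an `OtpAuthenticationToken` is ever actually serialized (for example into a replicated HTTP session), `principle` comes back as null after deserialization, so if that path exists the better fix is to make `OtpAccount` implement `Serializable`. The constructor on the last line continues outside the hunk.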
diff --git a/pamapi/src/main/java/com/pollex/pam/service/OtpWebService.java b/pamapi/src/main/java/com/pollex/pam/service/OtpWebService.java
index 4b85a47..d3f1874 100644
--- a/pamapi/src/main/java/com/pollex/pam/service/OtpWebService.java
+++ b/pamapi/src/main/java/com/pollex/pam/service/OtpWebService.java
@@ -22,8 +22,8 @@
 
     public OtpResponseDTO sendByPhone(String phone) {
         OtpWeb otpWS = getOtpWebService();
-        log.debug("call OtpService sendOtpBySMS, url = {}, systemType = {}, service password = {}, phone = {}",
-            applicationProperty.getOtpWebServiceUrl(), applicationProperty.getOtpWebServiceSystemType(), applicationProperty.getOtpWebServicePassword(), phone);
+//        log.debug("call OtpService sendOtpBySMS, url = {}, systemType = {}, service password = {}, phone = {}",
+//            applicationProperty.getOtpWebServiceUrl(), applicationProperty.getOtpWebServiceSystemType(), applicationProperty.getOtpWebServicePassword(), phone);
 
         StringArray result =
             otpWS.sendOtpBySMS(applicationProperty.getOtpWebServicePassword(), applicationProperty.getOtpWebServiceSystemType(), phone);
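Review bot: Rather than leaving the two `log.debug` calls commented out (here and in the `verifyOTP` hunk below), delete them and keep a statement that omits the secret, e.g. `log.debug("call OtpService sendOtpBySMS, url = {}, systemType = {}, phone = {}", applicationProperty.getOtpWebServiceUrl(), applicationProperty.getOtpWebServiceSystemType(), phone);`. In the `verifyOTP` hunk the commented-out line also logged `otpCode`, which is itself a one-time secret, so the replacement there should log only `indexKey`. Whether the phone number belongs in debug output depends on the project's handling of personal data; if in doubt, mask it. Both methods continue past their hunks.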
@@ -44,8 +44,8 @@
 
     public OtpResponseDTO verifyOTP(String indexKey, String otpCode) {
         OtpWeb otpWS = getOtpWebService();
-        log.debug("call OtpService verifyOTP, url = {}, systemType = {}, service password = {}, indexKey = {}, otpCode = {}",
-            applicationProperty.getOtpWebServiceUrl(), applicationProperty.getOtpWebServiceSystemType(), applicationProperty.getOtpWebServicePassword(), indexKey, otpCode);
+//        log.debug("call OtpService verifyOTP, url = {}, systemType = {}, service password = {}, indexKey = {}, otpCode = {}",
+//            applicationProperty.getOtpWebServiceUrl(), applicationProperty.getOtpWebServiceSystemType(), applicationProperty.getOtpWebServicePassword(), indexKey, otpCode);
 
         StringArray result =
             otpWS.verifyOtp(applicationProperty.getOtpWebServicePassword(), applicationProperty.getOtpWebServiceSystemType(), indexKey, otpCode);
diff --git a/pamapi/src/main/java/com/pollex/pam/web/rest/AccountResource.java b/pamapi/src/main/java/com/pollex/pam/web/rest/AccountResource.java
index 50319a9..04bda6b 100644
--- a/pamapi/src/main/java/com/pollex/pam/web/rest/AccountResource.java
+++ b/pamapi/src/main/java/com/pollex/pam/web/rest/AccountResource.java
@@ -65,17 +65,17 @@
         }
     }
 
-    /**
-     * {@code GET  /authenticate} : check if the user is authenticated, and return its login.
-     *
-     * @param request the HTTP request.
-     * @return the login if the user is authenticated.
-     */
-    @GetMapping("/authenticate")
-    public String isAuthenticated(HttpServletRequest request) {
-        log.debug("REST request to check if the current user is authenticated");
-        return request.getRemoteUser();
-    }
+//    /**
+//     * {@code GET  /authenticate} : check if the user is authenticated, and return its login.
+//     *
+//     * @param request the HTTP request.
+//     * @return the login if the user is authenticated.
+//     */
+//    @GetMapping("/authenticate")
+//    public String isAuthenticated(HttpServletRequest request) {
+//        log.debug("REST request to check if the current user is authenticated");
+//        return request.getRemoteUser();
+//    }
 
     /**
      * {@code GET  /account} : get the current user.
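Review bot: The `/authenticate` endpoint is removed by commenting out eleven lines rather than deleting them; commented-out code is dead weight that git history already preserves, so remove the block outright. If `HttpServletRequest` is no longer referenced elsewhere in the class, its import (outside the hunk) becomes unused as well. Nothing in the commit message explains why the endpoint is being dropped, and a sentence on that would help whoever next touches this resource.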
diff --git a/pamapi/src/main/resources/config/application-dev.yml b/pamapi/src/main/resources/config/application-dev.yml
index 14ce3bd..bc4db38 100644
--- a/pamapi/src/main/resources/config/application-dev.yml
+++ b/pamapi/src/main/resources/config/application-dev.yml
@@ -141,3 +141,4 @@
     method: 'POLLEX_GMAIL'
   file-folder-path: C://pam_file
   aes-key: PAMKEY1234567890
+  default-paxxword: 
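Review bot: `default-paxxword:` with no value binds as null (the same line is added to application-pollex.yml, application-prod.yml, application-sit.yml and application-uat.yml), and TokenProvider passes that null straight into Spring Security's `User` constructor, which rejects it. Filling the value in here would put a credential back into version control next to the existing `aes-key` literal, which is the hard-coded-secret pattern the commit subject aims to remove; reference an environment variable or an externalized secret instead, e.g. `default-paxxword: ${PAM_DEFAULT_PAXXWORD:}` (variable name illustrative). The `aes-key: PAMKEY1234567890` context line present in every profile arguably deserves the same treatment.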
diff --git a/pamapi/src/main/resources/config/application-pollex.yml b/pamapi/src/main/resources/config/application-pollex.yml
index 022e89a..c57a3fd 100644
--- a/pamapi/src/main/resources/config/application-pollex.yml
+++ b/pamapi/src/main/resources/config/application-pollex.yml
@@ -141,3 +141,4 @@
     method: 'POLLEX_GMAIL'
   file-folder-path: C://pam_file
   aes-key: PAMKEY1234567890
+  default-paxxword: 
diff --git a/pamapi/src/main/resources/config/application-prod.yml b/pamapi/src/main/resources/config/application-prod.yml
index 73f9399..66f50cc 100644
--- a/pamapi/src/main/resources/config/application-prod.yml
+++ b/pamapi/src/main/resources/config/application-prod.yml
@@ -154,3 +154,4 @@
     method: 'PAM_EMAIL_SERVICE'
   file-folder-path: /sfs_omo/AgentPhoto/
   aes-key: PAMKEY1234567890
+  default-paxxword: 
diff --git a/pamapi/src/main/resources/config/application-sit.yml b/pamapi/src/main/resources/config/application-sit.yml
index 75755f4..1bcbe41 100644
--- a/pamapi/src/main/resources/config/application-sit.yml
+++ b/pamapi/src/main/resources/config/application-sit.yml
@@ -131,3 +131,4 @@
     method: 'PAM_EMAIL_SERVICE'
   file-folder-path: /sfs_omo/AgentPhoto/
   aes-key: PAMKEY1234567890
+  default-paxxword: 
diff --git a/pamapi/src/main/resources/config/application-uat.yml b/pamapi/src/main/resources/config/application-uat.yml
index 03875c1..ef1d16f 100644
--- a/pamapi/src/main/resources/config/application-uat.yml
+++ b/pamapi/src/main/resources/config/application-uat.yml
@@ -131,3 +131,4 @@
     method: 'PAM_EMAIL_SERVICE'
   file-folder-path: /sfs_omo/AgentPhoto/
   aes-key: PAMKEY1234567890
+  default-paxxword: 

--
Gitblit v1.8.0