Merge pull request #33 from wet-boew/fix-redirect-v4

Fix redirect v4

CHANGELOG.md

@@ -2,6 +2,11 @@
 
 [Download and/or Installation instructions](https://github.com/wet-boew/cdts-JavaTemplates/wiki/Installation)
 
+## v4.0.0
+
+- **SECURITY FIX** Removal of default redirect handlers for "leaving secure site" feature. Leaving secure site feature now relies solely on WET functionality. Unless these redirect handlers were explicitely referenced by client application there should be no impact. (Spring version: removal of endpoint "/gocwebtemplate_leavesecuresiteredirect"; JSP version: removal of action "leavesecuresiteredirect.action")
+- Bug fixes
+
 ## v3.0.0
 
 - **IMPORTANT** ALL LAYOUT DEFINITIONS UPDATED - All inline scripts and occurences of `document.write` were removed. 

builds/build.properties

@@ -3,4 +3,4 @@
 #
 # DO NOT EDIT build.properties DIRECTLY!
 #
-gocwebtemplate.build.version=3.0.0-SNAPSHOT
+gocwebtemplate.build.version=4.0.0-SNAPSHOT

gocwebtemplate-core/gocwebtemplate-core-base/pom.xml

@@ -10,7 +10,7 @@
   <parent>
     <groupId>ca.gc.gocwebtemplate</groupId>
     <artifactId>gocwebtemplate-core</artifactId>
-    <version>3.0.0-SNAPSHOT</version>
+    <version>4.0.0-SNAPSHOT</version>
     <relativePath>..</relativePath>
   </parent>
 

gocwebtemplate-core/gocwebtemplate-core-base/src/main/java/goc/webtemplate/Constants.java

@@ -13,7 +13,7 @@ public abstract class Constants {
 
     public static final String CACHE_KEY_STATICFILES_PREFIX = "GoC.Template.CacheKey";
 
-    public static final String WEB_TEMPLATE_DISTRIBUTION_VERSION = "3.0.0";
+    public static final String WEB_TEMPLATE_DISTRIBUTION_VERSION = "4.0.0";
 
     public static final String CDTS_DEFAULT_VERSION = "v4_1_0";
 

gocwebtemplate-core/gocwebtemplate-core-base/src/main/java/goc/webtemplate/component/BaseUtil.java

@@ -8,11 +8,6 @@
 import goc.webtemplate.Constants;
 
 public final class BaseUtil {
-	public static void doLeaveSecureSite(HttpServletRequest req, HttpServletResponse res) throws Exception {
-		String redirectUrl = URLDecoder.decode(req.getParameter("targetUrl"), "UTF-8");
-		res.sendRedirect(redirectUrl);
-	}
-
 	public static void doLocaleSwitch(HttpServletRequest req, HttpServletResponse res) throws Exception {
 		String currLang = req.getSession().getAttribute(Constants.CURRENT_LANG_SESSION_KEY) == null ? 
 									req.getLocale().getLanguage() : 
@@ -24,6 +19,10 @@ public static void doLocaleSwitch(HttpServletRequest req, HttpServletResponse re
 		}
 
 		String prevUrl = URLDecoder.decode(req.getParameter(Constants.QUERYSTRING_KEY), "UTF-8");
+
+		// Validate that the redirect link is relative to the host and NOT absolute or relative to scheme
+		if ((!prevUrl.startsWith("/")) || prevUrl.startsWith("//")) throw new Exception("Unauthorized return URL specified for language switching.");
+
 		res.sendRedirect(prevUrl);
 	}
 

gocwebtemplate-core/gocwebtemplate-core-base/src/main/java/goc/webtemplate/component/jsonentities/SetupBase.java

@@ -5,7 +5,6 @@
 import java.util.List;
 
 import goc.webtemplate.LeavingSecureSiteWarning;
-import goc.webtemplate.Utility;
 import goc.webtemplate.WebAnalyticsInfo;
 
 /**
@@ -39,7 +38,7 @@ public SetupBase(String subTheme, String jqueryEnv, LeavingSecureSiteWarning lss
         this.subTheme = subTheme;
         this.jqueryEnv = jqueryEnv;
         this.exitSecureSite = null;
-        if ((lssw != null) && lssw.isEnabled() && !Utility.isNullOrEmpty(lssw.getRedirectUrl())) {
+        if ((lssw != null) && lssw.isEnabled()) {
             this.exitSecureSite = new ExitSecureSite(lssw);
         }
         this.webAnalytics = webAnalytics;

gocwebtemplate-core/gocwebtemplate-core-jsp/pom.xml

@@ -10,7 +10,7 @@
   <parent>
     <groupId>ca.gc.gocwebtemplate</groupId>
     <artifactId>gocwebtemplate-core</artifactId>
-    <version>3.0.0-SNAPSHOT</version>
+    <version>4.0.0-SNAPSHOT</version>
     <relativePath>..</relativePath>
   </parent>
 

gocwebtemplate-core/gocwebtemplate-core-jsp/src/main/java/goc/webtemplate/component/jsp/BaseCoreBean.java

@@ -35,7 +35,7 @@ protected String getDefaultLanguageLinkUrl() {
 
     @Override
     protected String getDefaultLeaveSecureSiteRedirectUrl() {
-        return "leavesecuresiteredirect.action";
+        return null;
     }
 
     @Override

gocwebtemplate-core/gocwebtemplate-core-spring/pom.xml

@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>ca.gc.gocwebtemplate</groupId>
 		<artifactId>gocwebtemplate-core</artifactId>
-		<version>3.0.0-SNAPSHOT</version>
+		<version>4.0.0-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 

gocwebtemplate-core/gocwebtemplate-core-spring/src/main/java/goc/webtemplate/component/spring/BaseCoreBean.java

@@ -35,7 +35,7 @@ protected String getDefaultLanguageLinkUrl() {
 
     @Override
     protected String getDefaultLeaveSecureSiteRedirectUrl() {
-        return "gocwebtemplate_leavesecuresiteredirect";
+        return null;
     }
 
     @Override

gocwebtemplate-core/gocwebtemplate-core-spring/src/main/java/goc/webtemplate/component/spring/controller/CoreController.java

@@ -10,15 +10,8 @@
 
 @Controller
 public class CoreController {
-
 	@GetMapping("/gocwebtemplate_switchlocale")
 	public void SwitchLocale(HttpServletRequest request, HttpServletResponse response) throws Exception {
 		BaseUtil.doLocaleSwitch(request, response);
 	}	
-
-	@GetMapping("/gocwebtemplate_leavesecuresiteredirect")
-	public void LeaveSecureSiteRedirect(HttpServletRequest request, HttpServletResponse response) throws Exception {
-		//Custom processing would go here
-		BaseUtil.doLeaveSecureSite(request, response);
-	}
 }

gocwebtemplate-core/pom.xml

@@ -2,7 +2,7 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>ca.gc.gocwebtemplate</groupId>
   <artifactId>gocwebtemplate-core</artifactId>
-  <version>3.0.0-SNAPSHOT</version>
+  <version>4.0.0-SNAPSHOT</version>
   <packaging>pom</packaging>
 
   <name>gocwebtemplate-core</name>

gocwebtemplate-sample-jsp/pom.xml

@@ -3,7 +3,7 @@
 
   <groupId>ca.gc.gocwebtemplate</groupId>
   <artifactId>gocwebtemplate-sample-jsp</artifactId>
-  <version>3.0.0-SNAPSHOT</version>
+  <version>4.0.0-SNAPSHOT</version>
   <packaging>war</packaging>
 
   <name>gocwebtemplate-sample-jsp</name>
@@ -14,7 +14,7 @@
     <m2eclipse.wtp.contextRoot>GoCWebTemplateSampleJSP</m2eclipse.wtp.contextRoot>    <!-- Set the context root for running locally here!  This will keep Eclipse from overriding weblogic.xml with the project's name on every Maven Update operations -->
 
     <java.version>1.8</java.version>
-    <webtemplate.version>3.0.0-SNAPSHOT</webtemplate.version>
+    <webtemplate.version>4.0.0-SNAPSHOT</webtemplate.version>
 
     <build_number>local</build_number>
     <maven.build.timestamp.format>yyyy/MM/dd HH:mm:ss</maven.build.timestamp.format>

gocwebtemplate-sample-jsp/src/main/java/goc/webtemplate/jsp/samplebeans/LeaveSecureSiteSampleBean.java

@@ -12,7 +12,6 @@ public void onWebTemplateInitialize() {
 
         lssw.setEnabled(true);
         lssw.setMessage("You are about to leave a secure site, do you wish to continue?");
-        lssw.setRedirectUrl("leavesecuresiteredirect.action");
         lssw.setExcludedDomains("www.esdc.gc.ca,www.jobbank.gc.ca,www.readseal.ca");
         lssw.setCancelMessage("Don't leave");
         lssw.setYesMessage("Yes, leave this site");

gocwebtemplate-sample-jsp/src/main/resources/struts.xml

@@ -13,7 +13,6 @@
 		<result-types>
 			<result-type name="tiles" class="org.apache.struts2.views.tiles.TilesResult" />
 		</result-types>
-		<action name="leavesecuresiteredirect" class="goc.webtemplate.component.jsp.LeaveSecureSiteAction" method="execute"></action>
 		<action name="switchlocale" class="goc.webtemplate.component.jsp.SwitchLocaleAction" method="execute"></action>
 		<!--  ==============================================================  -->
 

gocwebtemplate-sample-jsp/src/main/webapp/ChangeLog.txt

@@ -1,3 +1,3 @@
 For the up to date release/change log, please refer to:
 
-  https://gccode.ssc-spc.gc.ca/iitb-dgiit/sds/GOCWebTemplates/JavaTemplates/releases
+  https://github.com/wet-boew/cdts-JavaTemplates/releases

gocwebtemplate-sample-jsp/src/main/webapp/samplecontents/leavesecuresitesamplecontent.jsp

@@ -17,8 +17,8 @@
 <ul>
     <li>display the message to the user in the form of a modal window</li>
     <li>display the message your application provides</li>
-    <li>allow your application to execute any clean up code (ex: close session, gracefully logout user etc...)</li>
     <li>allow your application to exlude any domains from raising the warning</li>
+    <li>optionally, allow your application to execute any clean up code (ex: close session, gracefully logout user etc...)</li>
 </ul>
 <h2>How it works</h2>
 <ul>
@@ -29,29 +29,21 @@
             <li>A "Yes" button appears on the window to allow the user to continue with the redirection to the selected link. (Text can be customized, see below.)</li>
         </ul>
    	</li>
-	<li>if the "Yes" button is clicked:
-        <ul>
-            <li>the user will first be redirect to the url set in <code class="wb-prettify">"leavingSecureSiteRedirectUrl"</code> via either the cdn.properties file or programmatically</li>
-            <li>the info of the linked that was clicked is part of the querystring to that url</li>
-            <li>in the redirect url provided earlier, attach the preRenderView event to the page and execute a custom bean method to perform the redirect</li>
-            <li>execute any clean up code your application requires</li>
-            <li>once executed the custom bean class will redirect the user to the url of the clicked link</li>
-            <li>the leave secure site feature is already provided by default as part of the GoC Web Template package, by default it will use the templates/leavesecuresiteredirect.xhtml page</li>
-            <li>by default the leave secure site redirect page will invoke the <code class="wb-prettify">leavesecuresiteredirect.action</code> Struts Action already pre-registered in struts.xml</li>
-        </ul>
+    <li>if the "Yes" button is clicked, the browser will be directed to the external link</li>
+    <li>optionally, a redirect url can be set in <code class="wb-prettify">"leavingSecureSiteRedirectUrl"</code> via either the cdn.properties file or programmatically.
+        If this is used, the browser will be directed to this page before leaving, where the application can terminate the user's session and let them proceed to the external link.
+        The external link will be presented to the user by placing an element <code class="wb-prettify">&lt;span class="wb-exitscript wb-exitscript-exiturlparam"&gt;&lt;/span&gt;</code> on the page.
+        For an example of a "middle page", refer to <a href="https://wet-boew.github.io/wet-boew/demos/exitscript/exitscript-en.html#wb-auto-3">scenario 3 link in the WET Documentation</a>.
     </li>
 </ul>
 <p>Here is a local link that will not display the warning: <a href="basesettingssample.action">Link to Local Page</a></p>
-<p>Here is an external link that will display the warning:<a href="https://gccode.ssc-spc.gc.ca/iitb-dgiit/sds/GOCWebTemplates/JavaTemplates/wikis/Redirect-Page">Link to External Page</a></p>
+<p>Here is an external link that will display the warning:<a href="https://github.com/wet-boew/cdts-JavaTemplates/wiki/Redirect-Page">Link to External Page</a></p>
 <h2>Steps to implement:</h2>
 <h3>Enable the leaving secure site feature</h3>
 <ul>
     <li>Set, via the cdn.properties file or programmatically in your custom bean class, <code class="wb-prettify">"Enabled"</code> to <strong>"true"</strong></li>
     <li>Provide the message to be displayed by setting the <code class="wb-prettify">"Message"</code> programmatically via the <code class="wb-prettify">setLeavingSecureSiteWarning</code> method in your custom bean class.</li>
-    <li>Set, via the cdn.properties file or programmatically in your custom bean class, <code class="wb-prettify">"RedirectUrl"</code> to your action class which will execute your clean up code and then redirect to the selected url.</li>
     <li>Set, via the cdn.properties or programmatically in your custom bean class, <code class="wb-prettify">"ExcludedDomain"</code> the list of domains you do not want to raise the warning</li>
-    <li>Optionally, provide a cancel message by setting the <code class="wb-prettify">"CancelMessage"</code> programmatically via the <code class="wb-prettify">setLeavingSecureSiteWarning</code> method in your custom bean class.</li>
-    <li>Optionally, provide a yes message by setting the <code class="wb-prettify">"YesMessage"</code> programmatically via the <code class="wb-prettify">setLeavingSecureSiteWarning</code> method in your custom bean class.</li>
 </ul>
 <div class="wb-prettify all-pre lang-vb linenums">
    	<pre>
@@ -62,7 +54,6 @@ public void onWebTemplateInitialize() {
 
     lssw.setEnabled(true);
     lssw.setMessage("You are about to leave a secure site, do you wish to continue?");
-    lssw.setRedirectUrl("leavesecuresiteredirect.action");
     lssw.setExcludedDomains("www.esdc.gc.ca,www.jobbank.gc.ca,www.readseal.ca");
     lssw.setCancelMessage("Don't leave");
     lssw.setYesMessage("Yes, leave this site");
@@ -73,26 +64,4 @@ public void onWebTemplateInitialize() {
 }
    	</pre>
 </div>
-<h3>Created your custom "redirect" class</h3>
-<ul>
-    <li>Create a class and a public method will be invoked by the preRenderView event of the redirect url</li>
-    <li>enter your clean up code if required</li>
-    <li>redirect to the <code class="wb-prettify">"targetURL"</code> parameter value in the querystring</li>
-</ul>
-<div class="wb-prettify all-pre lang-vb linenums">
-    <h3>Code Sample for your Redirect action class</h3>
-    <pre>
-import java.net.URLDecoder;
-import javax.servlet.http.HttpServletRequest;
-import org.apache.struts2.ServletActionContext;
-
-public class LeaveSecureSiteAction {
-	public void execute() throws Exception {
-		HttpServletRequest currentReq = ServletActionContext.getRequest();
-		String redirectUrl = URLDecoder.decode(currentReq.getParameter("targetUrl"), "UTF-8");
-		ServletActionContext.getResponse().sendRedirect(redirectUrl);
-	}
-}
-   </pre>
-</div>
 <%@ include file="_sampleslist.jsp" %>

gocwebtemplate-sample-spring/pom.xml

@@ -3,15 +3,15 @@
 
 	<groupId>ca.gc.gocwebtemplate</groupId>
   	<artifactId>gocwebtemplate-sample-spring</artifactId>
-  	<version>3.0.0-SNAPSHOT</version>
+  	<version>4.0.0-SNAPSHOT</version>
   	<!--Change packaging type to "war" if your application must be deployable in a web container-->
  	<packaging>jar</packaging>
 
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<java.version>1.8</java.version>
 		<springboot.version>2.6.6</springboot.version>
-		<webtemplate.version>3.0.0-SNAPSHOT</webtemplate.version>
+		<webtemplate.version>4.0.0-SNAPSHOT</webtemplate.version>
 
 		<build_number>local</build_number>
 		<timestamp>${maven.build.timestamp}</timestamp>

gocwebtemplate-sample-spring/src/main/java/goc/webtemplate/spring/samplebeans/LeavingSecureSiteSampleBean.java

@@ -14,7 +14,6 @@ public void onWebTemplateInitialize() {
 
         lssw.setEnabled(true);
         lssw.setMessage("You are about to leave a secure site, do you wish to continue?");
-        lssw.setRedirectUrl("gocwebtemplate_leavesecuresiteredirect");
         lssw.setExcludedDomains("www.esdc.gc.ca,www.jobbank.gc.ca,www.readseal.ca");
         lssw.setCancelMessage("Don't leave");
         lssw.setYesMessage("Yes, leave this site");

gocwebtemplate-sample-spring/src/main/resources/samples/LeavingSecureSiteSample.html

@@ -20,8 +20,8 @@ <h2>Leaving Secure Site Warning</h2>
 	    <ul>
 	        <li>display the message to the user in the form of a modal window</li>
 	        <li>display the message your application provides</li>
-	        <li>allow your application to execute any clean up code (ex: close session, gracefully logout user etc...)</li>
-	        <li>allow your application to exlude any domains from raising the warning</li>
+            <li>allow your application to exlude any domains from raising the warning</li>
+	        <li>optionally, allow your application to execute any clean up code (ex: close session, gracefully logout user etc...)</li>
 	    </ul>
 	    <h2>How it works</h2>
 	    <ul>
@@ -32,26 +32,20 @@ <h2>How it works</h2>
 	                <li>A "Yes" button appears on the window to allow the user to continue with the redirection to the selected link.</li>
 	            </ul>
         	</li>
-        	<li>if the "Yes" button is clicked:
-	            <ul>
-	                <li>the user will first be redirect to the url set in <code class="wb-prettify">"leavingSecureSiteRedirectUrl"</code> via either the cdn.properties file or programmatically</li>
-	                <li>the info of the linked that was clicked is part of the querystring to that url</li>
-	                <li>in the redirect url provided earlier, attach the preRenderView event to the page and execute a custom bean method to perform the redirect</li>
-	                <li>execute any clean up code your application requires</li>
-	                <li>once executed the custom method will redirect the user to the url of the clicked link</li>
-	                <li>the leave secure site feature is already provided by default as part of the GoC Web Template package</li>
-	                <li>by default the leave secure site redirect url will invoke the <code class="wb-prettify">LeaveSecureSiteRedirect</code> method found in the controller.</li>
-	            </ul>
+        	<li>if the "Yes" button is clicked, the browser will be directed to the external link</li>
+        	<li>optionally, a redirect url can be set in <code class="wb-prettify">"leavingSecureSiteRedirectUrl"</code> via either the cdn.properties file or programmatically.
+        	    If this is used, the browser will be directed to this page before leaving, where the application can terminate the user's session and let them proceed to the external link.
+        	    The external link will be presented to the user by placing an element <code class="wb-prettify">&lt;span class="wb-exitscript wb-exitscript-exiturlparam"&gt;&lt;/span&gt;</code> on the page.
+        	    For an example of a "middle page", refer to <a href="https://wet-boew.github.io/wet-boew/demos/exitscript/exitscript-en.html#wb-auto-3">scenario 3 link in the WET Documentation</a>.
 	        </li>
 	    </ul>
 	    <p>Here is a local link that will not display the warning: <a href="BaseSettingsSample">Link to Local Page</a></p>
-	    <p>Here is an external link that will display the warning: <a href="https://gccode.ssc-spc.gc.ca/iitb-dgiit/sds/GOCWebTemplates/JavaTemplates/wikis/Redirect-Page">Link to External Page</a></p>
+	    <p>Here is an external link that will display the warning: <a href="https://github.com/wet-boew/cdts-JavaTemplates/wiki/Redirect-Page">Link to External Page</a></p>
 	    <h2>Steps to implement:</h2>
 	    <h3>Enable the leaving secure site feature</h3>
 	    <ul>
 	        <li>Set, via the cdn.properties file or programmatically in your custom bean class, <code class="wb-prettify">"Enabled"</code> to <strong>"true"</strong></li>
 	        <li>Provide the message to be displayed by setting the <code class="wb-prettify">"Message"</code> programmatically via the <code class="wb-prettify">setLeavingSecureSiteWarning</code> method in your custom bean class.</li>
-	        <li>Set, via the cdn.properties file or programmatically in your custom bean class, <code class="wb-prettify">"RedirectUrl"</code> to your page which will execute your clean up code and then redirect to the selected url.</li>
 	        <li>Set, via the cdn.properties or programmatically in your custom bean class, <code class="wb-prettify">"ExcludedDomain"</code> the list of domains you do not want to raise the warning</li>
 	    </ul>
 	    <div class="wb-prettify all-pre lang-vb linenums">
@@ -63,7 +57,6 @@ <h3>Enable the leaving secure site feature</h3>
 
     lssw.setEnabled(true);
     lssw.setMessage("You are about to leave a secure site, do you wish to continue?");
-    lssw.setRedirectUrl("gocwebtemplate_leavesecuresiteredirect");
     lssw.setExcludedDomains("www.esdc.gc.ca,www.jobbank.gc.ca,www.readseal.ca");
     lssw.setCancelMessage("Don't leave");
     lssw.setYesMessage("Yes, leave this site");
@@ -74,20 +67,6 @@ <h3>Enable the leaving secure site feature</h3>
 }
         </pre>
     	</div>
-	    <h3>Map your "redirect" url in the controller</h3>
-	    <ul>
-	        <li>The relative url <code class="wb-prettify">/gocwebtemplate_leavesecuresiteredirect</code> will map to the method that can be used to perform the redirect.</li>
-	    </ul>
-	    <div class="wb-prettify all-pre lang-vb linenums">
-	        <h4>Code Sample for your Redirect Controller method</h4>
-	        <pre>
-@GetMapping("/gocwebtemplate_leavesecuresiteredirect")
-public void LeaveSecureSiteRedirect(HttpServletRequest request, HttpServletResponse response) throws Exception {
-	//Custom processing would go here
-	BaseUtil.doLeaveSecureSite(request, response);
-}
-	        </pre>
-	     </div>
 	<div th:replace="_samplelist :: samplelist"></div>
 </section> 
 </body>