diff --git a/CHANGELOG.md b/CHANGELOG.md
index 41436f6c..d490bdb8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,11 @@
 [Download and/or Installation instructions](https://github.com/wet-boew/cdts-JavaTemplates/wiki/Installation)
+## v4.0.0
+
+- **SECURITY FIX** Removal of default redirect handlers for "leaving secure site" feature. Leaving secure site feature now relies solely on WET functionality. Unless these redirect handlers were explicitely referenced by client application there should be no impact. (Spring version: removal of endpoint "/gocwebtemplate_leavesecuresiteredirect"; JSP version: removal of action "leavesecuresiteredirect.action")
+- Bug fixes
+
 ## v3.0.0
 - **IMPORTANT** ALL LAYOUT DEFINITIONS UPDATED
 - All inline scripts and occurences of `document.write` were removed.
diff --git a/builds/build.properties b/builds/build.properties
index 5da5c518..f3134029 100644
--- a/builds/build.properties
+++ b/builds/build.properties
@@ -3,4 +3,4 @@
 #
 # DO NOT EDIT build.properties DIRECTLY!
 #
-gocwebtemplate.build.version=3.0.0-SNAPSHOT
+gocwebtemplate.build.version=4.0.0-SNAPSHOT
diff --git a/gocwebtemplate-core/gocwebtemplate-core-base/pom.xml b/gocwebtemplate-core/gocwebtemplate-core-base/pom.xml
index d93b4be2..2490ff74 100644
--- a/gocwebtemplate-core/gocwebtemplate-core-base/pom.xml
+++ b/gocwebtemplate-core/gocwebtemplate-core-base/pom.xml
@@ -10,7 +10,7 @@
 ca.gc.gocwebtemplate gocwebtemplate-core
- 3.0.0-SNAPSHOT
+ 4.0.0-SNAPSHOT
 ..
diff --git a/gocwebtemplate-core/gocwebtemplate-core-base/src/main/java/goc/webtemplate/Constants.java b/gocwebtemplate-core/gocwebtemplate-core-base/src/main/java/goc/webtemplate/Constants.java
index f07fd26b..c7e91029 100644
--- a/gocwebtemplate-core/gocwebtemplate-core-base/src/main/java/goc/webtemplate/Constants.java
+++ b/gocwebtemplate-core/gocwebtemplate-core-base/src/main/java/goc/webtemplate/Constants.java
@@ -13,7 +13,7 @@ public abstract class Constants {
 public static final String CACHE_KEY_STATICFILES_PREFIX = "GoC.Template.CacheKey";
- public static final String WEB_TEMPLATE_DISTRIBUTION_VERSION = "3.0.0";
+ public static final String WEB_TEMPLATE_DISTRIBUTION_VERSION = "4.0.0";
 public static final String CDTS_DEFAULT_VERSION = "v4_1_0";
diff --git a/gocwebtemplate-core/gocwebtemplate-core-base/src/main/java/goc/webtemplate/component/BaseUtil.java b/gocwebtemplate-core/gocwebtemplate-core-base/src/main/java/goc/webtemplate/component/BaseUtil.java
index e68e8da4..5d881732 100644
--- a/gocwebtemplate-core/gocwebtemplate-core-base/src/main/java/goc/webtemplate/component/BaseUtil.java
+++ b/gocwebtemplate-core/gocwebtemplate-core-base/src/main/java/goc/webtemplate/component/BaseUtil.java
@@ -8,11 +8,6 @@
 import goc.webtemplate.Constants;
 public final class BaseUtil {
- public static void doLeaveSecureSite(HttpServletRequest req, HttpServletResponse res) throws Exception {
- String redirectUrl = URLDecoder.decode(req.getParameter("targetUrl"), "UTF-8");
- res.sendRedirect(redirectUrl);
- }
-
 public static void doLocaleSwitch(HttpServletRequest req, HttpServletResponse res) throws Exception {
 String currLang = req.getSession().getAttribute(Constants.CURRENT_LANG_SESSION_KEY) == null ? req.getLocale().getLanguage() :
@@ -24,6 +19,10 @@ public static void doLocaleSwitch(HttpServletRequest req, HttpServletResponse re
 }
 String prevUrl = URLDecoder.decode(req.getParameter(Constants.QUERYSTRING_KEY), "UTF-8");
+
+ // Validate that the redirect link is relative to the host and NOT absolute or relative to scheme
+ if ((!prevUrl.startsWith("/")) || prevUrl.startsWith("//")) throw new Exception("Unauthorized return URL specified for language switching.");
+
 res.sendRedirect(prevUrl);
 }
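Review bot: The new guard in doLocaleSwitch rejects absolute and `//`-prefixed values but still accepts a value that starts with `/\`, which browsers following the WHATWG URL parser normalize to `//` and therefore treat as scheme-relative; extend the check to `if (!prevUrl.startsWith("/") || prevUrl.startsWith("//") || prevUrl.startsWith("/\\")) throw new IllegalArgumentException("Unauthorized return URL specified for language switching.");`. A bare `Exception` also forces the callers (the Spring CoreController's SwitchLocale declares `throws Exception`) to surface a rejected URL as a generic server error, whereas an IllegalArgumentException can be mapped to a 400 response. The decode on the line above still runs before the guard, so a request without the return-URL parameter fails with a NullPointerException from `URLDecoder.decode(null, ...)` rather than a clear validation error; a null check raising the same rejection would close that. doLocaleSwitch starts before this hunk.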
diff --git a/gocwebtemplate-core/gocwebtemplate-core-base/src/main/java/goc/webtemplate/component/jsonentities/SetupBase.java b/gocwebtemplate-core/gocwebtemplate-core-base/src/main/java/goc/webtemplate/component/jsonentities/SetupBase.java
index 35e83559..d5e28c9c 100644
--- a/gocwebtemplate-core/gocwebtemplate-core-base/src/main/java/goc/webtemplate/component/jsonentities/SetupBase.java
+++ b/gocwebtemplate-core/gocwebtemplate-core-base/src/main/java/goc/webtemplate/component/jsonentities/SetupBase.java
@@ -5,7 +5,6 @@
 import java.util.List;
 import goc.webtemplate.LeavingSecureSiteWarning;
-import goc.webtemplate.Utility;
 import goc.webtemplate.WebAnalyticsInfo;
 /**
@@ -39,7 +38,7 @@ public SetupBase(String subTheme, String jqueryEnv, LeavingSecureSiteWarning lss
 this.subTheme = subTheme;
 this.jqueryEnv = jqueryEnv;
 this.exitSecureSite = null;
- if ((lssw != null) && lssw.isEnabled() && !Utility.isNullOrEmpty(lssw.getRedirectUrl())) {
+ if ((lssw != null) && lssw.isEnabled()) {
 this.exitSecureSite = new ExitSecureSite(lssw);
 }
 this.webAnalytics = webAnalytics;
diff --git a/gocwebtemplate-core/gocwebtemplate-core-jsp/pom.xml b/gocwebtemplate-core/gocwebtemplate-core-jsp/pom.xml
index 72847cc7..ca23e48e 100644
--- a/gocwebtemplate-core/gocwebtemplate-core-jsp/pom.xml
+++ b/gocwebtemplate-core/gocwebtemplate-core-jsp/pom.xml
@@ -10,7 +10,7 @@
 ca.gc.gocwebtemplate gocwebtemplate-core
- 3.0.0-SNAPSHOT
+ 4.0.0-SNAPSHOT
 ..
diff --git a/gocwebtemplate-core/gocwebtemplate-core-jsp/src/main/java/goc/webtemplate/component/jsp/BaseCoreBean.java b/gocwebtemplate-core/gocwebtemplate-core-jsp/src/main/java/goc/webtemplate/component/jsp/BaseCoreBean.java
index 10778c29..80cc20a9 100644
--- a/gocwebtemplate-core/gocwebtemplate-core-jsp/src/main/java/goc/webtemplate/component/jsp/BaseCoreBean.java
+++ b/gocwebtemplate-core/gocwebtemplate-core-jsp/src/main/java/goc/webtemplate/component/jsp/BaseCoreBean.java
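Review bot: With the `!Utility.isNullOrEmpty(lssw.getRedirectUrl())` condition dropped, `new ExitSecureSite(lssw)` on the following line now runs for every enabled warning, including the new default where both BaseCoreBean classes return null from getDefaultLeaveSecureSiteRedirectUrl(); the ExitSecureSite constructor is outside this diff, so confirm it tolerates a null or empty redirect URL (for example by omitting the field rather than emitting a null or empty value that the client-side script might treat as a target). A comment on the condition would also help the next reader: `// The redirect URL is optional: without one WET handles the exit flow itself, so only 'enabled' gates the setup object.` The SetupBase constructor starts before this hunk.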
@@ -35,7 +35,7 @@ protected String getDefaultLanguageLinkUrl() {
 @Override
 protected String getDefaultLeaveSecureSiteRedirectUrl() {
- return "leavesecuresiteredirect.action";
+ return null;
 }
 @Override
diff --git a/gocwebtemplate-core/gocwebtemplate-core-jsp/src/main/java/goc/webtemplate/component/jsp/LeaveSecureSiteAction.java b/gocwebtemplate-core/gocwebtemplate-core-jsp/src/main/java/goc/webtemplate/component/jsp/LeaveSecureSiteAction.java
deleted file mode 100644
index 59c9cf4b..00000000
--- a/gocwebtemplate-core/gocwebtemplate-core-jsp/src/main/java/goc/webtemplate/component/jsp/LeaveSecureSiteAction.java
+++ /dev/null
@@ -1,11 +0,0 @@
-package goc.webtemplate.component.jsp;
-
-import org.apache.struts2.ServletActionContext;
-
-import goc.webtemplate.component.BaseUtil;
-
-public class LeaveSecureSiteAction {
- public void execute() throws Exception {
- BaseUtil.doLeaveSecureSite(ServletActionContext.getRequest(), ServletActionContext.getResponse());
- }
-}
diff --git a/gocwebtemplate-core/gocwebtemplate-core-spring/pom.xml b/gocwebtemplate-core/gocwebtemplate-core-spring/pom.xml
index 72418a42..bf5282d9 100644
--- a/gocwebtemplate-core/gocwebtemplate-core-spring/pom.xml
+++ b/gocwebtemplate-core/gocwebtemplate-core-spring/pom.xml
@@ -10,7 +10,7 @@
 ca.gc.gocwebtemplate gocwebtemplate-core
- 3.0.0-SNAPSHOT
+ 4.0.0-SNAPSHOT
 ..
diff --git a/gocwebtemplate-core/gocwebtemplate-core-spring/src/main/java/goc/webtemplate/component/spring/BaseCoreBean.java b/gocwebtemplate-core/gocwebtemplate-core-spring/src/main/java/goc/webtemplate/component/spring/BaseCoreBean.java
index 6d7ce548..24afb1a0 100644
--- a/gocwebtemplate-core/gocwebtemplate-core-spring/src/main/java/goc/webtemplate/component/spring/BaseCoreBean.java
+++ b/gocwebtemplate-core/gocwebtemplate-core-spring/src/main/java/goc/webtemplate/component/spring/BaseCoreBean.java
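Review bot: `getDefaultLeaveSecureSiteRedirectUrl()` now returns null with nothing saying what null means, and the Spring BaseCoreBean in the next file section makes the identical change; both overrides should carry a Javadoc such as `/** No default redirect page: the leaving-secure-site flow is handled client-side by WET. Override to supply an application-hosted intermediate page if one is needed. */`. Without it a later maintainer may read the null as an omission and reintroduce a server-side redirect handler of the kind this commit removes. The enclosing class continues outside the hunk.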
@@ -35,7 +35,7 @@ protected String getDefaultLanguageLinkUrl() {
 @Override
 protected String getDefaultLeaveSecureSiteRedirectUrl() {
- return "gocwebtemplate_leavesecuresiteredirect";
+ return null;
 }
 @Override
diff --git a/gocwebtemplate-core/gocwebtemplate-core-spring/src/main/java/goc/webtemplate/component/spring/controller/CoreController.java b/gocwebtemplate-core/gocwebtemplate-core-spring/src/main/java/goc/webtemplate/component/spring/controller/CoreController.java
index d341fec2..b0739652 100644
--- a/gocwebtemplate-core/gocwebtemplate-core-spring/src/main/java/goc/webtemplate/component/spring/controller/CoreController.java
+++ b/gocwebtemplate-core/gocwebtemplate-core-spring/src/main/java/goc/webtemplate/component/spring/controller/CoreController.java
@@ -10,15 +10,8 @@
 @Controller
 public class CoreController {
-
 @GetMapping("/gocwebtemplate_switchlocale")
 public void SwitchLocale(HttpServletRequest request, HttpServletResponse response) throws Exception {
 BaseUtil.doLocaleSwitch(request, response);
 }
-
- @GetMapping("/gocwebtemplate_leavesecuresiteredirect")
- public void LeaveSecureSiteRedirect(HttpServletRequest request, HttpServletResponse response) throws Exception {
- //Custom processing would go here
- BaseUtil.doLeaveSecureSite(request, response);
- }
 }
diff --git a/gocwebtemplate-core/pom.xml b/gocwebtemplate-core/pom.xml
index 618f5d1b..caaf438c 100644
--- a/gocwebtemplate-core/pom.xml
+++ b/gocwebtemplate-core/pom.xml
@@ -2,7 +2,7 @@
 4.0.0 ca.gc.gocwebtemplate gocwebtemplate-core
- 3.0.0-SNAPSHOT
+ 4.0.0-SNAPSHOT
 pom gocwebtemplate-core
diff --git a/gocwebtemplate-sample-jsp/pom.xml b/gocwebtemplate-sample-jsp/pom.xml
index 1cd0e5ef..53b8724d 100644
--- a/gocwebtemplate-sample-jsp/pom.xml
+++ b/gocwebtemplate-sample-jsp/pom.xml
@@ -3,7 +3,7 @@
 ca.gc.gocwebtemplate gocwebtemplate-sample-jsp
- 3.0.0-SNAPSHOT
+ 4.0.0-SNAPSHOT
 war gocwebtemplate-sample-jsp
@@ -14,7 +14,7 @@
 GoCWebTemplateSampleJSP 1.8
- 3.0.0-SNAPSHOT
+ 4.0.0-SNAPSHOT
 local yyyy/MM/dd HH:mm:ss
diff --git a/gocwebtemplate-sample-jsp/src/main/java/goc/webtemplate/jsp/samplebeans/LeaveSecureSiteSampleBean.java b/gocwebtemplate-sample-jsp/src/main/java/goc/webtemplate/jsp/samplebeans/LeaveSecureSiteSampleBean.java
index 6bb7f2bd..d2b78e87 100644
--- a/gocwebtemplate-sample-jsp/src/main/java/goc/webtemplate/jsp/samplebeans/LeaveSecureSiteSampleBean.java
+++ b/gocwebtemplate-sample-jsp/src/main/java/goc/webtemplate/jsp/samplebeans/LeaveSecureSiteSampleBean.java
@@ -12,7 +12,6 @@ public void onWebTemplateInitialize() {
 lssw.setEnabled(true);
 lssw.setMessage("You are about to leave a secure site, do you wish to continue?");
- lssw.setRedirectUrl("leavesecuresiteredirect.action");
 lssw.setExcludedDomains("www.esdc.gc.ca,www.jobbank.gc.ca,www.readseal.ca");
 lssw.setCancelMessage("Don't leave");
 lssw.setYesMessage("Yes, leave this site");
diff --git a/gocwebtemplate-sample-jsp/src/main/resources/struts.xml b/gocwebtemplate-sample-jsp/src/main/resources/struts.xml
index f63cf725..68d40f76 100644
--- a/gocwebtemplate-sample-jsp/src/main/resources/struts.xml
+++ b/gocwebtemplate-sample-jsp/src/main/resources/struts.xml
@@ -13,7 +13,6 @@
-
diff --git a/gocwebtemplate-sample-jsp/src/main/webapp/ChangeLog.txt b/gocwebtemplate-sample-jsp/src/main/webapp/ChangeLog.txt
index 98b71d35..cc55ab10 100644
--- a/gocwebtemplate-sample-jsp/src/main/webapp/ChangeLog.txt
+++ b/gocwebtemplate-sample-jsp/src/main/webapp/ChangeLog.txt
@@ -1,3 +1,3 @@
 For the up to date release/change log, please refer to:
- https://gccode.ssc-spc.gc.ca/iitb-dgiit/sds/GOCWebTemplates/JavaTemplates/releases
+ https://github.com/wet-boew/cdts-JavaTemplates/releases
diff --git a/gocwebtemplate-sample-jsp/src/main/webapp/samplecontents/leavesecuresitesamplecontent.jsp b/gocwebtemplate-sample-jsp/src/main/webapp/samplecontents/leavesecuresitesamplecontent.jsp
index e58a939a..b1d29e45 100644
--- a/gocwebtemplate-sample-jsp/src/main/webapp/samplecontents/leavesecuresitesamplecontent.jsp
+++ b/gocwebtemplate-sample-jsp/src/main/webapp/samplecontents/leavesecuresitesamplecontent.jsp
@@ -17,8 +17,8 @@

How it works

-
  • if the "Yes" button is clicked: - +
  • if the "Yes" button is clicked, the browser will be directed to the external link
  • +
  • optionally, a redirect url can be set in "leavingSecureSiteRedirectUrl" via either the cdn.properties file or programmatically. + If this is used, the browser will be directed to this page before leaving, where the application can terminate the user's session and let them proceed to the external link. + The external link will be presented to the user by placing an element <span class="wb-exitscript wb-exitscript-exiturlparam"></span> on the page. + For an example of a "middle page", refer to scenario 3 link in the WET Documentation.
  • Here is a local link that will not display the warning: Link to Local Page

    -

    Here is an external link that will display the warning:Link to External Page

    +

    Here is an external link that will display the warning:Link to External Page

    Steps to implement:

    Enable the leaving secure site feature

    @@ -62,7 +54,6 @@ public void onWebTemplateInitialize() {
     
         lssw.setEnabled(true);
         lssw.setMessage("You are about to leave a secure site, do you wish to continue?");
    -    lssw.setRedirectUrl("leavesecuresiteredirect.action");
         lssw.setExcludedDomains("www.esdc.gc.ca,www.jobbank.gc.ca,www.readseal.ca");
         lssw.setCancelMessage("Don't leave");
         lssw.setYesMessage("Yes, leave this site");
    @@ -73,26 +64,4 @@ public void onWebTemplateInitialize() {
     }
        	
    -

    Created your custom "redirect" class

    - -
    -

    Code Sample for your Redirect action class

    -
    -import java.net.URLDecoder;
    -import javax.servlet.http.HttpServletRequest;
    -import org.apache.struts2.ServletActionContext;
    -
    -public class LeaveSecureSiteAction {
    -	public void execute() throws Exception {
    -		HttpServletRequest currentReq = ServletActionContext.getRequest();
    -		String redirectUrl = URLDecoder.decode(currentReq.getParameter("targetUrl"), "UTF-8");
    -		ServletActionContext.getResponse().sendRedirect(redirectUrl);
    -	}
    -}
    -   
    -
    <%@ include file="_sampleslist.jsp" %>
diff --git a/gocwebtemplate-sample-spring/pom.xml b/gocwebtemplate-sample-spring/pom.xml
index 531e0638..191f1920 100644
--- a/gocwebtemplate-sample-spring/pom.xml
+++ b/gocwebtemplate-sample-spring/pom.xml
@@ -3,7 +3,7 @@
 ca.gc.gocwebtemplate gocwebtemplate-sample-spring
- 3.0.0-SNAPSHOT
+ 4.0.0-SNAPSHOT
 jar
@@ -11,7 +11,7 @@
 UTF-8 1.8 2.6.6
- 3.0.0-SNAPSHOT
+ 4.0.0-SNAPSHOT
 local ${maven.build.timestamp}
diff --git a/gocwebtemplate-sample-spring/src/main/java/goc/webtemplate/spring/samplebeans/LeavingSecureSiteSampleBean.java b/gocwebtemplate-sample-spring/src/main/java/goc/webtemplate/spring/samplebeans/LeavingSecureSiteSampleBean.java
index c45f95bd..f45dd9aa 100644
--- a/gocwebtemplate-sample-spring/src/main/java/goc/webtemplate/spring/samplebeans/LeavingSecureSiteSampleBean.java
+++ b/gocwebtemplate-sample-spring/src/main/java/goc/webtemplate/spring/samplebeans/LeavingSecureSiteSampleBean.java
@@ -14,7 +14,6 @@ public void onWebTemplateInitialize() {
 lssw.setEnabled(true);
 lssw.setMessage("You are about to leave a secure site, do you wish to continue?");
- lssw.setRedirectUrl("gocwebtemplate_leavesecuresiteredirect");
 lssw.setExcludedDomains("www.esdc.gc.ca,www.jobbank.gc.ca,www.readseal.ca");
 lssw.setCancelMessage("Don't leave");
 lssw.setYesMessage("Yes, leave this site");
diff --git a/gocwebtemplate-sample-spring/src/main/resources/samples/LeavingSecureSiteSample.html b/gocwebtemplate-sample-spring/src/main/resources/samples/LeavingSecureSiteSample.html
index ad541b66..c11cf268 100644
--- a/gocwebtemplate-sample-spring/src/main/resources/samples/LeavingSecureSiteSample.html
+++ b/gocwebtemplate-sample-spring/src/main/resources/samples/LeavingSecureSiteSample.html
@@ -20,8 +20,8 @@

    Leaving Secure Site Warning

    How it works

    -
  • if the "Yes" button is clicked: - +
  • if the "Yes" button is clicked, the browser will be directed to the external link
  • +
  • optionally, a redirect url can be set in "leavingSecureSiteRedirectUrl" via either the cdn.properties file or programmatically. + If this is used, the browser will be directed to this page before leaving, where the application can terminate the user's session and let them proceed to the external link. + The external link will be presented to the user by placing an element <span class="wb-exitscript wb-exitscript-exiturlparam"></span> on the page. + For an example of a "middle page", refer to scenario 3 link in the WET Documentation.
  • Here is a local link that will not display the warning: Link to Local Page

    -

    Here is an external link that will display the warning: Link to External Page

    +

    Here is an external link that will display the warning: Link to External Page

    Steps to implement:

    Enable the leaving secure site feature

    @@ -63,7 +57,6 @@

    Enable the leaving secure site feature

    lssw.setEnabled(true); lssw.setMessage("You are about to leave a secure site, do you wish to continue?"); - lssw.setRedirectUrl("gocwebtemplate_leavesecuresiteredirect"); lssw.setExcludedDomains("www.esdc.gc.ca,www.jobbank.gc.ca,www.readseal.ca"); lssw.setCancelMessage("Don't leave"); lssw.setYesMessage("Yes, leave this site"); @@ -74,20 +67,6 @@

    Enable the leaving secure site feature

    }
    -

    Map your "redirect" url in the controller

    - -
    -

    Code Sample for your Redirect Controller method

    -
    -@GetMapping("/gocwebtemplate_leavesecuresiteredirect")
    -public void LeaveSecureSiteRedirect(HttpServletRequest request, HttpServletResponse response) throws Exception {
    -	//Custom processing would go here
    -	BaseUtil.doLeaveSecureSite(request, response);
    -}
    -	        
    -
    diff --git a/pom.xml b/pom.xml
index 58cdcde6..2f2e3641 100644
--- a/pom.xml
+++ b/pom.xml
@@ -2,7 +2,7 @@
 4.0.0 ca.gc.gocwebtemplate gocwebtemplate
- 3.0.0-SNAPSHOT
+ 4.0.0-SNAPSHOT
 pom gocwebtemplate