Feature/ee8 ee10 split #125
Open
vis-86 wants to merge 93 commits into
…mprove error handling, and configure RemoteAuthCryptoService.
…spend -- fix review comments
…spend -- fix review comments
fixes #119 - add events for user passwords reset, user block, user su…
… to `PlaintextPasswordEncoder` in `PlaintextPasswordEncoderTest`.
… ensure compatibility and runtime support.
Replaced implicit INNER JOIN on group_actions/groups with LEFT JOIN so actions not assigned to any group still appear in search results.
…e test
- docs/migration-client-ee8-ee10.md line 47: separate filter package (client.session.*) from session abstractions (common.session); SessionMappingLocator and HttpSessionWrapper now correctly reference com.payneteasy.superfly.common.session
- docs/migration-client-ee8-ee10.md line 74: fix module reference from superfly-client-core to superfly-common; add HashMapBackedSessionMapping
- SessionApiLocationTest: 3 tests verifying package and code-source origin of the 3 session classes to prevent documentation drift
- Remove token pre-validation from SubsystemAuthenticationConverter (SRP fix)
- Replace .equals() with MessageDigest.isEqual() for timing-safe token comparison
- Add AccountStatusUserDetailsChecker to reject disabled subsystems
- Catch UsernameNotFoundException to prevent subsystem name enumeration
- Reject headers with control characters to prevent CRLF log injection
- Add SecurityAuditApplicationListener: structured audit trail via LoggerSink and SLF4J WARN for both subsystem token and X509 auth channels
- Enforce TLS 1.2/1.3 in AuthSSLProtocolSocketFactory; fix deprecated getSubjectDN()
- Stop logging request body in SSOHttpServiceApiClient (credential leak fix)
- Enforce HTTPS-only URLs in SSOHttpServiceApiClient.validateUrl()
- Add unit, integration and OWASP attack-vector tests (A01/A02/A03/A07/A09)
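The three header-level hardening steps in the commit above (timing-safe token comparison, rejecting control characters before anything is logged, and giving an unknown subsystem the same response as a wrong token) can be shown in one small class. This is an added example, not the project's SubsystemAuthenticationConverter or checker classes; SubsystemTokenVerifier and TokenStore are hypothetical names, and the sample tokens are constructed. It needs Java 11 or later for String.repeat.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Optional;

/**
 * Added example (not the project's code): a header-based subsystem token check with the
 * three hardening steps named in the commit. SubsystemTokenVerifier and TokenStore are
 * hypothetical names.
 */
public final class SubsystemTokenVerifier {

    /** Hypothetical lookup of the expected token for a subsystem; null when the name is unknown. */
    @FunctionalInterface
    public interface TokenStore {
        String tokenFor(String subsystemName);
    }

    private final TokenStore store;

    public SubsystemTokenVerifier(TokenStore store) {
        this.store = store;
    }

    /** True if the value contains any ASCII control character (CR, LF, TAB, DEL, ...), which would let a client forge extra log lines. */
    static boolean hasControlChars(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return true;
            }
        }
        return false;
    }

    /** MessageDigest.isEqual does not stop at the first differing byte; only a length mismatch returns early. */
    static boolean tokensMatch(String presented, String expected) {
        return MessageDigest.isEqual(
                presented.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Returns the authenticated subsystem name, or empty on any failure. An unknown subsystem
     * and a wrong token take the same code path and produce the same result, so a caller cannot
     * use the response to enumerate valid subsystem names.
     */
    public Optional<String> verify(String subsystemHeader, String tokenHeader) {
        if (subsystemHeader == null || tokenHeader == null) {
            return Optional.empty();
        }
        if (hasControlChars(subsystemHeader) || hasControlChars(tokenHeader)) {
            return Optional.empty();
        }
        String expected = store.tokenFor(subsystemHeader);
        // For an unknown name, compare against a dummy of similar length so the work done is uniform.
        String reference = expected != null ? expected : "\0".repeat(tokenHeader.length());
        boolean match = tokensMatch(tokenHeader, reference);
        return (expected != null && match) ? Optional.of(subsystemHeader) : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample data, not real credentials.
        Map<String, String> tokens = Map.of("billing", "s3cr3t-token");
        SubsystemTokenVerifier verifier = new SubsystemTokenVerifier(tokens::get);
        System.out.println("valid:          " + verifier.verify("billing", "s3cr3t-token"));
        System.out.println("wrong token:    " + verifier.verify("billing", "wrong-token"));
        System.out.println("unknown name:   " + verifier.verify("nobody", "s3cr3t-token"));
        System.out.println("CRLF in header: " + verifier.verify("billing\r\nforged=line", "s3cr3t-token"));
    }
}
```

The control-character check runs before the token lookup so that a rejected header never reaches the audit log; the audit listener from the commit would then only ever see sanitised subsystem names.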
…assword reset_password called int_create_event with 2 args; procedure expects 3. All other callers (ui_lock_user, ui_suspend_user) already pass null for subsystem_id. Added integration test to catch this class of mismatch.
…vent CDN jQuery (cdnjs.cloudflare.com) was blocked by Spring Security CSP script-src 'self'. Switched to ContextRelativeResourceReference so Wicket serves jquery-3.7.0.js from same origin. fastLiveFilter relied on keydown+setTimeout(0) to trigger change event — unreliable in modern browsers. Replaced with input+change event listeners.
… verifier Adds JDK-native SSL builder without Apache HttpClient dependency:
- buildSocketFactory(keyStore, trustStore) — SSLContext from JKS files
- buildTrustManager(trustStore) — X509TrustManager for diagnostics
- buildCnHostnameVerifier(expectedCns) — verifies cert CN instead of hostname; safe with custom trustStore when CN ≠ deployment hostname (e.g. CN=superfly-server connecting to localhost)
Includes unit tests via EasyMock for all three factory methods.
Covers two-step TLS verification (TrustManager vs HostnameVerifier), configuration scenarios (public cert / custom CA / localhost dev), JdkSslSocketFactoryBuilder API, keytool setup, and error diagnostics.
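The CN-based verifier described in the two commits above (the buildCnHostnameVerifier factory and the two-step TrustManager/HostnameVerifier explanation in the docs) can be illustrated with a stand-alone class. This is an added example, not the project's JdkSslSocketFactoryBuilder; the class name CnHostnameVerifierExample and the sample DNs are constructed. The subject DN is parsed as an LDAP name rather than searched as a string, so a CN-looking fragment inside another attribute value is not mistaken for the CN.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.security.auth.x500.X500Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;

/**
 * Added example (not the project's JdkSslSocketFactoryBuilder): a HostnameVerifier that accepts
 * the connection when the leaf certificate's subject CN is in an allow-list, regardless of the
 * host name dialed. The TrustManager must still accept the chain first; this only replaces the
 * name check, so it is only safe when the trust store holds a private CA that will never issue
 * an arbitrary CN to an outsider.
 */
public final class CnHostnameVerifierExample {

    /** Returns the CN attribute of a subject DN, parsing it as an LDAP name instead of by substring search. */
    static Optional<String> commonName(X500Principal subject) {
        try {
            for (Rdn rdn : new LdapName(subject.getName(X500Principal.RFC2253)).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType()) && rdn.getValue() instanceof String) {
                    return Optional.of((String) rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            // Unparseable DN: treat as having no CN.
        }
        return Optional.empty();
    }

    public static HostnameVerifier buildCnHostnameVerifier(Set<String> expectedCns) {
        Set<String> allowed = expectedCns.stream()
                .map(cn -> cn.toLowerCase(Locale.ROOT))
                .collect(Collectors.toSet());
        return (hostname, session) -> {
            try {
                Certificate[] chain = session.getPeerCertificates();
                if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                    return false;
                }
                X509Certificate leaf = (X509Certificate) chain[0];
                return commonName(leaf.getSubjectX500Principal())
                        .map(cn -> allowed.contains(cn.toLowerCase(Locale.ROOT)))
                        .orElse(false);
            } catch (SSLPeerUnverifiedException e) {
                return false;
            }
        };
    }

    public static void main(String[] args) {
        // Constructed DNs; no TLS session is opened here.
        X500Principal server = new X500Principal("CN=superfly-server, O=Example, C=US");
        X500Principal noCn = new X500Principal("O=Example, C=US");
        X500Principal tricky = new X500Principal("OU=CN\\=superfly-server, O=Example");
        System.out.println("server DN -> " + commonName(server));
        System.out.println("no CN     -> " + commonName(noCn));
        System.out.println("escaped   -> " + commonName(tricky));
    }
}
```

Pass the result of buildCnHostnameVerifier to the HTTP client together with an SSLContext whose trust store contains only the private CA; with a public CA in the trust store the CN check would accept any certificate that CA issued with a matching CN.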
…int timeouts
- add Endpoint enum for type-safe endpoint identification
- add SSOClientConfig with per-endpoint HttpRequestParameters override (enables short timeout for AUTHENTICATE, long-poll timeout for GET_EVENTS)
- refactor SSOHttpServiceApiClient: constructor-based DI for IHttpClient; class is now final, implements AutoCloseable (delegates to transport)
- unify decode-path: ExceptionWrapper parsed for any non-200 status (fix: typed server exceptions like UserExistsException were lost for 4xx, replaced with generic SsoBadRequestException)
- HTTPS validation moved from client to SSOClientConfig.normalizeBaseUrl
- migrate tests to constructor injection (remove TestableHttpServiceApiClient subclass which exercised the protected getHttpClient() anti-pattern)
This is SSO-1a from the SSO Client Production Reliability roadmap. paynet-side migration to the new constructor will follow in SSO-1b.
…ped 4xx/5xx
- SSOClientConfigTest: parametersFor override/default, urlFor, HTTPS validation, null/empty/blank baseUrl, null subsystemName/defaultParameters
- SSOHttpServiceApiClientTest: per-endpoint timeout routing (GET_EVENTS vs AUTHENTICATE vs default), AutoCloseable delegation to transport, ExceptionWrapper for status 400 / 500, fallback to status-based exception when wrapper is absent
- docs/sso-http-client.md: architecture, per-endpoint timeouts guidance, mTLS, HTTPS-only safety, ExceptionWrapper handling, decorator pattern
- README: link the new doc page
Closes SSO-1a from the SSO Client Production Reliability roadmap.
…ooling (SSO-3)
- ApacheHC5HttpClient: IHttpClient + AutoCloseable on Apache HC5 5.4.4
- Pool: maxConnTotal=50 / maxConnPerRoute=25 / idleEviction=30s
- Per-request timeout via HttpClientContext
- Exception mapping: ConnectTimeout→HttpConnectException, SocketTimeout→HttpReadException
- Builder: optional SSLContext + HostnameVerifier for mTLS
- JdkSslSocketFactoryBuilder.buildSslContext() → public
- Transport lives in superfly-remote-api (sole consumer: SSOHttpServiceApiClient)
- Removed http-client-impl from superfly-remote-api/pom.xml
- 6 unit tests with JDK HttpServer
…eus/Grafana guides
- Add micrometer-core dependency to superfly-web/pom.xml
- Add MetricsConfiguration: SimpleMeterRegistry + MetricsSSOService as @Primary bean. Fix: inject SSOService via @Qualifier('ssoServiceImpl') instead of concrete class (Spring wraps @Service beans in JDK proxy under AOP/transactions)
- Add MonitoringPage: health badge, per-operation table (calls/errors/latency), Bootstrap 4 accordion with Prometheus and Grafana integration guides
- Register /monitoring route in SuperflyApplication
- Add Monitoring nav item to BasePage
Spring's Introspector.decapitalize() preserves case when the first two letters are both uppercase: 'SSOServiceImpl' stays 'SSOServiceImpl', not 'ssoServiceImpl'. Fix the qualifier to match the actual bean name.
…rics (SSO-2)
- Add micrometer-core to root pom dependencyManagement + version property
- Add micrometer-core as optional dep to superfly-remote-api
- MetricsSSOService: decorator over SSOService recording sso.call.duration timers (per operation+status), sso.errors.total counter, sso.last.success.epoch.ms gauge
- SSOHealthSnapshot: immutable health snapshot (isHealthy based on last success timestamp + error rate threshold)
- Tests: MetricsSSOServiceTest covering timer recording, error counting, health state
- docs/sso-metrics.md: integration guide for Prometheus/Grafana
ApacheHC5HttpClient is one possible transport, not mandatory for all consumers. Library consumers that use JDK transport should not be forced to bundle httpclient5. Consumers using ApacheHC5HttpClient must declare httpclient5 explicitly in their own pom.xml. Mirrors the same approach used for micrometer-core (optional since SSO-2).
…lient-hc5 module
- Create superfly-httpclient-hc5 module: dedicated HC5 transport artifact with http-client-api + httpclient5 (mandatory) + slf4j-api
- Move ApacheHC5HttpClient + test from superfly-remote-api to new module (package unchanged: com.payneteasy.superfly.api.transport)
- Remove httpclient5 dependency from superfly-remote-api entirely
- Register new module in root pom.xml
Consumers who need HC5 transport must now declare superfly-httpclient-hc5 explicitly; superfly-remote-api stays transport-agnostic (SSO-3)
…ment
Consumers (e.g. paynet) can now reference the artifact without specifying
a version — the root BOM manages it via ${project.version}.
…ntation
- Fully remove `MetricsSSOService` class and associated Micrometer-based metrics.
- Delete `SSOHealthSnapshot` utility class for health snapshot support.
- Remove associated tests (e.g., `MetricsSSOServiceTest`) and `sso-metrics.md` documentation.
- Cleanup `MetricsConfiguration` and related fragments in `superfly-web`.
Discontinues SSO operational metric instrumentation and health snapshot capabilities.
Remove from git tracking (kept locally) the non-business artifacts: .ai-factory/, docs/plans/, .cursor/, .mcp.json, .run/Start.run.xml. AGENTS.md retained as shared project map.
…JSON-only transport
Phase 1 of the EE8/EE10 split + dependency-hardening plan.
- ExternalFormSecurityFilter: replace Hessian (HessianProxyFactory) transport with the JSON SSOHttpServiceApiClient over HttpClientImpl. The URL constructor is preserved for integrator compatibility (now builds the JSON client at /remoting/sso.service, HTTPS-enforced via SSOClientConfig); a new DI constructor accepts an injected SSOService. destroy() closes the client only when owned.
- Remove dead server-side XML remoting: delete the obsolete remoting-servlet.xml (commented-out xremoting/hessian exporters) and give the remoting DispatcherServlet an explicit empty contextConfigLocation (handlers are inherited from the root WebConfig context). Drop the dead /remoting/*.hessian.service permitAll matchers; keep /remoting/sso.service (ROLE_SUBSYSTEM).
- Remove xstream, xremoting-core and hessian from the POMs and prune the obsolete mxparser dependency-check suppression block (33 CVEs gone with xstream).
…rtz/c3p0/mchange
- QuartzConfig -> ScheduledTasksConfig (@Scheduled fixed-rate, intervals/args unchanged)
- new TaskSchedulerConfig: shared dependency-free ThreadPoolTaskScheduler (@EnableScheduling), avoids the defaultNotifier <-> taskScheduler <-> sessionService startup cycle
- DefaultNotifier: one-shot send via TaskScheduler instead of Quartz job
- remove SchedulerUtils, SendNotificationOnceJob, BaseJob
- drop org.quartz-scheduler:quartz from root/web/service poms (c3p0/mchange go transitively)
- add SchedulingContextWiringTest regression guard for the wiring cycle
Suppressions cleanup deferred to phase 5.
The XML referenced already-deleted factory-bean classes (PasswordEncoderFactoryBean, SaltSourceFactoryBean, LockoutStrategyFactoryBean, AccountPolicyFactoryBean, *StrategyFactoryBean, HOTPProviderFactoryBean) and could not be loaded. All beans it declared are already provided by Java config: @Service impls, @OnPolicyCondition conditional @Component beans (password/salt/lockout/account/strategy/policy-validation), and @Bean (publicKeyCrypto/cryptoService/hotpProvider). velocityEngine comes from the @Service VelocityEngineFactoryBean. Note: the commons-httpclient HttpClient bean (notifierHttpClient) used by SimpleSendStrategy was only defined here; migrating that call-site is phase 3 (commons-httpclient -> hc5).
…p context StubBeans was @Configuration in package com.payneteasy.superfly.web.spring, so the app's broad @ComponentScan("com.payneteasy.superfly") picked it up when Start (a src/test class) runs with the test classpath, registering a stub 'userService' bean that collided with the @Service 'userServiceImpl' (NoUniqueBeanDefinitionException on UserService). Dropping @Configuration makes it invisible to component-scan while explicit register(StubBeans.class) still processes its @Bean methods (lite mode), preserving the sessionService->notifier cycle-reproduction edge.
…s instead of `GetEventsRequest`
- Refactored `InternalSSOService.getEvents()` to accept `Date lastEventTime`, `long waitTimeMs`, and `String subsystemIdentifier` as arguments.
- Adjusted `SSOServiceImpl` and `InternalSSOServiceImpl` to align with the updated method signature.
- Moved `obtainSubsystemIdentifier` method for improved method organization.
Phase 3 of EE8/EE10 split + dependency hardening. Replaces EOL commons-httpclient 3.1 (CVE-2012-5783, CVE-2020-13956) and the dead SSLv3 transport config with the IHttpClient/HttpClient5 stack.
- superfly-service: notification send strategies use IHttpClient (ApacheHC5HttpClient) with form-encoded POST instead of commons-httpclient HttpClient/PostMethod
- superfly-client-opt: HttpClientSpringConfiguration exposes an IHttpClient bean; remove HttpClientFactoryBean, StoresAndSSLConfig and the commons-only manual tools (SslTestMain, test-ssl.xml, HttpSecureProtocolTest)
- superfly-httpclient-ssl module deleted; JDK SSL helpers (JdkSslSocketFactoryBuilder, AuthSSLX509KeyManager/TrustManager + test) relocated into superfly-httpclient-hc5
- superfly-web: BasicAuthorizationParser switches from org.apache.commons.ssl.Base64 (not-yet-commons-ssl, transitive) to java.util.Base64; add BasicAuthorizationParserTest
- drop commons-httpclient and not-yet-commons-ssl from dependency management; prune obsolete commons-httpclient-3.1 suppressions
superfly-demo (standalone, out of scope) still uses commons-httpclient.
…pload to patched versions
- EE10: spring-security 6.4.11 -> 6.4.13, wicket 10.6.0 -> 10.9.1
- EE8: spring-security5 5.8.13 -> 5.8.16, wicket8 8.16.0 -> 8.18.0
- override commons-fileupload -> 1.6.0 (CVE-2025-48976, Wicket 8 transitive)
- spring 6.2.18 / spring5 5.3.39 already at latest patch in their lines
… scan
- prune suppressions.xml: drop 28 stale entries (jars removed/upgraded in phases 1-4: xstream/wicket7/spring-security 5.4-5.5/commons-fileupload 1.3/bcpg-jdk15/mail-1.4/logback-ext-spring), keep 2 version-agnostic false positives (superfly-crypto->pgp, bcpg->openpgp)
- bump jetty 12.0.32 -> 12.0.35 (CVE-2026-2332, request smuggling; test/provided)
- suppress CVE-2016-1000027 (spring-web 5.3.x FP: HttpInvoker remoting removed)
- suppress CVE-2026-22732 temporarily (no fixed spring-security artifact published yet; need >=5.8.24 / >=6.4.15)
dependency-check gate: 0 unsuppressed CVSS>=9; all plan-targeted criticals gone
- ssl-mtls.md: superfly-httpclient-ssl module removed; SSL helpers now in superfly-httpclient-hc5 (com.payneteasy.httpclient.contrib.ssl). Switch examples from per-request HttpRequestParameters/HttpClientImpl to ApacheHC5HttpClient.Builder.sslContext()/buildSslContext(); drop deleted AuthSSLProtocolSocketFactory; replace non-existent SuperflySsoServiceConfig section with the actual @Bean wiring pattern
- httpclient-hc5.md: fix two stale superfly-httpclient-ssl references
- AGENTS.md: update module tree (httpclient-ssl -> httpclient-hc5)
…ive re-leak
EE8 wrapper modules (superfly-spring-security-ee8, superfly-wicket-ee8) are published libraries for external javax consumers, not the EE10 SSO runtime. Stop them from forcing vulnerable javax-5.x Spring / Wicket-8 onto consumers.
- T1/T2: switch Spring 5.x / Spring Security 5.8.x / Wicket 8 deps to provided (version pins kept; internal superfly-* stay compile). The consumer now brings its own javax-compatible stack.
- T3: version-pinned OWASP suppressions for the residual provided-stack findings (spring-*:5.3.x incl. spring-jcl, spring-security-*:5.8.x, wicket-core:8.x bundled jQuery); pinned so the in-line EE10 6.x stack is not masked. Bump suppression schema to 1.3 (vulnerabilityName support).
- T4: maven-enforcer bannedDependencies guard in both EE8 poms — fails only if a framework dep re-leaks at compile/runtime scope (provided passes).
- T6: document the provided-scope contract in docs/migration-client-ee8-ee10.md.
Residual open OWASP findings reduced to out-of-scope/tracked only: commons-lang3 3.17 and spring-security 6.4.13.
No description provided.