fix(jans-lock): fix lock startup in jans-auth service mode by yurem · Pull Request #9062 · JanssenProject/jans · GitHub

fix(jans-lock): fix lock startup in jans-auth service mode #9062


Merged 2 commits into main on Jul 30, 2024

Conversation

yurem (Contributor) commented Jul 30, 2024

closes #9061

  • I confirm that there is no impact on the docs due to the code changes in this PR.

dryrunsecurity bot commented Jul 30, 2024

DryRun Security Summary

The changes made in this pull request to the LockUtil.java file focus on improving the security and reliability of the application's token handling and HTTP communication, including replacing the HttpService class, enhancing token handling, adding encryption and decryption functionality, improving endpoint handling, implementing better error handling, and including methods to handle JSON data.


Summary:

The changes made in this pull request to the LockUtil.java file appear to be focused on improving the security and reliability of the application's token handling and HTTP communication. The key security-related observations include:

  1. Dependency Changes: The replacement of the HttpService class with the BaseHttpService class may have security implications that should be reviewed to ensure that HTTP requests are still being handled securely.

  2. Token Handling: The changes focus on improving the token acquisition process, which is a positive step from a security perspective, as tokens are used to authenticate and authorize access to protected resources.

  3. Encryption and Decryption: The inclusion of functionality to decrypt the client password using the EncryptionService is an important security feature, as it ensures that sensitive information, such as passwords, is not stored in plaintext.

  4. Endpoint Handling: The code includes methods to retrieve the appropriate endpoint path and URL based on the configuration, which helps ensure that the application is interacting with the correct endpoints and not being misdirected to potentially malicious ones.

  5. Error Handling: The code includes error handling mechanisms, such as checking for null responses and handling exceptions, which is a good practice to prevent the application from crashing or exposing sensitive information in the event of an error.

  6. JSON Handling: The code includes methods to handle JSON data, and it's important to ensure that the JSON handling is done securely to prevent vulnerabilities like JSON injection or deserialization issues.

Files Changed:

  • jans-lock/lock-master/service/src/main/java/io/jans/lock/util/LockUtil.java: The changes in this file focus on improving the security and reliability of the application's token handling and HTTP communication. The key changes include replacing the HttpService class, improving token handling, adding encryption and decryption functionality, enhancing endpoint handling, implementing better error handling, and including methods to handle JSON data.

Code Analysis

We ran 9 analyzers against 2 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

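The bot summary above describes the pattern a lock component's startup path needs: resolve the token endpoint from configuration without being misdirected, decrypt the stored client secret only at the moment it is used, run the client_credentials grant, and fail closed on a null or non-200 response or a malformed JSON body. The program below is an added example of that pattern and is not code from the Janssen project or from this pull request; it is written in Go rather than Java so it runs stand-alone with an in-process fake authorization server. Everything in it is an assumption for illustration: the LockConfig type and its field names, the AES-256-GCM sealing used in place of Jans' EncryptionService, the "/jans-auth/restv1/token" path, the "constructed.scope" value, and the fake server's canned token.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// LockConfig stands in for what a lock component reads at startup. Constructed for this
// example; the field names are not Jans configuration keys.
type LockConfig struct {
	IssuerURL             string // trusted authorization server base URL
	TokenEndpointPath     string // token endpoint, relative to IssuerURL
	ClientID              string
	EncryptedClientSecret string // base64(nonce || AES-256-GCM ciphertext); never the plaintext
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// sealSecret encrypts a client secret; used here only to build the sample config.
func sealSecret(key []byte, secret string) (string, error) {
	gcm, err := newGCM(key); if err != nil { return "", err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", err }
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(secret), nil)), nil
}
// decryptSecret yields the plaintext at use time only. A wrong key or an altered ciphertext
// fails the GCM tag check instead of producing garbage that then gets sent as a credential.
func decryptSecret(key []byte, sealedB64 string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(sealedB64); if err != nil { return "", fmt.Errorf("encrypted secret is not base64: %w", err) }
	gcm, err := newGCM(key); if err != nil { return "", err }
	if len(sealed) < gcm.NonceSize() { return "", fmt.Errorf("encrypted secret too short") }
	pt, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
	if err != nil { return "", fmt.Errorf("secret decryption failed: wrong key or tampered ciphertext") }
	return string(pt), nil
}
// tokenEndpoint resolves the token URL from config and refuses an endpoint value that changes
// scheme or host, such as an absolute URL smuggled into the path field, which would ship the
// client credential elsewhere. Production config should additionally require an https issuer.
func tokenEndpoint(cfg LockConfig) (string, error) {
	issuer, err := url.Parse(cfg.IssuerURL)
	if err != nil || issuer.Scheme == "" || issuer.Host == "" { return "", fmt.Errorf("invalid issuer URL %q", cfg.IssuerURL) }
	ref, err := url.Parse(cfg.TokenEndpointPath); if err != nil { return "", err }
	resolved := issuer.ResolveReference(ref)
	if resolved.Scheme != issuer.Scheme || resolved.Host != issuer.Host { return "", fmt.Errorf("token endpoint %q leaves issuer %q", resolved, cfg.IssuerURL) }
	return resolved.String(), nil
}
// acquireToken runs the client_credentials grant. Every failure is an error, never an empty
// token, so startup cannot silently continue unauthenticated.
func acquireToken(client *http.Client, cfg LockConfig, key []byte, scope string) (string, error) {
	endpoint, err := tokenEndpoint(cfg); if err != nil { return "", err }
	secret, err := decryptSecret(key, cfg.EncryptedClientSecret); if err != nil { return "", err }
	form := url.Values{"grant_type": {"client_credentials"}, "scope": {scope}}
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode())); if err != nil { return "", err }
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(cfg.ClientID, secret) // client_secret_basic
	resp, err := client.Do(req); if err != nil { return "", fmt.Errorf("token request failed: %w", err) }
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { return "", fmt.Errorf("token endpoint returned HTTP %d", resp.StatusCode) }
	var tr struct { AccessToken string `json:"access_token"`; TokenType string `json:"token_type"` }
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<16)).Decode(&tr); err != nil { return "", fmt.Errorf("token response is not valid JSON: %w", err) }
	if tr.AccessToken == "" || !strings.EqualFold(tr.TokenType, "Bearer") { return "", fmt.Errorf("token response lacks a bearer access_token") }
	return tr.AccessToken, nil
}
// fakeTokenServer is a constructed stand-in for the authorization server so the example runs offline.
func fakeTokenServer(clientID, clientSecret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if id, secret, ok := r.BasicAuth(); !ok || id != clientID || secret != clientSecret || r.FormValue("grant_type") != "client_credentials" {
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprint(w, `{"error":"invalid_client"}`)
			return
		}
		fmt.Fprint(w, `{"access_token":"tok-constructed-123","token_type":"Bearer","expires_in":300}`)
	}))
}
// demo wires the pieces together on constructed data and returns the acquired access token.
func demo() (string, error) {
	key := make([]byte, 32) // in production: from a KMS or a root-only key file, never the same config
	if _, err := rand.Read(key); err != nil { return "", err }
	const clientID, clientSecret = "lock-client", "constructed-client-secret"
	srv := fakeTokenServer(clientID, clientSecret)
	defer srv.Close()
	sealed, err := sealSecret(key, clientSecret); if err != nil { return "", err }
	cfg := LockConfig{IssuerURL: srv.URL, TokenEndpointPath: "/jans-auth/restv1/token", ClientID: clientID, EncryptedClientSecret: sealed}
	return acquireToken(srv.Client(), cfg, key, "constructed.scope")
}

func main() { fmt.Println(demo()) }
```

The three checks worth copying into a real startup path are that the secret is decrypted with an authenticated cipher (a wrong key is an error, not a wrong password sent over the wire), that the endpoint is rejected if it resolves outside the configured issuer, and that a 401, an empty body or a non-bearer response all abort startup rather than leaving the service running with a nil token.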

@yurem yurem requested review from yuriyz and yuremm July 30, 2024 15:27
@mo-auto mo-auto added the kind-bug Issue or PR is a bug in existing functionality label Jul 30, 2024
@yuriyz yuriyz enabled auto-merge (squash) July 30, 2024 15:30
@yuriyz yuriyz merged commit 9cda8e8 into main Jul 30, 2024
11 checks passed
@yuriyz yuriyz deleted the issue_9061 branch July 30, 2024 16:51
yuriyz pushed a commit that referenced this pull request Nov 7, 2024
* fix(jans-lock): fix lock startup in jans-auth service mode

Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>

* fix(jans-lock): fix lock startup in jans-auth service mode

---------

Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
Former-commit-id: 9cda8e8
Labels
kind-bug Issue or PR is a bug in existing functionality
Projects
None yet
Development

Successfully merging this pull request may close these issues: fix(jans-lock): fix lock startup in jans-auth service mode (#9061)
4 participants