PILLUTLAAVINASH / google-enterprise-connector-manager

Automatically exported from code.google.com/p/google-enterprise-connector-manager

Change form snippet requirement to be XHTML and obfuscate any sensitive data before transmitting #137

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Some of the ConnectorManagerGetServlet subclasses can put sensitive data in the formSnippet contained in the ConfigureResponse.
2. Call GetConnectorConfigToEdit on a connector instance that has sensitive data.
3. See the sensitive data in the response.

What is the expected output? What do you see instead?

Sensitive data should be obfuscated.

Notes:

Best way to parse the form snippet is as XHTML rather than try to parse as SGML or malformed HTML.  This will require that all ConnectorType implementations now create form snippets within the ConfigureResponse that are WELL FORMED XHTML.  Then the ConnectorManagerGetServlet can parse the form snippet and safely obfuscate any sensitive data without risking mangling the form.

Original issue reported on code.google.com by mgron...@gmail.com on 4 Apr 2009 at 3:14

GoogleCodeExporter commented 8 years ago
Fixed over the following changes:
1605, 1606, 1607, 1630, 1632, 1634, 1636, 1642, 1643

Summary:

Added code to obfuscate sensitive data being sent during update operations and added code to support parsing form snippet as XHTML using local DTD files.

Notes to Users:

Most Connectors released prior to this patch have been returning HTML and will not work with the version of the Connector Manager that includes this patch.  Connector developers are updating the ConnectorType implementations to conform to this XHTML requirement, and these will be made available with the Connector Framework release containing this update.

Notes to Developers:

The formSnippet returned from the ConnectorType methods MUST BE WELL FORMED
XHTML.  In the past, the formSnippet could be HTML/SGML and didn't have to be
parsed by the Connector Manager.  With the addition of a filter for sensitive data
within the formSnippet, the formSnippet is now passed through an XML parser
checking for well formed XHTML.  Malformed XHTML will not be passed back to the
caller.  This means a Connector can never be updated if the
ConnectorType.getPopulatedConfigForm() implementation is returning a malformed
XHTML formSnippet in the ConfigureResponse.  An XML parsing error is returned
instead.

If the formSnippet contains script, the script code must be contained within a
CDATA block as shown below:

  <script language="JavaScript" type="text/javascript">
  <![CDATA[
  // Report whether "Version 1" is the current selection.
  function checkSelect() {
    var opt = document.getElementById('SPType');
    if (opt.value == 'version1') {
      alert('Version1 Selected');
    } else {
      alert('Version1 Not Selected');
    }
  }
  ]]>
  </script>
  <tr>
  <td colspan="1" rowspan="1"><div style="float: left;">Select Version</div></td>
  <td colspan="1" rowspan="1"><select id="SPType" name="Version" onchange="checkSelect();" size="1">
  <option selected="" value="version1">Version 1</option>
  <option value="version2">Version 2</option></select>
  </td>
  </tr>

TESTS PASSED:

- All Unit Tests
- Tested with GSA.  Created connector and passed several types of formSnippets.
  Observed tcp traffic and confirmed sensitive data obfuscated and formSnippets
  were kept intact.

Original comment by mgron...@gmail.com on 4 Apr 2009 at 3:25
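
The parse-then-mask step described in the comment above, as an added Java example that is not the Connector Manager's own code. It assumes a sensitive field is an `<input type="password">`; the class name `SnippetObfuscator`, the `<snippet>` wrapper element and the `****` mask are hypothetical.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class SnippetObfuscator {
  static final String MASK = "****";  // constructed placeholder value
  // Masks password inputs; throws SAXException if the snippet is not well formed.
  static String obfuscate(String formSnippet) throws Exception {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    // Fragments need no DOCTYPE; refusing one rules out external entities.
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    // A snippet can hold several top-level elements, so wrap it in one root.
    Document doc = f.newDocumentBuilder().parse(
        new InputSource(new StringReader("<snippet>" + formSnippet + "</snippet>")));
    if (!doc.getDocumentElement().hasChildNodes()) return "";
    NodeList inputs = doc.getElementsByTagName("input");
    for (int i = 0; i < inputs.getLength(); i++) {
      Element e = (Element) inputs.item(i);
      // Assumption: type="password" marks a sensitive field.
      if ("password".equalsIgnoreCase(e.getAttribute("type")) && e.hasAttribute("value")) {
        e.setAttribute("value", MASK);
      }
    }
    Transformer t = TransformerFactory.newInstance().newTransformer();
    t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
    StringWriter out = new StringWriter();
    t.transform(new DOMSource(doc), new StreamResult(out));
    String xml = out.toString();  // strip the wrapper root added above
    return xml.substring(xml.indexOf('>') + 1, xml.lastIndexOf("</snippet>"));
  }
  public static void main(String[] args) throws Exception {
    String ok = "<tr><td><input type=\"password\" name=\"Password\" value=\"s3cret\"/></td></tr>";
    String html = "<tr><td><input type=password value=s3cret></td></tr>";  // constructed, not XHTML
    System.out.println(obfuscate(ok));
    try {
      obfuscate(html);
    } catch (org.xml.sax.SAXException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```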

GoogleCodeExporter commented 8 years ago

Original comment by mgron...@gmail.com on 4 Apr 2009 at 3:34