OO-4152: secure transformers, more getter / setters

src/main/java/de/bps/olat/portal/institution/InstitutionPortlet.java

@@ -20,6 +20,7 @@
 package de.bps.olat.portal.institution;
 
 import java.io.File;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
@@ -39,6 +40,7 @@ import org.olat.core.util.WebappHelper;
 import com.thoughtworks.xstream.XStream;
 import com.thoughtworks.xstream.io.naming.NoNameCoder;
 import com.thoughtworks.xstream.io.xml.XppDriver;
+import com.thoughtworks.xstream.security.ExplicitTypePermission;
 
 
 public class InstitutionPortlet extends AbstractPortlet {
@@ -121,9 +123,7 @@ public class InstitutionPortlet extends AbstractPortlet {
 		this.cssWrapperClass = cssWrapperClass;
 	}
 
-	/**
-	 * @see org.olat.gui.control.generic.portal.Portlet#disposeRunComponent(boolean)
-	 */
+	@Override
 	public void disposeRunComponent() {
 		if (runCtr != null) {
 			runCtr.dispose();
@@ -143,7 +143,7 @@ public class InstitutionPortlet extends AbstractPortlet {
 		InstitutionConfiguration configuration = (InstitutionConfiguration)xstream.fromXML(configurationFile);
 		
 		for(InstitutionPortletEntry institution: configuration.getInstitution()) {
-			String shortName = institution.shortname;
+			String shortName = institution.getShortname();
 			if (shortName == null) { 
 				throw new StartupException("Institution portlet startup: No shortname given for one entry!");
 			}
@@ -162,9 +162,19 @@ public class InstitutionPortlet extends AbstractPortlet {
 	public static InstitutionPortletEntry getInstitutionPortletEntry(String institution) {
 		return (InstitutionPortletEntry) institutions.get(institution);
 	}
+	
 		
 	public static XStream getInstitutionConfigXStream() {
 		XStream xstream = new XStream(new XppDriver(new NoNameCoder()));
+		
+		XStream.setupDefaultSecurity(xstream);
+		Class<?>[] types = new Class[] {
+				InstitutionConfiguration.class, Value.class, PolymorphLinkElement.class, PolymorphLink.class,
+				InstitutionPortletEntry.class, InstitutionPortletSupervisorEntry.class, InstitutionPortlet.class,
+				ArrayList.class
+		};
+		xstream.addPermission(new ExplicitTypePermission(types));
+		
 		xstream.alias("configuration", InstitutionConfiguration.class);
 		xstream.addImplicitCollection(InstitutionConfiguration.class, "institution", "institution", InstitutionPortletEntry.class);
 		xstream.alias("institution", InstitutionPortletEntry.class);
@@ -209,12 +219,12 @@ public class InstitutionPortlet extends AbstractPortlet {
  */
 class InstitutionPortletEntry {
 
-	public List<InstitutionPortletSupervisorEntry> supervisor;
-	public List<PolymorphLink> polymorphlink;
-	public Value logo;
-	public Value name;
-	public Value url;
-	public String shortname;
+	private List<InstitutionPortletSupervisorEntry> supervisor;
+	private List<PolymorphLink> polymorphlink;
+	private Value logo;
+	private Value name;
+	private Value url;
+	private String shortname;
 
 	/**
 	 * @param institutionName Name of the inst.
@@ -230,21 +240,21 @@ class InstitutionPortletEntry {
 	 * @return Returns the institutionLogo.
 	 */
 	public String getInstitutionLogo() {
-		return logo == null ? null : logo.value;
+		return logo == null ? null : logo.getValue();
 	}
 
 	/**
 	 * @return Returns the institutionName.
 	 */
 	public String getInstitutionName() {
-		return name == null ? null : name.value;
+		return name == null ? null : name.getValue();
 	}
 
 	/**
 	 * @return Returns the institutionUrl.
 	 */
 	public String getInstitutionUrl() {
-		return url == null ? null : url.value;
+		return url == null ? null : url.getValue();
 	}
 
 	/**
@@ -263,6 +273,54 @@ class InstitutionPortletEntry {
 		}
 		return polymorphlink;
 	}
+
+	public List<InstitutionPortletSupervisorEntry> getSupervisor() {
+		return supervisor;
+	}
+
+	public void setSupervisor(List<InstitutionPortletSupervisorEntry> supervisor) {
+		this.supervisor = supervisor;
+	}
+
+	public List<PolymorphLink> getPolymorphlink() {
+		return polymorphlink;
+	}
+
+	public void setPolymorphlink(List<PolymorphLink> polymorphlink) {
+		this.polymorphlink = polymorphlink;
+	}
+
+	public Value getLogo() {
+		return logo;
+	}
+
+	public void setLogo(Value logo) {
+		this.logo = logo;
+	}
+
+	public Value getName() {
+		return name;
+	}
+
+	public void setName(Value name) {
+		this.name = name;
+	}
+
+	public Value getUrl() {
+		return url;
+	}
+
+	public void setUrl(Value url) {
+		this.url = url;
+	}
+
+	public String getShortname() {
+		return shortname;
+	}
+
+	public void setShortname(String shortname) {
+		this.shortname = shortname;
+	}
 }
 
 /**
@@ -275,11 +333,11 @@ class InstitutionPortletEntry {
  * @author Lars Eberle (<a href="http://www.bps-system.de/">BPS Bildungsportal Sachsen GmbH</a>)
  */
 class InstitutionPortletSupervisorEntry {
-	public Value phone;
-	public Value email;
-	public Value person;
-	public Value url;
-	public Value blog;
+	private Value phone;
+	private Value email;
+	private Value person;
+	private Value url;
+	private Value blog;
 
 	/**
 	 * @param supervisorName The supervisors name. 
@@ -293,37 +351,77 @@ class InstitutionPortletSupervisorEntry {
 	}
 	
 	public String getSupervisorBlog() {
-		return blog == null ? null : blog.value;
+		return blog == null ? null : blog.getValue();
 	}
 
 	/**
 	 * @return Returns the supervisorMail.
 	 */
 	public String getSupervisorMail() {
-		return email == null ? null : email.value;
+		return email == null ? null : email.getValue();
 	}
 
 	/**
 	 * @return Returns the supervisorPhone.
 	 */
 	public String getSupervisorPhone() {
-		return phone == null ? null : phone.value;
+		return phone == null ? null : phone.getValue();
 	}
 
 	public String getSupervisorPerson() {
-		return person == null ? null : person.value;
+		return person == null ? null : person.getValue();
 	}
 
 	public String getSupervisorURL() {
-		return url == null ? null : url.value;
+		return url == null ? null : url.getValue();
+	}
+
+	public Value getPhone() {
+		return phone;
+	}
+
+	public void setPhone(Value phone) {
+		this.phone = phone;
+	}
+
+	public Value getEmail() {
+		return email;
+	}
+
+	public void setEmail(Value email) {
+		this.email = email;
+	}
+
+	public Value getPerson() {
+		return person;
+	}
+
+	public void setPerson(Value person) {
+		this.person = person;
+	}
+
+	public Value getUrl() {
+		return url;
+	}
+
+	public void setUrl(Value url) {
+		this.url = url;
+	}
+
+	public Value getBlog() {
+		return blog;
+	}
+
+	public void setBlog(Value blog) {
+		this.blog = blog;
 	}
 }
 
 class PolymorphLink {
-	public String defaultId;
-	public String linkType;
-	public String linkText;
-	public List<PolymorphLinkElement> element;
+	private String defaultId;
+	private String linkType;
+	private String linkText;
+	private List<PolymorphLinkElement> element;
 
 	protected String getDefaultLink() {
 		return this.defaultId;
@@ -368,12 +466,36 @@ class PolymorphLink {
 	}
 	
 	protected boolean hasConditions() {
-		return (element != null && element.size() > 0);
+		return (element != null && !element.isEmpty());
 	}
 
 	protected String getLinkText() {
 		return linkText;
 	}
+
+	public String getDefaultId() {
+		return defaultId;
+	}
+
+	public void setDefaultId(String defaultId) {
+		this.defaultId = defaultId;
+	}
+
+	public List<PolymorphLinkElement> getElement() {
+		return element;
+	}
+
+	public void setElement(List<PolymorphLinkElement> element) {
+		this.element = element;
+	}
+
+	public void setLinkType(String linkType) {
+		this.linkType = linkType;
+	}
+
+	public void setLinkText(String linkText) {
+		this.linkText = linkText;
+	}
 }
 
 class PolymorphLinkElement {
@@ -381,16 +503,16 @@ class PolymorphLinkElement {
 	protected static final String STARTS_WITH = "starts_with";
 	protected static final String CONTAINS = "contains";
 
-	public String id;
-	public String cond;
-	public String value;
-	public String attribute;
+	private String id;
+	private String cond;
+	private String value;
+	private String attribute;
 
 	public PolymorphLinkElement() {
 		//
 	}
 
-	protected int getAttrib() {
+	public int getAttrib() {
 		if ("orgunit".equals(attribute)) {
 			return 0;
 		} else if ("studysubject".equals(attribute)) {
@@ -399,11 +521,15 @@ class PolymorphLinkElement {
 		return -1;
 	}
 
-	protected String getValue() {
+	public String getValue() {
 		return value;
 	}
+	
+	public void setValue(String value) {
+		this.value = value;
+	}
 
-	protected int getCondition() {
+	public int getCondition() {
 		if (STARTS_WITH.equals(cond)) {
 			return 0;
 		} else if (EQUALS.equals(cond)) {
@@ -414,13 +540,33 @@ class PolymorphLinkElement {
 		return -1;
 	}
 
-	protected String getId() {
+	public String getId() {
 		return id;
 	}
+
+	public void setId(String id) {
+		this.id = id;
+	}
+
+	public String getCond() {
+		return cond;
+	}
+
+	public void setCond(String cond) {
+		this.cond = cond;
+	}
+
+	public String getAttribute() {
+		return attribute;
+	}
+
+	public void setAttribute(String attribute) {
+		this.attribute = attribute;
+	}
 }
 
 class Value {
-	public String value;
+	private String value;
 
 	public String getValue() {
 		return value;
@@ -437,7 +583,7 @@ class Value {
 }
 
 class InstitutionConfiguration {
-	public List<InstitutionPortletEntry> institution;
+	private List<InstitutionPortletEntry> institution;
 	
 	public List<InstitutionPortletEntry> getInstitution() {
 		if(institution == null) {
@@ -445,4 +591,8 @@ class InstitutionConfiguration {
 		}
 		return institution;
 	}
+
+	public void setInstitution(List<InstitutionPortletEntry> institution) {
+		this.institution = institution;
+	}
 }

src/main/java/org/olat/commons/coordinate/cluster/jms/ClusterAdminControllerCluster.java

@@ -31,10 +31,6 @@ import java.util.Date;
 import java.util.List;
 import java.util.Map;
 
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
 import org.olat.admin.user.UserSearchController;
 import org.olat.basesecurity.events.SingleIdentityChosenEvent;
 import org.olat.commons.coordinate.cluster.ClusterCoordinator;
@@ -45,7 +41,6 @@ import org.olat.core.gui.components.Component;
 import org.olat.core.gui.components.htmlheader.jscss.JSAndCSSComponent;
 import org.olat.core.gui.components.link.Link;
 import org.olat.core.gui.components.link.LinkFactory;
-import org.olat.core.gui.components.panel.OncePanel;
 import org.olat.core.gui.components.panel.Panel;
 import org.olat.core.gui.components.velocity.VelocityContainer;
 import org.olat.core.gui.control.Controller;
@@ -55,7 +50,6 @@ import org.olat.core.gui.control.controller.BasicController;
 import org.olat.core.id.Identity;
 import org.olat.core.id.OLATResourceable;
 import org.olat.core.util.Formatter;
-import org.olat.core.util.WebappHelper;
 import org.olat.core.util.cache.CacheWrapper;
 import org.olat.core.util.coordinate.Coordinator;
 import org.olat.core.util.coordinate.CoordinatorManager;
@@ -272,6 +266,7 @@ public class ClusterAdminControllerCluster extends BasicController {
 			long start = System.nanoTime();
 			for (int i = 0; i < cnt; i++) {
 				CoordinatorManager.getInstance().getCoordinator().getSyncer().doInSync(ORES_TEST, new SyncerExecutor(){
+					@Override
 					public void execute() {
 						// empty
 					}});
@@ -287,35 +282,6 @@ public class ClusterAdminControllerCluster extends BasicController {
 			usc = new UserSearchController(ureq, getWindowControl(), true);
 			listenTo(usc);
 			getWindowControl().pushAsModalDialog(usc.getInitialComponent());
-		} else if ((source == nodeInfoVc) && (event.getCommand().equals("switchToNode"))) {
-			String nodeIdStr = ureq.getHttpReq().getParameter("nodeId");
-			if (nodeIdStr.length()==1) {
-				nodeIdStr = "0"+nodeIdStr;
-			}
-			Cookie[] cookies = ureq.getHttpReq().getCookies();
-			for (int i = 0; i < cookies.length; i++) {
-				Cookie cookie = cookies[i];
-				if ("JSESSIONID".equals(cookie.getName())) {
-					String redirectedButInvalidSessionId = cookie.getValue();
-					redirectedButInvalidSessionId = redirectedButInvalidSessionId.substring(0, redirectedButInvalidSessionId.length()-2) + nodeIdStr;
-					logInfo("redirecting session to node "+nodeIdStr+", new sessionid="+redirectedButInvalidSessionId);
-					cookie.setValue(redirectedButInvalidSessionId);
-					replaceCookie(ureq.getHttpReq(), ureq.getHttpResp(), cookie);
-
-					// OLAT-5165: make sure we can always bypass the dmz reject mechanism (for 5min that is)
-					Cookie newCookie = new Cookie("bypassdmzreject", String.valueOf(System.currentTimeMillis()));
-					newCookie.setMaxAge(5 * 60); // 5min lifetime
-					newCookie.setPath(WebappHelper.getServletContextPath());
-					newCookie.setSecure(ureq.getHttpReq().isSecure());
-					newCookie.setComment("cookie allowing olat admin users to bypass dmz rejects");
-					ureq.getHttpResp().addCookie(newCookie);
-
-					OncePanel oncePanel = new OncePanel("refresh");
-					oncePanel.setContent(createVelocityContainer("refresh"));
-					mainVc.put("refresh", oncePanel);
-					break;
-				}
-			}
 		} else if (source == toggleStartStop) {
 			clusBus.resetStats();
 			updatePerfInfos();
@@ -324,12 +290,8 @@ public class ClusterAdminControllerCluster extends BasicController {
 			updatePerfInfos();
 		}
 	}
-
-  private void replaceCookie(HttpServletRequest request, HttpServletResponse response, Cookie cookie) {
-  	// for a generalized version of this, use org/apache/tomcat/util/http/ServerCookie.java
-  	response.setHeader("Set-Cookie", cookie.getName()+"="+cookie.getValue()+"; Path="+request.getContextPath()+(request.isSecure()?"":"; Secure"));
-  }
   
+	@Override
 	public void event(UserRequest ureq, Controller source, Event event) {
 		if (source == usc) {
 			getWindowControl().pop();
@@ -343,7 +305,7 @@ public class ClusterAdminControllerCluster extends BasicController {
 		}
 	}
 	
-	void sleep (int milis) {
+	private void sleep (int milis) {
 		try {
 			Thread.sleep(milis);
 		} catch (InterruptedException e) {
@@ -351,7 +313,7 @@ public class ClusterAdminControllerCluster extends BasicController {
 		}
 	}
 	
-	void updateCacheInfo() {
+	private void updateCacheInfo() {
 		CacheWrapper<String,String> cw = CoordinatorManager.getInstance().getCoordinator().getCacher().getCache(this.getClass().getSimpleName(), "cachetest");
 		Object val = cw.get("akey");
 		cachetest.contextPut("cacheval", val==null? "-null-": val);

src/main/java/org/olat/commons/coordinate/cluster/jms/_content/nodeinfos.html

@@ -6,19 +6,12 @@
 #else
 	<legend>Node: $stat.nodeId</legend>
 #end
-	
 	<table class="table table-condensed table-striped">
 		<tr>
 			<td>Startup:</td><td>$!stat.config.startupTime</td>
 			<td>Messages received: </td><td>$stat.numOfReceivedMessages</td>
 			<td>Latest received Id: </td><td>$stat.latestReceivedMsgId</td>
 			<td>Count of missed messages: </td><td>$stat.numOfMissedMsgs</td>
-
-#if ($thisNodeId==$stat.nodeId)
-			<td>$r.translate("you.are.on.this.node")</td>
-#else
-			<td class="text-left"><a $r.hrefAndOnclick("switchToNode",false,false,"nodeId",$stat.nodeId)>$r.translate("switch.to.node")</a></td>
-#end
 		</tr>
 	</table>
 </fieldset>

src/main/java/org/olat/core/util/openxml/OpenXMLUtils.java

@@ -36,15 +36,14 @@ import javax.xml.stream.XMLStreamWriter;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Result;
 import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.TransformerFactoryConfigurationError;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
 
-import org.olat.core.commons.services.image.Size;
 import org.apache.logging.log4j.Logger;
+import org.olat.core.commons.services.image.Size;
 import org.olat.core.logging.Tracing;
 import org.olat.core.util.StringHelper;
 import org.olat.core.util.io.ShieldOutputStream;
@@ -172,13 +171,7 @@ public class OpenXMLUtils {
 			DocumentBuilder builder = factory.newDocumentBuilder();
 			Document doc = builder.parse(in);
 			return doc;
-		} catch (ParserConfigurationException e) {
-			log.error("", e);
-			return null;
-		} catch (IOException e) {
-			log.error("", e);
-			return null;
-		} catch (SAXException e) {
+		} catch (ParserConfigurationException | IOException | SAXException e) {
 			log.error("", e);
 			return null;
 		}
@@ -194,13 +187,7 @@ public class OpenXMLUtils {
 			DocumentBuilder builder = factory.newDocumentBuilder();
 			Document doc = builder.parse(new InputSource(new StringReader(in)));
 			return doc;
-		} catch (ParserConfigurationException e) {
-			log.error("", e);
-			return null;
-		} catch (IOException e) {
-			log.error("", e);
-			return null;
-		} catch (SAXException e) {
+		} catch (ParserConfigurationException | IOException | SAXException e) {
 			log.error("", e);
 			return null;
 		}
@@ -210,6 +197,7 @@ public class OpenXMLUtils {
 		try {
 			// Use a Transformer for output
 			TransformerFactory tFactory = TransformerFactory.newInstance();
+			tFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 			Transformer transformer = tFactory.newTransformer();
 			if(indent) {
 				transformer.setOutputProperty(OutputKeys.INDENT, "yes");
@@ -219,13 +207,8 @@ public class OpenXMLUtils {
 			DOMSource source = new DOMSource(document);
 			Result result = new StreamResult(out);
 			transformer.transform(source, result);
-		} catch (TransformerConfigurationException e) {
-			log.error("", e);
-		} catch (TransformerFactoryConfigurationError e) {
-			log.error("", e);
-		} catch (TransformerException e) {
+		} catch (TransformerFactoryConfigurationError | TransformerException e) {
 			log.error("", e);
 		}
 	}
-
 }

src/main/java/org/olat/group/area/BGAreaManagerImpl.java

@@ -151,7 +151,7 @@ public class BGAreaManagerImpl implements BGAreaManager {
 	@Override
 	public void addBGToBGArea(BusinessGroup group, BGArea area) {
 		BGtoAreaRelation bgAreaRel = new BGtoAreaRelationImpl(area, group);
-		dbInstance.saveObject(bgAreaRel);
+		dbInstance.getCurrentEntityManager().persist(bgAreaRel);
 	}
 
 	@Override
@@ -300,9 +300,6 @@ public class BGAreaManagerImpl implements BGAreaManager {
 		return count.intValue();
 	}
 
-	/**
-	 * @see org.olat.group.area.BGAreaManager#findBGAreasOfBGContext(org.olat.group.context.BGContext)
-	 */
 	@Override
 	public List<BGArea> findBGAreasInContext(OLATResource resource) {
 		StringBuilder sb = new StringBuilder();

src/main/java/org/olat/group/manager/BusinessGroupImportExport.java

@@ -21,7 +21,6 @@ package org.olat.group.manager;
 
 import java.io.File;
 import java.io.FileOutputStream;
-import java.io.IOException;
 import java.lang.reflect.Field;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -36,7 +35,6 @@ import org.olat.core.commons.persistence.DB;
 import org.olat.core.logging.AssertException;
 import org.olat.core.logging.OLATRuntimeException;
 import org.olat.core.logging.Tracing;
-import org.olat.core.util.FileUtils;
 import org.olat.core.util.StringHelper;
 import org.olat.group.BusinessGroup;
 import org.olat.group.BusinessGroupModule;
@@ -57,7 +55,7 @@ public class BusinessGroupImportExport {
 	
 	private static final Logger log = Tracing.createLoggerFor(BusinessGroupImportExport.class);
 
-	private final GroupXStream xstream = new GroupXStream();
+	private static final GroupXStream xstream = new GroupXStream();
 
 	private final DB dbInstance;
 	private final BGAreaManager areaManager;
@@ -83,9 +81,9 @@ public class BusinessGroupImportExport {
 		root.getAreas().setGroups(new ArrayList<Area>());
 		for (BGArea area : areas) {
 			Area newArea = new Area();
-			newArea.key = area.getKey();
-			newArea.name = area.getName();
-			newArea.description = Collections.singletonList(area.getDescription());
+			newArea.setKey(area.getKey());
+			newArea.setName(area.getName());
+			newArea.setDescription(Collections.singletonList(area.getDescription()));
 			root.getAreas().getGroups().add(newArea);
 		}
 
@@ -102,22 +100,22 @@ public class BusinessGroupImportExport {
 	
 	private Group exportGroup(File fExportFile, BusinessGroup group, String groupName, boolean runtimeDatas) {
 		Group newGroup = new Group();
-		newGroup.key = group.getKey();
-		newGroup.name = StringHelper.containsNonWhitespace(groupName) ? groupName : group.getName();
+		newGroup.setKey(group.getKey());
+		newGroup.setName(StringHelper.containsNonWhitespace(groupName) ? groupName : group.getName());
 		if (group.getMinParticipants() != null) {
-			newGroup.minParticipants = group.getMinParticipants();
+			newGroup.setMinParticipants(group.getMinParticipants());
 		}
 		if (group.getMaxParticipants() != null) {
-			newGroup.maxParticipants = group.getMaxParticipants();
+			newGroup.setMaxParticipants(group.getMaxParticipants());
 		}
 		if (group.getWaitingListEnabled() != null) {
-			newGroup.waitingList = group.getWaitingListEnabled();
+			newGroup.setWaitingList(group.getWaitingListEnabled());
 		}
 		if (group.getAutoCloseRanksEnabled() != null) {
-			newGroup.autoCloseRanks = group.getAutoCloseRanksEnabled();
+			newGroup.setAutoCloseRanks(group.getAutoCloseRanksEnabled());
 		}
 		if(StringHelper.containsNonWhitespace(group.getDescription())) {
-			newGroup.description = Collections.singletonList(group.getDescription());
+			newGroup.setDescription(Collections.singletonList(group.getDescription()));
 		}
 		// collab tools
 
@@ -134,20 +132,19 @@ public class BusinessGroupImportExport {
 				log.error("", e);
 			}
 		}
-		newGroup.tools = toolsConfig;
+		newGroup.setTools(toolsConfig);
 
 		Long calendarAccess = ct.lookupCalendarAccess();
 		if (calendarAccess != null) {
-			newGroup.calendarAccess = calendarAccess;
+			newGroup.setCalendarAccess(calendarAccess);
 		}
-		//fxdiff VCRP-8: collaboration tools folder access control
 		Long folderAccess = ct.lookupFolderAccess();
 		if(folderAccess != null) {
-			newGroup.folderAccess = folderAccess;
+			newGroup.setFolderAccess(folderAccess);
 		}
 		String info = ct.lookupNews();
 		if (info != null && !info.trim().equals("")) {
-			newGroup.info = info.trim();
+			newGroup.setInfo(info.trim());
 		}
 
 		log.debug("fExportFile.getParent()=" + fExportFile.getParent());
@@ -156,36 +153,27 @@ public class BusinessGroupImportExport {
 		}
 		// export membership
 		List<BGArea> bgAreas = areaManager.findBGAreasOfBusinessGroup(group);
-		newGroup.areaRelations = new ArrayList<String>();
+		newGroup.setAreaRelations(new ArrayList<String>());
 		for (BGArea areaRelation : bgAreas) {
-			newGroup.areaRelations.add(areaRelation.getName());
+			newGroup.getAreaRelations().add(areaRelation.getName());
 		}
 		// export properties
 		boolean showOwners = group.isOwnersVisibleIntern();
 		boolean showParticipants = group.isParticipantsVisibleIntern();
 		boolean showWaitingList = group.isWaitingListVisibleIntern();
 
-		newGroup.showOwners = showOwners;
-		newGroup.showParticipants = showParticipants;
-		newGroup.showWaitingList = showWaitingList;
+		newGroup.setShowOwners(showOwners);
+		newGroup.setShowParticipants(showParticipants);
+		newGroup.setShowWaitingList(showWaitingList);
 		return newGroup;
 	}
 	
 	private void saveGroupConfiguration(File fExportFile, OLATGroupExport root) {
-		FileOutputStream fOut = null;
-		try {
-			fOut = new FileOutputStream(fExportFile);
+		try(FileOutputStream fOut = new FileOutputStream(fExportFile)) {
 			xstream.toXML(root, fOut);
-		} catch (IOException ioe) {
-			throw new OLATRuntimeException(
-					"Error writing group configuration during group export.",
-					ioe);
 		} catch (Exception cfe) {
-			throw new OLATRuntimeException(
-					"Error writing group configuration during group export.",
-					cfe);
-		} finally {
-			FileUtils.closeSafely(fOut);
+			log.error("", cfe);
+			throw new OLATRuntimeException("Error writing group configuration during group export.", cfe);
 		}
 	}
 
@@ -213,11 +201,11 @@ public class BusinessGroupImportExport {
 		int dbCount = 0;
 		if (groupConfig.getAreas() != null && groupConfig.getAreas().getGroups() != null) {
 			for (Area area : groupConfig.getAreas().getGroups()) {
-				String areaName = area.name;
-				String areaDesc = (area.description != null && !area.description.isEmpty()) ? area.description.get(0) : "";
+				String areaName = area.getName();
+				String areaDesc = (area.getDescription() != null && !area.getDescription().isEmpty()) ? area.getDescription().get(0) : "";
 				BGArea newArea = areaManager.createAndPersistBGArea(areaName, areaDesc, re.getOlatResource());
 				if(areaSet.add(newArea)) {
-					env.getAreas().add(new BGAreaReference(newArea, area.key, area.name));
+					env.getAreas().add(new BGAreaReference(newArea, area.getKey(), area.getName()));
 				}
 				
 				if(dbCount++ % 25 == 0) {
@@ -230,47 +218,49 @@ public class BusinessGroupImportExport {
 		if (groupConfig.getGroups() != null && groupConfig.getGroups().getGroups() != null) {
 			for (Group group : groupConfig.getGroups().getGroups()) {
 				// create group
-				String groupName = group.name;
-				String groupDesc = (group.description != null && !group.description.isEmpty()) ? group.description.get(0) : "";
+				String groupName = group.getName();
+				String groupDesc = (group.getDescription() != null && !group.getDescription().isEmpty()) ? group.getDescription().get(0) : "";
 
 				// get min/max participants
-				int groupMinParticipants = group.minParticipants == null ? -1 : group.minParticipants.intValue();
-				int groupMaxParticipants = group.maxParticipants == null ? -1 : group.maxParticipants.intValue();
+				int groupMinParticipants = group.getMinParticipants() == null ? -1 : group.getMinParticipants().intValue();
+				int groupMaxParticipants = group.getMaxParticipants() == null ? -1 : group.getMaxParticipants().intValue();
 
 				// waiting list configuration
 				boolean waitingList = false;
-				if (group.waitingList != null) {
-					waitingList = group.waitingList.booleanValue();
+				if (group.getWaitingList() != null) {
+					waitingList = group.getWaitingList().booleanValue();
 				}
 				boolean enableAutoCloseRanks = false;
-				if (group.autoCloseRanks != null) {
-					enableAutoCloseRanks = group.autoCloseRanks.booleanValue();
+				if (group.getAutoCloseRanks() != null) {
+					enableAutoCloseRanks = group.getAutoCloseRanks().booleanValue();
 				}
 				
 				// get properties
 				boolean showOwners = true;
 				boolean showParticipants = true;
 				boolean showWaitingList = true;
-				if (group.showOwners != null) {
-					showOwners = group.showOwners;
+				if (group.getShowOwners() != null) {
+					showOwners = group.getShowOwners().booleanValue();
 				}
-				if (group.showParticipants != null) {
-					showParticipants = group.showParticipants;
+				if (group.getShowParticipants() != null) {
+					showParticipants = group.getShowParticipants().booleanValue();
 				}
-				if (group.showWaitingList != null) {
-					showWaitingList = group.showWaitingList;
+				if (group.getShowWaitingList() != null) {
+					showWaitingList = group.getShowWaitingList().booleanValue();
 				}
 				
 				BusinessGroup newGroup = businessGroupService.createBusinessGroup(null, groupName, groupDesc, groupMinParticipants, groupMaxParticipants, waitingList, enableAutoCloseRanks, re);
+				dbInstance.commit();
 				//map the group
-				env.getGroups().add(new BusinessGroupReference(newGroup, group.key, group.name));
+				env.getGroups().add(new BusinessGroupReference(newGroup, group.getKey(), group.getName()));
 				// get tools config
 				String[] availableTools = CollaborationToolsFactory.getInstance().getAvailableTools().clone();
-				CollabTools toolsConfig = group.tools;
+				CollabTools toolsConfig = group.getTools();
 				CollaborationTools ct = CollaborationToolsFactory.getInstance().getOrCreateCollaborationTools(newGroup);
 				for (int i = 0; i < availableTools.length; i++) {
 					try {
-						Field field = toolsConfig.getClass().getField(availableTools[i]);
+						Field field = toolsConfig.getClass().getDeclaredField(availableTools[i]);
+						field.setAccessible(true);
 						Boolean val = field.getBoolean(toolsConfig);
 						if (val != null) {
 							ct.setToolEnabled(availableTools[i], val);
@@ -281,19 +271,19 @@ public class BusinessGroupImportExport {
 						log.error("", e);
 					}
 				}
-				if (group.calendarAccess != null) {
-					Long calendarAccess = group.calendarAccess;
+				if (group.getCalendarAccess() != null) {
+					Long calendarAccess = group.getCalendarAccess();
 					ct.saveCalendarAccess(calendarAccess);
 				}
-				if(group.folderAccess != null) {
-				  ct.saveFolderAccess(group.folderAccess);				  
+				if(group.getFolderAccess() != null) {
+				  ct.saveFolderAccess(group.getFolderAccess());				  
 				}
-				if (group.info != null) {
-					ct.saveNews(group.info);
+				if (group.getInfo() != null) {
+					ct.saveNews(group.getInfo());
 				}
 
 				// get memberships
-				List<String> memberships = group.areaRelations;
+				List<String> memberships = group.getAreaRelations();
 				if(memberships != null && memberships.size() > 0) {
 					Set<String> uniqueMemberships = new HashSet<>(memberships);
 					for (String membership : uniqueMemberships) {
@@ -311,6 +301,8 @@ public class BusinessGroupImportExport {
 			
 				if(dbCount++ % 3 == 0) {
 					dbInstance.commitAndCloseSession();
+				} else {
+					dbInstance.commit();
 				}
 			}
 		}

src/main/java/org/olat/group/manager/GroupXStream.java

@@ -28,6 +28,7 @@ import java.util.List;
 import org.olat.core.util.xml.XStreamHelper;
 
 import com.thoughtworks.xstream.XStream;
+import com.thoughtworks.xstream.security.ExplicitTypePermission;
 
 /**
  * 
@@ -45,6 +46,14 @@ public class GroupXStream {
 	
 	public GroupXStream() {
 		xstream = XStreamHelper.createXStreamInstance();
+		
+		XStream.setupDefaultSecurity(xstream);
+		Class<?>[] types = new Class[] {
+				CollabTools.class, Group.class, Area.class, AreaCollection.class, GroupCollection.class,
+				OLATGroupExport.class, ArrayList.class
+		};
+		xstream.addPermission(new ExplicitTypePermission(types));
+		
 		xstream.alias("OLATGroupExport", OLATGroupExport.class);
 		xstream.alias("AreaCollection", AreaCollection.class);
 		xstream.alias("GroupCollection", GroupCollection.class);
@@ -153,36 +162,244 @@ class GroupCollection {
 }
 
 class Area {
-	public Long key;
-	public String name;
-	public List<String> description;
+	private Long key;
+	private String name;
+	private List<String> description;
+	
+	public Long getKey() {
+		return key;
+	}
+	
+	public void setKey(Long key) {
+		this.key = key;
+	}
+	
+	public String getName() {
+		return name;
+	}
+	
+	public void setName(String name) {
+		this.name = name;
+	}
+	
+	public List<String> getDescription() {
+		return description;
+	}
+	
+	public void setDescription(List<String> description) {
+		this.description = description;
+	}
 }
 
 class Group {
-	public Long key;
-	public String name;
-	public Integer minParticipants;
-	public Integer maxParticipants;
-	public Boolean waitingList;
-	public Boolean autoCloseRanks;
-	public Boolean showOwners;
-	public Boolean showParticipants;
-	public Boolean showWaitingList;
-	public List<String> description;
-	public CollabTools tools;
-	public List<String> areaRelations;
-	public Long calendarAccess;
-	public String info;
-	public Long folderAccess;
+	private Long key;
+	private String name;
+	private Integer minParticipants;
+	private Integer maxParticipants;
+	private Boolean waitingList;
+	private Boolean autoCloseRanks;
+	private Boolean showOwners;
+	private Boolean showParticipants;
+	private Boolean showWaitingList;
+	private List<String> description;
+	private CollabTools tools;
+	private List<String> areaRelations;
+	private Long calendarAccess;
+	private String info;
+	private Long folderAccess;
+	
+	public Long getKey() {
+		return key;
+	}
+	
+	public void setKey(Long key) {
+		this.key = key;
+	}
+	
+	public String getName() {
+		return name;
+	}
+	
+	public void setName(String name) {
+		this.name = name;
+	}
+	
+	public Integer getMinParticipants() {
+		return minParticipants;
+	}
+	
+	public void setMinParticipants(Integer minParticipants) {
+		this.minParticipants = minParticipants;
+	}
+	
+	public Integer getMaxParticipants() {
+		return maxParticipants;
+	}
+	
+	public void setMaxParticipants(Integer maxParticipants) {
+		this.maxParticipants = maxParticipants;
+	}
+	
+	public Boolean getWaitingList() {
+		return waitingList;
+	}
+	
+	public void setWaitingList(Boolean waitingList) {
+		this.waitingList = waitingList;
+	}
+	
+	public Boolean getAutoCloseRanks() {
+		return autoCloseRanks;
+	}
+	
+	public void setAutoCloseRanks(Boolean autoCloseRanks) {
+		this.autoCloseRanks = autoCloseRanks;
+	}
+	
+	public Boolean getShowOwners() {
+		return showOwners;
+	}
+	
+	public void setShowOwners(Boolean showOwners) {
+		this.showOwners = showOwners;
+	}
+	
+	public Boolean getShowParticipants() {
+		return showParticipants;
+	}
+	
+	public void setShowParticipants(Boolean showParticipants) {
+		this.showParticipants = showParticipants;
+	}
+	
+	public Boolean getShowWaitingList() {
+		return showWaitingList;
+	}
+	
+	public void setShowWaitingList(Boolean showWaitingList) {
+		this.showWaitingList = showWaitingList;
+	}
+	
+	public List<String> getDescription() {
+		return description;
+	}
+	
+	public void setDescription(List<String> description) {
+		this.description = description;
+	}
+	
+	public CollabTools getTools() {
+		return tools;
+	}
+	
+	public void setTools(CollabTools tools) {
+		this.tools = tools;
+	}
+	
+	public List<String> getAreaRelations() {
+		return areaRelations;
+	}
+	
+	public void setAreaRelations(List<String> areaRelations) {
+		this.areaRelations = areaRelations;
+	}
+	
+	public Long getCalendarAccess() {
+		return calendarAccess;
+	}
+	
+	public void setCalendarAccess(Long calendarAccess) {
+		this.calendarAccess = calendarAccess;
+	}
+	
+	public String getInfo() {
+		return info;
+	}
+	
+	public void setInfo(String info) {
+		this.info = info;
+	}
+	
+	public Long getFolderAccess() {
+		return folderAccess;
+	}
+	
+	public void setFolderAccess(Long folderAccess) {
+		this.folderAccess = folderAccess;
+	}
 }
 
 class CollabTools {
-	public boolean hasNews;
-	public boolean hasContactForm;
-	public boolean hasCalendar;
-	public boolean hasFolder;
-	public boolean hasForum;
-	public boolean hasChat;
-	public boolean hasWiki;
-	public boolean hasPortfolio;
+	private boolean hasNews;
+	private boolean hasContactForm;
+	private boolean hasCalendar;
+	private boolean hasFolder;
+	private boolean hasForum;
+	private boolean hasChat;
+	private boolean hasWiki;
+	private boolean hasPortfolio;
+	
+	public boolean isHasNews() {
+		return hasNews;
+	}
+	
+	public void setHasNews(boolean hasNews) {
+		this.hasNews = hasNews;
+	}
+	
+	public boolean isHasContactForm() {
+		return hasContactForm;
+	}
+	
+	public void setHasContactForm(boolean hasContactForm) {
+		this.hasContactForm = hasContactForm;
+	}
+	
+	public boolean isHasCalendar() {
+		return hasCalendar;
+	}
+	
+	public void setHasCalendar(boolean hasCalendar) {
+		this.hasCalendar = hasCalendar;
+	}
+	
+	public boolean isHasFolder() {
+		return hasFolder;
+	}
+	
+	public void setHasFolder(boolean hasFolder) {
+		this.hasFolder = hasFolder;
+	}
+	
+	public boolean isHasForum() {
+		return hasForum;
+	}
+	
+	public void setHasForum(boolean hasForum) {
+		this.hasForum = hasForum;
+	}
+	
+	public boolean isHasChat() {
+		return hasChat;
+	}
+	
+	public void setHasChat(boolean hasChat) {
+		this.hasChat = hasChat;
+	}
+	
+	public boolean isHasWiki() {
+		return hasWiki;
+	}
+	
+	public void setHasWiki(boolean hasWiki) {
+		this.hasWiki = hasWiki;
+	}
+	
+	public boolean isHasPortfolio() {
+		return hasPortfolio;
+	}
+	
+	public void setHasPortfolio(boolean hasPortfolio) {
+		this.hasPortfolio = hasPortfolio;
+	}
 }
\ No newline at end of file

src/main/java/org/olat/ims/qti/render/LocalizedXSLTransformer.java

@@ -206,9 +206,16 @@ public class LocalizedXSLTransformer {
 		TransformerFactory tfactory = null;
 		try {
 			tfactory = TransformerFactory.newInstance("com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl", null);
-		} catch (TransformerFactoryConfigurationError e) {
+			tfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+
+		} catch (TransformerFactoryConfigurationError | TransformerConfigurationException e) {
 			log.error("", e);
-			tfactory = TransformerFactory.newInstance();
+			try {
+				tfactory = TransformerFactory.newInstance();
+				tfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+			} catch (TransformerConfigurationException | TransformerFactoryConfigurationError e1) {
+				log.error("", e);
+			}
 		}
 		return tfactory;
 	}

src/main/java/org/olat/ims/qti21/ui/components/AssessmentTestComponentRenderer.java

@@ -29,6 +29,7 @@ import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
 
+import javax.xml.XMLConstants;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
@@ -820,6 +821,7 @@ public class AssessmentTestComponentRenderer extends AssessmentObjectComponentRe
 	public static void printDocument(Element doc, OutputStream out) {
 		try {
 			TransformerFactory tf = TransformerFactory.newInstance();
+			tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 			Transformer transformer = tf.newTransformer();
 			transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "no");
 			transformer.setOutputProperty(OutputKeys.METHOD, "xml");

src/main/java/org/olat/restapi/system/ProcSamplerJob.java

@@ -134,6 +134,7 @@ public class ProcSamplerJob extends QuartzJobBean {
 		// Use a Transformer for output
 		try(OutputStream out = new FileOutputStream(xmlFile)) {
 			TransformerFactory tFactory = TransformerFactory.newInstance();
+			tFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 			Transformer transformer = tFactory.newTransformer();
 			transformer.setOutputProperty(OutputKeys.INDENT, "yes");
 			transformer.transform(new DOMSource(doc), new StreamResult(out));

src/main/java/org/olat/shibboleth/ShibbolethAuthenticationController.java

@@ -194,6 +194,7 @@ public class ShibbolethAuthenticationController extends AuthenticationController
 		Cookie cookie = null;
 		try {
 			cookie = new Cookie(IDP_HOMESITE_COOKIE, URLEncoder.encode(homeSite, "utf-8"));
+			cookie.setHttpOnly(true);
 		} catch (UnsupportedEncodingException e) {/* utf-8 is always present */}
 		cookie.setMaxAge(100 * 24 * 60 * 60); // 100 days lifetime
 		cookie.setPath(WebappHelper.getServletContextPath());

src/test/java/de/bps/olat/portal/institution/InstitutionPortletTest.java

@@ -48,8 +48,8 @@ public class InstitutionPortletTest {
 		InputStream input = InstitutionPortletTest.class.getResourceAsStream("olat_portals_institution.xml");
 		InstitutionConfiguration obj = (InstitutionConfiguration)xstream.fromXML(input);
 
-		assertEquals("Test-Uni", obj.institution.get(0).shortname);
-		assertEquals("360448",  obj.institution.get(0).polymorphlink.get(0).defaultId);
+		assertEquals("Test-Uni", obj.getInstitution().get(0).getShortname());
+		assertEquals("360448",  obj.getInstitution().get(0).getPolymorphlink().get(0).getDefaultId());
 	}
 
 }

src/test/java/org/olat/group/manager/BusinessGroupImportExportXStreamTest.java

@@ -57,7 +57,7 @@ public class BusinessGroupImportExportXStreamTest {
 		assertNotNull(export.getGroups().getGroups());
 		assertEquals(2, export.getGroups().getGroups().size());
 		
-		assertEquals("Form Group 2", export.getGroups().getGroups().get(1).name);
+		assertEquals("Form Group 2", export.getGroups().getGroups().get(1).getName());
 		
 		String output = xstream.toXML(export);
 		assertNotNull(output);
@@ -75,7 +75,7 @@ public class BusinessGroupImportExportXStreamTest {
 		assertNotNull(export.getGroups().getGroups());
 		assertEquals(2, export.getGroups().getGroups().size());
 		
-		assertEquals("Test Right 2", export.getGroups().getGroups().get(1).name);
+		assertEquals("Test Right 2", export.getGroups().getGroups().get(1).getName());
 		
 		String output = xstream.toXML(export);
 		assertNotNull(output);