Add minor improvements #14164

Open
O-sura wants to merge 2 commits into wso2:master from O-sura:master

Conversation

O-sura (Contributor) commented Apr 20, 2026

  • This PR adds some minor improvements to the validation logic

coderabbitai Bot (Contributor) commented Apr 20, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0419c170-84c5-465b-a39a-30fab46b2fac

📥 Commits

Reviewing files that changed from the base of the PR and between 0c97d72 and 45a1878.

📒 Files selected for processing (6)
  • all-in-one-apim/modules/distribution/product/src/main/extensions/password-recovery.jsp
  • all-in-one-apim/modules/distribution/product/src/main/extensions/self-registration-username-request.jsp
  • all-in-one-apim/modules/distribution/product/src/main/extensions/self-registration-with-verification.jsp
  • api-control-plane/modules/distribution/product/src/main/extensions/password-recovery.jsp
  • api-control-plane/modules/distribution/product/src/main/extensions/self-registration-username-request.jsp
  • api-control-plane/modules/distribution/product/src/main/extensions/self-registration-with-verification.jsp
✅ Files skipped from review due to trivial changes (1)
  • api-control-plane/modules/distribution/product/src/main/extensions/password-recovery.jsp
🚧 Files skipped from review as they are similar to previous changes (3)
  • api-control-plane/modules/distribution/product/src/main/extensions/self-registration-with-verification.jsp
  • all-in-one-apim/modules/distribution/product/src/main/extensions/self-registration-username-request.jsp
  • all-in-one-apim/modules/distribution/product/src/main/extensions/self-registration-with-verification.jsp

📝 Walkthrough

Summary

This PR implements validation and normalization improvements for callback URL handling across authentication-related JSP pages in two distribution modules. Callback parameters are validated server-side before being used in forms, links, or hidden inputs; invalid or blank values are normalized to null and excluded from rendered form fields.

Changes

Core updates

  • Added server-side callback handling using AuthenticationEndpointUtil.isValidMultiOptionURI().
  • Normalized callback to null when blank, equal to the literal "null" (case-insensitive), or failing validation.
  • Conditional rendering of hidden callback form fields only when the validated callback is present.
  • Link/redirect generation updated to use the validated callback variable rather than raw request parameters.
  • Moved HTML-attribute encoding of callback values to render time where applicable.
  • Added/imported utility classes as needed and applied consistent validation patterns across affected JSPs.

Affected files

Changes applied to 6 JSPs across two modules:

all-in-one-apim module:

  • all-in-one-apim/modules/distribution/product/src/main/extensions/password-recovery.jsp (+9/-0)
  • all-in-one-apim/modules/distribution/product/src/main/extensions/self-registration-username-request.jsp (+23/-8)
  • all-in-one-apim/modules/distribution/product/src/main/extensions/self-registration-with-verification.jsp (+15/-2)

api-control-plane module:

  • api-control-plane/modules/distribution/product/src/main/extensions/password-recovery.jsp (+9/-0)
  • api-control-plane/modules/distribution/product/src/main/extensions/self-registration-username-request.jsp (+23/-8)
  • api-control-plane/modules/distribution/product/src/main/extensions/self-registration-with-verification.jsp (+15/-2)

Notes

  • No public API or exported entity signatures were changed; updates are internal to JSP request handling and rendering logic.
  • Changes address reviewer feedback (commit message: "Address coderabbit comments").

Walkthrough

Server-side validation for the callback request parameter was added across password recovery and self-registration JSP pages in both distributions. Callbacks are read unencoded, treated as invalid and set to null when blank, equal (case-insensitively) to the literal "null", or when AuthenticationEndpointUtil.isValidMultiOptionURI(callback) returns false. Hidden callback inputs and link hrefs now only use the validated value; HTML-encoding is applied at render time when the value is emitted.

Changes

Cohort: Password Recovery Validation
File(s): all-in-one-apim/modules/distribution/product/src/main/extensions/password-recovery.jsp, api-control-plane/modules/distribution/product/src/main/extensions/password-recovery.jsp
Summary: Imported AuthenticationEndpointUtil and added server-side validation for callback. callback is set to null when blank, equal to "null" (case-insensitive), or failing isValidMultiOptionURI(); the hidden form field is rendered only when the validated callback remains non-null.

Cohort: Self-Registration Username Request
File(s): all-in-one-apim/modules/distribution/product/src/main/extensions/self-registration-username-request.jsp, api-control-plane/modules/distribution/product/src/main/extensions/self-registration-username-request.jsp
Summary: Added server-side normalization and validation for callback (using StringUtils.isBlank, a literal "null" check, and AuthenticationEndpointUtil.isValidMultiOptionURI). Replaced the earlier immediate HTML-encoding with encoding at render time. isCallBackUrlEmpty now uses StringUtils.isBlank(callback). The "go back" link and hidden fields use the validated callback, and callback is excluded when copying request parameters into hidden fields.

Cohort: Self-Registration with Verification
File(s): all-in-one-apim/modules/distribution/product/src/main/extensions/self-registration-with-verification.jsp, api-control-plane/modules/distribution/product/src/main/extensions/self-registration-with-verification.jsp
Summary: Switched to reading the raw callback parameter and added server-side validation: blank or "null" (case-insensitive) values are nulled, and values failing AuthenticationEndpointUtil.isValidMultiOptionURI() are set to null. The existing fallback to the user portal URL for blank callbacks remains. Hidden callback output is HTML-attribute-encoded at render time.

Estimated code review effort

Medium | ~30 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Title check: ❓ Inconclusive. Explanation: The title 'Add minor improvements' is vague and does not clearly convey the specific nature of the changes, which involve adding callback parameter validation across multiple JSP files. Resolution: Consider a more descriptive title such as 'Add callback parameter validation to authentication JSP files' to better reflect the primary intent of the changeset.

✅ Passed checks (4 passed)

  • Description check: ✅ Passed. The description mentions 'minor improvements to the validation logics,' which aligns with the changeset's focus on callback parameter validation introduced across four JSP files.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@all-in-one-apim/modules/distribution/product/src/main/extensions/password-recovery.jsp`:
- Around line 213-217: The callback value is not being normalized before
rendering the hidden field: ensure empty string and the literal "null" are
treated as null. In the JSP blocks that check callback (the if using
StringUtils.isBlank, StringUtils.equalsIgnoreCase(callback, "null"), and
AuthenticationEndpointUtil.isValidMultiOptionURI), change the logic to first
normalize callback by setting callback = null when StringUtils.isBlank(callback)
OR StringUtils.equalsIgnoreCase(callback, "null") OR
!AuthenticationEndpointUtil.isValidMultiOptionURI(callback); update both
occurrences (the current block around the first check and the similar block at
lines 219-223) so that only a non-blank, non-"null", valid multi-option URI
remains and the hidden field is not rendered with "" or "null".

In
`@all-in-one-apim/modules/distribution/product/src/main/extensions/self-registration-username-request.jsp`:
- Around line 51-63: The code currently validates the callback into the local
variable callback (using AuthenticationEndpointUtil.isValidMultiOptionURI) but
later replays the original request parameter into the signup.do form, defeating
validation; update the form population logic so it does not write the raw
request parameter back — either omit replaying the "callback" parameter entirely
when generating hidden inputs (like reCaptcha is skipped) or always emit the
already-validated callback variable (and treat null/blank as absent). Locate the
form/output generation that iterates request parameters (the block that emits
inputs for signup.do) and change it to skip "callback" or substitute
request.getParameter("callback") with the validated callback variable and ensure
isCallBackUrlEmpty is respected. Ensure no other replay paths emit the
unvalidated callback.

In
`@all-in-one-apim/modules/distribution/product/src/main/extensions/self-registration-with-verification.jsp`:
- Around line 196-201: Normalize the callback string by treating the literal
"null" (case-insensitive) as null first, then validate the raw callback value
with AuthenticationEndpointUtil.isValidMultiOptionURI(callback) before
URL-encoding; only call
IdentityManagementEndpointUtil.getURLEncodedCallback(callback) after the raw
callback passes validation. In practice, update the block that currently uses
StringUtils.isBlank(callback), StringUtils.equalsIgnoreCase(callback, "null"),
IdentityManagementEndpointUtil.getURLEncodedCallback(callback) and
AuthenticationEndpointUtil.isValidMultiOptionURI(encodedCallback) so it first
sets callback = null when equalsIgnoreCase("null"), then calls
isValidMultiOptionURI(callback) on the raw value and only encodes with
getURLEncodedCallback(callback) if validation succeeds.

In
`@api-control-plane/modules/distribution/product/src/main/extensions/password-recovery.jsp`:
- Around line 213-217: The callback variable can be the empty string or the
literal "null" and still pass the subsequent null check, so before rendering the
hidden field ensure such values are normalized to null: update the code that
validates/uses callback (the callback variable, the block using StringUtils and
AuthenticationEndpointUtil.isValidMultiOptionURI) to first do if
(StringUtils.isBlank(callback) || StringUtils.equalsIgnoreCase(callback,
"null")) { callback = null; } and only then call
AuthenticationEndpointUtil.isValidMultiOptionURI(callback) (or null-check
afterwards) so blank/"null" values are not preserved; apply the same
normalization wherever callback is later used (including the block around the
hidden field rendering).

In
`@api-control-plane/modules/distribution/product/src/main/extensions/self-registration-username-request.jsp`:
- Around line 51-63: The sanitized callback handling is being bypassed because
the original request parameter "callback" is re-added later; fix by normalizing
blank or "null" values to null (as done in the existing validation using
callback and isCallBackUrlEmpty), then when rebuilding parameters for
replay/skipping the parameter-map loop and when rendering the hidden field for
"callback" ensure you only output the sanitized callback (the validated callback
variable) and skip any replay of request.getParameter("callback"); modify the
parameter replay loop (the code that iterates request.getParameterMap() and
re-emits fields) to exclude the "callback" key and ensure the hidden input for
signup.do uses the validated callback value and is omitted when callback ==
null.

In
`@api-control-plane/modules/distribution/product/src/main/extensions/self-registration-with-verification.jsp`:
- Around line 196-201: Normalize and validate the raw callback value (not the
URL-encoded one) and treat the literal string "null" as blank: update the
condition around the callback handling to use a normalization like
StringUtils.trimToEmpty(callback) and check
StringUtils.isBlank(normalizedCallback) (or
StringUtils.equalsIgnoreCase(normalizedCallback, "null")) so the block runs only
for a meaningful value; then call
AuthenticationEndpointUtil.isValidMultiOptionURI(normalizedCallback) to validate
the raw callback and only after validation call
IdentityManagementEndpointUtil.getURLEncodedCallback(callback) to produce
encodedCallback; adjust assignments so invalid or blank/"null" callbacks are set
to null consistently.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: afa66cb3-d16c-4af3-9a81-b5ffb1b11b56

📥 Commits

Reviewing files that changed from the base of the PR and between 86f5cae and d8f33a9.

📒 Files selected for processing (6)
  • all-in-one-apim/modules/distribution/product/src/main/extensions/password-recovery.jsp
  • all-in-one-apim/modules/distribution/product/src/main/extensions/self-registration-username-request.jsp
  • all-in-one-apim/modules/distribution/product/src/main/extensions/self-registration-with-verification.jsp
  • api-control-plane/modules/distribution/product/src/main/extensions/password-recovery.jsp
  • api-control-plane/modules/distribution/product/src/main/extensions/self-registration-username-request.jsp
  • api-control-plane/modules/distribution/product/src/main/extensions/self-registration-with-verification.jsp
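The normalization the walkthrough describes and the replay bypass the inline review comments flag, as an added stand-alone Java example (this is not code from this PR, from WSO2, or from CodeRabbit). It nulls the callback when it is blank, the literal "null" (any case) or invalid; excludes the "callback" key when request parameters are replayed as hidden inputs; and HTML-attribute-encodes the validated value only at render time. `isValidCallback` is an assumed stand-in for `AuthenticationEndpointUtil.isValidMultiOptionURI` (an allow-list of hosts plus absolute-path relative URIs; the real check is not reproduced), `encodeForHtmlAttribute` stands in for the encoder the JSPs use, the host names are constructed, and `g-recaptcha-response` is an assumed name for the reCaptcha parameter the review says is skipped.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class CallbackHiddenFields {

    // Assumption: stand-in for AuthenticationEndpointUtil.isValidMultiOptionURI. Accepts
    // absolute-path relative URIs and absolute http(s) URLs whose host is on the allow-list;
    // anything else (other schemes, scheme-relative "//host", unknown hosts) is rejected.
    static boolean isValidCallback(String value, Set<String> allowedHosts) {
        if (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
            return false; // never let line breaks through into a Location header or attribute
        }
        URI uri;
        try {
            uri = new URI(value);
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.getScheme() == null) {
            // relative URI: must carry no authority ("//other.example.test/x" has one)
            // and must start at the site root
            return uri.getRawAuthority() == null
                    && uri.getRawPath() != null
                    && uri.getRawPath().startsWith("/");
        }
        String scheme = uri.getScheme().toLowerCase();
        return ("http".equals(scheme) || "https".equals(scheme))
                && uri.getHost() != null
                && allowedHosts.contains(uri.getHost().toLowerCase());
    }

    // The normalization the PR describes: blank, the literal "null" in any case, or a value
    // that fails validation all become null, so "absent" and "invalid" are handled the same way.
    static String normalizeCallback(String raw, Set<String> allowedHosts) {
        if (raw == null || raw.trim().isEmpty() || raw.equalsIgnoreCase("null")) {
            return null;
        }
        return isValidCallback(raw, allowedHosts) ? raw : null;
    }

    // Minimal HTML attribute encoder (stand-in for the encoder the JSPs call at render time).
    static String encodeForHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    static String hiddenInput(String name, String value) {
        return "<input type=\"hidden\" name=\"" + encodeForHtmlAttribute(name)
                + "\" value=\"" + encodeForHtmlAttribute(value) + "\"/>\n";
    }

    // Replays request parameters as hidden inputs for the signup form. "callback" is skipped in
    // the loop and emitted once, from the validated variable only, so the raw request parameter
    // can never be written back into the form (the bypass the review comments describe).
    static String renderHiddenFields(Map<String, String[]> params, String validatedCallback) {
        Set<String> skip = new HashSet<>(Arrays.asList("callback", "g-recaptcha-response")); // assumed key names
        StringBuilder out = new StringBuilder();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            if (skip.contains(e.getKey())) {
                continue;
            }
            for (String v : e.getValue()) {
                out.append(hiddenInput(e.getKey(), v));
            }
        }
        if (validatedCallback != null) {
            out.append(hiddenInput("callback", validatedCallback)); // encoded at render time, not earlier
        }
        return out.toString();
    }

    public static void main(String[] args) {
        Set<String> allowed = new HashSet<>(Arrays.asList("apim.example.test")); // constructed allow-list

        // Constructed sample values; the last two fail the stand-in check and normalize to null.
        String[] samples = {"", "   ", "NULL", "/devportal/", "https://apim.example.test/devportal/",
                "//other.example.test/x", "https://other.example.test/landing"};
        for (String s : samples) {
            System.out.printf("%-40s -> %s%n", "\"" + s + "\"", normalizeCallback(s, allowed));
        }

        // Constructed request parameter map, as request.getParameterMap() would return it.
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("username", new String[] {"alice"});
        params.put("callback", new String[] {"https://other.example.test/landing"});
        params.put("g-recaptcha-response", new String[] {"token"});
        String callback = normalizeCallback(params.get("callback")[0], allowed);
        System.out.print(renderHiddenFields(params, callback));
    }
}
```

Running `main` prints each sample's normalized value and then the rendered hidden inputs; because the map's raw callback fails validation, no callback field is emitted at all, rather than one carrying "" or "null". The third review comment's point about consistent failure semantics is a separate decision for the caller: where the surrounding page already forwards rejected callbacks to error.jsp, it would branch on the null return from `normalizeCallback` and take the same error path instead of silently falling back to the portal URL.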

coderabbitai Bot (Contributor) left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
api-control-plane/modules/distribution/product/src/main/extensions/self-registration-with-verification.jsp (1)

177-200: ⚠️ Potential issue | 🟡 Minor

Inconsistent handling between the two callback validation layers.

The callback is validated twice with different failure semantics: lines 178-185 forward to error.jsp when Utils.validateCallbackURL fails, whereas lines 196-200 silently nullify on isValidMultiOptionURI failure (falling back to the user portal URL at line 206). A callback that passes the first check but fails the second is therefore quietly rewritten rather than rejected. Consider either aligning both on the same outcome, or documenting why the second check is intentionally softer. Also, since the first block already guarantees callback is either blank or structurally valid, the "null" literal check is the primary new behavior added here.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@api-control-plane/modules/distribution/product/src/main/extensions/self-registration-with-verification.jsp`
around lines 177 - 200, The code inconsistently handles callback validation:
after Utils.validateCallbackURL(...) rejects the request by forwarding to
"error.jsp", the later
AuthenticationEndpointUtil.isValidMultiOptionURI(callback) check silently nulls
the callback; change this to the same failure flow as the first check — when
callback is non-blank (and not the literal "null") but
AuthenticationEndpointUtil.isValidMultiOptionURI(callback) returns false, set
request attributes (error=true and errorMsg using
IdentityManagementEndpointUtil.i18n(...) with an appropriate message) and
forward to "error.jsp" instead of nullifying callback so
Utils.validateCallbackURL and isValidMultiOptionURI have consistent semantics.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 82b9f88f-d1ab-4e27-b318-a7cd116c47a6

📥 Commits

Reviewing files that changed from the base of the PR and between d8f33a9 and 0c97d72.

📒 Files selected for processing (3)
  • api-control-plane/modules/distribution/product/src/main/extensions/password-recovery.jsp
  • api-control-plane/modules/distribution/product/src/main/extensions/self-registration-username-request.jsp
  • api-control-plane/modules/distribution/product/src/main/extensions/self-registration-with-verification.jsp
🚧 Files skipped from review as they are similar to previous changes (1)
  • api-control-plane/modules/distribution/product/src/main/extensions/password-recovery.jsp
