diff options
author | Andreas Fitzek <andreas.fitzek@iaik.tugraz.at> | 2014-01-28 16:05:21 +0100 |
---|---|---|
committer | Andreas Fitzek <andreas.fitzek@iaik.tugraz.at> | 2014-01-28 16:05:21 +0100 |
commit | d0c59a890be350ff1c39901e7fa94bf68c048065 (patch) | |
tree | 10aef75582d15acf1c4f67d2a702e55c1b7d74fb | |
parent | 7623d9b081af23191f307e1f06df7ce5508bf925 (diff) | |
download | pdf-as-4-d0c59a890be350ff1c39901e7fa94bf68c048065.tar.gz pdf-as-4-d0c59a890be350ff1c39901e7fa94bf68c048065.tar.bz2 pdf-as-4-d0c59a890be350ff1c39901e7fa94bf68c048065.zip |
URL Whitelist + Basic Design
9 files changed, 190 insertions, 88 deletions
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/config/WebConfiguration.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/config/WebConfiguration.java index 6609e51d..c7520347 100644 --- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/config/WebConfiguration.java +++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/config/WebConfiguration.java @@ -2,6 +2,9 @@ package at.gv.egiz.pdfas.web.config; import java.io.File; import java.io.FileInputStream; +import java.util.ArrayList; +import java.util.Iterator; +import java.util.List; import java.util.Properties; import org.slf4j.Logger; @@ -24,12 +27,21 @@ public class WebConfiguration { public static final String KEYSTORE_ALIAS = "ks.key.alias"; public static final String KEYSTORE_KEY_PASS = "ks.key.pass"; + public static final String WHITELIST_ENABLED = "whitelist.enabled"; + public static final String WHITELIST_VALUE_PRE = "whitelist.url."; + private static Properties properties = new Properties(); private static final Logger logger = LoggerFactory .getLogger(WebConfiguration.class); + private static List<String> whiteListregEx = new ArrayList<String>(); + public static void configure(String config) { + + properties.clear(); + whiteListregEx.clear(); + try { properties.load(new FileInputStream(config)); } catch(Exception e) { @@ -37,6 +49,23 @@ public class WebConfiguration { throw new RuntimeException(e); } + if(isWhiteListEnabled()) { + Iterator<Object> keyIt = properties.keySet().iterator(); + while(keyIt.hasNext()) { + Object keyObj = keyIt.next(); + if(keyObj != null) { + String key = keyObj.toString(); + if(key.startsWith(WHITELIST_VALUE_PRE)) { + String whitelist_expr = properties.getProperty(key); + if(whitelist_expr != null) { + whiteListregEx.add(whitelist_expr); + logger.debug("URL Whitelist: " + whitelist_expr); + } + } + } + } + } + String pdfASDir = getPdfASDir(); if(pdfASDir == null) { logger.error("Please configure pdf as working directory in the web configuration"); @@ -107,9 +136,34 @@ public class WebConfiguration { } return false; } - - public static boolean isProvidePdfURLinWhitelist(String url) { - //TODO implement whitelisting for pdfURLS + + public static boolean isWhiteListEnabled() { + String value = properties.getProperty(WHITELIST_ENABLED); + if(value != null) { + if(value.equals("true")) { + return true; + } + } return false; } + + public static synchronized boolean isProvidePdfURLinWhitelist(String url) { + if(isWhiteListEnabled()) { + + Iterator<String> patterns = whiteListregEx.iterator(); + while(patterns.hasNext()) { + String pattern = patterns.next(); + try { + if(url.matches(pattern)) { + return true; + } + } catch(Throwable e) { + logger.error("Error in matching regex: " + pattern, e); + } + } + + return false; + } + return true; + } } diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/exception/PdfAsSecurityLayerException.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/exception/PdfAsSecurityLayerException.java new file mode 100644 index 00000000..e499302d --- /dev/null +++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/exception/PdfAsSecurityLayerException.java @@ -0,0 +1,14 @@ +package at.gv.egiz.pdfas.web.exception; + +public class PdfAsSecurityLayerException extends Exception { + + /** + * + */ + private static final long serialVersionUID = -4632774270754873043L; + + public PdfAsSecurityLayerException(String info, int errorcode) { + super("SecurityLayer Error: [" + errorcode + "] " + info); + } + +} diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java index 2f62269b..1059738e 100644 --- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java +++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java @@ -76,7 +76,6 @@ public class PdfAsHelper { private static ObjectFactory of = new ObjectFactory(); static { - // TODO: read from config file logger.debug("Creating PDF-AS"); pdfAs = PdfAsFactory.createPdfAs(new File(WebConfiguration.getPdfASDir())); logger.debug("Creating PDF-AS done"); diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/RemotePDFFetcher.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/RemotePDFFetcher.java index 9532e074..cb404b66 100644 --- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/RemotePDFFetcher.java +++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/RemotePDFFetcher.java @@ -5,6 +5,7 @@ import java.net.MalformedURLException; import java.net.URL; import at.gv.egiz.pdfas.common.utils.StreamUtils; +import at.gv.egiz.pdfas.web.config.WebConfiguration; import at.gv.egiz.pdfas.web.exception.PdfAsWebException; public class RemotePDFFetcher { @@ -16,16 +17,25 @@ public class RemotePDFFetcher { } catch (MalformedURLException e) { throw new PdfAsWebException("Not a valid URL!", e); } - if(url.getProtocol().equals("http") || url.getProtocol().equals("https")) { - - try { - InputStream is = url.openStream(); - return StreamUtils.inputStreamToByteArray(is); - } catch (Exception e) { - throw new PdfAsWebException("Failed to fetch pdf document!", e); + if (WebConfiguration.isProvidePdfURLinWhitelist(url.toExternalForm())) { + if (url.getProtocol().equals("http") + || url.getProtocol().equals("https")) { + + try { + InputStream is = url.openStream(); + return StreamUtils.inputStreamToByteArray(is); + } catch (Exception e) { + throw new PdfAsWebException( + "Failed to fetch pdf document!", e); + } + } else { + throw new PdfAsWebException( + "Failed to fetch pdf document protocol " + + url.getProtocol() + " is not supported"); } } else { - throw new PdfAsWebException("Failed to fetch pdf document protocol " + url.getProtocol() + " is not supported"); + throw new PdfAsWebException( + "Failed to fetch pdf document " + url.toExternalForm() + " is not allowed"); } } } diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java index a0fe3e80..7847d840 100644 --- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java +++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java @@ -6,10 +6,12 @@ import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; import javax.xml.bind.JAXBElement; -import at.gv.egiz.pdfas.lib.api.StatusRequest; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import at.gv.egiz.pdfas.web.exception.PdfAsSecurityLayerException; import at.gv.egiz.pdfas.web.helper.PdfAsHelper; import at.gv.egiz.sl.CreateCMSSignatureResponseType; import at.gv.egiz.sl.ErrorResponseType; @@ -22,6 +24,9 @@ import at.gv.egiz.sl.util.SLMarschaller; public class DataURLServlet extends HttpServlet { private static final long serialVersionUID = 1L; + private static final Logger logger = LoggerFactory + .getLogger(DataURLServlet.class); + /** * @see HttpServlet#HttpServlet() */ @@ -64,11 +69,18 @@ public class DataURLServlet extends HttpServlet { PdfAsHelper.injectSignature(request, response, createCMSSignatureResponseType, getServletContext()); } else if(jaxbObject.getValue() instanceof ErrorResponseType) { ErrorResponseType errorResponseType = (ErrorResponseType)jaxbObject.getValue(); - // TODO: store error and redirect user - System.out.println("ERROR: " + errorResponseType.getErrorCode() + " " + errorResponseType.getInfo()); + logger.error("SecurityLayer: " + errorResponseType.getErrorCode() + " " + errorResponseType.getInfo()); + throw new PdfAsSecurityLayerException(errorResponseType.getInfo(), + errorResponseType.getErrorCode()); + + } else { + throw new PdfAsSecurityLayerException("Unknown SL response", + 9999); } } catch (Exception e) { - e.printStackTrace(); + PdfAsHelper.setSessionException(request, response, e.getMessage(), + e); + PdfAsHelper.gotoError(getServletContext(), request, response); } } diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ErrorPage.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ErrorPage.java index fe436566..ef8e058f 100644 --- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ErrorPage.java +++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ErrorPage.java @@ -8,9 +8,9 @@ import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import javax.swing.text.html.HTML; -import org.apache.commons.lang3.StringEscapeUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import at.gv.egiz.pdfas.web.config.WebConfiguration; import at.gv.egiz.pdfas.web.helper.HTMLFormater; @@ -21,7 +21,10 @@ import at.gv.egiz.pdfas.web.helper.PdfAsHelper; */ public class ErrorPage extends HttpServlet { private static final long serialVersionUID = 1L; - + + private static final Logger logger = LoggerFactory + .getLogger(ErrorPage.class); + /** * @see HttpServlet#HttpServlet() */ @@ -61,7 +64,7 @@ public class ErrorPage extends HttpServlet { .getSessionException(request, response); String message = PdfAsHelper.getSessionErrMessage(request, response); - if (errorURL != null) { + if (errorURL != null && WebConfiguration.isProvidePdfURLinWhitelist(errorURL)) { String template = PdfAsHelper.getErrorRedirectTemplateSL(); template = template.replace("##ERROR_URL##", errorURL); @@ -81,6 +84,9 @@ public class ErrorPage extends HttpServlet { response.getWriter().write(template); response.getWriter().close(); } else { + if(!WebConfiguration.isProvidePdfURLinWhitelist(errorURL)) { + logger.warn(errorURL + " is not allowed by whitelist"); + } response.setContentType("text/html"); PrintWriter pw = response.getWriter(); diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ProvidePDFServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ProvidePDFServlet.java index e1387fce..194a9a63 100644 --- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ProvidePDFServlet.java +++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ProvidePDFServlet.java @@ -8,7 +8,11 @@ import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + import at.gv.egiz.pdfas.common.exceptions.PdfAsException; +import at.gv.egiz.pdfas.web.config.WebConfiguration; import at.gv.egiz.pdfas.web.helper.PdfAsHelper; /** @@ -17,6 +21,9 @@ import at.gv.egiz.pdfas.web.helper.PdfAsHelper; public class ProvidePDFServlet extends HttpServlet { private static final long serialVersionUID = 1L; + private static final Logger logger = LoggerFactory + .getLogger(ProvidePDFServlet.class); + /** * @see HttpServlet#HttpServlet() */ @@ -47,7 +54,12 @@ public class ProvidePDFServlet extends HttpServlet { try { String invokeURL = PdfAsHelper.getInvokeURL(request, response); - if (invokeURL == null) { + if (invokeURL == null || WebConfiguration.isProvidePdfURLinWhitelist(invokeURL)) { + + if(!WebConfiguration.isProvidePdfURLinWhitelist(invokeURL)) { + logger.warn(invokeURL + " is not allowed by whitelist"); + } + // Deliver to Browser directly! response.setContentType("text/html"); PrintWriter pw = response.getWriter(); diff --git a/pdf-as-web/src/main/webapp/WEB-INF/decorators/default_layout.jsp b/pdf-as-web/src/main/webapp/WEB-INF/decorators/default_layout.jsp index 1179d48c..045fd2b9 100644 --- a/pdf-as-web/src/main/webapp/WEB-INF/decorators/default_layout.jsp +++ b/pdf-as-web/src/main/webapp/WEB-INF/decorators/default_layout.jsp @@ -5,37 +5,28 @@ <%@page contentType="text/html; charset=UTF-8"%> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> - <meta charset="utf-8"/> - <meta http-equiv="X-UA-Compatible" content="IE=edge"/> - <meta name="viewport" content="width=device-width, initial-scale=1.0"/> - <meta name="description" content="PDF-Signatur"/> - <meta name="author" content="EGIZ"/> - <link rel="shortcut icon" href="assets/ico/favicon.png"/> +<meta charset="utf-8" /> +<meta http-equiv="X-UA-Compatible" content="IE=edge" /> +<meta name="viewport" content="width=device-width, initial-scale=1.0" /> +<meta name="description" content="PDF-Signatur" /> +<meta name="author" content="EGIZ" /> +<link rel="shortcut icon" href="assets/ico/favicon.png" /> - <title><decorator:title></decorator:title></title> - <link href="assets/css/bootstrap.css" rel="stylesheet"/> - - <link href="assets/css/pdfas.css" rel="stylesheet"/> - <decorator:head></decorator:head> +<title><decorator:title></decorator:title></title> +<decorator:head></decorator:head> </head> <body> - <div class="container"> - <div class="header"> - <h3 class="text-muted">PDF-Signatur</h3> - </div> - - <div class="row marketing"> - <div class="col-lg-12"> - <decorator:body></decorator:body> - </div> - </div> + <p> + <h3>PDF-Signatur</h3> + </p> - <div class="footer"> - <p>© EGIZ 2014</p> - </div> + <p> + <decorator:body></decorator:body> + </p> - </div> - <!-- /container --> + <p> + <p>© EGIZ 2014</p> + </p> </body> </html>
\ No newline at end of file diff --git a/pdf-as-web/src/main/webapp/index.jsp b/pdf-as-web/src/main/webapp/index.jsp index 8aba0dff..355c7838 100644 --- a/pdf-as-web/src/main/webapp/index.jsp +++ b/pdf-as-web/src/main/webapp/index.jsp @@ -6,47 +6,51 @@ <body> <form role="form" action="Sign" method="POST" enctype="multipart/form-data"> - <input type="hidden" name="source" id="source" value="internal"/> - <div class="form-group <% if(request.getAttribute("FILEERR") != null) { %> has-error <% } %>"> - <label for="exampleInputFile">Signieren: </label> <input type="file" - name="pdfFile" id="pdfFile" accept="application/pdf"> - <p class="help-block"> - <% if(request.getAttribute("FILEERR") != null) { %> - Bitte die zu signierende PDF Datei angeben. - <% } else { %> - Zu signierende PDF Datei - <% } %></p> - </div> - <% if(WebConfiguration.getOnlineBKUURL() != null || - WebConfiguration.getLocalBKUURL() != null) { %> - <div class="form-group"> - <!-- button type="submit" value="jks" name="connector" class="btn btn-primary">JKS</button--> - <label for="bku"><img src="assets/img/onlineBKU.png" /></label> - <% if(WebConfiguration.getLocalBKUURL() != null) { %> - <button type="submit" value="bku" name="connector" - class="btn btn-primary" id="bku">Lokale BKU</button> - <% } %> - <% if(WebConfiguration.getOnlineBKUURL() != null) { %> - <button type="submit" value="onlinebku" name="connector" - class="btn btn-primary" id="onlinebku">Online BKU</button> - <% } %> - </div> - <% } %> - <% if(WebConfiguration.getHandyBKUURL() != null) { %> - <div class="form-group"> - <label for="mobilebku"><img src="assets/img/mobileBKU.png" /></label> - <button type="submit" value="mobilebku" name="connector" - class="btn btn-primary" id="mobilebku">Handy</button> - <!-- button type="submit" value="moa" name="connector" class="btn btn-primary">MOA-SS</button --> - </div> - <% } %> - <% if(WebConfiguration.getKeystoreEnabled()) { %> - <div class="form-group"> + <input type="hidden" name="source" id="source" value="internal" /> <input + type="file" name="pdfFile" id="pdfFile" accept="application/pdf"> + <% + if (request.getAttribute("FILEERR") != null) { + %> + <p>Bitte die zu signierende PDF Datei angeben.</p> + <% + } + %> + + + <% + if (WebConfiguration.getLocalBKUURL() != null) { + %> + <img src="assets/img/onlineBKU.png" /> <input type="submit" + value="bku" name="connector" id="bku">Lokale BKU + </button> + <% + } + %> + <% + if (WebConfiguration.getOnlineBKUURL() != null) { + %> + <img src="assets/img/onlineBKU.png" /> + <button type="submit" value="onlinebku" name="connector" + id="onlinebku">Online BKU</button> + <% + } + %> + <% + if (WebConfiguration.getHandyBKUURL() != null) { + %> + <img src="assets/img/mobileBKU.png" /> + <button type="submit" value="mobilebku" name="connector" id="mobilebku">Handy</button> + <% + } + %> + <% + if (WebConfiguration.getKeystoreEnabled()) { + %> <button type="submit" value="jks" name="connector" - class="btn btn-primary" id="jks">Server Keystore</button> - <!-- button type="submit" value="moa" name="connector" class="btn btn-primary">MOA-SS</button --> - </div> - <% } %> + id="jks">Server Keystore</button> + <% + } + %> </form> </body> </html>
\ No newline at end of file |