URL Whitelist + Basic Design

3 files changed, 40 insertions, 10 deletions

diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java
index a0fe3e80..7847d840 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java
@@ -6,10 +6,12 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
 import javax.xml.bind.JAXBElement;
 
-import at.gv.egiz.pdfas.lib.api.StatusRequest;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import at.gv.egiz.pdfas.web.exception.PdfAsSecurityLayerException;
 import at.gv.egiz.pdfas.web.helper.PdfAsHelper;
 import at.gv.egiz.sl.CreateCMSSignatureResponseType;
 import at.gv.egiz.sl.ErrorResponseType;
@@ -22,6 +24,9 @@ import at.gv.egiz.sl.util.SLMarschaller;
 public class DataURLServlet extends HttpServlet {
 	private static final long serialVersionUID = 1L;
 
+	private static final Logger logger = LoggerFactory
+			.getLogger(DataURLServlet.class);
+	
 	/**
 	 * @see HttpServlet#HttpServlet()
 	 */
@@ -64,11 +69,18 @@ public class DataURLServlet extends HttpServlet {
 				PdfAsHelper.injectSignature(request, response, createCMSSignatureResponseType, getServletContext());
 			} else if(jaxbObject.getValue() instanceof ErrorResponseType) {
 				ErrorResponseType errorResponseType = (ErrorResponseType)jaxbObject.getValue();
-				// TODO: store error and redirect user
-				System.out.println("ERROR: " + errorResponseType.getErrorCode() + " " + errorResponseType.getInfo());
+				logger.error("SecurityLayer: " + errorResponseType.getErrorCode() + " " + errorResponseType.getInfo());
+				throw new PdfAsSecurityLayerException(errorResponseType.getInfo(), 
+						errorResponseType.getErrorCode());
+				
+			} else {
+				throw new PdfAsSecurityLayerException("Unknown SL response", 
+						9999);
 			}
 		} catch (Exception e) {
-			e.printStackTrace();
+			PdfAsHelper.setSessionException(request, response, e.getMessage(),
+					e);
+			PdfAsHelper.gotoError(getServletContext(), request, response);
 		}
 	}
 
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ErrorPage.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ErrorPage.java
index fe436566..ef8e058f 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ErrorPage.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ErrorPage.java
@@ -8,9 +8,9 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.swing.text.html.HTML;
 
-import org.apache.commons.lang3.StringEscapeUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import at.gv.egiz.pdfas.web.config.WebConfiguration;
 import at.gv.egiz.pdfas.web.helper.HTMLFormater;
@@ -21,7 +21,10 @@ import at.gv.egiz.pdfas.web.helper.PdfAsHelper;
  */
 public class ErrorPage extends HttpServlet {
 	private static final long serialVersionUID = 1L;
-
+	
+	private static final Logger logger = LoggerFactory
+			.getLogger(ErrorPage.class);
+	
 	/**
 	 * @see HttpServlet#HttpServlet()
 	 */
@@ -61,7 +64,7 @@ public class ErrorPage extends HttpServlet {
 					.getSessionException(request, response);
 			String message = PdfAsHelper.getSessionErrMessage(request,
 					response);
-			if (errorURL != null) {
+			if (errorURL != null && WebConfiguration.isProvidePdfURLinWhitelist(errorURL)) {
 				String template = PdfAsHelper.getErrorRedirectTemplateSL();
 				template = template.replace("##ERROR_URL##",
 						errorURL);
@@ -81,6 +84,9 @@ public class ErrorPage extends HttpServlet {
 				response.getWriter().write(template);
 				response.getWriter().close();
 			} else {
+				if(!WebConfiguration.isProvidePdfURLinWhitelist(errorURL)) {
+					logger.warn(errorURL + " is not allowed by whitelist");
+				}
 				response.setContentType("text/html");
 				PrintWriter pw = response.getWriter();
 		
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ProvidePDFServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ProvidePDFServlet.java
index e1387fce..194a9a63 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ProvidePDFServlet.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ProvidePDFServlet.java
@@ -8,7 +8,11 @@ import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import at.gv.egiz.pdfas.common.exceptions.PdfAsException;
+import at.gv.egiz.pdfas.web.config.WebConfiguration;
 import at.gv.egiz.pdfas.web.helper.PdfAsHelper;
 
 /**
@@ -17,6 +21,9 @@ import at.gv.egiz.pdfas.web.helper.PdfAsHelper;
 public class ProvidePDFServlet extends HttpServlet {
 	private static final long serialVersionUID = 1L;
 
+	private static final Logger logger = LoggerFactory
+			.getLogger(ProvidePDFServlet.class);
+	
 	/**
 	 * @see HttpServlet#HttpServlet()
 	 */
@@ -47,7 +54,12 @@ public class ProvidePDFServlet extends HttpServlet {
 		try {
 			String invokeURL = PdfAsHelper.getInvokeURL(request, response);
 
-			if (invokeURL == null) {
+			if (invokeURL == null || WebConfiguration.isProvidePdfURLinWhitelist(invokeURL)) {
+				
+				if(!WebConfiguration.isProvidePdfURLinWhitelist(invokeURL)) {
+					logger.warn(invokeURL + " is not allowed by whitelist");
+				}
+				
 				// Deliver to Browser directly!
 				response.setContentType("text/html");
 				PrintWriter pw = response.getWriter();