aboutsummaryrefslogtreecommitdiff
path: root/pdf-as-web/src/main
diff options
context:
space:
mode:
authorAndreas Fitzek <andreas.fitzek@iaik.tugraz.at>2015-03-26 10:04:08 +0100
committerAndreas Fitzek <andreas.fitzek@iaik.tugraz.at>2015-03-26 10:04:08 +0100
commitdfde473ef88f8be7873385b1ff3357c1f79afe73 (patch)
tree5e6873399f8519944a1a20c6ed1ba2d2795f429e /pdf-as-web/src/main
parentf179c8db3574d03bb1b6b5be1bd86c9ea04073ad (diff)
downloadpdf-as-4-dfde473ef88f8be7873385b1ff3357c1f79afe73.tar.gz
pdf-as-4-dfde473ef88f8be7873385b1ff3357c1f79afe73.tar.bz2
pdf-as-4-dfde473ef88f8be7873385b1ff3357c1f79afe73.zip
added Whitelist for external configuration overwrites
Diffstat (limited to 'pdf-as-web/src/main')
-rw-r--r--pdf-as-web/src/main/configuration/pdf-as-web.properties7
-rw-r--r--pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/config/WebConfiguration.java43
-rw-r--r--pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/ConfigurationOverwrite.java35
-rw-r--r--pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java34
4 files changed, 90 insertions, 29 deletions
diff --git a/pdf-as-web/src/main/configuration/pdf-as-web.properties b/pdf-as-web/src/main/configuration/pdf-as-web.properties
index 4f6b0661..71bcf386 100644
--- a/pdf-as-web/src/main/configuration/pdf-as-web.properties
+++ b/pdf-as-web/src/main/configuration/pdf-as-web.properties
@@ -10,7 +10,12 @@ bku.local.url=http://127.0.0.1:3495/http-security-layer-request
bku.mobile.url=https://www.handy-signatur.at/mobile/https-security-layer-request/default.aspx
# Allow full configuration overwrite from external sources
-allow.ext.overwrite=true
+# use with care!
+allow.ext.overwrite=false
+
+# White list entries for properties, that can be overwriten,
+# by external components
+ext.overwrite.wl.1=^$
ks.enabled=false
ks.file=test.p12
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/config/WebConfiguration.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/config/WebConfiguration.java
index 5860b740..ca4f2c50 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/config/WebConfiguration.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/config/WebConfiguration.java
@@ -50,6 +50,8 @@ public class WebConfiguration implements IConfigurationConstants {
public static final String STATISTIC_BACKEND_LIST = "statistic.backends";
public static final String ALLOW_EXT_OVERWRITE = "allow.ext.overwrite";
+ public static final String ALLOW_EXT_WHITELIST_VALUE_PRE = "ext.overwrite.wl.";
+
public static final String MOA_SS_ENABLED = "moa.enabled";
public static final String SOAP_SIGN_ENABLED = "soap.sign.enabled";
public static final String SOAP_VERIFY_ENABLED = "soap.verify.enabled";
@@ -94,11 +96,13 @@ public class WebConfiguration implements IConfigurationConstants {
.getLogger(WebConfiguration.class);
private static List<String> whiteListregEx = new ArrayList<String>();
-
+ private static List<String> overwritewhiteListregEx = new ArrayList<String>();
+
public static void configure(String config) {
properties.clear();
whiteListregEx.clear();
+ overwritewhiteListregEx.clear();
try {
properties.load(new FileInputStream(config));
@@ -123,6 +127,23 @@ public class WebConfiguration implements IConfigurationConstants {
}
}
}
+
+ if (isAllowExtOverwrite()) {
+ Iterator<Object> keyIt = properties.keySet().iterator();
+ while (keyIt.hasNext()) {
+ Object keyObj = keyIt.next();
+ if (keyObj != null) {
+ String key = keyObj.toString();
+ if (key.startsWith(ALLOW_EXT_WHITELIST_VALUE_PRE)) {
+ String whitelist_expr = properties.getProperty(key);
+ if (whitelist_expr != null) {
+ overwritewhiteListregEx.add(whitelist_expr);
+ logger.debug("Overwrite Whitelist: " + whitelist_expr);
+ }
+ }
+ }
+ }
+ }
Iterator<Object> keyIt = properties.keySet().iterator();
while (keyIt.hasNext()) {
@@ -249,6 +270,26 @@ public class WebConfiguration implements IConfigurationConstants {
return false;
}
+ public static synchronized boolean isOverwriteAllowed(String key) {
+ if (isAllowExtOverwrite()) {
+
+ Iterator<String> patterns = whiteListregEx.iterator();
+ while (patterns.hasNext()) {
+ String pattern = patterns.next();
+ try {
+ if (key.matches(pattern)) {
+ return true;
+ }
+ } catch (Throwable e) {
+ logger.warn("Error in matching regex: " + pattern, e);
+ }
+ }
+
+ return false;
+ }
+ return false;
+ }
+
public static boolean isMoaEnabled(String keyIdentifier) {
String value = properties.getProperty(MOA_LIST + "." + keyIdentifier + ".enabled");
if (value != null) {
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/ConfigurationOverwrite.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/ConfigurationOverwrite.java
new file mode 100644
index 00000000..3bf20bf4
--- /dev/null
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/ConfigurationOverwrite.java
@@ -0,0 +1,35 @@
+package at.gv.egiz.pdfas.web.helper;
+
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import at.gv.egiz.pdfas.lib.api.Configuration;
+import at.gv.egiz.pdfas.web.config.WebConfiguration;
+
+public class ConfigurationOverwrite {
+
+ private static final Logger logger = LoggerFactory
+ .getLogger(ConfigurationOverwrite.class);
+
+ public static void overwriteConfiguration(Map<String, String> overwrite,
+ Configuration config) {
+ if (WebConfiguration.isAllowExtOverwrite() && overwrite != null && config != null) {
+ Iterator<Entry<String, String>> entryIt = overwrite.entrySet()
+ .iterator();
+ while (entryIt.hasNext()) {
+ Entry<String, String> entry = entryIt.next();
+ if (WebConfiguration.isOverwriteAllowed(entry.getKey())) {
+ config.setValue(entry.getKey(), entry.getValue());
+ } else {
+ logger.warn(
+ "External component tried to overwrite cfg {}. This is not in the whitelist!",
+ entry.getKey());
+ }
+ }
+ }
+ }
+}
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java
index 53cf5783..52eb8468 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java
@@ -36,7 +36,6 @@ import java.security.cert.CertificateException;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
-import java.util.Map.Entry;
import javax.imageio.ImageIO;
import javax.servlet.RequestDispatcher;
@@ -362,16 +361,9 @@ public class PdfAsHelper {
Configuration config = pdfAs.getConfiguration();
- if (WebConfiguration.isAllowExtOverwrite()) {
- Map<String,String> configOverwrite = PdfAsParameterExtractor.getOverwriteMap(request);
- if(configOverwrite != null) {
- Iterator<Entry<String, String>> entryIt = configOverwrite.entrySet().iterator();
- while (entryIt.hasNext()) {
- Entry<String, String> entry = entryIt.next();
- config.setValue(entry.getKey(), entry.getValue());
- }
- }
- }
+
+ Map<String,String> configOverwrite = PdfAsParameterExtractor.getOverwriteMap(request);
+ ConfigurationOverwrite.overwriteConfiguration(configOverwrite, config);
ByteArrayOutputStream baos = new ByteArrayOutputStream();
@@ -502,6 +494,7 @@ public class PdfAsHelper {
// set Signature Position
signParameter.setSignaturePosition(buildPosString(request, response));
+ @SuppressWarnings("unused")
SignResult result = pdfAs.sign(signParameter);
return baos.toByteArray();
@@ -523,15 +516,8 @@ public class PdfAsHelper {
PDFASSignParameters params) throws Exception {
Configuration config = pdfAs.getConfiguration();
- if (WebConfiguration.isAllowExtOverwrite()) {
- if (params.getOverrides() != null) {
- Iterator<Entry<String, String>> entryIt = params.getOverrides()
- .getMap().entrySet().iterator();
- while (entryIt.hasNext()) {
- Entry<String, String> entry = entryIt.next();
- config.setValue(entry.getKey(), entry.getValue());
- }
- }
+ if (WebConfiguration.isAllowExtOverwrite() && params.getOverrides() != null) {
+ ConfigurationOverwrite.overwriteConfiguration(params.getOverrides().getMap(), config);
}
ByteArrayOutputStream baos = new ByteArrayOutputStream();
@@ -702,13 +688,7 @@ public class PdfAsHelper {
Configuration config = pdfAs.getConfiguration();
session.setAttribute(PDF_CONFIG, config);
- if (WebConfiguration.isAllowExtOverwrite() && overwrite != null) {
- Iterator<Entry<String, String>> entryIt = overwrite.entrySet().iterator();
- while (entryIt.hasNext()) {
- Entry<String, String> entry = entryIt.next();
- config.setValue(entry.getKey(), entry.getValue());
- }
- }
+ ConfigurationOverwrite.overwriteConfiguration(overwrite, config);
ByteArrayOutputStream baos = new ByteArrayOutputStream();
session.setAttribute(PDF_OUTPUT, baos);