From d0c59a890be350ff1c39901e7fa94bf68c048065 Mon Sep 17 00:00:00 2001 From: Andreas Fitzek Date: Tue, 28 Jan 2014 16:05:21 +0100 Subject: URL Whitelist + Basic Design --- .../gv/egiz/pdfas/web/servlets/DataURLServlet.java | 22 +++++++++++++++++----- .../at/gv/egiz/pdfas/web/servlets/ErrorPage.java | 14 ++++++++++---- .../egiz/pdfas/web/servlets/ProvidePDFServlet.java | 14 +++++++++++++- 3 files changed, 40 insertions(+), 10 deletions(-) (limited to 'pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets') diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java index a0fe3e80..7847d840 100644 --- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java +++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java @@ -6,10 +6,12 @@ import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; import javax.xml.bind.JAXBElement; -import at.gv.egiz.pdfas.lib.api.StatusRequest; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import at.gv.egiz.pdfas.web.exception.PdfAsSecurityLayerException; import at.gv.egiz.pdfas.web.helper.PdfAsHelper; import at.gv.egiz.sl.CreateCMSSignatureResponseType; import at.gv.egiz.sl.ErrorResponseType; @@ -22,6 +24,9 @@ import at.gv.egiz.sl.util.SLMarschaller; public class DataURLServlet extends HttpServlet { private static final long serialVersionUID = 1L; + private static final Logger logger = LoggerFactory + .getLogger(DataURLServlet.class); + /** * @see HttpServlet#HttpServlet() */ @@ -64,11 +69,18 @@ public class DataURLServlet extends HttpServlet { PdfAsHelper.injectSignature(request, response, createCMSSignatureResponseType, getServletContext()); } else if(jaxbObject.getValue() instanceof ErrorResponseType) { ErrorResponseType errorResponseType = (ErrorResponseType)jaxbObject.getValue(); - // TODO: store error and redirect user - System.out.println("ERROR: " + errorResponseType.getErrorCode() + " " + errorResponseType.getInfo()); + logger.error("SecurityLayer: " + errorResponseType.getErrorCode() + " " + errorResponseType.getInfo()); + throw new PdfAsSecurityLayerException(errorResponseType.getInfo(), + errorResponseType.getErrorCode()); + + } else { + throw new PdfAsSecurityLayerException("Unknown SL response", + 9999); } } catch (Exception e) { - e.printStackTrace(); + PdfAsHelper.setSessionException(request, response, e.getMessage(), + e); + PdfAsHelper.gotoError(getServletContext(), request, response); } } diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ErrorPage.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ErrorPage.java index fe436566..ef8e058f 100644 --- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ErrorPage.java +++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ErrorPage.java @@ -8,9 +8,9 @@ import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import javax.swing.text.html.HTML; -import org.apache.commons.lang3.StringEscapeUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import at.gv.egiz.pdfas.web.config.WebConfiguration; import at.gv.egiz.pdfas.web.helper.HTMLFormater; @@ -21,7 +21,10 @@ import at.gv.egiz.pdfas.web.helper.PdfAsHelper; */ public class ErrorPage extends HttpServlet { private static final long serialVersionUID = 1L; - + + private static final Logger logger = LoggerFactory + .getLogger(ErrorPage.class); + /** * @see HttpServlet#HttpServlet() */ @@ -61,7 +64,7 @@ public class ErrorPage extends HttpServlet { .getSessionException(request, response); String message = PdfAsHelper.getSessionErrMessage(request, response); - if (errorURL != null) { + if (errorURL != null && WebConfiguration.isProvidePdfURLinWhitelist(errorURL)) { String template = PdfAsHelper.getErrorRedirectTemplateSL(); template = template.replace("##ERROR_URL##", errorURL); @@ -81,6 +84,9 @@ public class ErrorPage extends HttpServlet { response.getWriter().write(template); response.getWriter().close(); } else { + if(!WebConfiguration.isProvidePdfURLinWhitelist(errorURL)) { + logger.warn(errorURL + " is not allowed by whitelist"); + } response.setContentType("text/html"); PrintWriter pw = response.getWriter(); diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ProvidePDFServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ProvidePDFServlet.java index e1387fce..194a9a63 100644 --- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ProvidePDFServlet.java +++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ProvidePDFServlet.java @@ -8,7 +8,11 @@ import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + import at.gv.egiz.pdfas.common.exceptions.PdfAsException; +import at.gv.egiz.pdfas.web.config.WebConfiguration; import at.gv.egiz.pdfas.web.helper.PdfAsHelper; /** @@ -17,6 +21,9 @@ import at.gv.egiz.pdfas.web.helper.PdfAsHelper; public class ProvidePDFServlet extends HttpServlet { private static final long serialVersionUID = 1L; + private static final Logger logger = LoggerFactory + .getLogger(ProvidePDFServlet.class); + /** * @see HttpServlet#HttpServlet() */ @@ -47,7 +54,12 @@ public class ProvidePDFServlet extends HttpServlet { try { String invokeURL = PdfAsHelper.getInvokeURL(request, response); - if (invokeURL == null) { + if (invokeURL == null || WebConfiguration.isProvidePdfURLinWhitelist(invokeURL)) { + + if(!WebConfiguration.isProvidePdfURLinWhitelist(invokeURL)) { + logger.warn(invokeURL + " is not allowed by whitelist"); + } + // Deliver to Browser directly! response.setContentType("text/html"); PrintWriter pw = response.getWriter(); -- cgit v1.2.3