From 6306d53e5130de70cfc91b12d19907f59d7611a3 Mon Sep 17 00:00:00 2001 From: Pekka Helenius Date: Fri, 16 Oct 2020 16:10:45 +0300 Subject: [PATCH] Add web security restrictions for demonstration page Signed-off-by: Pekka Helenius --- .../web/BookBasePathAwareController.java | 20 +++++++++++ .../bookstore/web/BookController.java | 35 ++++++++++++++++++- .../templates/fragments/bookfields.html | 6 ++++ 3 files changed, 60 insertions(+), 1 deletion(-) diff --git a/bookstore/src/main/java/com/fjordtek/bookstore/web/BookBasePathAwareController.java b/bookstore/src/main/java/com/fjordtek/bookstore/web/BookBasePathAwareController.java index 016c945..cbf60db 100644 --- a/bookstore/src/main/java/com/fjordtek/bookstore/web/BookBasePathAwareController.java +++ b/bookstore/src/main/java/com/fjordtek/bookstore/web/BookBasePathAwareController.java @@ -24,6 +24,7 @@ import com.fjordtek.bookstore.model.book.BookRepository; import com.fjordtek.bookstore.model.book.CategoryRepository; import com.fjordtek.bookstore.service.BookAuthorHelper; import com.fjordtek.bookstore.service.HttpServerLogger; +import com.fjordtek.bookstore.service.session.BookStoreWebRestrictions; /** * @@ -56,6 +57,9 @@ public class BookBasePathAwareController { @Autowired private HttpServerLogger httpServerLogger; + @Autowired + private BookStoreWebRestrictions webRestrictions; + ////////////////////////////// private void bookGetAndSetNestedJSON(Book book, JsonNode bookNode) { // Nested data: Determine nested JSON keys & their values 
@@ -108,6 +112,22 @@ public class BookBasePathAwareController { HttpServletResponse responseData ) { + //////////// + /* + * Hard-coded book count limit. + * Added as we expose all accounts to internet + * due to course requirements & demo purposes. + * + * It is assumed that admin account is exposed, too. + * + * In real life, this must never be a case! + * Instead, we should have a proper admin-only + * configuration panel where to set these values. + */ + if (webRestrictions.limitBookMaxCount("prod")) { + return new ResponseEntity<>(HttpStatus.BAD_REQUEST); + } + try { /* diff --git a/bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java b/bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java index cb9e4b8..04fa155 100644 --- a/bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java +++ b/bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java @@ -39,6 +39,7 @@ import com.fjordtek.bookstore.model.book.CategoryRepository; import com.fjordtek.bookstore.service.BigDecimalPropertyEditor; import com.fjordtek.bookstore.service.BookAuthorHelper; import com.fjordtek.bookstore.service.HttpServerLogger; +import com.fjordtek.bookstore.service.session.BookStoreWebRestrictions; /** * @@ -85,6 +86,9 @@ public class BookController { @Autowired private BookEventHandler bookEventHandler; + @Autowired + private BookStoreWebRestrictions webRestrictions; + /* private Map globalModelMap = new HashMap() { private static final long serialVersionUID = 1L; 
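Review bot: The limit check inserted before the `try` block is a check-then-act sequence: `webRestrictions.limitBookMaxCount("prod")` is evaluated first and the book is persisted later with nothing holding the count fixed in between, so concurrent requests that each pass the check can all succeed and exceed the cap; tolerable for a demo, but a hard ceiling needs a database-side constraint or a single guarded section around count-and-save. Returning a bare `new ResponseEntity<>(HttpStatus.BAD_REQUEST)` also gives the client no reason, and 400 is the status normally used for malformed input, so the rejection looks like a validation error and nothing in this hunk records it even though the class holds an `httpServerLogger` field; a status with a body, e.g. `return ResponseEntity.status(HttpStatus.FORBIDDEN).body("book count limit reached");`, plus a log line would make the restriction observable. The literal `"prod"` (presumably a profile name) is repeated in BookController's hunk at -190; a named constant on `BookStoreWebRestrictions`, or an overload without the parameter, would keep the two call sites in step. The enclosing handler method starts and ends outside the hunk.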
@@ -190,9 +194,38 @@ public class BookController { @Valid @ModelAttribute("book") Book book, BindingResult bindingResult, HttpServletRequest requestData, - HttpServletResponse responseData + HttpServletResponse responseData, + RedirectAttributes redirectAttributes ) { + //////////// + /* + * Hard-coded book count limit. + * Added as we expose all accounts to internet + * due to course requirements & demo purposes. + * + * It is assumed that admin account is exposed, too. + * + * In real life, this must never be a case! + * Instead, we should have a proper admin-only + * configuration panel where to set these values. + */ + if (webRestrictions.limitBookMaxCount("prod")) { + redirectAttributes.addFlashAttribute( + "bookmaxcount", + msg.getMessage( + "security.book.count.max.msg", + null, + "security.book.count.max.msg [placeholder]", + requestData.getLocale() + ) + + " " + env.getProperty("security.book.count.max") + "." + ); + + return "redirect:" + env.getProperty("page.url.add"); + } + + // TODO consider better solution. Add custom Hibernate annotation for Book class? if (bookRepository.existsByIsbn(book.getIsbn())) { bindingResult.rejectValue( diff --git a/bookstore/src/main/resources/templates/fragments/bookfields.html b/bookstore/src/main/resources/templates/fragments/bookfields.html index 93ed202..8a032f3 100644 --- a/bookstore/src/main/resources/templates/fragments/bookfields.html +++ b/bookstore/src/main/resources/templates/fragments/bookfields.html @@ -11,6 +11,12 @@
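Review bot: The flash message and the redirect target on the new side depend on `env.getProperty("security.book.count.max")` and `env.getProperty("page.url.add")`, both of which return null when the key is absent, so a missing property yields a message ending in "null." and a `redirect:null`; `env.getRequiredProperty(...)`, or the `env.getProperty(key, defaultValue)` overload, fails loudly or falls back instead. The displayed limit is also read here independently of whatever `limitBookMaxCount` compares against, so if that method derives its ceiling in another way the number shown to the user may not be the one enforced. The twelve-line explanatory comment is duplicated verbatim from BookBasePathAwareController's hunk at -108; it belongs once as Javadoc on `BookStoreWebRestrictions.limitBookMaxCount`, with each call site reduced to one line such as `// Demo-only cap on stored books; see BookStoreWebRestrictions.limitBookMaxCount`. The enclosing handler method starts and ends outside the hunk.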
+ +
+ Unable to add more books. Book count limit is X. +
+

book.author