Browse Source

Add web security restrictions for demonstration page

Signed-off-by: Pekka Helenius <fincer89@hotmail.com>
v0.0.4-alpha
Pekka Helenius 4 years ago
parent
commit
6306d53e51
3 changed files with 60 additions and 1 deletions
  1. +20
    -0
      bookstore/src/main/java/com/fjordtek/bookstore/web/BookBasePathAwareController.java
  2. +34
    -1
      bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java
  3. +6
    -0
      bookstore/src/main/resources/templates/fragments/bookfields.html

+ 20
- 0
bookstore/src/main/java/com/fjordtek/bookstore/web/BookBasePathAwareController.java View File

@ -24,6 +24,7 @@ import com.fjordtek.bookstore.model.book.BookRepository;
import com.fjordtek.bookstore.model.book.CategoryRepository; import com.fjordtek.bookstore.model.book.CategoryRepository;
import com.fjordtek.bookstore.service.BookAuthorHelper; import com.fjordtek.bookstore.service.BookAuthorHelper;
import com.fjordtek.bookstore.service.HttpServerLogger; import com.fjordtek.bookstore.service.HttpServerLogger;
import com.fjordtek.bookstore.service.session.BookStoreWebRestrictions;
/** /**
* *
@ -56,6 +57,9 @@ public class BookBasePathAwareController {
@Autowired @Autowired
private HttpServerLogger httpServerLogger; private HttpServerLogger httpServerLogger;
@Autowired
private BookStoreWebRestrictions webRestrictions;
////////////////////////////// //////////////////////////////
private void bookGetAndSetNestedJSON(Book book, JsonNode bookNode) { private void bookGetAndSetNestedJSON(Book book, JsonNode bookNode) {
// Nested data: Determine nested JSON keys & their values // Nested data: Determine nested JSON keys & their values
@ -108,6 +112,22 @@ public class BookBasePathAwareController {
HttpServletResponse responseData HttpServletResponse responseData
) { ) {
////////////
/*
* Hard-coded book count limit.
* Added as we expose all accounts to internet
* due to course requirements & demo purposes.
*
* It is assumed that admin account is exposed, too.
*
* In real life, this must never be a case!
* Instead, we should have a proper admin-only
* configuration panel where to set these values.
*/
if (webRestrictions.limitBookMaxCount("prod")) {
return new ResponseEntity<>(HttpStatus.BAD_REQUEST);
}
try { try {
/* /*


+ 34
- 1
bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java View File

@ -39,6 +39,7 @@ import com.fjordtek.bookstore.model.book.CategoryRepository;
import com.fjordtek.bookstore.service.BigDecimalPropertyEditor; import com.fjordtek.bookstore.service.BigDecimalPropertyEditor;
import com.fjordtek.bookstore.service.BookAuthorHelper; import com.fjordtek.bookstore.service.BookAuthorHelper;
import com.fjordtek.bookstore.service.HttpServerLogger; import com.fjordtek.bookstore.service.HttpServerLogger;
import com.fjordtek.bookstore.service.session.BookStoreWebRestrictions;
/** /**
* *
@ -85,6 +86,9 @@ public class BookController {
@Autowired @Autowired
private BookEventHandler bookEventHandler; private BookEventHandler bookEventHandler;
@Autowired
private BookStoreWebRestrictions webRestrictions;
/* /*
private Map<String,String> globalModelMap = new HashMap<String,String>() { private Map<String,String> globalModelMap = new HashMap<String,String>() {
private static final long serialVersionUID = 1L; private static final long serialVersionUID = 1L;
@ -190,9 +194,38 @@ public class BookController {
@Valid @ModelAttribute("book") Book book, @Valid @ModelAttribute("book") Book book,
BindingResult bindingResult, BindingResult bindingResult,
HttpServletRequest requestData, HttpServletRequest requestData,
HttpServletResponse responseData
HttpServletResponse responseData,
RedirectAttributes redirectAttributes
) { ) {
////////////
/*
* Hard-coded book count limit.
* Added as we expose all accounts to internet
* due to course requirements & demo purposes.
*
* It is assumed that admin account is exposed, too.
*
* In real life, this must never be a case!
* Instead, we should have a proper admin-only
* configuration panel where to set these values.
*/
if (webRestrictions.limitBookMaxCount("prod")) {
redirectAttributes.addFlashAttribute(
"bookmaxcount",
msg.getMessage(
"security.book.count.max.msg",
null,
"security.book.count.max.msg [placeholder]",
requestData.getLocale()
)
+ " " + env.getProperty("security.book.count.max") + "."
);
return "redirect:" + env.getProperty("page.url.add");
}
// TODO consider better solution. Add custom Hibernate annotation for Book class? // TODO consider better solution. Add custom Hibernate annotation for Book class?
if (bookRepository.existsByIsbn(book.getIsbn())) { if (bookRepository.existsByIsbn(book.getIsbn())) {
bindingResult.rejectValue( bindingResult.rejectValue(


+ 6
- 0
bookstore/src/main/resources/templates/fragments/bookfields.html View File

@ -11,6 +11,12 @@
<th:block th:fragment="bookfields"> <th:block th:fragment="bookfields">
<div class="bookform-section"> <div class="bookform-section">
<div class="alert alert-danger mt-2" th:if="${bookmaxcount != null}"
th:text="${bookmaxcount}">
Unable to add more books. Book count limit is X.
</div>
<div> <div>
<h3 th:text="${#messages.msgOrNull('book.author')} ?: 'book.author'"> <h3 th:text="${#messages.msgOrNull('book.author')} ?: 'book.author'">
book.author book.author


Loading…
Cancel
Save