Commit 297261af authored by Matija Obreza's avatar Matija Obreza

Use ${base.url} in generated javascript

Check request Referrer before serving /api/genesys-api.js
parent 0c6f8564
......@@ -16,6 +16,8 @@
package org.genesys2.server.servlet.controller;
import java.util.List;
import org.genesys2.server.exception.NotUniqueUserException;
import org.genesys2.server.exception.UserException;
import org.genesys2.server.model.impl.User;
......@@ -23,6 +25,7 @@ import org.genesys2.server.service.OAuth2ClientDetailsService;
import org.genesys2.server.service.UserService;
import org.genesys2.server.servlet.model.UserList;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.dao.DataIntegrityViolationException;
import org.springframework.http.MediaType;
import org.springframework.security.access.prepost.PreAuthorize;
......@@ -30,9 +33,12 @@ import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.*;
import java.util.List;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
/**
* User REST-controller. It produces and consumes JSON. For "USER" role all
......@@ -43,8 +49,12 @@ import java.util.List;
@Controller
public class UsersRestController extends BaseController {
@Value("${base.url}")
private String baseUrl;
@Autowired
protected UserService userService;
@Autowired
private OAuth2ClientDetailsService clientDetailsService;
......@@ -98,8 +108,7 @@ public class UsersRestController extends BaseController {
"var js, gjs = d.getElementsByTagName(s)[0];\n" +
"if (d.getElementById(id)) return;\n" +
"js = d.createElement(s); js.id = id;\n" +
// "js.src = '/api/genesys-api.js?client_id="+clientDetails.getClientId()+"&client_secret="+clientDetails.getClientSecret()+"';\n" +
"js.src = 'https://www.genesys-pgr.org/api/genesys-api.js?client_id="+clientDetails.getClientId()+"&client_secret="+clientDetails.getClientSecret()+"';\n" +
"js.src = '"+baseUrl+"/api/genesys-api.js?client_id="+clientDetails.getClientId()+"&client_secret="+clientDetails.getClientSecret()+"';\n" +
"gjs.parentNode.insertBefore(js, gjs);\n" +
"}(document, 'script', 'genesys-api'));</script>";
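Review bot: `baseUrl` on the new `js.src` line is spliced into a single-quoted JavaScript string literal with no escaping or normalization, so a `base.url` value containing `'` breaks the generated script and one ending in `/` yields `//api/genesys-api.js`; normalizing once where the property is injected, e.g. `baseUrl = baseUrl.replaceAll("/+$", "");`, or documenting the expected form on the `baseUrl` field, would settle it. The same line still places `client_secret` in a script URL that every visitor of the embedding page can read and that ends up in browser history and proxy logs, and the Referer check added in ApiFilter does not change that exposure because the header is supplied by the client; a comment such as `// NOTE: client_secret is visible to the browser here; ApiFilter's Referer check only limits casual embedding` would make the trade-off explicit for the next maintainer. The enclosing method starts outside the hunk.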
......
/**
* Copyright 2014 Global Crop Diversity Trust
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
**/
package org.genesys2.server.servlet.filter;
import org.apache.commons.lang.StringUtils;
import org.genesys2.server.service.OAuth2ClientDetailsService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.stereotype.Component;
......@@ -10,26 +29,41 @@ import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Component("apiFilter")
public class ApiFilter extends OncePerRequestFilter {
private static final Logger _logger = LoggerFactory.getLogger(ApiFilter.class);
@Autowired
private OAuth2ClientDetailsService clientDetailsService;
@Autowired
private OAuth2ClientDetailsService clientDetailsService;
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
String clientId = request.getParameter("client_id");
String clientSecret = request.getParameter("client_secret");
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
String clientId = request.getParameter("client_id");
String clientSecret = request.getParameter("client_secret");
String referrer = request.getHeader("Referer");
ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId);
ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId);
if (clientDetails!=null&&clientDetails.getClientSecret().equals(clientSecret)) {
filterChain.doFilter(request, response);
} else {
//Wrong token
response.sendRedirect("/api/error.js");
}
}
try {
if (!clientDetails.getClientSecret().equals(clientSecret)) {
throw new Exception("Invalid client secret");
}
if (StringUtils.isBlank(referrer)) {
throw new Exception("Referrer not provided by client");
}
if (!clientDetails.getRegisteredRedirectUri().contains(referrer)) {
throw new Exception("Referrer not registered with client " + referrer);
}
filterChain.doFilter(request, response);
} catch (Throwable e) {
_logger.warn(e.getMessage());
response.sendRedirect("/api/error.js");
}
}
}
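Review bot: An unknown client_id is no longer handled: `loadClientByClientId` runs on the line before the `try`, so a service that throws for an unregistered client now propagates out of the filter, and one that returns null (the case the removed `clientDetails!=null` guard covered) hits an NPE inside the `try` whose `getMessage()` is null, producing a bare `null` warning. Keeping `filterChain.doFilter` inside the same `try` also reports any exception from downstream handlers as a credential failure and answers it with `sendRedirect`, which itself throws `IllegalStateException` once the response is committed. The Referer comparison is an exact match of the full header value against `getRegisteredRedirectUri()`, so a page with a path or query string will not match a registered origin; confirm whether the registered values are full page URLs or origins before relying on it, and note that the header is set by the client, so this is a courtesy check rather than authentication. The sketch below makes the lookup result explicit, narrows the catch, keeps `doFilter` outside it, and logs the client id instead of an exception message.
```java
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
    // … unchanged: clientId, clientSecret, referrer extraction …

    ClientDetails clientDetails = null;
    try {
        clientDetails = clientDetailsService.loadClientByClientId(clientId);
    } catch (RuntimeException e) {
        // depending on the service, an unregistered client_id may throw rather than return null
        _logger.warn("Client lookup failed for client_id={}", clientId, e);
    }
    if (clientDetails == null || !clientDetails.getClientSecret().equals(clientSecret)) {
        _logger.warn("Unknown client or invalid client secret for client_id={}", clientId);
        response.sendRedirect("/api/error.js");
        return;
    }
    if (StringUtils.isBlank(referrer)) {
        _logger.warn("Referrer not provided by client_id={}", clientId);
        response.sendRedirect("/api/error.js");
        return;
    }
    if (!clientDetails.getRegisteredRedirectUri().contains(referrer)) {
        _logger.warn("Referrer {} not registered with client_id={}", referrer, clientId);
        response.sendRedirect("/api/error.js");
        return;
    }
    // outside any catch: downstream failures surface as themselves, not as a credential error
    filterChain.doFilter(request, response);
}
```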