head fork: trifork/dgws
  • 6 commits
  • 7 files changed
  • 0 commit comments
  • 1 contributor
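--- a/dgws-spring/pom.xml
+++ b/dgws-spring/pom.xml
@@ -59,14 +59,49 @@
 </plugins>
 </build>
+ <dependencyManagement>
+ <dependencies>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-core</artifactId>
+ <version>3.1.1.RELEASE</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-beans</artifactId>
+ <version>3.1.1.RELEASE</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-context</artifactId>
+ <version>3.1.1.RELEASE</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-webmvc</artifactId>
+ <version>3.1.1.RELEASE</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-web</artifactId>
+ <version>3.1.1.RELEASE</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-aop</artifactId>
+ <version>3.1.1.RELEASE</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-oxm</artifactId>
+ <version>3.1.1.RELEASE</version>
+ </dependency>
+ </dependencies>
+ </dependencyManagement>
+
 <dependencies>
 <dependency>
 <groupId>org.springframework</groupId>
- <artifactId>spring-aop</artifactId>
- <version>3.1.1.RELEASE</version>
- </dependency>
- <dependency>
- <groupId>org.springframework</groupId>
 <artifactId>spring-aspects</artifactId>
 <version>3.1.1.RELEASE</version>
 </dependency>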
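Review bot: The new `<dependencyManagement>` block repeats the literal `3.1.1.RELEASE` seven times, and the `spring-aspects` entry in `<dependencies>` below still carries its own copy, so a later security upgrade of Spring can leave one artifact behind on the old release. Define the version once as a property and reference it everywhere, `<version>${spring.version}</version>`, and put `spring-aspects` under management too so its own `<version>` element can be dropped. The `<dependencies>` list continues past the end of the hunk, so any further Spring artifacts declared there are not visible here.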
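--- a/dgws-spring/src/main/java/com/trifork/dgws/SecurityCheckerImpl.java
+++ b/dgws-spring/src/main/java/com/trifork/dgws/SecurityCheckerImpl.java
@@ -9,21 +9,28 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.util.Assert;
+import static org.apache.commons.lang.StringUtils.isNotEmpty;
+
 public class SecurityCheckerImpl implements SecurityChecker {
 private static Logger logger = Logger.getLogger(SecurityCheckerImpl.class);
- @SuppressWarnings("SpringJavaAutowiringInspection should be wired by user")
- @Autowired
+
+ @Autowired(required = false)
 WhitelistChecker whitelistChecker;
 public void validateHeader(String whitelist, Security securityHeader) {
 //TODO: validering af signature
- Assert.hasText(whitelist);
- final String cvrNumber = findCvrNumber(securityHeader);
- logger.debug("Extracted CVR=" + cvrNumber + " from saml:assertion");
- if (!(whitelistChecker.getLegalCvrNumbers(whitelist).contains(cvrNumber))) {
- throw new IllegalAccessError("cvrNumber=" + cvrNumber + " was not found in whitelist=" + whitelist);
+ if (isNotEmpty(whitelist)) {
+ final String cvrNumber = findCvrNumber(securityHeader);
+ logger.debug("Extracted CVR=" + cvrNumber + " from saml:assertion");
+ if (!(whitelistChecker.getLegalCvrNumbers(whitelist).contains(cvrNumber))) {
+ logger.warn("whitelist check failed. cvrNumber=" + cvrNumber + " was not found in whitelist=" + whitelist);
+ throw new IllegalAccessError("cvrNumber=" + cvrNumber + " was not found in whitelist=" + whitelist);
+ }
+ }
+ else {
+ logger.debug("No whitelist checking");
 }
 }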
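Review bot: With `@Autowired(required = false)` the `whitelistChecker` field may be null, yet the non-empty branch of `validateHeader` still calls `whitelistChecker.getLegalCvrNumbers(whitelist)`, so a whitelisted method in a context without a checker bean fails with a NullPointerException rather than a clear authorization error. Guard the top of the `if (isNotEmpty(whitelist))` branch, e.g. `Assert.state(whitelistChecker != null, "whitelist requested but no WhitelistChecker bean is configured");`. The skip path is only visible at debug level (`logger.debug("No whitelist checking")`), and because the `//TODO` for signature validation is still open, an empty whitelist means this method performs no check on the header at all; that deserves a comment and arguably an info-level log line. `isNotEmpty` also lets a whitespace-only whitelist through to the checker, which the removed `Assert.hasText` used to reject.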
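--- a/dgws-spring/src/main/java/com/trifork/dgws/annotations/Protected.java
+++ b/dgws-spring/src/main/java/com/trifork/dgws/annotations/Protected.java
@@ -8,5 +8,5 @@
 @Retention(RetentionPolicy.RUNTIME)
 @Target({ElementType.METHOD})
 public @interface Protected {
- String whitelist();
+ String whitelist() default "";
 }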
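Review bot: `whitelist()` now defaults to `""`, and nothing on the annotation says what that means for a caller who writes a bare `@Protected`. Judging by the `SecurityCheckerImpl` change in this same comparison, an empty value skips the CVR whitelist check entirely, so the default is the least restrictive setting. Document that on the element, e.g. `/** Name of the CVR whitelist to enforce; the empty default disables the whitelist check. */`.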
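--- a/dgws-spring/src/test/java/com/trifork/dgws/ProtectedTarget.java
+++ b/dgws-spring/src/test/java/com/trifork/dgws/ProtectedTarget.java
@@ -1,10 +1,11 @@
 package com.trifork.dgws;
-import com.trifork.dgws.annotations.Protected;
 import org.springframework.ws.soap.SoapHeader;
 public interface ProtectedTarget {
 String hitMe();
 String hitMe(SoapHeader header);
+
+ String publicHitMe(SoapHeader soapHeader);
 }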
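--- a/dgws-spring/src/test/java/com/trifork/dgws/ProtectedTargetProxy.java
+++ b/dgws-spring/src/test/java/com/trifork/dgws/ProtectedTargetProxy.java
@@ -22,4 +22,9 @@ public String hitMe() {
 public String hitMe(SoapHeader header) {
 return target.hitMe(header);
 }
+
+ @Protected
+ public String publicHitMe(SoapHeader soapHeader) {
+ return target.publicHitMe(soapHeader);
+ }
 }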
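--- a/dgws-spring/src/test/java/com/trifork/dgws/SecurityCheckerImplTest.java
+++ b/dgws-spring/src/test/java/com/trifork/dgws/SecurityCheckerImplTest.java
@@ -2,6 +2,10 @@
 import org.junit.Before;
 import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
 import org.oasis_open.docs.wss._2004._01.oasis_200401_wss_wssecurity_secext_1_0.Security;
 import org.springframework.oxm.jaxb.Jaxb2Marshaller;
 import org.w3._2000._09.xmldsig.Signature;
@@ -12,14 +16,18 @@
 import static org.junit.Assert.*;
 import static org.mockito.Mockito.*;
+@RunWith(MockitoJUnitRunner.class)
 public class SecurityCheckerImplTest {
+ @InjectMocks
 SecurityCheckerImpl securityChecker = new SecurityCheckerImpl();
- private final WhitelistChecker whitelistChecker = mock(WhitelistChecker.class);
+
+ @Mock
+ WhitelistChecker whitelistChecker;
+
 Jaxb2Marshaller marshaller = new Jaxb2Marshaller();
 @Before
 public void setUp() throws Exception {
- securityChecker.whitelistChecker = whitelistChecker;
 marshaller.setClassesToBeBound(
 Security.class,
 Signature.class
@@ -28,6 +36,17 @@ public void setUp() throws Exception {
 }
 @Test
+ public void willNotWhitelistCheckIfCheckerIfProvided() throws Exception {
+ StreamSource source = new StreamSource(getClass().getResourceAsStream("/SecurityHeader1.xml"));
+ final Security securityHeader = (Security) marshaller.unmarshal(source);
+ assertNotNull(securityHeader);
+
+ securityChecker.validateHeader("", securityHeader);
+
+ verify(whitelistChecker, never()).getLegalCvrNumbers(any(String.class));
+ }
+
+ @Test
 public void canValidateCvrFromCarProviderID() throws Exception {
 StreamSource source = new StreamSource(getClass().getResourceAsStream("/SecurityHeader1.xml"));
 final Security securityHeader = (Security) marshaller.unmarshal(source);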
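Review bot: The new test `willNotWhitelistCheckIfCheckerIfProvided` has a garbled name and does not cover the case the production change introduces: it passes `""` while a mock `WhitelistChecker` is injected, so the path with a non-empty whitelist and no checker bean is never exercised. Rename it to something like `willNotWhitelistCheckIfNoWhitelistProvided`, and add a second test that sets `securityChecker.whitelistChecker = null`, calls `validateHeader` with a non-empty whitelist and asserts the failure expected there. `canValidateCvrFromCarProviderID` continues beyond the end of the hunk.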
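--- a/dgws-spring/src/test/java/com/trifork/dgws/aspect/DgwsProtectionAspectTest.java
+++ b/dgws-spring/src/test/java/com/trifork/dgws/aspect/DgwsProtectionAspectTest.java
@@ -125,6 +125,28 @@ public void willForwardCallToTargetAndStoreReplay() throws Exception {
 }
 @Test
+ public void willForwardWithoutWhitelist() throws Exception {
+ SoapHeaderElement soapHeaderElementHeader = mock(SoapHeaderElement.class);
+ SoapHeaderElement soapHeaderElementSecurity = mock(SoapHeaderElement.class);
+ Source sourceHeader = mock(Source.class);
+ Source sourceSecurity = mock(Source.class);
+ Header medcomHeader = createMedcomHeader("TEST");
+ Security security = new Security();
+
+ when(soapHeader.examineAllHeaderElements()).thenReturn(asList(soapHeaderElementHeader, soapHeaderElementSecurity).iterator());
+ when(soapHeaderElementHeader.getSource()).thenReturn(sourceHeader);
+ when(soapHeaderElementSecurity.getSource()).thenReturn(sourceSecurity);
+ when(unmarshaller.unmarshal(sourceHeader)).thenReturn(medcomHeader);
+ when(unmarshaller.unmarshal(sourceSecurity)).thenReturn(security);
+ when(protectedTargetMock.publicHitMe(soapHeader)).thenReturn("HIT");
+
+ assertEquals("HIT", protectedTargetProxy.publicHitMe(soapHeader));
+
+ verify(securityChecker).validateHeader("", security);
+ verify(protectedTargetMock).publicHitMe(soapHeader);
+ }
+
+ @Test
 public void willNotAllowNullSoapHeader() throws Exception {
 try {
 protectedTargetProxy.hitMe(null);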
