Spring boot examples update

bprokopc · bprokopc · commit 5352e7f33967 · 2017-12-19T08:05:54.000Z
diff --git a/java8/flex-sdk-spring-boot/src/main/java/com/cybersource/flex/application/CheckoutController.java b/java8/flex-sdk-spring-boot/src/main/java/com/cybersource/flex/application/CheckoutController.java
@@ -7,11 +7,14 @@
 import com.cybersource.flex.sdk.FlexService;
 import com.cybersource.flex.sdk.exception.FlexException;
 import com.cybersource.flex.sdk.model.FlexPublicKey;
+import java.util.HashMap;
 import java.util.Map;
+import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -22,8 +25,14 @@ public class CheckoutController {
     @Autowired
     private FlexService flexService;
 
+    @ModelAttribute
+    public void setFramingResponseHeader(HttpServletResponse response) {
+        response.setHeader("X-Frame-Options", "DENY");
+    }
+
     @RequestMapping("/")
-    String redirect() {
+    String redirect(final HttpSession session) {
+        session.invalidate();
         return "redirect:checkout";
     }
 
@@ -39,7 +48,9 @@ String checkout(final HttpSession session, final Model model) throws FlexExcepti
     }
 
     @RequestMapping(value = "/receipt", method = RequestMethod.POST)
-    String receipt(@RequestParam final Map<String, Object> postParams, final HttpSession session, final Model model) throws FlexException {
+    String receipt(@RequestParam Map<String, Object> postParams, final HttpSession session, final Model model) throws FlexException {
+        postParams = validateUntrustedParameters(postParams);
+
         // Read in the public key to be used and remove it from the session
         final FlexPublicKey key = (FlexPublicKey) session.getAttribute("flexPublicKey");
         session.removeAttribute("flexPublicKey"); // no longer needed
@@ -59,4 +70,14 @@ String receipt(@RequestParam final Map<String, Object> postParams, final HttpSes
         return "receipt";
     }
 
+    private Map<String, Object> validateUntrustedParameters(Map<String, Object> parameters) {
+        Map<String, Object> retVal = new HashMap<>();
+        // Each parameter must undergo proper validation / sanitization.
+        // The type of validation to be implemented will vary between individual
+        // Flex API integrations. It is merchant's responsibility to implement adequate
+        // parameter validation for production deployments.
+        parameters.forEach((k, v) -> retVal.put(k, v));
+        return retVal;
+    }
+
 }
diff --git a/java8/flex-sdk-spring-boot/src/main/resources/templates/checkout.html b/java8/flex-sdk-spring-boot/src/main/resources/templates/checkout.html
@@ -55,7 +55,6 @@
                                 </div>
                                 <div class="col-xs-6">
                                     <select class="form-control" name="expiryYear" id="expiryYear">
-                                        <option>2018</option>
                                         <option>2019</option>
                                         <option>2020</option>
                                         <option>2021</option>
diff --git a/java8/spring-boot/src/main/java/com/cybersource/flex/application/CheckoutController.java b/java8/spring-boot/src/main/java/com/cybersource/flex/application/CheckoutController.java
@@ -9,13 +9,16 @@
 import com.cybersource.flex.models.KeyResult;
 import com.cybersource.flex.vdp.VDPEnpoints;
 import java.security.PublicKey;
+import java.util.HashMap;
 import java.util.Map;
 import javax.annotation.PostConstruct;
+import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -42,8 +45,14 @@ private void postConstruct() {
         restTemplate.getMessageConverters().add(0, new KeyParametersMessageConverter(apiKey, sharedSecret));
     }
 
+    @ModelAttribute
+    public void setFramingResponseHeader(HttpServletResponse response) {
+        response.setHeader("X-Frame-Options", "DENY");
+    }
+
     @RequestMapping("/")
-    String redirect() {
+    String redirect(final HttpSession session) {
+        session.invalidate();
         return "redirect:checkout";
     }
 
@@ -63,7 +72,9 @@ String checkout(final HttpSession session, final Model model) {
     }
 
     @RequestMapping(value = "/receipt", method = RequestMethod.POST)
-    String receipt(@RequestParam final Map<String, Object> postParams, final HttpSession session, final Model model) {
+    String receipt(@RequestParam Map<String, Object> postParams, final HttpSession session, final Model model) {
+        postParams = validateUntrustedParameters(postParams);
+
         // Read in the public key to use and remove it from the session
         PublicKey flexPublicKey = (PublicKey) session.getAttribute("flexPublicKey");
         session.removeAttribute("flexPublicKey"); // no longer needed
@@ -89,9 +100,18 @@ String receipt(@RequestParam final Map<String, Object> postParams, final HttpSes
          * For demonstration purposes, all post parameters are added to the view
          * model to display data received from cardholder's browser.
          */
-
         model.addAttribute("postParams", postParams);
         return "receipt";
     }
 
+    private Map<String, Object> validateUntrustedParameters(Map<String, Object> parameters) {
+        Map<String, Object> retVal = new HashMap<>();
+        // Each parameter must undergo proper validation / sanitization.
+        // The type of validation to be implemented will vary between individual
+        // Flex API integrations. It is merchant's responsibility to implement adequate
+        // parameter validation for production deployments.
+        parameters.forEach((k, v) -> retVal.put(k, v));
+        return retVal;
+    }
+
 }
diff --git a/java8/spring-boot/src/main/resources/templates/checkout.html b/java8/spring-boot/src/main/resources/templates/checkout.html
@@ -56,9 +56,6 @@
                         </div>
                         <div class="col-xs-6">
                             <select class="form-control" name="cardExpirationYear" id="cardExpirationYear">
-                                <option>2016</option>
-                                <option>2017</option>
-                                <option>2018</option>
                                 <option>2019</option>
                                 <option>2020</option>
                                 <option>2021</option>
