Update Java SpringBoot example for VISA Developer Platform

Author: bprokopc

java/spring-boot/.gitignore

@@ -1,40 +1,42 @@
-# Covers all spring-boot ignore files
-# Reference: https://github.com/spring-projects/spring-boot/blob/master/.gitignore
-
-.gradle
-*.sw?
-.#*
-*#
-*~
-/build
-/code
-.classpath
-.project
-.settings
-.metadata
-.factorypath
-.recommenders
-bin
-build
-lib/
-target
-.factorypath
-.springBeans
-interpolated*.xml
-dependency-reduced-pom.xml
-build.log
-_site/
-.*.md.html
-manifest.yml
-MANIFEST.MF
-settings.xml
-activemq-data
-overridedb.*
-*.iml
-*.ipr
-*.iws
-.idea
-*.jar
-.DS_Store
-.factorypath
-dump.rdb
+# Covers all spring-boot ignore files
+# Reference: https://github.com/spring-projects/spring-boot/blob/master/.gitignore
+
+.gradle
+*.sw?
+.#*
+*#
+*~
+/build
+/code
+.classpath
+.project
+.settings
+.metadata
+.factorypath
+.recommenders
+bin
+build
+lib/
+target
+.factorypath
+.springBeans
+interpolated*.xml
+dependency-reduced-pom.xml
+build.log
+_site/
+.*.md.html
+manifest.yml
+MANIFEST.MF
+settings.xml
+activemq-data
+overridedb.*
+*.iml
+*.ipr
+*.iws
+.idea
+*.jar
+.DS_Store
+.factorypath
+dump.rdb
+
+nbactions.xml

java/spring-boot/README.md

@@ -10,15 +10,11 @@ A minimalist java/spring-boot example integration using Flex-API tokenization.
 
 ## Setup Instructions
 
-1. Modify `./src/main/resources/application.properties` with the credentials provided by customer support in your private BETA invite and that your `.p12` key is placed in the directory specified.
+1. Modify `./src/main/resources/application.properties` with the credentials created through [VISA Developer Portal](https://developer.visa.com/).
 
   ```properties
-  mid=YOUR_MID
-  cmmKey=123456789012345678901234567890
-  organizationId=YOUR_ORD_ID
-  keyStoreFile=/your_keystore_file.p12
-  keyStorePassword=YOUR_KEYSTORE_PASS
-  privateKeyPassword=YOUR_PRIVKEY_PASS
+  vdp.api-key=_YOUR_APPLICATION_SPECIFIC_API_KEY_
+  vdp.shared-secret=_YOUR_APPLICATION_SPECIFIC_SHARED_SECRET_
   ```
 
 2. Build and run the application using maven
@@ -29,7 +25,7 @@ A minimalist java/spring-boot example integration using Flex-API tokenization.
 
 ## Tips
 
-- If you are having issues, checkout the full [FLEX documentation](http://apps.cybersource.com/library/documentation/dev_guides/Secure_Acceptance_Flex/html/).
+- If you are having issues, checkout the full [FLEX documentation](https://developer.visa.com/products/cybersource/reference#cybersource__cybersource_flex_api).
 
 - To change the port the application is served on, update `server.port=8443` in `application.properties`, replacing `8443` with your desired port number.
 

java/spring-boot/pom.xml

@@ -48,11 +48,5 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
         </dependency>
-        <!-- bouncycastle for cryptography -->
-        <dependency>
-            <groupId>org.bouncycastle</groupId>
-            <artifactId>bcprov-jdk15on</artifactId>
-            <version>1.51</version>
-        </dependency>
     </dependencies>
 </project>

java/spring-boot/src/main/java/com/cybersource/flex/application/CheckoutController.java

@@ -1,19 +1,19 @@
 /**
-* Copyright (c) 2016 by CyberSource
-* Governing licence: https://github.com/CyberSource/cybersource-flex-samples/blob/master/LICENSE.md
-*/
-
+ * Copyright (c) 2016 by CyberSource
+ * Governing licence: https://github.com/CyberSource/cybersource-flex-samples/blob/master/LICENSE.md
+ */
 package com.cybersource.flex.application;
 
 import com.cybersource.flex.models.KeyParameters;
+import com.cybersource.flex.models.KeyParametersMessageConverter;
 import com.cybersource.flex.models.KeyResult;
+import com.cybersource.flex.vdp.VDPEnpoints;
 import java.security.PublicKey;
 import java.util.Map;
+import javax.annotation.PostConstruct;
 import javax.servlet.http.HttpSession;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.http.HttpEntity;
-import org.springframework.http.HttpHeaders;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -24,16 +24,23 @@
 @Controller
 public class CheckoutController {
 
-    @Value("${mid}")
-    private String mid;
-    @Value("${profileId}")
-    private String profileId;
+    @Value("${vdp.api-key}")
+    private String apiKey;
+    @Value("${vdp.shared-secret}")
+    private String sharedSecret;
 
-    private final static String flexKeysEndpoint = "https://testflex.cybersource.com/cybersource/flex/v1/keys";
+    private final FlexSecurityService flexSecurityService;
+    private final RestTemplate restTemplate = new RestTemplate();
 
     @Autowired
-    private SecurityService securityService;
-    private final RestTemplate restTemplate = new RestTemplate();
+    public CheckoutController(final FlexSecurityService flexSecurityService) {
+        this.flexSecurityService = flexSecurityService;
+    }
+
+    @PostConstruct
+    private void postConstruct() {
+        restTemplate.getMessageConverters().add(0, new KeyParametersMessageConverter(apiKey, sharedSecret));
+    }
 
     @RequestMapping("/")
     String redirect() {
@@ -42,36 +49,26 @@ String redirect() {
 
     @RequestMapping("/checkout")
     String checkout(final HttpSession session, final Model model) {
-        // prepare HTTP headers to make server2flex rest call
-        final HttpHeaders headers = new HttpHeaders();
-        headers.set("X-MERCHANT-ID", mid);
-        securityService.addSignature(headers);
+        // retrieve one time use public RSA key from Flex to facilitate PAN encryption
+        final KeyParameters keyParameters = new KeyParameters();
+        KeyResult key = restTemplate.postForObject(VDPEnpoints.Sandbox.keysUrl(apiKey), keyParameters, KeyResult.class);
 
-        // prepare keys endpoint request payload
-        KeyParameters requestBody = new KeyParameters();
-        requestBody.setEncryptionType("WebCryptoAPI"); // encryption type
-
-        // retrieve one time use RSA public key
-        HttpEntity<KeyParameters> httpEntity = new HttpEntity<>(requestBody, headers);
-        KeyResult key = restTemplate.postForObject(flexKeysEndpoint, httpEntity, KeyResult.class);
-
-        // parse Flex public key in DER format and store it in session for future use.
-        PublicKey flexPublicKey = securityService.decodePublicKey(key.getDer().getPublicKey());
+        // parse Flex public key in DER format and store it in session for future use (i.e. to verify token signature)
+        PublicKey flexPublicKey = flexSecurityService.decodePublicKey(key.getDer().getPublicKey());
         session.setAttribute("flexPublicKey", flexPublicKey);
 
-        // Add JSON Web Keystore to the view model and return rendered page
+        // Add JSON Web Keystore to the view model and return rendered "checkout" page
         model.addAttribute("jwk", key.getJwk());
         return "checkout";
     }
 
     @RequestMapping(value = "/receipt", method = RequestMethod.POST)
     String receipt(@RequestParam final Map<String, Object> postParams, final HttpSession session, final Model model) {
-
         // Read in the public key to use and remove it from the session
         PublicKey flexPublicKey = (PublicKey) session.getAttribute("flexPublicKey");
-        session.removeAttribute("flexPublicKey");
+        session.removeAttribute("flexPublicKey"); // no longer needed
 
-        // verify Flex signature passed as POST parameters
+        // verify Flex signature passed as POST parameter
         String signedFields = (String) postParams.get("flex_signedFields");
         StringBuilder sb = new StringBuilder();
         for (String k : signedFields.split(",")) {
@@ -80,14 +77,21 @@ String receipt(@RequestParam final Map<String, Object> postParams, final HttpSes
         }
         final String signedValues = sb.substring(1);
         final String signature = (String) postParams.get("flex_signature");
-        if (!securityService.verify(flexPublicKey, signedValues, signature)) {
+        if (!flexSecurityService.verify(flexPublicKey, signedValues, signature)) {
             throw new RuntimeException("The signature is not valid");
         }
 
-        // Add the post params to our view model
-        model.addAttribute("postParams", postParams);
+        /**
+         *
+         * The payment may now be completed using the received & validated
+         * token.
+         *
+         * For demonstration purposes, all post parameters are added to the view
+         * model to display data received from cardholder's browser.
+         */
 
+        model.addAttribute("postParams", postParams);
         return "receipt";
     }
 
-}
+}

java/spring-boot/src/main/java/com/cybersource/flex/application/EntryPoint.java

@@ -1,15 +1,12 @@
 /**
-* Copyright (c) 2016 by CyberSource
-* Governing licence: https://github.com/CyberSource/cybersource-flex-samples/blob/master/LICENSE.md
-*/
-
+ * Copyright (c) 2016 by CyberSource
+ * Governing licence: https://github.com/CyberSource/cybersource-flex-samples/blob/master/LICENSE.md
+ */
 package com.cybersource.flex.application;
 
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 
-import java.lang.reflect.Field;
-
 @SpringBootApplication
 public class EntryPoint {
 

java/spring-boot/src/main/java/com/cybersource/flex/application/FlexSecurityService.java

@@ -0,0 +1,45 @@
+/**
+ * Copyright (c) 2016 by CyberSource
+ * Governing licence: https://github.com/CyberSource/cybersource-flex-samples/blob/master/LICENSE.md
+ */
+package com.cybersource.flex.application;
+
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+import org.springframework.stereotype.Service;
+
+@Service
+public class FlexSecurityService {
+
+    private static final Base64.Decoder DECODER = Base64.getDecoder();
+
+    public PublicKey decodePublicKey(String derEncodedKey) {
+        try {
+            byte[] keyBytes = DECODER.decode(derEncodedKey);
+            PublicKey publicKey = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(keyBytes));
+            return publicKey;
+        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    public boolean verify(final PublicKey publicKey, final String dataToVerify, final String base64Signature) {
+        try {
+            final Signature signInstance = Signature.getInstance("SHA512withRSA");
+            signInstance.initVerify(publicKey);
+            signInstance.update(dataToVerify.getBytes());
+            byte[] signature = DECODER.decode(base64Signature);
+            return signInstance.verify(signature);
+        } catch (NoSuchAlgorithmException | InvalidKeyException | SignatureException ex) {
+            throw new RuntimeException(ex);
+        }
+    }
+
+}