Requires Java 8 and Maven 3.x
$ git clone https://github.com/pieter-van-prooijen/tv-ad-pricing-table.git
$ cd tv-ad-pricing-table
$ mvn clean install
$ java -jar webapp/target/tv-ad-pricing-webapp-0.1.0.jar --service.directory=./sample-service-providers/target
This will start the REST service and read / write the service jars from the build directory of the sample service providers. The embedded Tomcat also serves a simple single-page JavaScript application to demo the REST endpoints.
Open the URL at [http://localhost:8080/index.html] and log in with either of the following credentials:
- user/user-password (user role)
- admin/admin-password (admin role)
Because the application uses basic authentication, the "logout" link only works under Firefox (and you need to give your credentials twice). In Chrome, to re-authenticate as another user, close the browser and open it again on the application.
Go to the sample-service-providers directory, make some changes to the code and build the jar. Using the [http://localhost:8080/index.html] URL, load the new jar in the application. Changes to the pricing should now become visible in the pricing table page.
Modules:
Contains the interface and value objects for the ChannelPricingService.
Contains two example providers which implement the interface above. Note that these are very simple, real service providers would function as a proxy to fetch prices from a database, invoke other web services etc.
REST service and Single Page App to demo the REST service.
The REST endpoint is defined in ChannelController. The single endpoint serves up the pricing for all channels.
The service handling is in the ServiceLocator class. It takes care of enumerating the available services and reloading them when the jar changes.
The administration (REST) endpoint is in the ChannelPricingJarsController. This handles file uploads to the application. Only admin users can access this endpoint (and the corresponding form).
The endpoints are secured with Spring Security, configured using SecurityConfig and the @Secured annotations on the appropriate controller methods.
The request.sh and upload.sh scripts contain curl invocations to exercise the REST endpoints directly.
- The application uses basic authentication over plain HTTP. Normally you would only use this over HTTPS (and enforce it with redirects and strict transport security headers). Another way to secure the REST service would be to use some form of authentication token, like JSON Web Tokens.
- The cross-site request forgery (CSRF) protection in Spring Security had to be turned off because the upload form is currently not generated by Spring MVC, which means the CSRF token is not available for resubmission. Normally this would be turned on (if using basic authentication for security), to prevent uploading malicious jars to the application.
- Due to time constraints, there is little error handling and only a few unit tests. For further functional tests, the Spring MVC test support could be used.
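
The HTTPS and CSRF notes above, sketched as a Spring Security configuration. This is an added example, not the project's SecurityConfig: the class name HardenedSecurityConfig is hypothetical, it assumes Spring Security 4.1 or later with the WebSecurityConfigurerAdapter style, that every request requires a login, and that the single-page app submits the upload with XMLHttpRequest so it can set a request header. The user store is left as the application already defines it.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Hypothetical class (assumption), shown beside the notes above for comparison.
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true) // keeps @Secured on controller methods in force
public class HardenedSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Redirect every plain-HTTP request to HTTPS, so the basic
            // authentication header is never sent in clear text.
            .requiresChannel().anyRequest().requiresSecure()
            .and()
            // Strict-Transport-Security: the browser refuses plain HTTP
            // to this host for one year after the first HTTPS response.
            .headers()
                .httpStrictTransportSecurity()
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000)
                .and()
            .and()
            // Assumption: all pages and endpoints require authentication.
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .httpBasic()
            .and()
            // CSRF stays enabled. The token is issued in a cookie named
            // XSRF-TOKEN that page script can read (HttpOnly is off), so a
            // form that is not rendered by Spring MVC can still return it
            // in the X-XSRF-TOKEN request header on the upload POST.
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

The redirect only helps once the embedded Tomcat has a TLS connector, for example through Spring Boot's `server.ssl.*` properties. A plain HTML multipart form post cannot set the header, which is why the XMLHttpRequest assumption matters for the upload form.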