• Home
• org.owasp.esapi
• esapi
• 2.2.1.0-RC1
• source code
• SecurityWrapper.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.owasp.esapi.filters.SecurityWrapper Maven / Gradle / Ivy

/**
 * OWASP Enterprise Security API (ESAPI)
 * 
 * This file is part of the Open Web Application Security Project (OWASP)
 * Enterprise Security API (ESAPI) project. For details, please see
 * http://www.owasp.org/index.php/ESAPI.
 *
 * Copyright (c) 2007 - The OWASP Foundation
 * 
 * The ESAPI is published by OWASP under the BSD license. You should read and accept the
 * LICENSE before you use, modify, and/or redistribute this software.
 * 
 * @author Jeff Williams Aspect Security
 * @created 2007
 */
package org.owasp.esapi.filters;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.StringUtilities;


/**
 * This filter wraps the incoming request and outgoing response and overrides
 * many methods with safer versions. Many of the safer versions simply validate
 * parts of the request or response for unwanted characters before allowing the
 * call to complete. Some examples of attacks that use these
 * vectors include request splitting, response splitting, and file download
 * injection. Attackers use techniques like CRLF injection and null byte injection
 * to confuse the parsing of requests and responses.
 * 

 * Example Configuration #1 (Default Configuration allows /WEB-INF):
 * 
 * <filter>
 *    <filter-name>SecurityWrapperDefault</filter-name>
 *    <filter-class>org.owasp.filters.SecurityWrapper</filter-class>
 * </filter>
 * 
 * 

 * Example Configuration #2 (Allows /servlet)
 * 
 * <filter>
 *    <filter-name>SecurityWrapperForServlet</filter-name>
 *    <filter-class>org.owasp.filters.SecurityWrapper</filter-class>
 *    <init-param>
 *       <param-name>allowableResourceRoot</param-name>
 *       <param-value>/servlet</param-value>
 *    </init-param>
 * </filter>
 * 
 *
 * @author  Chris Schmidt ([email protected])
 */
public class SecurityWrapper implements Filter {

    private final Logger logger = ESAPI.getLogger("SecurityWrapper");

    /**
     * This is the root path of what resources this filter will allow a RequestDispatcher to be dispatched to. This
     * defaults to WEB-INF as best practice dictates that dispatched requests should be done to resources that are
     * not browsable and everything behind WEB-INF is protected by the container. However, it is possible and sometimes
     * required to dispatch requests to places outside of the WEB-INF path (such as to another servlet).
     *
     * See http://code.google.com/p/owasp-esapi-java/issues/detail?id=70
     * and https://lists.owasp.org/pipermail/owasp-esapi/2009-December/001672.html
     * for details.
     */
    private String allowableResourcesRoot = "WEB-INF";

    /**
     *
     * @param request
     * @param response
     * @param chain
     * @throws java.io.IOException
     * @throws javax.servlet.ServletException
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }

        try {
            HttpServletRequest hrequest = (HttpServletRequest)request;
            HttpServletResponse hresponse = (HttpServletResponse)response;

            SecurityWrapperRequest secureRequest = new SecurityWrapperRequest(hrequest);
            SecurityWrapperResponse secureResponse = new SecurityWrapperResponse(hresponse);

            // Set the configuration on the wrapped request
            secureRequest.setAllowableContentRoot(allowableResourcesRoot);

            ESAPI.httpUtilities().setCurrentHTTP(secureRequest, secureResponse);

            chain.doFilter(ESAPI.currentRequest(), ESAPI.currentResponse());
        } catch (Exception e) {
            logger.error( Logger.SECURITY_FAILURE, "Error in SecurityWrapper: " + e.getMessage(), e );
            request.setAttribute("message", e.getMessage() );
        } finally {
            // VERY IMPORTANT
            // clear out the ThreadLocal variables in the authenticator
            // some containers could possibly reuse this thread without clearing the User
            // Issue 70 - http://code.google.com/p/owasp-esapi-java/issues/detail?id=70
            ESAPI.httpUtilities().clearCurrent();
        }
    }

    /**
     *
     */
    public void destroy() {
		// no special action
	}

    /**
     *
     * @param filterConfig
     * @throws javax.servlet.ServletException
     */
    public void init(FilterConfig filterConfig) throws ServletException {
		this.allowableResourcesRoot = StringUtilities.replaceNull( filterConfig.getInitParameter( "allowableResourcesRoot" ), allowableResourcesRoot );
	}
	
}