• Home
• org.owasp.esapi
• esapi
• 2.2.1.0-RC1
• source code
• ClientInfoSupplier.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.owasp.esapi.logging.appender.ClientInfoSupplier Maven / Gradle / Ivy

/**
 * OWASP Enterprise Security API (ESAPI)
 * 
 * This file is part of the Open Web Application Security Project (OWASP)
 * Enterprise Security API (ESAPI) project. For details, please see
 * http://www.owasp.org/index.php/ESAPI.
 *
 * Copyright (c) 2007 - The OWASP Foundation
 * 
 * The ESAPI is published by OWASP under the BSD license. You should read and accept the
 * LICENSE before you use, modify, and/or redistribute this software.
 * 
 * @created 2019
 */

package org.owasp.esapi.logging.appender;

// Uncomment and use once ESAPI supports Java 8 as the minimal baseline.
// import java.util.function.Supplier;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.User;

/**
 * Supplier which can provide a String representing the client-side connection
 * information.
 */
public class ClientInfoSupplier // implements Supplier
{
    /** Default Last Host string if the Authenticated user is null.*/
    private static final String DEFAULT_LAST_HOST = "#UNKNOWN_HOST#";
    /** Session Attribute containing the ESAPI Session id. */
    private static final String ESAPI_SESSION_ATTR = "ESAPI_SESSION";
    /**
     * Minimum value for generating a random session value if one is not defined.
     */
    private static final int ESAPI_SESSION_RAND_MIN = 0;
    /**
     * Maximum value for generating a random session value if one is not defined.
     */
    private static final int ESAPI_SESSION_RAND_MAX = 1000000;

    /** Format for supplier output. */
    private static final String USER_INFO_FORMAT = "%s@%s"; // SID, USER_HOST_ADDRESS

    /** Whether to log the user info from this instance. */
    private boolean logClientInfo = true;

    // @Override    -- Uncomment when we switch to Java 8 as minimal baseline.
    public String get() {
        String clientInfo = "";

        if (logClientInfo) {
            HttpServletRequest request = ESAPI.currentRequest();
            // create a random session number for the user to represent the user's
            // 'session', if it doesn't exist already
            String sid = "";
            if (request != null) {
                HttpSession session = request.getSession(false);
                if (session != null) {
                    sid = (String) session.getAttribute(ESAPI_SESSION_ATTR);
                    // if there is no session ID for the user yet, we create one and store it in the
                    // user's session
                    if (sid == null) {
                        sid = "" + ESAPI.randomizer().getRandomInteger(ESAPI_SESSION_RAND_MIN, ESAPI_SESSION_RAND_MAX);
                        session.setAttribute(ESAPI_SESSION_ATTR, sid);
                    }
                }
            }
            // log user information - username:session@ipaddr
            User user = ESAPI.authenticator().getCurrentUser();
            if (user == null) {
                clientInfo = String.format(USER_INFO_FORMAT, sid, DEFAULT_LAST_HOST);
            } else {
                clientInfo = String.format(USER_INFO_FORMAT, sid, user.getLastHostAddress());
            }
        }
        return clientInfo;
    }

    /**
     * Specify whether the instance should record the client info.
     * 
     * @param log {@code true} to record
     */
    public void setLogClientInfo(boolean log) {
        this.logClientInfo = log;
    }

}