/**
* OWASP Enterprise Security API (ESAPI)
*
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project. For details, please see
* http://www.owasp.org/index.php/ESAPI.
*
* Copyright (c) 2009 - The OWASP Foundation
*
* The ESAPI is published by OWASP under the BSD license. You should read and accept the
* LICENSE before you use, modify, and/or redistribute this software.
*
* @author Arshan Dabirsiaghi Aspect Security
* @created 2009
*/
package org.owasp.esapi.waf.internal;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.owasp.esapi.waf.rules.AddHTTPOnlyFlagRule;
import org.owasp.esapi.waf.rules.AddSecureFlagRule;
import org.owasp.esapi.waf.rules.Rule;
/**
* The wrapper for the HttpServletResponse object which will be passed to the application
* being protected by the WAF. It contains logic for the response building API in order
* to allow the WAF rules regarding responses to work. Much of the work is delegated to
* other classes, especially InterceptingServletOutputStream.
*
* @author Arshan Dabirsiaghi
*
*/
public class InterceptingHTTPServletResponse extends HttpServletResponseWrapper {
/** Writer handed to the application; wraps a {@link PrintWriter} over {@link #isos}, so characters written through it go through the intercepting stream. */
private InterceptingPrintWriter ipw;
/** Intercepting stream wrapped around the real response's output stream; built with the {@code buffering} flag given to the constructor (its effect is defined in InterceptingServletOutputStream). */
private InterceptingServletOutputStream isos;
/** Content type captured from the wrapped response at construction time. */
private String contentType;
/** Raw list, created empty in the constructor; presumably holds the {@link AddSecureFlagRule} entries taken from {@code cookieRules} -- the loop that fills it is not intact in this listing. */
private List addSecureFlagRules = null;
/** Raw list, created empty in the constructor; presumably holds the {@link AddHTTPOnlyFlagRule} entries taken from {@code cookieRules} -- the loop that fills it is not intact in this listing. */
private List addHTTPOnlyFlagRules = null;
// NOTE(review): these two flags look like guards so that getWriter() and
// getOutputStream() are not both handed out for the same response; the code
// that reads them is not visible in this listing -- confirm.
private boolean alreadyCalledWriter = false;
private boolean alreadyCalledOutputStream = false;
/**
 * Wraps the container's response so that everything the protected application
 * writes passes through the WAF's intercepting stream and writer.
 *
 * @param response the real response to wrap
 * @param buffering passed straight through to {@link InterceptingServletOutputStream}
 * @param cookieRules rules to be sorted into the Secure-flag and HttpOnly-flag lists
 *        (the loop doing so is garbled in this listing, see the note below)
 * @throws IOException if the wrapped response's output stream cannot be obtained
 */
public InterceptingHTTPServletResponse(HttpServletResponse response, boolean buffering, List cookieRules) throws IOException {
super(response);
this.contentType = response.getContentType();
this.isos = new InterceptingServletOutputStream(response.getOutputStream(), buffering);
this.ipw = new InterceptingPrintWriter(new PrintWriter(isos));
addSecureFlagRules = new ArrayList();
addHTTPOnlyFlagRules = new ArrayList();
// NOTE(review): the next line is the start of the loop over cookieRules fused
// with the remains of a comment; the rest of the constructor and the signature
// of the cookie-header builder that follows are missing from this listing.
for(int i=0;i=[; =][; expires=][;
// Hand-built Set-Cookie value. Attributes are appended in this order:
// name=value[; Max-Age=n][; Domain=d][; Path=p][; Secure][; HttpOnly]
String header = name + "=" + value;
// A temporary cookie gets no Max-Age, so the browser treats it as session-scoped.
if ( ! isTemporary ) {
header += "; Max-Age=" + maxAge;
}
if (domain != null) {
header += "; Domain=" + domain;
}
if (path != null) {
header += "; Path=" + path;
}
// The Secure and HttpOnly attributes are emitted only when the corresponding
// flag is set; nothing in this method adds them on its own.
if ( secure ) {
header += "; Secure";
}
if (httpOnly) {
header += "; HttpOnly";
}
// NOTE(review): name, value, domain and path are concatenated without any
// escaping, so a value containing ';' or CR/LF would alter the header's
// structure; this relies on the caller (not visible here) rejecting such
// input -- confirm.
return header;
}
}