

/**
 * OWASP Enterprise Security API (ESAPI)
 * 
 * This file is part of the Open Web Application Security Project (OWASP)
 * Enterprise Security API (ESAPI) project. For details, please see
 * http://www.owasp.org/index.php/ESAPI.
 *
 * Copyright (c) 2009 - The OWASP Foundation
 * 
 * The ESAPI is published by OWASP under the BSD license. You should read and accept the
 * LICENSE before you use, modify, and/or redistribute this software.
 * 
 * @author Arshan Dabirsiaghi Aspect Security
 * @created 2009
 */
package org.owasp.esapi.waf.internal;

import java.io.IOException;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.ServletOutputStream;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

import org.owasp.esapi.waf.rules.AddHTTPOnlyFlagRule;
import org.owasp.esapi.waf.rules.AddSecureFlagRule;
import org.owasp.esapi.waf.rules.Rule;

/**
 * The wrapper for the HttpServletResponse object that is passed to the application
 * being protected by the WAF. It contains the logic for the response-building API
 * needed to let the WAF rules concerning responses work. Much of the work is delegated
 * to other classes, especially InterceptingServletOutputStream.
 * 
 * @author Arshan Dabirsiaghi
 *
 */
public class InterceptingHTTPServletResponse extends HttpServletResponseWrapper {

	// Writer handed to the application; built in the constructor as a PrintWriter over isos.
	private InterceptingPrintWriter ipw;
	// Output stream handed to the application; wraps the real response's output stream,
	// with buffering controlled by the constructor's "buffering" flag.
	private InterceptingServletOutputStream isos;
	// Content type captured from the wrapped response when this wrapper is constructed.
	private String contentType;

	// Raw List (pre-generics code); presumably holds AddSecureFlagRule instances selected
	// from the constructor's cookieRules — TODO confirm, the populating loop is not visible here.
	private List addSecureFlagRules = null;
	// Raw List; presumably holds AddHTTPOnlyFlagRule instances — TODO confirm as above.
	private List addHTTPOnlyFlagRules = null;
	// NOTE(review): these flags presumably record whether getWriter()/getOutputStream()
	// has already been handed out (the servlet API permits only one of the two per response);
	// their use is outside this excerpt — confirm.
	private boolean alreadyCalledWriter = false;
	private boolean alreadyCalledOutputStream = false;

	public InterceptingHTTPServletResponse(HttpServletResponse response, boolean buffering, List cookieRules) throws IOException {

		super(response);
		
		this.contentType = response.getContentType();
		
		this.isos = new InterceptingServletOutputStream(response.getOutputStream(), buffering);
		this.ipw = new InterceptingPrintWriter(new PrintWriter(isos));

		addSecureFlagRules = new ArrayList();
		addHTTPOnlyFlagRules = new ArrayList();

		for(int i=0;i=[; =][; expires=][;
        // domain=][; path=][; secure][;HttpOnly
        String header = name + "=" + value;

        if ( ! isTemporary ) {
        	header += "; Max-Age=" + maxAge;
        }

        if (domain != null) {
            header += "; Domain=" + domain;
        }
        if (path != null) {
            header += "; Path=" + path;
        }

        if ( secure ) {
        	header += "; Secure";
        }

        if (httpOnly) {
        	header += "; HttpOnly";
        }

        return header;
    }

}



