org.owasp.esapi.filters
Class SecurityWrapperRequest

java.lang.Object
  extended by javax.servlet.ServletRequestWrapper
      extended by javax.servlet.http.HttpServletRequestWrapper
          extended by org.owasp.esapi.filters.SecurityWrapperRequest
All Implemented Interfaces:
javax.servlet.http.HttpServletRequest, javax.servlet.ServletRequest

public class SecurityWrapperRequest
extends javax.servlet.http.HttpServletRequestWrapper
implements javax.servlet.http.HttpServletRequest

This request wrapper simply overrides unsafe methods in the HttpServletRequest API with safe versions that return canonicalized data where possible. The wrapper returns a safe value when a validation error is detected, including stripped or empty strings.


Field Summary
 
Fields inherited from interface javax.servlet.http.HttpServletRequest
BASIC_AUTH, CLIENT_CERT_AUTH, DIGEST_AUTH, FORM_AUTH
 
Constructor Summary
SecurityWrapperRequest(javax.servlet.http.HttpServletRequest request)
          Construct a safe request that overrides the default request methods with safer versions.
 
Method Summary
 java.lang.String getAllowableContentRoot()
           
 java.lang.Object getAttribute(java.lang.String name)
          Same as HttpServletRequest, no security changes required.
 java.util.Enumeration getAttributeNames()
          Same as HttpServletRequest, no security changes required.
 java.lang.String getAuthType()
          Same as HttpServletRequest, no security changes required.
 java.lang.String getCharacterEncoding()
          Same as HttpServletRequest, no security changes required.
 int getContentLength()
          Same as HttpServletRequest, no security changes required.
 java.lang.String getContentType()
          Same as HttpServletRequest, no security changes required.
 java.lang.String getContextPath()
          Returns the context path from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
 javax.servlet.http.Cookie[] getCookies()
          Returns the array of Cookies from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
 long getDateHeader(java.lang.String name)
          Same as HttpServletRequest, no security changes required.
 java.lang.String getHeader(java.lang.String name)
          Returns the named header from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
 java.util.Enumeration getHeaderNames()
          Returns the enumeration of header names from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
 java.util.Enumeration getHeaders(java.lang.String name)
          Returns the enumeration of headers from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
 javax.servlet.ServletInputStream getInputStream()
          Same as HttpServletRequest, no security changes required.
 int getIntHeader(java.lang.String name)
          Same as HttpServletRequest, no security changes required.
 java.lang.String getLocalAddr()
          Same as HttpServletRequest, no security changes required.
 java.util.Locale getLocale()
          Same as HttpServletRequest, no security changes required.
 java.util.Enumeration getLocales()
          Same as HttpServletRequest, no security changes required.
 java.lang.String getLocalName()
          Same as HttpServletRequest, no security changes required.
 int getLocalPort()
          Same as HttpServletRequest, no security changes required.
 java.lang.String getMethod()
          Same as HttpServletRequest, no security changes required.
 java.lang.String getParameter(java.lang.String name)
          Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
 java.lang.String getParameter(java.lang.String name, boolean allowNull)
          Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
 java.lang.String getParameter(java.lang.String name, boolean allowNull, int maxLength)
          Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
 java.lang.String getParameter(java.lang.String name, boolean allowNull, int maxLength, java.lang.String regexName)
          Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
 java.util.Map getParameterMap()
          Returns the parameter map from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
 java.util.Enumeration getParameterNames()
          Returns the enumeration of parameter names from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
 java.lang.String[] getParameterValues(java.lang.String name)
          Returns the array of matching parameter values from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
 java.lang.String getPathInfo()
          Returns the path info from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
 java.lang.String getPathTranslated()
          Same as HttpServletRequest, no security changes required.
 java.lang.String getProtocol()
          Same as HttpServletRequest, no security changes required.
 java.lang.String getQueryString()
          Returns the query string from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
 java.io.BufferedReader getReader()
          Same as HttpServletRequest, no security changes required.
 java.lang.String getRealPath(java.lang.String path)
          Deprecated in servlet spec 2.1. Use ServletContext.getRealPath(String) instead.
 java.lang.String getRemoteAddr()
          Same as HttpServletRequest, no security changes required.
 java.lang.String getRemoteHost()
          Same as HttpServletRequest, no security changes required.
 int getRemotePort()
          Same as HttpServletRequest, no security changes required.
 java.lang.String getRemoteUser()
          Returns the name of the ESAPI user associated with this getHttpServletRequest().
 javax.servlet.RequestDispatcher getRequestDispatcher(java.lang.String path)
          Checks to make sure the path to forward to is within the WEB-INF directory and then returns the dispatcher.
 java.lang.String getRequestedSessionId()
          Returns the requested session ID from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
 java.lang.String getRequestURI()
          Returns the URI from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
 java.lang.StringBuffer getRequestURL()
          Returns the URL from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
 java.lang.String getScheme()
          Returns the scheme from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
 java.lang.String getServerName()
          Returns the server name (host header) from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
 int getServerPort()
          Returns the server port (after the : in the host header) from the HttpServletRequest after parsing and checking the range 0-65536.
 java.lang.String getServletPath()
          Returns the servlet path from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
 javax.servlet.http.HttpSession getSession()
          Returns a session, creating it if necessary, and sets the HttpOnly flag on the Session ID cookie.
 javax.servlet.http.HttpSession getSession(boolean create)
          Returns a session, creating it if necessary, and sets the HttpOnly flag on the Session ID cookie.
 java.security.Principal getUserPrincipal()
          Returns the ESAPI User associated with this getHttpServletRequest().
 boolean isRequestedSessionIdFromCookie()
          Same as HttpServletRequest, no security changes required.
 boolean isRequestedSessionIdFromUrl()
          Deprecated in servlet spec 2.1. Use isRequestedSessionIdFromURL() instead.
 boolean isRequestedSessionIdFromURL()
          Same as HttpServletRequest, no security changes required.
 boolean isRequestedSessionIdValid()
          Same as HttpServletRequest, no security changes required.
 boolean isSecure()
          Same as HttpServletRequest, no security changes required.
 boolean isUserInRole(java.lang.String role)
          Returns true if the ESAPI User associated with this request has the specified role.
 void removeAttribute(java.lang.String name)
          Same as HttpServletRequest, no security changes required.
 void setAllowableContentRoot(java.lang.String allowableContentRoot)
           
 void setAttribute(java.lang.String name, java.lang.Object o)
          Same as HttpServletRequest, no security changes required.
 void setCharacterEncoding(java.lang.String enc)
          Sets the character encoding scheme to the ESAPI configured encoding scheme.
 
Methods inherited from class javax.servlet.ServletRequestWrapper
getRequest, setRequest
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

SecurityWrapperRequest

public SecurityWrapperRequest(javax.servlet.http.HttpServletRequest request)
Construct a safe request that overrides the default request methods with safer versions.

Parameters:
request - The HttpServletRequest we are wrapping.
Method Detail

getAttribute

public java.lang.Object getAttribute(java.lang.String name)
Same as HttpServletRequest, no security changes required.

Specified by:
getAttribute in interface javax.servlet.ServletRequest
Overrides:
getAttribute in class javax.servlet.ServletRequestWrapper
Parameters:
name - The attribute name
Returns:
The attribute value

getAttributeNames

public java.util.Enumeration getAttributeNames()
Same as HttpServletRequest, no security changes required.

Specified by:
getAttributeNames in interface javax.servlet.ServletRequest
Overrides:
getAttributeNames in class javax.servlet.ServletRequestWrapper
Returns:
An Enumeration of attribute names.

getAuthType

public java.lang.String getAuthType()
Same as HttpServletRequest, no security changes required.

Specified by:
getAuthType in interface javax.servlet.http.HttpServletRequest
Overrides:
getAuthType in class javax.servlet.http.HttpServletRequestWrapper
Returns:
The authentication type

getCharacterEncoding

public java.lang.String getCharacterEncoding()
Same as HttpServletRequest, no security changes required.

Specified by:
getCharacterEncoding in interface javax.servlet.ServletRequest
Overrides:
getCharacterEncoding in class javax.servlet.ServletRequestWrapper
Returns:
The character-encoding for this HttpServletRequest

getContentLength

public int getContentLength()
Same as HttpServletRequest, no security changes required.

Specified by:
getContentLength in interface javax.servlet.ServletRequest
Overrides:
getContentLength in class javax.servlet.ServletRequestWrapper
Returns:
The content-length for this HttpServletRequest

getContentType

public java.lang.String getContentType()
Same as HttpServletRequest, no security changes required.

Specified by:
getContentType in interface javax.servlet.ServletRequest
Overrides:
getContentType in class javax.servlet.ServletRequestWrapper
Returns:
The content-type for this HttpServletRequest

getContextPath

public java.lang.String getContextPath()
Returns the context path from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

Specified by:
getContextPath in interface javax.servlet.http.HttpServletRequest
Overrides:
getContextPath in class javax.servlet.http.HttpServletRequestWrapper
Returns:
The context path for this HttpServletRequest

getCookies

public javax.servlet.http.Cookie[] getCookies()
Returns the array of Cookies from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

Specified by:
getCookies in interface javax.servlet.http.HttpServletRequest
Overrides:
getCookies in class javax.servlet.http.HttpServletRequestWrapper
Returns:
An array of Cookies for this HttpServletRequest

getDateHeader

public long getDateHeader(java.lang.String name)
Same as HttpServletRequest, no security changes required.

Specified by:
getDateHeader in interface javax.servlet.http.HttpServletRequest
Overrides:
getDateHeader in class javax.servlet.http.HttpServletRequestWrapper
Parameters:
name - Specifies the name of the HTTP request header; e.g., If-Modified-Since.
Returns:
a long value representing the date specified in the header expressed as the number of milliseconds since January 1, 1970 GMT, or -1 if the named header was not included with the request.

getHeader

public java.lang.String getHeader(java.lang.String name)
Returns the named header from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

Specified by:
getHeader in interface javax.servlet.http.HttpServletRequest
Overrides:
getHeader in class javax.servlet.http.HttpServletRequestWrapper
Parameters:
name - The name of an HTTP request header
Returns:
The specified header value is returned.

getHeaderNames

public java.util.Enumeration getHeaderNames()
Returns the enumeration of header names from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

Specified by:
getHeaderNames in interface javax.servlet.http.HttpServletRequest
Overrides:
getHeaderNames in class javax.servlet.http.HttpServletRequestWrapper
Returns:
An Enumeration of header names associated with this request.

getHeaders

public java.util.Enumeration getHeaders(java.lang.String name)
Returns the enumeration of headers from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

Specified by:
getHeaders in interface javax.servlet.http.HttpServletRequest
Overrides:
getHeaders in class javax.servlet.http.HttpServletRequestWrapper
Parameters:
name - The name of an HTTP request header.
Returns:
An Enumeration of headers from the request after canonicalizing and filtering has been performed.

getInputStream

public javax.servlet.ServletInputStream getInputStream()
                                                throws java.io.IOException
Same as HttpServletRequest, no security changes required. Note that this input stream may contain attacks and the developer is responsible for canonicalizing, validating, and encoding any data from this stream.

Specified by:
getInputStream in interface javax.servlet.ServletRequest
Overrides:
getInputStream in class javax.servlet.ServletRequestWrapper
Returns:
The ServletInputStream associated with this HttpServletRequest.
Throws:
java.io.IOException - Thrown if an input exception is thrown, such as the remote peer closing the connection.

getIntHeader

public int getIntHeader(java.lang.String name)
Same as HttpServletRequest, no security changes required.

Specified by:
getIntHeader in interface javax.servlet.http.HttpServletRequest
Overrides:
getIntHeader in class javax.servlet.http.HttpServletRequestWrapper
Parameters:
name - The name of an HTTP request header.
Returns:
Returns the value of the specified request header as an int.

getLocalAddr

public java.lang.String getLocalAddr()
Same as HttpServletRequest, no security changes required.

Specified by:
getLocalAddr in interface javax.servlet.ServletRequest
Overrides:
getLocalAddr in class javax.servlet.ServletRequestWrapper
Returns:
A String containing the IP address on which the request was received.

getLocale

public java.util.Locale getLocale()
Same as HttpServletRequest, no security changes required.

Specified by:
getLocale in interface javax.servlet.ServletRequest
Overrides:
getLocale in class javax.servlet.ServletRequestWrapper
Returns:
The preferred Locale for the client.

getLocales

public java.util.Enumeration getLocales()
Same as HttpServletRequest, no security changes required.

Specified by:
getLocales in interface javax.servlet.ServletRequest
Overrides:
getLocales in class javax.servlet.ServletRequestWrapper
Returns:
An Enumeration of preferred Locale objects for the client.

getLocalName

public java.lang.String getLocalName()
Same as HttpServletRequest, no security changes required.

Specified by:
getLocalName in interface javax.servlet.ServletRequest
Overrides:
getLocalName in class javax.servlet.ServletRequestWrapper
Returns:
A String containing the host name of the IP on which the request was received.

getLocalPort

public int getLocalPort()
Same as HttpServletRequest, no security changes required.

Specified by:
getLocalPort in interface javax.servlet.ServletRequest
Overrides:
getLocalPort in class javax.servlet.ServletRequestWrapper
Returns:
Returns the Internet Protocol (IP) port number of the interface on which the request was received.

getMethod

public java.lang.String getMethod()
Same as HttpServletRequest, no security changes required.

Specified by:
getMethod in interface javax.servlet.http.HttpServletRequest
Overrides:
getMethod in class javax.servlet.http.HttpServletRequestWrapper
Returns:
Returns the name of the HTTP method with which this request was made.

getParameter

public java.lang.String getParameter(java.lang.String name)
Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

Specified by:
getParameter in interface javax.servlet.ServletRequest
Overrides:
getParameter in class javax.servlet.ServletRequestWrapper
Parameters:
name - The parameter name for the request
Returns:
The "scrubbed" parameter value.

getParameter

public java.lang.String getParameter(java.lang.String name,
                                     boolean allowNull)
Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

Parameters:
name - The parameter name for the request
allowNull - Whether null values are allowed
Returns:
The "scrubbed" parameter value.

getParameter

public java.lang.String getParameter(java.lang.String name,
                                     boolean allowNull,
                                     int maxLength)
Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

Parameters:
name - The parameter name for the request
allowNull - Whether null values are allowed
maxLength - The maximum length allowed
Returns:
The "scrubbed" parameter value.

getParameter

public java.lang.String getParameter(java.lang.String name,
                                     boolean allowNull,
                                     int maxLength,
                                     java.lang.String regexName)
Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

Parameters:
name - The parameter name for the request
allowNull - Whether null values are allowed
maxLength - The maximum length allowed
regexName - The name of the regex mapped from ESAPI.properties
Returns:
The "scrubbed" parameter value.

getParameterMap

public java.util.Map getParameterMap()
Returns the parameter map from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

Specified by:
getParameterMap in interface javax.servlet.ServletRequest
Overrides:
getParameterMap in class javax.servlet.ServletRequestWrapper
Returns:
A Map containing scrubbed parameter names / value pairs.

getParameterNames

public java.util.Enumeration getParameterNames()
Returns the enumeration of parameter names from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

Specified by:
getParameterNames in interface javax.servlet.ServletRequest
Overrides:
getParameterNames in class javax.servlet.ServletRequestWrapper
Returns:
An Enumeration of properly "scrubbed" parameter names.

getParameterValues

public java.lang.String[] getParameterValues(java.lang.String name)
Returns the array of matching parameter values from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

Specified by:
getParameterValues in interface javax.servlet.ServletRequest
Overrides:
getParameterValues in class javax.servlet.ServletRequestWrapper
Parameters:
name - The parameter name
Returns:
An array of matching "scrubbed" parameter values or null if the parameter does not exist.

getPathInfo

public java.lang.String getPathInfo()
Returns the path info from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

Specified by:
getPathInfo in interface javax.servlet.http.HttpServletRequest
Overrides:
getPathInfo in class javax.servlet.http.HttpServletRequestWrapper
Returns:
Returns any extra path information, appropriately scrubbed, associated with the URL the client sent when it made this request.

getPathTranslated

public java.lang.String getPathTranslated()
Same as HttpServletRequest, no security changes required.

Specified by:
getPathTranslated in interface javax.servlet.http.HttpServletRequest
Overrides:
getPathTranslated in class javax.servlet.http.HttpServletRequestWrapper
Returns:
Returns any extra path information, appropriately scrubbed, after the servlet name but before the query string, translated to a real path.

getProtocol

public java.lang.String getProtocol()
Same as HttpServletRequest, no security changes required.

Specified by:
getProtocol in interface javax.servlet.ServletRequest
Overrides:
getProtocol in class javax.servlet.ServletRequestWrapper
Returns:
Returns the name and version of the protocol the request uses in the form protocol/majorVersion.minorVersion, for example, HTTP/1.1.

getQueryString

public java.lang.String getQueryString()
Returns the query string from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

Specified by:
getQueryString in interface javax.servlet.http.HttpServletRequest
Overrides:
getQueryString in class javax.servlet.http.HttpServletRequestWrapper
Returns:
The scrubbed query string is returned.

getReader

public java.io.BufferedReader getReader()
                                 throws java.io.IOException
Same as HttpServletRequest, no security changes required. Note that this reader may contain attacks and the developer is responsible for canonicalizing, validating, and encoding any data read from it.

Specified by:
getReader in interface javax.servlet.ServletRequest
Overrides:
getReader in class javax.servlet.ServletRequestWrapper
Returns:
A BufferedReader containing the body of the request.
Throws:
java.io.IOException - If an input error occurred while reading the request body (e.g., premature EOF).

getRealPath

@Deprecated
public java.lang.String getRealPath(java.lang.String path)
Deprecated in servlet spec 2.1. Use ServletContext.getRealPath(String) instead.

Same as HttpServletRequest, no security changes required.

Specified by:
getRealPath in interface javax.servlet.ServletRequest
Overrides:
getRealPath in class javax.servlet.ServletRequestWrapper
Parameters:
path - A virtual path on a web or application server; e.g., "/index.htm".
Returns:
Returns a String containing the real path for a given virtual path.

getRemoteAddr

public java.lang.String getRemoteAddr()
Same as HttpServletRequest, no security changes required.

Specified by:
getRemoteAddr in interface javax.servlet.ServletRequest
Overrides:
getRemoteAddr in class javax.servlet.ServletRequestWrapper
Returns:
Returns the IP address of the client or last proxy that sent the request.

getRemoteHost

public java.lang.String getRemoteHost()
Same as HttpServletRequest, no security changes required.

Specified by:
getRemoteHost in interface javax.servlet.ServletRequest
Overrides:
getRemoteHost in class javax.servlet.ServletRequestWrapper
Returns:
The remote host

getRemotePort

public int getRemotePort()
Same as HttpServletRequest, no security changes required.

Specified by:
getRemotePort in interface javax.servlet.ServletRequest
Overrides:
getRemotePort in class javax.servlet.ServletRequestWrapper
Returns:
The remote port

getRemoteUser

public java.lang.String getRemoteUser()
Returns the name of the ESAPI user associated with this getHttpServletRequest().

Specified by:
getRemoteUser in interface javax.servlet.http.HttpServletRequest
Overrides:
getRemoteUser in class javax.servlet.http.HttpServletRequestWrapper
Returns:
The name of the ESAPI User associated with this request.

getRequestDispatcher

public javax.servlet.RequestDispatcher getRequestDispatcher(java.lang.String path)
Checks that the path to forward to is within the WEB-INF directory and, if so, returns the dispatcher. Otherwise returns null.

Specified by:
getRequestDispatcher in interface javax.servlet.ServletRequest
Overrides:
getRequestDispatcher in class javax.servlet.ServletRequestWrapper
Parameters:
path - The path to create a request dispatcher for
Returns:
A RequestDispatcher object that acts as a wrapper for the resource at the specified path, or null if the servlet container cannot return a RequestDispatcher.
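An added example (not code from the ESAPI project) showing how a servlet uses the regex-named getParameter(name, allowNull, maxLength, regexName) overload and the WEB-INF-restricted getRequestDispatcher described above, behind a filter that installs the wrapper. The filter, servlet, parameter name and forward target are assumed for illustration, as is the assumption that regexName is resolved against a Validator.SafeString entry in the deployment's ESAPI.properties (the default properties file defines it).

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.filters.SecurityWrapperRequest;

/**
 * Illustrative filter: wraps every incoming HTTP request so downstream code only
 * sees the scrubbed SecurityWrapperRequest view of parameters, headers and paths.
 * (ESAPI ships its own SecurityWrapper filter for production use.)
 */
public class WrapRequestFilter implements Filter {
    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && !(req instanceof SecurityWrapperRequest)) {
            req = new SecurityWrapperRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }
}

/** Hypothetical profile servlet that relies on the wrapper being in place. */
class ProfileServlet extends HttpServlet {
    // Assumed: ESAPI.properties defines Validator.SafeString; the wrapper resolves
    // regexName against that "Validator." keyspace, so only the suffix is passed.
    private static final String USERNAME_REGEX = "SafeString";
    private static final int USERNAME_MAX_LEN = 32;

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The 4-arg getParameter only exists on the wrapper, so the cast is required;
        // if the filter is missing, fail closed instead of falling back to raw input.
        if (!(req instanceof SecurityWrapperRequest)) {
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        SecurityWrapperRequest safe = (SecurityWrapperRequest) req;

        // allowNull=false makes a missing parameter a validation error. On any
        // validation failure the wrapper logs and returns a safe (stripped or empty)
        // value rather than the original, so null/empty must be treated as "rejected".
        String username = safe.getParameter("username", false, USERNAME_MAX_LEN, USERNAME_REGEX);
        if (username == null || username.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid username parameter");
            return;
        }
        req.setAttribute("username", username);

        // The wrapper hands out a dispatcher only for targets under WEB-INF and
        // returns null otherwise; null therefore means "rejected or unresolvable",
        // so check it rather than risk a NullPointerException on forward().
        RequestDispatcher rd = safe.getRequestDispatcher("/WEB-INF/views/profile.jsp");
        if (rd == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        rd.forward(req, resp);
    }
}
```

Register WrapRequestFilter (or ESAPI's own SecurityWrapper filter) in web.xml ahead of the servlet so the cast in doGet succeeds.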

getRequestedSessionId

public java.lang.String getRequestedSessionId()
Returns the requested session ID from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. Code must be very careful not to depend on the value of a requested session id reported by the user.

Specified by:
getRequestedSessionId in interface javax.servlet.http.HttpServletRequest
Overrides:
getRequestedSessionId in class javax.servlet.http.HttpServletRequestWrapper
Returns:
The requested Session ID

getRequestURI

public java.lang.String getRequestURI()
Returns the URI from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

Specified by:
getRequestURI in interface javax.servlet.http.HttpServletRequest
Overrides:
getRequestURI in class javax.servlet.http.HttpServletRequestWrapper
Returns:
The current request URI

getRequestURL

public java.lang.StringBuffer getRequestURL()
Returns the URL from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

Specified by:
getRequestURL in interface javax.servlet.http.HttpServletRequest
Overrides:
getRequestURL in class javax.servlet.http.HttpServletRequestWrapper
Returns:
The current request URL

getScheme

public java.lang.String getScheme()
Returns the scheme from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

Specified by:
getScheme in interface javax.servlet.ServletRequest
Overrides:
getScheme in class javax.servlet.ServletRequestWrapper
Returns:
The scheme of the current request

getServerName

public java.lang.String getServerName()
Returns the server name (host header) from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

Specified by:
getServerName in interface javax.servlet.ServletRequest
Overrides:
getServerName in class javax.servlet.ServletRequestWrapper
Returns:
The local server name

getServerPort

public int getServerPort()
Returns the server port (after the : in the host header) from the HttpServletRequest after parsing and checking the range 0-65536.

Specified by:
getServerPort in interface javax.servlet.ServletRequest
Overrides:
getServerPort in class javax.servlet.ServletRequestWrapper
Returns:
The local server port

getServletPath

public java.lang.String getServletPath()
Returns the servlet path from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

Specified by:
getServletPath in interface javax.servlet.http.HttpServletRequest
Overrides:
getServletPath in class javax.servlet.http.HttpServletRequestWrapper
Returns:
The servlet path

getSession

public javax.servlet.http.HttpSession getSession()
Returns a session, creating it if necessary, and sets the HttpOnly flag on the Session ID cookie.

Specified by:
getSession in interface javax.servlet.http.HttpServletRequest
Overrides:
getSession in class javax.servlet.http.HttpServletRequestWrapper
Returns:
The current session

getSession

public javax.servlet.http.HttpSession getSession(boolean create)
Returns a session, creating it if necessary, and sets the HttpOnly flag on the Session ID cookie.

Specified by:
getSession in interface javax.servlet.http.HttpServletRequest
Overrides:
getSession in class javax.servlet.http.HttpServletRequestWrapper
Parameters:
create - Create a new session if one doesn't exist
Returns:
The current session

getUserPrincipal

public java.security.Principal getUserPrincipal()
Returns the ESAPI User associated with this getHttpServletRequest().

Specified by:
getUserPrincipal in interface javax.servlet.http.HttpServletRequest
Overrides:
getUserPrincipal in class javax.servlet.http.HttpServletRequestWrapper
Returns:
The ESAPI User

isRequestedSessionIdFromCookie

public boolean isRequestedSessionIdFromCookie()
Same as HttpServletRequest, no security changes required.

Specified by:
isRequestedSessionIdFromCookie in interface javax.servlet.http.HttpServletRequest
Overrides:
isRequestedSessionIdFromCookie in class javax.servlet.http.HttpServletRequestWrapper
Returns:
Whether the requested session id is from a cookie

isRequestedSessionIdFromUrl

@Deprecated
public boolean isRequestedSessionIdFromUrl()
Deprecated in servlet spec 2.1. Use isRequestedSessionIdFromURL() instead.

Same as HttpServletRequest, no security changes required.

Specified by:
isRequestedSessionIdFromUrl in interface javax.servlet.http.HttpServletRequest
Overrides:
isRequestedSessionIdFromUrl in class javax.servlet.http.HttpServletRequestWrapper
Returns:
Whether the requested session id is from the URL

isRequestedSessionIdFromURL

public boolean isRequestedSessionIdFromURL()
Same as HttpServletRequest, no security changes required.

Specified by:
isRequestedSessionIdFromURL in interface javax.servlet.http.HttpServletRequest
Overrides:
isRequestedSessionIdFromURL in class javax.servlet.http.HttpServletRequestWrapper
Returns:
Whether the requested session id is from the URL

isRequestedSessionIdValid

public boolean isRequestedSessionIdValid()
Same as HttpServletRequest, no security changes required.

Specified by:
isRequestedSessionIdValid in interface javax.servlet.http.HttpServletRequest
Overrides:
isRequestedSessionIdValid in class javax.servlet.http.HttpServletRequestWrapper
Returns:
Whether the requested session id is valid

isSecure

public boolean isSecure()
Same as HttpServletRequest, no security changes required.

Specified by:
isSecure in interface javax.servlet.ServletRequest
Overrides:
isSecure in class javax.servlet.ServletRequestWrapper
Returns:
Whether the current request is secure

isUserInRole

public boolean isUserInRole(java.lang.String role)
Returns true if the ESAPI User associated with this request has the specified role.

Specified by:
isUserInRole in interface javax.servlet.http.HttpServletRequest
Overrides:
isUserInRole in class javax.servlet.http.HttpServletRequestWrapper
Parameters:
role - The role to check
Returns:
Whether the current user is in the passed role

removeAttribute

public void removeAttribute(java.lang.String name)
Same as HttpServletRequest, no security changes required.

Specified by:
removeAttribute in interface javax.servlet.ServletRequest
Overrides:
removeAttribute in class javax.servlet.ServletRequestWrapper
Parameters:
name - The attribute name

setAttribute

public void setAttribute(java.lang.String name,
                         java.lang.Object o)
Same as HttpServletRequest, no security changes required.

Specified by:
setAttribute in interface javax.servlet.ServletRequest
Overrides:
setAttribute in class javax.servlet.ServletRequestWrapper
Parameters:
name - The attribute name
o - The attribute value

setCharacterEncoding

public void setCharacterEncoding(java.lang.String enc)
                          throws java.io.UnsupportedEncodingException
Sets the character encoding scheme to the ESAPI configured encoding scheme.

Specified by:
setCharacterEncoding in interface javax.servlet.ServletRequest
Overrides:
setCharacterEncoding in class javax.servlet.ServletRequestWrapper
Parameters:
enc - The encoding scheme
Throws:
java.io.UnsupportedEncodingException

getAllowableContentRoot

public java.lang.String getAllowableContentRoot()

setAllowableContentRoot

public void setAllowableContentRoot(java.lang.String allowableContentRoot)


Copyright © 2011 The Open Web Application Security Project (OWASP). All Rights Reserved.