java.lang.Object
  extended by javax.servlet.ServletRequestWrapper
      extended by javax.servlet.http.HttpServletRequestWrapper
          extended by org.owasp.esapi.filters.SecurityWrapperRequest
public class SecurityWrapperRequest extends javax.servlet.http.HttpServletRequestWrapper
This request wrapper overrides the unsafe methods of the HttpServletRequest API with safe versions that return canonicalized data where possible. When a validation error is detected the wrapper does not throw; it returns a safe value instead, which may be a stripped or empty string. Callers should therefore treat an empty result as a possible rejected input rather than as a value the client actually sent.
Field Summary |
---|
Fields inherited from interface javax.servlet.http.HttpServletRequest |
---|
BASIC_AUTH, CLIENT_CERT_AUTH, DIGEST_AUTH, FORM_AUTH |
Constructor Summary | |
---|---|
SecurityWrapperRequest(javax.servlet.http.HttpServletRequest request)
Construct a safe request that overrides the default request methods with safer versions. |
Method Summary | |
---|---|
java.lang.String |
getAllowableContentRoot()
|
java.lang.Object |
getAttribute(java.lang.String name)
Same as HttpServletRequest, no security changes required. |
java.util.Enumeration |
getAttributeNames()
Same as HttpServletRequest, no security changes required. |
java.lang.String |
getAuthType()
Same as HttpServletRequest, no security changes required. |
java.lang.String |
getCharacterEncoding()
Same as HttpServletRequest, no security changes required. |
int |
getContentLength()
Same as HttpServletRequest, no security changes required. |
java.lang.String |
getContentType()
Same as HttpServletRequest, no security changes required. |
java.lang.String |
getContextPath()
Returns the context path from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
javax.servlet.http.Cookie[] |
getCookies()
Returns the array of Cookies from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
long |
getDateHeader(java.lang.String name)
Same as HttpServletRequest, no security changes required. |
java.lang.String |
getHeader(java.lang.String name)
Returns the named header from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
java.util.Enumeration |
getHeaderNames()
Returns the enumeration of header names from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
java.util.Enumeration |
getHeaders(java.lang.String name)
Returns the enumeration of headers from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
javax.servlet.ServletInputStream |
getInputStream()
Same as HttpServletRequest, no security changes required. |
int |
getIntHeader(java.lang.String name)
Same as HttpServletRequest, no security changes required. |
java.lang.String |
getLocalAddr()
Same as HttpServletRequest, no security changes required. |
java.util.Locale |
getLocale()
Same as HttpServletRequest, no security changes required. |
java.util.Enumeration |
getLocales()
Same as HttpServletRequest, no security changes required. |
java.lang.String |
getLocalName()
Same as HttpServletRequest, no security changes required. |
int |
getLocalPort()
Same as HttpServletRequest, no security changes required. |
java.lang.String |
getMethod()
Same as HttpServletRequest, no security changes required. |
java.lang.String |
getParameter(java.lang.String name)
Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
java.lang.String |
getParameter(java.lang.String name,
boolean allowNull)
Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
java.lang.String |
getParameter(java.lang.String name,
boolean allowNull,
int maxLength)
Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
java.lang.String |
getParameter(java.lang.String name,
boolean allowNull,
int maxLength,
java.lang.String regexName)
Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
java.util.Map |
getParameterMap()
Returns the parameter map from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
java.util.Enumeration |
getParameterNames()
Returns the enumeration of parameter names from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
java.lang.String[] |
getParameterValues(java.lang.String name)
Returns the array of matching parameter values from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
java.lang.String |
getPathInfo()
Returns the path info from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
java.lang.String |
getPathTranslated()
Same as HttpServletRequest, no security changes required. |
java.lang.String |
getProtocol()
Same as HttpServletRequest, no security changes required. |
java.lang.String |
getQueryString()
Returns the query string from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
java.io.BufferedReader |
getReader()
Same as HttpServletRequest, no security changes required. |
java.lang.String |
getRealPath(java.lang.String path)
Deprecated in servlet spec 2.1. Use ServletContext.getRealPath(String) instead. |
java.lang.String |
getRemoteAddr()
Same as HttpServletRequest, no security changes required. |
java.lang.String |
getRemoteHost()
Same as HttpServletRequest, no security changes required. |
int |
getRemotePort()
Same as HttpServletRequest, no security changes required. |
java.lang.String |
getRemoteUser()
Returns the name of the ESAPI user associated with this getHttpServletRequest(). |
javax.servlet.RequestDispatcher |
getRequestDispatcher(java.lang.String path)
Checks to make sure the path to forward to is within the WEB-INF directory and then returns the dispatcher. |
java.lang.String |
getRequestedSessionId()
Returns the requested session ID from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
java.lang.String |
getRequestURI()
Returns the URI from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
java.lang.StringBuffer |
getRequestURL()
Returns the URL from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
java.lang.String |
getScheme()
Returns the scheme from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
java.lang.String |
getServerName()
Returns the server name (host header) from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
int |
getServerPort()
Returns the server port (after the : in the host header) from the HttpServletRequest after parsing and checking the range 0-65536. Note that the upper bound of that check is one above the highest valid TCP port, 65535. |
java.lang.String |
getServletPath()
Returns the servlet path from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
javax.servlet.http.HttpSession |
getSession()
Returns a session, creating it if necessary, and sets the HttpOnly flag on the Session ID cookie. |
javax.servlet.http.HttpSession |
getSession(boolean create)
Returns a session, creating it if necessary, and sets the HttpOnly flag on the Session ID cookie. |
java.security.Principal |
getUserPrincipal()
Returns the ESAPI User associated with this getHttpServletRequest(). |
boolean |
isRequestedSessionIdFromCookie()
Same as HttpServletRequest, no security changes required. |
boolean |
isRequestedSessionIdFromUrl()
Deprecated in servlet spec 2.1. Use isRequestedSessionIdFromURL() instead. |
boolean |
isRequestedSessionIdFromURL()
Same as HttpServletRequest, no security changes required. |
boolean |
isRequestedSessionIdValid()
Same as HttpServletRequest, no security changes required. |
boolean |
isSecure()
Same as HttpServletRequest, no security changes required. |
boolean |
isUserInRole(java.lang.String role)
Returns true if the ESAPI User associated with this request has the specified role. |
void |
removeAttribute(java.lang.String name)
Same as HttpServletRequest, no security changes required. |
void |
setAllowableContentRoot(java.lang.String allowableContentRoot)
|
void |
setAttribute(java.lang.String name,
java.lang.Object o)
Same as HttpServletRequest, no security changes required. |
void |
setCharacterEncoding(java.lang.String enc)
Sets the character encoding scheme to the ESAPI configured encoding scheme. |
Methods inherited from class javax.servlet.ServletRequestWrapper |
---|
getRequest, setRequest |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Constructor Detail
---|
public SecurityWrapperRequest(javax.servlet.http.HttpServletRequest request)
Parameters:
request - The HttpServletRequest we are wrapping.
Method Detail
---|
public java.lang.Object getAttribute(java.lang.String name)
Specified by: getAttribute in interface javax.servlet.ServletRequest
Overrides: getAttribute in class javax.servlet.ServletRequestWrapper
Parameters:
name - The attribute name
public java.util.Enumeration getAttributeNames()
Specified by: getAttributeNames in interface javax.servlet.ServletRequest
Overrides: getAttributeNames in class javax.servlet.ServletRequestWrapper
Returns:
Enumeration of attribute names.
public java.lang.String getAuthType()
Specified by: getAuthType in interface javax.servlet.http.HttpServletRequest
Overrides: getAuthType in class javax.servlet.http.HttpServletRequestWrapper
public java.lang.String getCharacterEncoding()
Specified by: getCharacterEncoding in interface javax.servlet.ServletRequest
Overrides: getCharacterEncoding in class javax.servlet.ServletRequestWrapper
Returns:
The character encoding of this HttpServletRequest.
public int getContentLength()
Specified by: getContentLength in interface javax.servlet.ServletRequest
Overrides: getContentLength in class javax.servlet.ServletRequestWrapper
Returns:
The content length of this HttpServletRequest.
public java.lang.String getContentType()
Specified by: getContentType in interface javax.servlet.ServletRequest
Overrides: getContentType in class javax.servlet.ServletRequestWrapper
Returns:
The content type of this HttpServletRequest.
public java.lang.String getContextPath()
Specified by: getContextPath in interface javax.servlet.http.HttpServletRequest
Overrides: getContextPath in class javax.servlet.http.HttpServletRequestWrapper
Returns:
The context path of this HttpServletRequest, after canonicalizing and filtering.
public javax.servlet.http.Cookie[] getCookies()
Specified by: getCookies in interface javax.servlet.http.HttpServletRequest
Overrides: getCookies in class javax.servlet.http.HttpServletRequestWrapper
Returns:
The Cookies for this HttpServletRequest.
public long getDateHeader(java.lang.String name)
Specified by: getDateHeader in interface javax.servlet.http.HttpServletRequest
Overrides: getDateHeader in class javax.servlet.http.HttpServletRequestWrapper
Parameters:
name - Specifies the name of the HTTP request header; e.g., If-Modified-Since.
Returns:
The date in the named header expressed as milliseconds since January 1, 1970 GMT, or -1 if the named header was not included with the request.
public java.lang.String getHeader(java.lang.String name)
Specified by: getHeader in interface javax.servlet.http.HttpServletRequest
Overrides: getHeader in class javax.servlet.http.HttpServletRequestWrapper
Parameters:
name - The name of an HTTP request header
public java.util.Enumeration getHeaderNames()
Specified by: getHeaderNames in interface javax.servlet.http.HttpServletRequest
Overrides: getHeaderNames in class javax.servlet.http.HttpServletRequestWrapper
Returns:
Enumeration of header names associated with this request.
public java.util.Enumeration getHeaders(java.lang.String name)
Specified by: getHeaders in interface javax.servlet.http.HttpServletRequest
Overrides: getHeaders in class javax.servlet.http.HttpServletRequestWrapper
Parameters:
name - The name of an HTTP request header.
Returns:
Enumeration of headers from the request after canonicalizing and filtering has been performed.
public javax.servlet.ServletInputStream getInputStream() throws java.io.IOException
Specified by: getInputStream in interface javax.servlet.ServletRequest
Overrides: getInputStream in class javax.servlet.ServletRequestWrapper
Returns:
The ServletInputStream associated with this HttpServletRequest.
Throws:
java.io.IOException - Thrown if an input exception is thrown, such as the remote peer closing the connection.
public int getIntHeader(java.lang.String name)
Specified by: getIntHeader in interface javax.servlet.http.HttpServletRequest
Overrides: getIntHeader in class javax.servlet.http.HttpServletRequestWrapper
Parameters:
name - The name of an HTTP request header.
Returns:
The value of the named header as an int.
public java.lang.String getLocalAddr()
Specified by: getLocalAddr in interface javax.servlet.ServletRequest
Overrides: getLocalAddr in class javax.servlet.ServletRequestWrapper
Returns:
A String containing the IP address on which the request was received.
public java.util.Locale getLocale()
Specified by: getLocale in interface javax.servlet.ServletRequest
Overrides: getLocale in class javax.servlet.ServletRequestWrapper
Returns:
The preferred Locale for the client.
public java.util.Enumeration getLocales()
Specified by: getLocales in interface javax.servlet.ServletRequest
Overrides: getLocales in class javax.servlet.ServletRequestWrapper
Returns:
An Enumeration of preferred Locale objects for the client.
public java.lang.String getLocalName()
Specified by: getLocalName in interface javax.servlet.ServletRequest
Overrides: getLocalName in class javax.servlet.ServletRequestWrapper
Returns:
A String containing the host name of the IP on which the request was received.
public int getLocalPort()
Specified by: getLocalPort in interface javax.servlet.ServletRequest
Overrides: getLocalPort in class javax.servlet.ServletRequestWrapper
public java.lang.String getMethod()
Specified by: getMethod in interface javax.servlet.http.HttpServletRequest
Overrides: getMethod in class javax.servlet.http.HttpServletRequestWrapper
public java.lang.String getParameter(java.lang.String name)
Specified by: getParameter in interface javax.servlet.ServletRequest
Overrides: getParameter in class javax.servlet.ServletRequestWrapper
Parameters:
name - The parameter name for the request
public java.lang.String getParameter(java.lang.String name, boolean allowNull)
Parameters:
name - The parameter name for the request
allowNull - Whether null values are allowed
public java.lang.String getParameter(java.lang.String name, boolean allowNull, int maxLength)
Parameters:
name - The parameter name for the request
allowNull - Whether null values are allowed
maxLength - The maximum length allowed
public java.lang.String getParameter(java.lang.String name, boolean allowNull, int maxLength, java.lang.String regexName)
Parameters:
name - The parameter name for the request
allowNull - Whether null values are allowed
maxLength - The maximum length allowed
regexName - The name of the regex mapped from ESAPI.properties
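As an added example (not code from the ESAPI project or from this page), the following shows the two things this page describes: a servlet Filter that installs SecurityWrapperRequest in front of every servlet so downstream code only sees the canonicalized, filtered request, and a servlet that reads input through the validating getParameter overloads (allowNull, maxLength, regexName). The class names WrapRequestFilter and AccountServlet, the parameter names account and note, and the regex name AccountId (assumed to be declared in ESAPI.properties under the key Validator.AccountId) are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.filters.SecurityWrapperRequest;

/**
 * Added example, not ESAPI's own code. Installs SecurityWrapperRequest in
 * front of every servlet so that getParameter(), getHeader(), getCookies()
 * and the other overridden accessors return canonicalized, filtered values.
 */
public class WrapRequestFilter implements Filter {
    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        // Wrap once; a request that is already wrapped is passed through unchanged.
        if (req instanceof HttpServletRequest && !(req instanceof SecurityWrapperRequest)) {
            req = new SecurityWrapperRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, resp);
    }
}

/**
 * Reads request input through the validating getParameter overloads.
 * Assumed ESAPI.properties entry for the custom rule named below:
 *   Validator.AccountId=^[0-9]{6,10}$
 */
class AccountServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // With WrapRequestFilter installed the request already is the wrapper;
        // otherwise wrap it here so the validating overloads are available.
        SecurityWrapperRequest safe = (request instanceof SecurityWrapperRequest)
                ? (SecurityWrapperRequest) request
                : new SecurityWrapperRequest(request);

        // Required value (allowNull=false), at most 10 characters, validated
        // against the "AccountId" regex from ESAPI.properties. On a validation
        // error the wrapper returns a stripped or empty string rather than
        // throwing, so an empty result has to be treated as a rejected input.
        String accountId = safe.getParameter("account", false, 10, "AccountId");
        if (accountId == null || accountId.length() == 0) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid account id");
            return;
        }

        // Optional value (allowNull=true), capped at 200 characters, checked
        // with the wrapper's default parameter-value rule.
        String note = safe.getParameter("note", true, 200);

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("account " + accountId);
        out.println("note length " + (note == null ? 0 : note.length()));
    }
}
```

The filter is registered in web.xml (or with a servlet 3.0 annotation) so that it runs before the application's own servlets. The empty-string check after the four-argument getParameter is the important part: because the wrapper substitutes a safe value on validation failure instead of throwing, code that only tests for null will silently proceed with an empty account id.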
public java.util.Map getParameterMap()
Specified by: getParameterMap in interface javax.servlet.ServletRequest
Overrides: getParameterMap in class javax.servlet.ServletRequestWrapper
Returns:
Map containing scrubbed parameter names / value pairs.
public java.util.Enumeration getParameterNames()
Specified by: getParameterNames in interface javax.servlet.ServletRequest
Overrides: getParameterNames in class javax.servlet.ServletRequestWrapper
Returns:
Enumeration of properly "scrubbed" parameter names.
public java.lang.String[] getParameterValues(java.lang.String name)
Specified by: getParameterValues in interface javax.servlet.ServletRequest
Overrides: getParameterValues in class javax.servlet.ServletRequestWrapper
Parameters:
name - The parameter name
Returns:
The array of matching parameter values after canonicalizing and filtering, or null if the parameter does not exist.
public java.lang.String getPathInfo()
Specified by: getPathInfo in interface javax.servlet.http.HttpServletRequest
Overrides: getPathInfo in class javax.servlet.http.HttpServletRequestWrapper
public java.lang.String getPathTranslated()
Specified by: getPathTranslated in interface javax.servlet.http.HttpServletRequest
Overrides: getPathTranslated in class javax.servlet.http.HttpServletRequestWrapper
public java.lang.String getProtocol()
Specified by: getProtocol in interface javax.servlet.ServletRequest
Overrides: getProtocol in class javax.servlet.ServletRequestWrapper
public java.lang.String getQueryString()
Specified by: getQueryString in interface javax.servlet.http.HttpServletRequest
Overrides: getQueryString in class javax.servlet.http.HttpServletRequestWrapper
public java.io.BufferedReader getReader() throws java.io.IOException
Specified by: getReader in interface javax.servlet.ServletRequest
Overrides: getReader in class javax.servlet.ServletRequestWrapper
Returns:
A BufferedReader containing the body of the request.
Throws:
java.io.IOException - If an input error occurred while reading the request body (e.g., premature EOF).
@Deprecated public java.lang.String getRealPath(java.lang.String path)
Deprecated in servlet spec 2.1. Use ServletContext.getRealPath(String) instead.
Specified by: getRealPath in interface javax.servlet.ServletRequest
Overrides: getRealPath in class javax.servlet.ServletRequestWrapper
Parameters:
path - A virtual path on a web or application server; e.g., "/index.htm".
public java.lang.String getRemoteAddr()
Specified by: getRemoteAddr in interface javax.servlet.ServletRequest
Overrides: getRemoteAddr in class javax.servlet.ServletRequestWrapper
public java.lang.String getRemoteHost()
Specified by: getRemoteHost in interface javax.servlet.ServletRequest
Overrides: getRemoteHost in class javax.servlet.ServletRequestWrapper
public int getRemotePort()
Specified by: getRemotePort in interface javax.servlet.ServletRequest
Overrides: getRemotePort in class javax.servlet.ServletRequestWrapper
public java.lang.String getRemoteUser()
Specified by: getRemoteUser in interface javax.servlet.http.HttpServletRequest
Overrides: getRemoteUser in class javax.servlet.http.HttpServletRequestWrapper
public javax.servlet.RequestDispatcher getRequestDispatcher(java.lang.String path)
Specified by: getRequestDispatcher in interface javax.servlet.ServletRequest
Overrides: getRequestDispatcher in class javax.servlet.ServletRequestWrapper
Parameters:
path - The path to create a request dispatcher for
Returns:
A RequestDispatcher object that acts as a wrapper for the resource at the specified path, or null if the servlet container cannot return a RequestDispatcher.
public java.lang.String getRequestedSessionId()
Specified by: getRequestedSessionId in interface javax.servlet.http.HttpServletRequest
Overrides: getRequestedSessionId in class javax.servlet.http.HttpServletRequestWrapper
public java.lang.String getRequestURI()
Specified by: getRequestURI in interface javax.servlet.http.HttpServletRequest
Overrides: getRequestURI in class javax.servlet.http.HttpServletRequestWrapper
public java.lang.StringBuffer getRequestURL()
Specified by: getRequestURL in interface javax.servlet.http.HttpServletRequest
Overrides: getRequestURL in class javax.servlet.http.HttpServletRequestWrapper
public java.lang.String getScheme()
Specified by: getScheme in interface javax.servlet.ServletRequest
Overrides: getScheme in class javax.servlet.ServletRequestWrapper
public java.lang.String getServerName()
Specified by: getServerName in interface javax.servlet.ServletRequest
Overrides: getServerName in class javax.servlet.ServletRequestWrapper
public int getServerPort()
Specified by: getServerPort in interface javax.servlet.ServletRequest
Overrides: getServerPort in class javax.servlet.ServletRequestWrapper
public java.lang.String getServletPath()
Specified by: getServletPath in interface javax.servlet.http.HttpServletRequest
Overrides: getServletPath in class javax.servlet.http.HttpServletRequestWrapper
public javax.servlet.http.HttpSession getSession()
Specified by: getSession in interface javax.servlet.http.HttpServletRequest
Overrides: getSession in class javax.servlet.http.HttpServletRequestWrapper
public javax.servlet.http.HttpSession getSession(boolean create)
Specified by: getSession in interface javax.servlet.http.HttpServletRequest
Overrides: getSession in class javax.servlet.http.HttpServletRequestWrapper
Parameters:
create - Create a new session if one doesn't exist
public java.security.Principal getUserPrincipal()
Specified by: getUserPrincipal in interface javax.servlet.http.HttpServletRequest
Overrides: getUserPrincipal in class javax.servlet.http.HttpServletRequestWrapper
public boolean isRequestedSessionIdFromCookie()
Specified by: isRequestedSessionIdFromCookie in interface javax.servlet.http.HttpServletRequest
Overrides: isRequestedSessionIdFromCookie in class javax.servlet.http.HttpServletRequestWrapper
@Deprecated public boolean isRequestedSessionIdFromUrl()
Deprecated in servlet spec 2.1. Use isRequestedSessionIdFromURL() instead.
Specified by: isRequestedSessionIdFromUrl in interface javax.servlet.http.HttpServletRequest
Overrides: isRequestedSessionIdFromUrl in class javax.servlet.http.HttpServletRequestWrapper
public boolean isRequestedSessionIdFromURL()
Specified by: isRequestedSessionIdFromURL in interface javax.servlet.http.HttpServletRequest
Overrides: isRequestedSessionIdFromURL in class javax.servlet.http.HttpServletRequestWrapper
public boolean isRequestedSessionIdValid()
Specified by: isRequestedSessionIdValid in interface javax.servlet.http.HttpServletRequest
Overrides: isRequestedSessionIdValid in class javax.servlet.http.HttpServletRequestWrapper
public boolean isSecure()
Specified by: isSecure in interface javax.servlet.ServletRequest
Overrides: isSecure in class javax.servlet.ServletRequestWrapper
public boolean isUserInRole(java.lang.String role)
Specified by: isUserInRole in interface javax.servlet.http.HttpServletRequest
Overrides: isUserInRole in class javax.servlet.http.HttpServletRequestWrapper
Parameters:
role - The role to check
public void removeAttribute(java.lang.String name)
Specified by: removeAttribute in interface javax.servlet.ServletRequest
Overrides: removeAttribute in class javax.servlet.ServletRequestWrapper
Parameters:
name - The attribute name
public void setAttribute(java.lang.String name, java.lang.Object o)
Specified by: setAttribute in interface javax.servlet.ServletRequest
Overrides: setAttribute in class javax.servlet.ServletRequestWrapper
Parameters:
name - The attribute name
o - The attribute value
public void setCharacterEncoding(java.lang.String enc) throws java.io.UnsupportedEncodingException
Specified by: setCharacterEncoding in interface javax.servlet.ServletRequest
Overrides: setCharacterEncoding in class javax.servlet.ServletRequestWrapper
Parameters:
enc - The encoding scheme
Throws:
java.io.UnsupportedEncodingException
public java.lang.String getAllowableContentRoot()
public void setAllowableContentRoot(java.lang.String allowableContentRoot)