SecurityWrapperResponse (ESAPI 2.0 2.0

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.owasp.esapi.filters
Class SecurityWrapperResponse

java.lang.Object
  javax.servlet.ServletResponseWrapper
      javax.servlet.http.HttpServletResponseWrapper
          org.owasp.esapi.filters.SecurityWrapperResponse

All Implemented Interfaces:: javax.servlet.http.HttpServletResponse, javax.servlet.ServletResponse

public class SecurityWrapperResponse
extends javax.servlet.http.HttpServletResponseWrapper
implements javax.servlet.http.HttpServletResponse
extends javax.servlet.http.HttpServletResponseWrapper
implements javax.servlet.http.HttpServletResponse

This response wrapper simply overrides unsafe methods in the HttpServletResponse API with safe versions.

Field Summary

Fields inherited from interface javax.servlet.http.HttpServletResponse
SC_ACCEPTED, SC_BAD_GATEWAY, SC_BAD_REQUEST, SC_CONFLICT, SC_CONTINUE, SC_CREATED, SC_EXPECTATION_FAILED, SC_FORBIDDEN, SC_FOUND, SC_GATEWAY_TIMEOUT, SC_GONE, SC_HTTP_VERSION_NOT_SUPPORTED, SC_INTERNAL_SERVER_ERROR, SC_LENGTH_REQUIRED, SC_METHOD_NOT_ALLOWED, SC_MOVED_PERMANENTLY, SC_MOVED_TEMPORARILY, SC_MULTIPLE_CHOICES, SC_NO_CONTENT, SC_NON_AUTHORITATIVE_INFORMATION, SC_NOT_ACCEPTABLE, SC_NOT_FOUND, SC_NOT_IMPLEMENTED, SC_NOT_MODIFIED, SC_OK, SC_PARTIAL_CONTENT, SC_PAYMENT_REQUIRED, SC_PRECONDITION_FAILED, SC_PROXY_AUTHENTICATION_REQUIRED, SC_REQUEST_ENTITY_TOO_LARGE, SC_REQUEST_TIMEOUT, SC_REQUEST_URI_TOO_LONG, SC_REQUESTED_RANGE_NOT_SATISFIABLE, SC_RESET_CONTENT, SC_SEE_OTHER, SC_SERVICE_UNAVAILABLE, SC_SWITCHING_PROTOCOLS, SC_TEMPORARY_REDIRECT, SC_UNAUTHORIZED, SC_UNSUPPORTED_MEDIA_TYPE, SC_USE_PROXY

Fields inherited from interface javax.servlet.http.HttpServletResponse

SC_ACCEPTED, SC_BAD_GATEWAY, SC_BAD_REQUEST, SC_CONFLICT, SC_CONTINUE, SC_CREATED, SC_EXPECTATION_FAILED, SC_FORBIDDEN, SC_FOUND, SC_GATEWAY_TIMEOUT, SC_GONE, SC_HTTP_VERSION_NOT_SUPPORTED, SC_INTERNAL_SERVER_ERROR, SC_LENGTH_REQUIRED, SC_METHOD_NOT_ALLOWED, SC_MOVED_PERMANENTLY, SC_MOVED_TEMPORARILY, SC_MULTIPLE_CHOICES, SC_NO_CONTENT, SC_NON_AUTHORITATIVE_INFORMATION, SC_NOT_ACCEPTABLE, SC_NOT_FOUND, SC_NOT_IMPLEMENTED, SC_NOT_MODIFIED, SC_OK, SC_PARTIAL_CONTENT, SC_PAYMENT_REQUIRED, SC_PRECONDITION_FAILED, SC_PROXY_AUTHENTICATION_REQUIRED, SC_REQUEST_ENTITY_TOO_LARGE, SC_REQUEST_TIMEOUT, SC_REQUEST_URI_TOO_LONG, SC_REQUESTED_RANGE_NOT_SATISFIABLE, SC_RESET_CONTENT, SC_SEE_OTHER, SC_SERVICE_UNAVAILABLE, SC_SWITCHING_PROTOCOLS, SC_TEMPORARY_REDIRECT, SC_UNAUTHORIZED, SC_UNSUPPORTED_MEDIA_TYPE, SC_USE_PROXY

Constructor Summary
`SecurityWrapperResponse(javax.servlet.http.HttpServletResponse response)` Construct a safe response that overrides the default response methods with safer versions.
`SecurityWrapperResponse(javax.servlet.http.HttpServletResponse response, java.lang.String mode)`

Method Summary
`void`	`addCookie(javax.servlet.http.Cookie cookie)` Add a cookie to the response after ensuring that there are no encoded or illegal characters in the name and name and value.
`void`	`addDateHeader(java.lang.String name, long date)` Add a cookie to the response after ensuring that there are no encoded or illegal characters in the name.
`void`	`addHeader(java.lang.String name, java.lang.String value)` Add a header to the response after ensuring that there are no encoded or illegal characters in the name and name and value.
`void`	`addIntHeader(java.lang.String name, int value)` Add an int header to the response after ensuring that there are no encoded or illegal characters in the name and name.
`boolean`	`containsHeader(java.lang.String name)` Same as HttpServletResponse, no security changes required.
`java.lang.String`	`encodeRedirectUrl(java.lang.String url)` Deprecated. in servlet spec 2.1. Use `encodeRedirectUrl(String)` instead.
`java.lang.String`	`encodeRedirectURL(java.lang.String url)` Return the URL without any changes, to prevent disclosure of the Session ID The default implementation of this method can add the Session ID to the URL if support for cookies is not detected.
`java.lang.String`	`encodeUrl(java.lang.String url)` Deprecated. in servlet spec 2.1. Use `encodeURL(String)` instead.
`java.lang.String`	`encodeURL(java.lang.String url)` Return the URL without any changes, to prevent disclosure of the Session ID The default implementation of this method can add the Session ID to the URL if support for cookies is not detected.
`void`	`flushBuffer()` Same as HttpServletResponse, no security changes required.
`int`	`getBufferSize()` Same as HttpServletResponse, no security changes required.
`java.lang.String`	`getCharacterEncoding()` Same as HttpServletResponse, no security changes required.
`java.lang.String`	`getContentType()` Same as HttpServletResponse, no security changes required.
`java.util.Locale`	`getLocale()` Same as HttpServletResponse, no security changes required.
`javax.servlet.ServletOutputStream`	`getOutputStream()` Same as HttpServletResponse, no security changes required.
`java.io.PrintWriter`	`getWriter()` Same as HttpServletResponse, no security changes required.
`boolean`	`isCommitted()` Same as HttpServletResponse, no security changes required.
`void`	`reset()` Same as HttpServletResponse, no security changes required.
`void`	`resetBuffer()` Same as HttpServletResponse, no security changes required.
`void`	`sendError(int sc)` Override the error code with a 200 in order to confound attackers using automated scanners.
`void`	`sendError(int sc, java.lang.String msg)` Override the error code with a 200 in order to confound attackers using automated scanners.
`void`	`sendRedirect(java.lang.String location)` This method generates a redirect response that can only be used to redirect the browser to safe locations, as configured in the ESAPI security configuration.
`void`	`setBufferSize(int size)` Same as HttpServletResponse, no security changes required.
`void`	`setCharacterEncoding(java.lang.String charset)` Sets the character encoding to the ESAPI configured encoding.
`void`	`setContentLength(int len)` Same as HttpServletResponse, no security changes required.
`void`	`setContentType(java.lang.String type)` Same as HttpServletResponse, no security changes required.
`void`	`setDateHeader(java.lang.String name, long date)` Add a date header to the response after ensuring that there are no encoded or illegal characters in the name.
`void`	`setHeader(java.lang.String name, java.lang.String value)` Add a header to the response after ensuring that there are no encoded or illegal characters in the name and value.
`void`	`setIntHeader(java.lang.String name, int value)` Add an int header to the response after ensuring that there are no encoded or illegal characters in the name.
`void`	`setLocale(java.util.Locale loc)` Same as HttpServletResponse, no security changes required.
`void`	`setStatus(int sc)` Override the status code with a 200 in order to confound attackers using automated scanners.
`void`	`setStatus(int sc, java.lang.String sm)` Deprecated. In Servlet spec 2.1.

Methods inherited from class javax.servlet.ServletResponseWrapper
`getResponse, setResponse`

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Constructor Detail

SecurityWrapperResponse

public SecurityWrapperResponse(javax.servlet.http.HttpServletResponse response)

Construct a safe response that overrides the default response methods with safer versions.

Parameters:: response -

SecurityWrapperResponse

public SecurityWrapperResponse(javax.servlet.http.HttpServletResponse response,
                               java.lang.String mode)

Parameters:: response -; mode -

Method Detail

addCookie

public void addCookie(javax.servlet.http.Cookie cookie)

Add a cookie to the response after ensuring that there are no encoded or illegal characters in the name and name and value. This method also sets the secure and HttpOnly flags on the cookie. This implementation uses a custom "set-cookie" header instead of using Java's cookie interface which doesn't allow the use of HttpOnly.

Specified by:: addCookie in interface javax.servlet.http.HttpServletResponse
Overrides:: addCookie in class javax.servlet.http.HttpServletResponseWrapper

Parameters:: cookie -

addDateHeader

public void addDateHeader(java.lang.String name,
                          long date)

Add a cookie to the response after ensuring that there are no encoded or illegal characters in the name.

Specified by:: addDateHeader in interface javax.servlet.http.HttpServletResponse
Overrides:: addDateHeader in class javax.servlet.http.HttpServletResponseWrapper

Parameters:: name -; date -

addHeader

public void addHeader(java.lang.String name,
                      java.lang.String value)

Add a header to the response after ensuring that there are no encoded or illegal characters in the name and name and value. This implementation follows the following recommendation: "A recipient MAY replace any linear white space with a single SP before interpreting the field value or forwarding the message downstream." http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2

Specified by:: addHeader in interface javax.servlet.http.HttpServletResponse
Overrides:: addHeader in class javax.servlet.http.HttpServletResponseWrapper

Parameters:: name -; value -

addIntHeader

public void addIntHeader(java.lang.String name,
                         int value)

Add an int header to the response after ensuring that there are no encoded or illegal characters in the name and name.

Specified by:: addIntHeader in interface javax.servlet.http.HttpServletResponse
Overrides:: addIntHeader in class javax.servlet.http.HttpServletResponseWrapper

Parameters:: name -; value -

containsHeader

public boolean containsHeader(java.lang.String name)

Same as HttpServletResponse, no security changes required.

Specified by:: containsHeader in interface javax.servlet.http.HttpServletResponse
Overrides:: containsHeader in class javax.servlet.http.HttpServletResponseWrapper

Parameters:: name -
Returns:

encodeRedirectUrl

@Deprecated
public java.lang.String encodeRedirectUrl(java.lang.String url)

Deprecated. in servlet spec 2.1. Use encodeRedirectUrl(String) instead.

Return the URL without any changes, to prevent disclosure of the Session ID. The default implementation of this method can add the Session ID to the URL if support for cookies is not detected. This exposes the Session ID credential in bookmarks, referer headers, server logs, and more.

Specified by:: encodeRedirectUrl in interface javax.servlet.http.HttpServletResponse
Overrides:: encodeRedirectUrl in class javax.servlet.http.HttpServletResponseWrapper

Parameters:: url -
Returns:: original url

encodeRedirectURL

public java.lang.String encodeRedirectURL(java.lang.String url)

Return the URL without any changes, to prevent disclosure of the Session ID The default implementation of this method can add the Session ID to the URL if support for cookies is not detected. This exposes the Session ID credential in bookmarks, referer headers, server logs, and more.

Specified by:: encodeRedirectURL in interface javax.servlet.http.HttpServletResponse
Overrides:: encodeRedirectURL in class javax.servlet.http.HttpServletResponseWrapper

Parameters:: url -
Returns:: original url

encodeUrl

@Deprecated
public java.lang.String encodeUrl(java.lang.String url)

Deprecated. in servlet spec 2.1. Use encodeURL(String) instead.

Specified by:: encodeUrl in interface javax.servlet.http.HttpServletResponse
Overrides:: encodeUrl in class javax.servlet.http.HttpServletResponseWrapper

Parameters:: url -
Returns:: original url

encodeURL

public java.lang.String encodeURL(java.lang.String url)

Specified by:: encodeURL in interface javax.servlet.http.HttpServletResponse
Overrides:: encodeURL in class javax.servlet.http.HttpServletResponseWrapper

Parameters:: url -
Returns:: original url

flushBuffer

public void flushBuffer()
                 throws java.io.IOException

Same as HttpServletResponse, no security changes required.

Specified by:: flushBuffer in interface javax.servlet.ServletResponse
Overrides:: flushBuffer in class javax.servlet.ServletResponseWrapper

Throws:: java.io.IOException

getBufferSize

public int getBufferSize()

Same as HttpServletResponse, no security changes required.

Specified by:: getBufferSize in interface javax.servlet.ServletResponse
Overrides:: getBufferSize in class javax.servlet.ServletResponseWrapper

Returns:

getCharacterEncoding

public java.lang.String getCharacterEncoding()

Same as HttpServletResponse, no security changes required.

Specified by:: getCharacterEncoding in interface javax.servlet.ServletResponse
Overrides:: getCharacterEncoding in class javax.servlet.ServletResponseWrapper

Returns:

getContentType

public java.lang.String getContentType()

Same as HttpServletResponse, no security changes required.

Specified by:: getContentType in interface javax.servlet.ServletResponse
Overrides:: getContentType in class javax.servlet.ServletResponseWrapper

Returns:

getLocale

public java.util.Locale getLocale()

Same as HttpServletResponse, no security changes required.

Specified by:: getLocale in interface javax.servlet.ServletResponse
Overrides:: getLocale in class javax.servlet.ServletResponseWrapper

Returns:

getOutputStream

public javax.servlet.ServletOutputStream getOutputStream()
                                                  throws java.io.IOException

Same as HttpServletResponse, no security changes required.

Specified by:: getOutputStream in interface javax.servlet.ServletResponse
Overrides:: getOutputStream in class javax.servlet.ServletResponseWrapper

Returns:
Throws:: java.io.IOException

getWriter

public java.io.PrintWriter getWriter()
                              throws java.io.IOException

Same as HttpServletResponse, no security changes required.

Specified by:: getWriter in interface javax.servlet.ServletResponse
Overrides:: getWriter in class javax.servlet.ServletResponseWrapper

Returns:
Throws:: java.io.IOException

isCommitted

public boolean isCommitted()

Same as HttpServletResponse, no security changes required.

Specified by:: isCommitted in interface javax.servlet.ServletResponse
Overrides:: isCommitted in class javax.servlet.ServletResponseWrapper

Returns:

reset

public void reset()

Same as HttpServletResponse, no security changes required.

Specified by:: reset in interface javax.servlet.ServletResponse
Overrides:: reset in class javax.servlet.ServletResponseWrapper

resetBuffer

public void resetBuffer()

Same as HttpServletResponse, no security changes required.

Specified by:: resetBuffer in interface javax.servlet.ServletResponse
Overrides:: resetBuffer in class javax.servlet.ServletResponseWrapper

sendError

public void sendError(int sc)
               throws java.io.IOException

Override the error code with a 200 in order to confound attackers using automated scanners.

Specified by:: sendError in interface javax.servlet.http.HttpServletResponse
Overrides:: sendError in class javax.servlet.http.HttpServletResponseWrapper

Parameters:: sc -
Throws:: java.io.IOException

sendError

public void sendError(int sc,
                      java.lang.String msg)
               throws java.io.IOException

Override the error code with a 200 in order to confound attackers using automated scanners. The message is canonicalized and filtered for dangerous characters.

Specified by:: sendError in interface javax.servlet.http.HttpServletResponse
Overrides:: sendError in class javax.servlet.http.HttpServletResponseWrapper

Parameters:: sc -; msg -
Throws:: java.io.IOException

sendRedirect

public void sendRedirect(java.lang.String location)
                  throws java.io.IOException

This method generates a redirect response that can only be used to redirect the browser to safe locations, as configured in the ESAPI security configuration. This method does not that redirect requests can be modified by attackers, so do not rely information contained within redirect requests, and do not include sensitive information in a redirect.

Specified by:: sendRedirect in interface javax.servlet.http.HttpServletResponse
Overrides:: sendRedirect in class javax.servlet.http.HttpServletResponseWrapper

Parameters:: location -
Throws:: java.io.IOException

setBufferSize

public void setBufferSize(int size)

Same as HttpServletResponse, no security changes required.

Specified by:: setBufferSize in interface javax.servlet.ServletResponse
Overrides:: setBufferSize in class javax.servlet.ServletResponseWrapper

Parameters:: size -

setCharacterEncoding

public void setCharacterEncoding(java.lang.String charset)

Sets the character encoding to the ESAPI configured encoding.

Specified by:: setCharacterEncoding in interface javax.servlet.ServletResponse
Overrides:: setCharacterEncoding in class javax.servlet.ServletResponseWrapper

Parameters:: charset -

setContentLength

public void setContentLength(int len)

Same as HttpServletResponse, no security changes required.

Specified by:: setContentLength in interface javax.servlet.ServletResponse
Overrides:: setContentLength in class javax.servlet.ServletResponseWrapper

Parameters:: len -

setContentType

public void setContentType(java.lang.String type)

Same as HttpServletResponse, no security changes required.

Specified by:: setContentType in interface javax.servlet.ServletResponse
Overrides:: setContentType in class javax.servlet.ServletResponseWrapper

Parameters:: type -

setDateHeader

public void setDateHeader(java.lang.String name,
                          long date)

Add a date header to the response after ensuring that there are no encoded or illegal characters in the name.

Specified by:: setDateHeader in interface javax.servlet.http.HttpServletResponse
Overrides:: setDateHeader in class javax.servlet.http.HttpServletResponseWrapper

Parameters:: name -; date -

setHeader

public void setHeader(java.lang.String name,
                      java.lang.String value)

Add a header to the response after ensuring that there are no encoded or illegal characters in the name and value. "A recipient MAY replace any linear white space with a single SP before interpreting the field value or forwarding the message downstream." http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2

Specified by:: setHeader in interface javax.servlet.http.HttpServletResponse
Overrides:: setHeader in class javax.servlet.http.HttpServletResponseWrapper

Parameters:: name -; value -

setIntHeader

public void setIntHeader(java.lang.String name,
                         int value)

Add an int header to the response after ensuring that there are no encoded or illegal characters in the name.

Specified by:: setIntHeader in interface javax.servlet.http.HttpServletResponse
Overrides:: setIntHeader in class javax.servlet.http.HttpServletResponseWrapper

Parameters:: name -; value -

setLocale

public void setLocale(java.util.Locale loc)

Same as HttpServletResponse, no security changes required.

Specified by:: setLocale in interface javax.servlet.ServletResponse
Overrides:: setLocale in class javax.servlet.ServletResponseWrapper

Parameters:: loc -

setStatus

public void setStatus(int sc)

Override the status code with a 200 in order to confound attackers using automated scanners.

Specified by:: setStatus in interface javax.servlet.http.HttpServletResponse
Overrides:: setStatus in class javax.servlet.http.HttpServletResponseWrapper

Parameters:: sc -

setStatus

@Deprecated
public void setStatus(int sc,
                                 java.lang.String sm)

Deprecated. In Servlet spec 2.1.

Override the status code with a 200 in order to confound attackers using automated scanners. The message is canonicalized and filtered for dangerous characters.

Specified by:: setStatus in interface javax.servlet.http.HttpServletResponse
Overrides:: setStatus in class javax.servlet.http.HttpServletResponseWrapper

Parameters:: sc -; sm -

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.owasp.esapi.filters Class SecurityWrapperResponse

SecurityWrapperResponse

SecurityWrapperResponse

addCookie

addDateHeader

addHeader

addIntHeader

containsHeader

encodeRedirectUrl

encodeRedirectURL

encodeUrl

encodeURL

flushBuffer

getBufferSize

getCharacterEncoding

getContentType

getLocale

getOutputStream

getWriter

isCommitted

reset

resetBuffer

sendError

sendError

sendRedirect

setBufferSize

setCharacterEncoding

setContentLength

setContentType

setDateHeader

setHeader

setIntHeader

setLocale

setStatus

setStatus

org.owasp.esapi.filters
Class SecurityWrapperResponse