public class SecurityWrapperResponse
extends javax.servlet.http.HttpServletResponseWrapper
implements javax.servlet.http.HttpServletResponse
SC_ACCEPTED, SC_BAD_GATEWAY, SC_BAD_REQUEST, SC_CONFLICT, SC_CONTINUE, SC_CREATED, SC_EXPECTATION_FAILED, SC_FORBIDDEN, SC_FOUND, SC_GATEWAY_TIMEOUT, SC_GONE, SC_HTTP_VERSION_NOT_SUPPORTED, SC_INTERNAL_SERVER_ERROR, SC_LENGTH_REQUIRED, SC_METHOD_NOT_ALLOWED, SC_MOVED_PERMANENTLY, SC_MOVED_TEMPORARILY, SC_MULTIPLE_CHOICES, SC_NO_CONTENT, SC_NON_AUTHORITATIVE_INFORMATION, SC_NOT_ACCEPTABLE, SC_NOT_FOUND, SC_NOT_IMPLEMENTED, SC_NOT_MODIFIED, SC_OK, SC_PARTIAL_CONTENT, SC_PAYMENT_REQUIRED, SC_PRECONDITION_FAILED, SC_PROXY_AUTHENTICATION_REQUIRED, SC_REQUEST_ENTITY_TOO_LARGE, SC_REQUEST_TIMEOUT, SC_REQUEST_URI_TOO_LONG, SC_REQUESTED_RANGE_NOT_SATISFIABLE, SC_RESET_CONTENT, SC_SEE_OTHER, SC_SERVICE_UNAVAILABLE, SC_SWITCHING_PROTOCOLS, SC_TEMPORARY_REDIRECT, SC_UNAUTHORIZED, SC_UNSUPPORTED_MEDIA_TYPE, SC_USE_PROXY
Constructor and Description |
---|
SecurityWrapperResponse(javax.servlet.http.HttpServletResponse response)
Construct a safe response that overrides the default response methods
with safer versions.
|
SecurityWrapperResponse(javax.servlet.http.HttpServletResponse response,
String mode)
Construct a safe response that overrides the default response methods
with safer versions.
|
Modifier and Type | Method and Description |
---|---|
void |
addCookie(javax.servlet.http.Cookie cookie)
Add a cookie to the response after ensuring that there are no encoded or
illegal characters in the name and value.
|
void |
addDateHeader(String name,
long date)
Add a date header to the response after ensuring that there are no encoded or
illegal characters in the name.
|
void |
addHeader(String name,
String value)
Add a header to the response after ensuring that there are no encoded or
illegal characters in the name and value.
|
void |
addIntHeader(String name,
int value)
Add an int header to the response after ensuring that there are no
encoded or illegal characters in the name and value.
|
void |
addReferer(String uri)
Add a referer header to the response, after validating there are no illegal characters according to the
Validator.isValidURI() method, as well as ensuring there are no instances of mixed or double encoding
depending on how you have configured ESAPI defaults.
|
boolean |
containsHeader(String name)
Same as HttpServletResponse, no security changes required.
|
String |
encodeRedirectUrl(String url)
Deprecated.
in servlet spec 2.1. Use
encodeRedirectURL(String) instead. |
String |
encodeRedirectURL(String url)
Return the URL without any changes, to prevent disclosure of the
Session ID. The default implementation of this method can add the
Session ID to the URL if support for cookies is not detected.
|
String |
encodeUrl(String url)
Deprecated.
in servlet spec 2.1. Use
encodeURL(String) instead. |
String |
encodeURL(String url)
Return the URL without any changes, to prevent disclosure of the
Session ID. The default implementation of this method can add the
Session ID to the URL if support for cookies is not detected.
|
void |
flushBuffer()
Same as HttpServletResponse, no security changes required.
|
int |
getBufferSize()
Same as HttpServletResponse, no security changes required.
|
String |
getCharacterEncoding()
Same as HttpServletResponse, no security changes required.
|
String |
getContentType()
Same as HttpServletResponse, no security changes required.
|
Locale |
getLocale()
Same as HttpServletResponse, no security changes required.
|
javax.servlet.ServletOutputStream |
getOutputStream()
Same as HttpServletResponse, no security changes required.
|
PrintWriter |
getWriter()
Same as HttpServletResponse, no security changes required.
|
boolean |
isCommitted()
Same as HttpServletResponse, no security changes required.
|
void |
reset()
Same as HttpServletResponse, no security changes required.
|
void |
resetBuffer()
Same as HttpServletResponse, no security changes required.
|
void |
sendError(int sc)
Override the error code with a 200 in order to confound attackers using
automated scanners (controlled by HttpUtilities.OverwriteStatusCodes in ESAPI.properties).
|
void |
sendError(int sc,
String msg)
Override the error code with a 200 in order to confound attackers using
automated scanners (controlled by HttpUtilities.OverwriteStatusCodes in ESAPI.properties).
|
void |
sendRedirect(String location)
This method generates a redirect response that can only be used to
redirect the browser to safe locations, as configured in the ESAPI
security configuration.
|
void |
setBufferSize(int size)
Same as HttpServletResponse, no security changes required.
|
void |
setCharacterEncoding(String charset)
Sets the character encoding to the ESAPI configured encoding.
|
void |
setContentLength(int len)
Same as HttpServletResponse, no security changes required.
|
void |
setContentType(String type)
Same as HttpServletResponse, no security changes required.
|
void |
setDateHeader(String name,
long date)
Add a date header to the response after ensuring that there are no
encoded or illegal characters in the name.
|
void |
setHeader(String name,
String value)
Add a header to the response after ensuring that there are no encoded or
illegal characters in the name and value.
|
void |
setIntHeader(String name,
int value)
Add an int header to the response after ensuring that there are no
encoded or illegal characters in the name.
|
void |
setLocale(Locale loc)
Same as HttpServletResponse, no security changes required.
|
void |
setStatus(int sc)
Override the status code with a 200 in order to confound attackers using
automated scanners.
|
void |
setStatus(int sc,
String sm)
Deprecated.
In Servlet spec 2.1.
|
getHeader, getHeaderNames, getHeaders, getStatus
getResponse, isWrapperFor, isWrapperFor, setContentLengthLong, setResponse
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
public SecurityWrapperResponse(javax.servlet.http.HttpServletResponse response)
response
- public SecurityWrapperResponse(javax.servlet.http.HttpServletResponse response, String mode)
response
- mode
- The mode for this wrapper. Legal modes are "log", "skip", "sanitize", "throw".
public void addCookie(javax.servlet.http.Cookie cookie)
addCookie
in interface javax.servlet.http.HttpServletResponse
addCookie
in class javax.servlet.http.HttpServletResponseWrapper
cookie
- public void addDateHeader(String name, long date)
addDateHeader
in interface javax.servlet.http.HttpServletResponse
addDateHeader
in class javax.servlet.http.HttpServletResponseWrapper
name
- date
- public void addHeader(String name, String value)
addHeader
in interface javax.servlet.http.HttpServletResponse
addHeader
in class javax.servlet.http.HttpServletResponseWrapper
name
- value
- public void addReferer(String uri)
uri
- public void addIntHeader(String name, int value)
addIntHeader
in interface javax.servlet.http.HttpServletResponse
addIntHeader
in class javax.servlet.http.HttpServletResponseWrapper
name
- value
- public boolean containsHeader(String name)
containsHeader
in interface javax.servlet.http.HttpServletResponse
containsHeader
in class javax.servlet.http.HttpServletResponseWrapper
name
- @Deprecated public String encodeRedirectUrl(String url)
encodeRedirectURL(String)
instead.
encodeRedirectUrl
in interface javax.servlet.http.HttpServletResponse
encodeRedirectUrl
in class javax.servlet.http.HttpServletResponseWrapper
url
- public String encodeRedirectURL(String url)
encodeRedirectURL
in interface javax.servlet.http.HttpServletResponse
encodeRedirectURL
in class javax.servlet.http.HttpServletResponseWrapper
url
- @Deprecated public String encodeUrl(String url)
encodeURL(String)
instead.
encodeUrl
in interface javax.servlet.http.HttpServletResponse
encodeUrl
in class javax.servlet.http.HttpServletResponseWrapper
url
- public String encodeURL(String url)
encodeURL
in interface javax.servlet.http.HttpServletResponse
encodeURL
in class javax.servlet.http.HttpServletResponseWrapper
url
- public void flushBuffer() throws IOException
flushBuffer
in interface javax.servlet.ServletResponse
flushBuffer
in class javax.servlet.ServletResponseWrapper
IOException
public int getBufferSize()
getBufferSize
in interface javax.servlet.ServletResponse
getBufferSize
in class javax.servlet.ServletResponseWrapper
public String getCharacterEncoding()
getCharacterEncoding
in interface javax.servlet.ServletResponse
getCharacterEncoding
in class javax.servlet.ServletResponseWrapper
public String getContentType()
getContentType
in interface javax.servlet.ServletResponse
getContentType
in class javax.servlet.ServletResponseWrapper
public Locale getLocale()
getLocale
in interface javax.servlet.ServletResponse
getLocale
in class javax.servlet.ServletResponseWrapper
public javax.servlet.ServletOutputStream getOutputStream() throws IOException
getOutputStream
in interface javax.servlet.ServletResponse
getOutputStream
in class javax.servlet.ServletResponseWrapper
IOException
public PrintWriter getWriter() throws IOException
getWriter
in interface javax.servlet.ServletResponse
getWriter
in class javax.servlet.ServletResponseWrapper
IOException
public boolean isCommitted()
isCommitted
in interface javax.servlet.ServletResponse
isCommitted
in class javax.servlet.ServletResponseWrapper
public void reset()
reset
in interface javax.servlet.ServletResponse
reset
in class javax.servlet.ServletResponseWrapper
public void resetBuffer()
resetBuffer
in interface javax.servlet.ServletResponse
resetBuffer
in class javax.servlet.ServletResponseWrapper
public void sendError(int sc) throws IOException
HttpUtilities.OverwriteStatusCodes in ESAPI.properties.
sendError
in interface javax.servlet.http.HttpServletResponse
sendError
in class javax.servlet.http.HttpServletResponseWrapper
sc
- http status code
IOException
public void sendError(int sc, String msg) throws IOException
HttpUtilities.OverwriteStatusCodes in ESAPI.properties.
sendError
in interface javax.servlet.http.HttpServletResponse
sendError
in class javax.servlet.http.HttpServletResponseWrapper
sc
- http status code
msg
- error message
IOException
public void sendRedirect(String location) throws IOException
sendRedirect
in interface javax.servlet.http.HttpServletResponse
sendRedirect
in class javax.servlet.http.HttpServletResponseWrapper
location
- IOException
public void setBufferSize(int size)
setBufferSize
in interface javax.servlet.ServletResponse
setBufferSize
in class javax.servlet.ServletResponseWrapper
size
- public void setCharacterEncoding(String charset)
setCharacterEncoding
in interface javax.servlet.ServletResponse
setCharacterEncoding
in class javax.servlet.ServletResponseWrapper
charset
- public void setContentLength(int len)
setContentLength
in interface javax.servlet.ServletResponse
setContentLength
in class javax.servlet.ServletResponseWrapper
len
- public void setContentType(String type)
setContentType
in interface javax.servlet.ServletResponse
setContentType
in class javax.servlet.ServletResponseWrapper
type
- public void setDateHeader(String name, long date)
setDateHeader
in interface javax.servlet.http.HttpServletResponse
setDateHeader
in class javax.servlet.http.HttpServletResponseWrapper
name
- date
- public void setHeader(String name, String value)
setHeader
in interface javax.servlet.http.HttpServletResponse
setHeader
in class javax.servlet.http.HttpServletResponseWrapper
name
- value
- public void setIntHeader(String name, int value)
setIntHeader
in interface javax.servlet.http.HttpServletResponse
setIntHeader
in class javax.servlet.http.HttpServletResponseWrapper
name
- value
- public void setLocale(Locale loc)
setLocale
in interface javax.servlet.ServletResponse
setLocale
in class javax.servlet.ServletResponseWrapper
loc
- public void setStatus(int sc)
setStatus
in interface javax.servlet.http.HttpServletResponse
setStatus
in class javax.servlet.http.HttpServletResponseWrapper
sc
- @Deprecated public void setStatus(int sc, String sm)
setStatus
in interface javax.servlet.http.HttpServletResponse
setStatus
in class javax.servlet.http.HttpServletResponseWrapper
sc
- sm