public class SecurityWrapperRequest
extends javax.servlet.http.HttpServletRequestWrapper
implements javax.servlet.http.HttpServletRequest

| Constructor and Description |
|---|
| SecurityWrapperRequest(javax.servlet.http.HttpServletRequest request) Construct a safe request that overrides the default request methods with safer versions. |

| Modifier and Type | Method and Description |
|---|---|
| String | getAllowableContentRoot() |
| Object | getAttribute(String name) Same as HttpServletRequest, no security changes required. |
| Enumeration | getAttributeNames() Same as HttpServletRequest, no security changes required. |
| String | getAuthType() Same as HttpServletRequest, no security changes required. |
| String | getCharacterEncoding() Same as HttpServletRequest, no security changes required. |
| int | getContentLength() Same as HttpServletRequest, no security changes required. |
| String | getContentType() Same as HttpServletRequest, no security changes required. |
| String | getContextPath() Returns the context path from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
| javax.servlet.http.Cookie[] | getCookies() Returns the array of Cookies from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
| long | getDateHeader(String name) Same as HttpServletRequest, no security changes required. |
| String | getHeader(String name) Returns the named header from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
| Enumeration | getHeaderNames() Returns the enumeration of header names from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
| Enumeration | getHeaders(String name) Returns the enumeration of headers from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
| javax.servlet.ServletInputStream | getInputStream() Same as HttpServletRequest, no security changes required. |
| int | getIntHeader(String name) Same as HttpServletRequest, no security changes required. |
| String | getLocalAddr() Same as HttpServletRequest, no security changes required. |
| Locale | getLocale() Same as HttpServletRequest, no security changes required. |
| Enumeration | getLocales() Same as HttpServletRequest, no security changes required. |
| String | getLocalName() Same as HttpServletRequest, no security changes required. |
| int | getLocalPort() Same as HttpServletRequest, no security changes required. |
| String | getMethod() Same as HttpServletRequest, no security changes required. |
| String | getParameter(String name) Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
| String | getParameter(String name, boolean allowNull) Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
| String | getParameter(String name, boolean allowNull, int maxLength) Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
| String | getParameter(String name, boolean allowNull, int maxLength, String regexName) Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
| Map | getParameterMap() Returns the parameter map from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
| Enumeration | getParameterNames() Returns the enumeration of parameter names from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
| String[] | getParameterValues(String name) Returns the array of matching parameter values from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
| String | getPathInfo() Returns the path info from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
| String | getPathTranslated() Same as HttpServletRequest, no security changes required. |
| String | getProtocol() Same as HttpServletRequest, no security changes required. |
| String | getQueryString() Returns the query string from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
| BufferedReader | getReader() Same as HttpServletRequest, no security changes required. |
| String | getRealPath(String path) Deprecated. in servlet spec 2.1. Use ServletContext.getRealPath(String) instead. |
| String | getRemoteAddr() Same as HttpServletRequest, no security changes required. |
| String | getRemoteHost() Same as HttpServletRequest, no security changes required. |
| int | getRemotePort() Same as HttpServletRequest, no security changes required. |
| String | getRemoteUser() Returns the name of the ESAPI user associated with this getHttpServletRequest(). |
| javax.servlet.RequestDispatcher | getRequestDispatcher(String path) Checks to make sure the path to forward to is within the WEB-INF directory and then returns the dispatcher. |
| String | getRequestedSessionId() Returns the URI from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
| String | getRequestURI() Returns the URI from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
| StringBuffer | getRequestURL() Returns the URL from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
| String | getScheme() Returns the scheme from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
| String | getServerName() Returns the server name (host header) from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
| int | getServerPort() Returns the server port (after the : in the host header) from the HttpServletRequest after parsing and checking the range 0-65536. |
| String | getServletPath() Returns the server path from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. |
| javax.servlet.http.HttpSession | getSession() Returns a session, creating it if necessary, and sets the HttpOnly flag on the Session ID cookie. |
| javax.servlet.http.HttpSession | getSession(boolean create) Returns the current session associated with this request or, if there is no current session and create is true, returns a new session and sets the HttpOnly flag on the session ID cookie. |
| Principal | getUserPrincipal() Returns the ESAPI User associated with this getHttpServletRequest(). |
| boolean | isRequestedSessionIdFromCookie() Same as HttpServletRequest, no security changes required. |
| boolean | isRequestedSessionIdFromUrl() Deprecated. in servlet spec 2.1. Use isRequestedSessionIdFromURL() instead. |
| boolean | isRequestedSessionIdFromURL() Same as HttpServletRequest, no security changes required. |
| boolean | isRequestedSessionIdValid() Same as HttpServletRequest, no security changes required. |
| boolean | isSecure() Same as HttpServletRequest, no security changes required. |
| boolean | isUserInRole(String role) Returns true if the ESAPI User associated with this request has the specified role. |
| void | removeAttribute(String name) Same as HttpServletRequest, no security changes required. |
| void | setAllowableContentRoot(String allowableContentRoot) |
| void | setAttribute(String name, Object o) Same as HttpServletRequest, no security changes required. |
| void | setCharacterEncoding(String enc) Sets the character encoding scheme to the ESAPI configured encoding scheme. |

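Methods inherited from class javax.servlet.http.HttpServletRequestWrapper: authenticate, changeSessionId, getPart, getParts, login, logout, upgrade
Methods inherited from class javax.servlet.ServletRequestWrapper: getAsyncContext, getContentLengthLong, getDispatcherType, getRequest, getServletContext, isAsyncStarted, isAsyncSupported, isWrapperFor, isWrapperFor, setRequest, startAsync, startAsync
Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait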
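
One way to put this wrapper in front of application code and then read a parameter through the four-argument getParameter overload listed above; this is an added example, not code from the ESAPI project or its documentation. It assumes ESAPI is configured (ESAPI.properties on the classpath) and that the class is imported from org.owasp.esapi.filters, a package name this page does not show. WrapRequestFilter, AccountServlet, the accountId parameter and the AccountId pattern name are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.filters.SecurityWrapperRequest;

/** Added example: wrap each HTTP request once, in front of the application. */
public class WrapRequestFilter implements Filter {
    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            // Downstream getParameter/getHeader/getCookies calls now go through the wrapper.
            req = new SecurityWrapperRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, resp);
    }
}

/** Hypothetical servlet mapped behind WrapRequestFilter. */
class AccountServlet extends HttpServlet {
    // Hypothetical pattern name; assumes ESAPI.properties contains
    //   Validator.AccountId=^[0-9]{1,10}$
    private static final String ACCOUNT_ID_PATTERN = "AccountId";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        if (!(req instanceof SecurityWrapperRequest)) {
            // Filter not mapped in front of this servlet: refuse rather than read raw input.
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        SecurityWrapperRequest safe = (SecurityWrapperRequest) req;

        // name, allowNull=false, maxLength=10, regexName (looked up in ESAPI.properties)
        String accountId = safe.getParameter("accountId", false, 10, ACCOUNT_ID_PATTERN);
        if (accountId == null) {
            // This example treats null as "missing or rejected" and fails closed.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("account " + accountId);
    }
}
```
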
public SecurityWrapperRequest(javax.servlet.http.HttpServletRequest request)
request - The HttpServletRequest we are wrapping.

public Object getAttribute(String name)
getAttribute in interface javax.servlet.ServletRequest
getAttribute in class javax.servlet.ServletRequestWrapper
name - The attribute name

public Enumeration getAttributeNames()
getAttributeNames in interface javax.servlet.ServletRequest
getAttributeNames in class javax.servlet.ServletRequestWrapper
Enumeration of attribute names.

public String getAuthType()
getAuthType in interface javax.servlet.http.HttpServletRequest
getAuthType in class javax.servlet.http.HttpServletRequestWrapper

public String getCharacterEncoding()
getCharacterEncoding in interface javax.servlet.ServletRequest
getCharacterEncoding in class javax.servlet.ServletRequestWrapper
HttpServletRequest

public int getContentLength()
getContentLength in interface javax.servlet.ServletRequest
getContentLength in class javax.servlet.ServletRequestWrapper
HttpServletRequest

public String getContentType()
getContentType in interface javax.servlet.ServletRequest
getContentType in class javax.servlet.ServletRequestWrapper
HttpServletRequest

public String getContextPath()
getContextPath in interface javax.servlet.http.HttpServletRequest
getContextPath in class javax.servlet.http.HttpServletRequestWrapper
HttpServletRequest

public javax.servlet.http.Cookie[] getCookies()
getCookies in interface javax.servlet.http.HttpServletRequest
getCookies in class javax.servlet.http.HttpServletRequestWrapper
Cookies for this HttpServletRequest

public long getDateHeader(String name)
getDateHeader in interface javax.servlet.http.HttpServletRequest
getDateHeader in class javax.servlet.http.HttpServletRequestWrapper
name - Specifies the name of the HTTP request header; e.g., If-Modified-Since.
January 1, 1970 GMT, or -1 if the named header was not included with the request.

public String getHeader(String name)
getHeader in interface javax.servlet.http.HttpServletRequest
getHeader in class javax.servlet.http.HttpServletRequestWrapper
name - The name of an HTTP request header

public Enumeration getHeaderNames()
getHeaderNames in interface javax.servlet.http.HttpServletRequest
getHeaderNames in class javax.servlet.http.HttpServletRequestWrapper
Enumeration of header names associated with this request.

public Enumeration getHeaders(String name)
getHeaders in interface javax.servlet.http.HttpServletRequest
getHeaders in class javax.servlet.http.HttpServletRequestWrapper
name - The name of an HTTP request header.
Enumeration of headers from the request after canonicalizing and filtering has been performed.

public javax.servlet.ServletInputStream getInputStream() throws IOException
getInputStream in interface javax.servlet.ServletRequest
getInputStream in class javax.servlet.ServletRequestWrapper
ServletInputStream associated with this HttpServletRequest.
IOException - Thrown if an input exception is thrown, such as the remote peer closing the connection.

public int getIntHeader(String name)
getIntHeader in interface javax.servlet.http.HttpServletRequest
getIntHeader in class javax.servlet.http.HttpServletRequestWrapper
name - The name of an HTTP request header.
int.

public String getLocalAddr()
getLocalAddr in interface javax.servlet.ServletRequest
getLocalAddr in class javax.servlet.ServletRequestWrapper
String containing the IP address on which the request was received.

public Locale getLocale()
getLocale in interface javax.servlet.ServletRequest
getLocale in class javax.servlet.ServletRequestWrapper
Locale for the client.

public Enumeration getLocales()
getLocales in interface javax.servlet.ServletRequest
getLocales in class javax.servlet.ServletRequestWrapper
Enumeration of preferred Locale objects for the client.

public String getLocalName()
getLocalName in interface javax.servlet.ServletRequest
getLocalName in class javax.servlet.ServletRequestWrapper
String containing the host name of the IP on which the request was received.

public int getLocalPort()
getLocalPort in interface javax.servlet.ServletRequest
getLocalPort in class javax.servlet.ServletRequestWrapper

public String getMethod()
getMethod in interface javax.servlet.http.HttpServletRequest
getMethod in class javax.servlet.http.HttpServletRequestWrapper

public String getParameter(String name)
getParameter in interface javax.servlet.ServletRequest
getParameter in class javax.servlet.ServletRequestWrapper
name - The parameter name for the request

public String getParameter(String name, boolean allowNull)
name - The parameter name for the request
allowNull - Whether null values are allowed

public String getParameter(String name, boolean allowNull, int maxLength)
name - The parameter name for the request
allowNull - Whether null values are allowed
maxLength - The maximum length allowed

public String getParameter(String name, boolean allowNull, int maxLength, String regexName)
name - The parameter name for the request
allowNull - Whether null values are allowed
maxLength - The maximum length allowed
regexName - The name of the regex mapped from ESAPI.properties

public Map getParameterMap()
getParameterMap in interface javax.servlet.ServletRequest
getParameterMap in class javax.servlet.ServletRequestWrapper
Map containing scrubbed parameter names / value pairs.

public Enumeration getParameterNames()
getParameterNames in interface javax.servlet.ServletRequest
getParameterNames in class javax.servlet.ServletRequestWrapper
Enumeration of properly "scrubbed" parameter names.

public String[] getParameterValues(String name)
getParameterValues in interface javax.servlet.ServletRequest
getParameterValues in class javax.servlet.ServletRequestWrapper
name - The parameter name
null if the parameter does not exist.

public String getPathInfo()
getPathInfo in interface javax.servlet.http.HttpServletRequest
getPathInfo in class javax.servlet.http.HttpServletRequestWrapper

public String getPathTranslated()
getPathTranslated in interface javax.servlet.http.HttpServletRequest
getPathTranslated in class javax.servlet.http.HttpServletRequestWrapper

public String getProtocol()
getProtocol in interface javax.servlet.ServletRequest
getProtocol in class javax.servlet.ServletRequestWrapper

public String getQueryString()
getQueryString in interface javax.servlet.http.HttpServletRequest
getQueryString in class javax.servlet.http.HttpServletRequestWrapper

public BufferedReader getReader() throws IOException
getReader in interface javax.servlet.ServletRequest
getReader in class javax.servlet.ServletRequestWrapper
BufferedReader containing the body of the request.
IOException - If an input error occurred while reading the request body (e.g., premature EOF).

@Deprecated public String getRealPath(String path)
ServletContext.getRealPath(String) instead.
getRealPath in interface javax.servlet.ServletRequest
getRealPath in class javax.servlet.ServletRequestWrapper
path - A virtual path on a web or application server; e.g., "/index.htm".

public String getRemoteAddr()
getRemoteAddr in interface javax.servlet.ServletRequest
getRemoteAddr in class javax.servlet.ServletRequestWrapper

public String getRemoteHost()
getRemoteHost in interface javax.servlet.ServletRequest
getRemoteHost in class javax.servlet.ServletRequestWrapper

public int getRemotePort()
getRemotePort in interface javax.servlet.ServletRequest
getRemotePort in class javax.servlet.ServletRequestWrapper

public String getRemoteUser()
getRemoteUser in interface javax.servlet.http.HttpServletRequest
getRemoteUser in class javax.servlet.http.HttpServletRequestWrapper

public javax.servlet.RequestDispatcher getRequestDispatcher(String path)
getRequestDispatcher in interface javax.servlet.ServletRequest
getRequestDispatcher in class javax.servlet.ServletRequestWrapper
path - The path to create a request dispatcher for
RequestDispatcher object that acts as a wrapper for the resource at the specified path, or null if the servlet container cannot return a RequestDispatcher.

public String getRequestedSessionId()
getRequestedSessionId in interface javax.servlet.http.HttpServletRequest
getRequestedSessionId in class javax.servlet.http.HttpServletRequestWrapper

public String getRequestURI()
getRequestURI in interface javax.servlet.http.HttpServletRequest
getRequestURI in class javax.servlet.http.HttpServletRequestWrapper

public StringBuffer getRequestURL()
getRequestURL in interface javax.servlet.http.HttpServletRequest
getRequestURL in class javax.servlet.http.HttpServletRequestWrapper

public String getScheme()
getScheme in interface javax.servlet.ServletRequest
getScheme in class javax.servlet.ServletRequestWrapper

public String getServerName()
getServerName in interface javax.servlet.ServletRequest
getServerName in class javax.servlet.ServletRequestWrapper

public int getServerPort()
getServerPort in interface javax.servlet.ServletRequest
getServerPort in class javax.servlet.ServletRequestWrapper

public String getServletPath()
getServletPath in interface javax.servlet.http.HttpServletRequest
getServletPath in class javax.servlet.http.HttpServletRequestWrapper

public javax.servlet.http.HttpSession getSession()
HttpUtilities.ForceSecureCookies is set to true in the ESAPI.properties file.
getSession in interface javax.servlet.http.HttpServletRequest
getSession in class javax.servlet.http.HttpServletRequestWrapper

public javax.servlet.http.HttpSession getSession(boolean create)
create is true, returns a new session and sets the HttpOnly flag on the session ID cookie. The 'secure' flag is also set if the property HttpUtilities.ForceSecureCookies is set to true in the ESAPI.properties file.
getSession in interface javax.servlet.http.HttpServletRequest
getSession in class javax.servlet.http.HttpServletRequestWrapper
create - If set to true, create a new session if one doesn't exist, otherwise return null

public Principal getUserPrincipal()
getUserPrincipal in interface javax.servlet.http.HttpServletRequest
getUserPrincipal in class javax.servlet.http.HttpServletRequestWrapper

public boolean isRequestedSessionIdFromCookie()
isRequestedSessionIdFromCookie in interface javax.servlet.http.HttpServletRequest
isRequestedSessionIdFromCookie in class javax.servlet.http.HttpServletRequestWrapper

@Deprecated public boolean isRequestedSessionIdFromUrl()
isRequestedSessionIdFromURL() instead.
isRequestedSessionIdFromUrl in interface javax.servlet.http.HttpServletRequest
isRequestedSessionIdFromUrl in class javax.servlet.http.HttpServletRequestWrapper

public boolean isRequestedSessionIdFromURL()
isRequestedSessionIdFromURL in interface javax.servlet.http.HttpServletRequest
isRequestedSessionIdFromURL in class javax.servlet.http.HttpServletRequestWrapper

public boolean isRequestedSessionIdValid()
isRequestedSessionIdValid in interface javax.servlet.http.HttpServletRequest
isRequestedSessionIdValid in class javax.servlet.http.HttpServletRequestWrapper

public boolean isSecure()
isSecure in interface javax.servlet.ServletRequest
isSecure in class javax.servlet.ServletRequestWrapper

public boolean isUserInRole(String role)
isUserInRole in interface javax.servlet.http.HttpServletRequest
isUserInRole in class javax.servlet.http.HttpServletRequestWrapper
role - The role to check

public void removeAttribute(String name)
removeAttribute in interface javax.servlet.ServletRequest
removeAttribute in class javax.servlet.ServletRequestWrapper
name - The attribute name

public void setAttribute(String name, Object o)
setAttribute in interface javax.servlet.ServletRequest
setAttribute in class javax.servlet.ServletRequestWrapper
name - The attribute name
o - The attribute value

public void setCharacterEncoding(String enc) throws UnsupportedEncodingException
setCharacterEncoding in interface javax.servlet.ServletRequest
setCharacterEncoding in class javax.servlet.ServletRequestWrapper
enc - The encoding scheme
UnsupportedEncodingException

public String getAllowableContentRoot()
public void setAllowableContentRoot(String allowableContentRoot)
Copyright © 2022 The Open Web Application Security Project (OWASP). All rights reserved.