hirondelle.web4j.security
Class ApplicationFirewallImpl

Object
  hirondelle.web4j.security.ApplicationFirewallImpl

All Implemented Interfaces:

ApplicationFirewall

public class ApplicationFirewallImpl
extends Object
implements ApplicationFirewall

Default implementation of ApplicationFirewall.

Upon startup, this class will inspect all Actions in the application. All public static final RequestParameter fields accessible to each Action will be collected, and treated here as the set of acceptable RequestParameters for each Action class. Thus, when this class is used to implement ApplicationFirewall, each Action must declare all expected request parameters as a public static final RequestParameter field, in order to pass hard validation.

File Upload Forms

If a POSTed request includes one or more file upload controls, then the underlying HTTP request has a completely different structure from a regular request having no file upload controls. Unfortunately, the Servlet API has very poor support for forms that include a file upload control: only the raw underlying request is available, in an unparsed form. For such forms, POSTed data is not available in the usual way, and by default request.getParameter(String) will return null - not only for the file upload control, but for all controls in the form.

An elegant way around this problem involves wrapping the request, using HttpServletRequestWrapper, such that POSTed data is parsed and made available through the usual request methods. If such a wrapper is used, then file upload forms can be handled in much the same way as any other form.

To indicate to this class if such a wrapper is being used for file upload requests, use the FullyValidateFileUploads setting in web.xml.

Settings in web.xml affecting this class :

• MaxHttpRequestSize
• MaxFileUploadRequestSize
• MaxRequestParamValueSize (used by RequestParameter)
• SpamDetectionInFirewall
• FullyValidateFileUploads

The above settings control the validations performed by this class :

Check	Regular	File Upload (Wrapped)	File Upload
Overall request size <= MaxHttpRequestSize	Y	N	N
Overall request size <= MaxFileUploadRequestSize	N	Y	Y
Every param name is among the RequestParameters for that Action	Y	Y*	N
Every param value satifies RequestParameter.isValidParamValue(String)	Y	Y**	N
If created with RequestParameter.withLengthCheck(String), then param value size <= MaxRequestParamValueSize	Y	Y**	N
If SpamDetectionInFirewall is on, then each param value is checked using the configured SpamDetector	Y	Y**	N
If a request param named Operation exists and it returns true for Operation.hasSideEffects(), then the underlying request must be a POST	Y	Y	N
CSRF Defenses	Y	Y	N

* For file upload controls, the param name is checked only if the return value of getParameterNames() (for the wrapper) includes it.
**Except for file upload controls. For file upload controls, no checks on the param value are made by this class.

Defending Against CSRF Attacks

If the usual WEB4J defenses against CSRF attacks are active (see package-level comments), then for every POST request executed within a session the following will also be performed as a defense against CSRF attacks :

• validate that a request parameter named CsrfFilter.FORM_SOURCE_ID_KEY is present. (This request parameter is deemed to be a special 'internal' parameter, and does not need to be explicitly declared in your Action like other request parameters.)
• validate that its value matches items stored in session scope. First check versus an item stored under the key CsrfFilter.FORM_SOURCE_ID_KEY; if that check fails, then check versus an item stored under the key CsrfFilter.PREVIOUS_FORM_SOURCE_ID_KEY

See CsrfFilter for more information.

Constructor Summary

ApplicationFirewallImpl()

Method Summary

void	doHardValidation(Action aAction, RequestParser aRequestParser) Perform checks on the incoming request.
static void	init() Map actions to expected params.

Methods inherited from class Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

ApplicationFirewallImpl

public ApplicationFirewallImpl()

Method Detail

init

public static void init()

Map actions to expected params.

doHardValidation

public void doHardValidation(Action aAction,
                             RequestParser aRequestParser)
                      throws BadRequestException

Perform checks on the incoming request.

See class description for more information.

Subclasses may extend this implementation, following the form :

  public void doHardValidation(Action aAction, RequestParser aRequestParser) throws BadRequestException {
    super(aAction, aRequestParser);
    //place additional validations here
    //for example, one might check that a Content-Length header is present,
    //or that all header values are within some size range
  }
   

Specified by:

doHardValidation in interface ApplicationFirewall

Parameters:

aAction - corresponding to this request. If the underlying request is unknown to RequestParser.getWebAction(), then that method will throw a BadRequestException, and this method will not be called.

aRequestParser - provides the raw underlying request, through RequestParser.getRequest();

Throws:

BadRequestException