|
Version 4.10.0 | ||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
Object hirondelle.web4j.security.ApplicationFirewallImpl
public class ApplicationFirewallImpl
Default implementation of ApplicationFirewall
.
Upon startup, this class will inspect all Action
s in the application.
All public static final RequestParameter
fields accessible
to each Action
will be collected, and treated here as the set of acceptable
RequestParameter
s for each Action
class. Thus, when this class is used to implement
ApplicationFirewall
, each Action
must declare all expected request
parameters as a public static final RequestParameter
field, in order to pass hard validation.
An elegant way around this problem involves wrapping the request,
using HttpServletRequestWrapper
, such that POSTed data is parsed and made
available through the usual request methods.
If such a wrapper is used, then file upload forms can be handled in much the same way as any other form.
To indicate to this class if such a wrapper is being used for file upload requests, use the FullyValidateFileUploads setting in web.xml.
Settings in web.xml affecting this class :
RequestParameter
)
The above settings control the validations performed by this class :
Check | Regular | File Upload (Wrapped) | File Upload |
---|---|---|---|
Overall request size <= MaxHttpRequestSize | Y | N | N |
Overall request size <= MaxFileUploadRequestSize | N | Y | Y |
Every param name is among the RequestParameter s for that Action |
Y | Y* | N |
Every param value satifies RequestParameter.isValidParamValue(String) |
Y | Y** | N |
If created with RequestParameter.withLengthCheck(String) , then param value size <= MaxRequestParamValueSize |
Y | Y** | N |
If SpamDetectionInFirewall is on, then each param value is checked using the configured SpamDetector |
Y | Y** | N |
If a request param named Operation exists and it returns true for Operation.hasSideEffects() , then the underlying request must be a POST |
Y | Y | N |
CSRF Defenses | Y | Y | N |
CsrfFilter.FORM_SOURCE_ID_KEY
is present. (This
request parameter is deemed to be a special 'internal' parameter, and does not need to be explicitly declared in
your Action like other request parameters.)
CsrfFilter.FORM_SOURCE_ID_KEY
; if that check fails, then
check versus an item stored under the key
CsrfFilter.PREVIOUS_FORM_SOURCE_ID_KEY
CsrfFilter
for more information.
Constructor Summary | |
---|---|
ApplicationFirewallImpl()
|
Method Summary | |
---|---|
void |
doHardValidation(Action aAction,
RequestParser aRequestParser)
Perform checks on the incoming request. |
static void |
init()
Map actions to expected params. |
Methods inherited from class Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Constructor Detail |
---|
public ApplicationFirewallImpl()
Method Detail |
---|
public static void init()
public void doHardValidation(Action aAction, RequestParser aRequestParser) throws BadRequestException
See class description for more information.
Subclasses may extend this implementation, following the form :
public void doHardValidation(Action aAction, RequestParser aRequestParser) throws BadRequestException { super(aAction, aRequestParser); //place additional validations here //for example, one might check that a Content-Length header is present, //or that all header values are within some size range }
doHardValidation
in interface ApplicationFirewall
aAction
- corresponding to this request. If the underlying request is unknown
to RequestParser.getWebAction()
, then that method will throw a
BadRequestException
, and this method will not be called.aRequestParser
- provides the raw underlying request, through
RequestParser.getRequest()
;
BadRequestException
|
Version 4.10.0 | ||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |