/**
 * Static-analysis fixture: response-header and cookie writes whose values come
 * from request parameters (expected findings), followed by writes whose values
 * come only from constants or an encoded value (marked "false positives" by the
 * author, i.e. expected non-findings), and finally the same header sinks reached
 * through an HttpServletResponseWrapper.
 */
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
    // Cookie value derived from a request parameter.
    Cookie cookie = new Cookie("name", unknown());
    cookie.setValue(req.getParameter("p") + "x");
    // Header values taken directly from request parameters (or an unknown source).
    resp.setHeader("header", req.getParameter("h1"));
    resp.addHeader("header", unknown());
    callCookieSink(req.getParameter("h2"));
    // Encode-then-decode round trip: the decoded value is the raw parameter again,
    // so this header still receives request-controlled data.
    String encoded = ESAPI.encoder().encodeForURL(req.getParameter("h3"));
    resp.addHeader("header", ESAPI.encoder().decodeFromURL(encoded));
    // false positives
    // Everything below is built from string constants; 'encoded' is the
    // URL-encoded form of h3, which the author treats as sanitised for headers.
    String safe = "x".concat("y");
    Cookie safeCookie = new Cookie("name", safe);
    safeCookie.setValue(safe + "x");
    resp.setHeader("header", safe);
    resp.addHeader("header", encoded.concat(safe));
    // Same sinks, reached through a wrapper around the response: the wrapper
    // delegates to resp, so these are request-controlled header writes too.
    HttpServletResponseWrapper resWrapper = new HttpServletResponseWrapper(resp);
    resWrapper.setHeader("header2", req.getParameter("a"));
    resWrapper.addHeader("header3", req.getParameter("b"));
}
/**
 * Handles OPTIONS requests.
 * <p>When OPTIONS dispatching is enabled, or the request is a CORS pre-flight
 * request, the request is handed to {@link #processRequest}; if a handler then
 * produced an 'Allow' header the response is complete. Otherwise HttpServlet's
 * standard OPTIONS processing runs, with PATCH appended to whatever 'Allow'
 * value it sets.
 * @see #doService
 */
@Override
protected void doOptions(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    boolean dispatch = this.dispatchOptionsRequest || CorsUtils.isPreFlightRequest(request);
    if (dispatch) {
        processRequest(request, response);
        if (response.containsHeader("Allow")) {
            // A handler produced a proper OPTIONS response; nothing left to do.
            return;
        }
    }
    // Servlet 2.5 has no getHeader(), so the 'Allow' value is adjusted by
    // intercepting setHeader() on a wrapper instead of reading it back.
    HttpServletResponseWrapper allowWithPatch = new HttpServletResponseWrapper(response) {
        @Override
        public void setHeader(String name, String value) {
            String effective = value;
            if ("Allow".equals(name)) {
                String prefix = StringUtils.hasLength(value) ? value + ", " : "";
                effective = prefix + RequestMethod.PATCH.name();
            }
            super.setHeader(name, effective);
        }
    };
    super.doOptions(request, allowWithPatch);
}
/**
 * A decorated request/response is returned as-is as the native object (and for
 * its supertypes), while asking for the underlying mock type unwraps to the
 * original instance; unrelated types yield null.
 */
@Test
public void decoratedNativeRequest() {
    HttpServletRequest wrappedRequest = new HttpServletRequestWrapper(servletRequest);
    HttpServletResponse wrappedResponse = new HttpServletResponseWrapper(servletResponse);
    ServletWebRequest webRequest = new ServletWebRequest(wrappedRequest, wrappedResponse);

    // Request side.
    assertSame(wrappedRequest, webRequest.getNativeRequest());
    assertSame(wrappedRequest, webRequest.getNativeRequest(ServletRequest.class));
    assertSame(wrappedRequest, webRequest.getNativeRequest(HttpServletRequest.class));
    assertSame(servletRequest, webRequest.getNativeRequest(MockHttpServletRequest.class));
    assertNull(webRequest.getNativeRequest(MultipartRequest.class));

    // Response side, mirroring the request expectations.
    assertSame(wrappedResponse, webRequest.getNativeResponse());
    assertSame(wrappedResponse, webRequest.getNativeResponse(ServletResponse.class));
    assertSame(wrappedResponse, webRequest.getNativeResponse(HttpServletResponse.class));
    assertSame(servletResponse, webRequest.getNativeResponse(MockHttpServletResponse.class));
    assertNull(webRequest.getNativeResponse(MultipartRequest.class));
}
/**
 * Continues the chain with a request whose user principal is always a
 * principal named {@code PRINCIPAL_NAME}; the response is passed through a
 * plain wrapper unchanged.
 * NOTE(review): every request gets the same fixed principal name, which only
 * makes sense for a test or stub filter — confirm this is not on a production path.
 */
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
        FilterChain filterChain) throws ServletException, IOException {
    HttpServletRequestWrapper requestWithPrincipal = new HttpServletRequestWrapper(request) {
        @Override
        public Principal getUserPrincipal() {
            // A fresh Principal per call, always reporting the configured name.
            return new Principal() {
                @Override
                public String getName() {
                    return PRINCIPAL_NAME;
                }
            };
        }
    };
    HttpServletResponseWrapper passThroughResponse = new HttpServletResponseWrapper(response);
    filterChain.doFilter(requestWithPrincipal, passThroughResponse);
}
/**
 * Walks the chain of response wrappers looking for a CacheProxyResponse.
 * <p>Only HttpServletResponseWrapper instances are unwrapped, so a
 * CacheProxyResponse is recognised only while the chain consists of wrappers.
 *
 * @param servletResponse
 *            the current servlet response.
 * @return the first CacheProxyResponse found while unwrapping, or null if
 *         none is present in the wrapper chain.
 */
private static CacheProxyResponse fetchCacheProxyResponse(
        ServletResponse servletResponse) {
    ServletResponse current = servletResponse;
    while (current instanceof HttpServletResponseWrapper) {
        if (current instanceof CacheProxyResponse) {
            return (CacheProxyResponse) current;
        }
        // Not the one we want: step to the response this wrapper decorates.
        current = ((HttpServletResponseWrapper) current).getResponse();
    }
    return null;
}
/** A 2xx status other than 200 passes through untouched and the response ends up committed. */
@Test
public void notAnErrorButNotOK() throws Exception {
    this.chain = new MockFilterChain() {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res)
                throws IOException, ServletException {
            HttpServletResponse httpRes = (HttpServletResponse) res;
            httpRes.setStatus(201);
            super.doFilter(req, res);
            res.flushBuffer();
        }
    };
    this.filter.doFilter(this.request, this.response, this.chain);

    HttpServletResponseWrapper wrapper = (HttpServletResponseWrapper) this.chain.getResponse();
    HttpServletResponse underlying = (HttpServletResponse) wrapper.getResponse();
    // Both the wrapper handed to the chain and the response it decorates report 201.
    assertThat(wrapper.getStatus()).isEqualTo(201);
    assertThat(underlying.getStatus()).isEqualTo(201);
    assertThat(this.response.isCommitted()).isTrue();
}
/** A 401 with a global error page forwards to that page and the real response carries 401 too. */
@Test
public void unauthorizedWithErrorPath() throws Exception {
    this.filter.addErrorPages(new ErrorPage("/error"));
    this.chain = new MockFilterChain() {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res)
                throws IOException, ServletException {
            ((HttpServletResponse) res).sendError(401, "UNAUTHORIZED");
            super.doFilter(req, res);
        }
    };
    this.filter.doFilter(this.request, this.response, this.chain);

    HttpServletResponseWrapper wrapper = (HttpServletResponseWrapper) this.chain.getResponse();
    assertThat(this.chain.getRequest()).isEqualTo(this.request);
    assertThat(wrapper.getResponse()).isEqualTo(this.response);
    assertThat(this.response.isCommitted()).isTrue();
    assertThat(wrapper.getStatus()).isEqualTo(401);
    // The status must have been propagated to the real response, not just the wrapper.
    assertThat(this.response.getStatus()).isEqualTo(401);
    assertThat(this.response.getForwardedUrl()).isEqualTo("/error");
}
/** Without any error page registered, a 400 is passed through and nothing is forwarded. */
@Test
public void responseUncommittedWithoutErrorPage() throws Exception {
    this.chain = new MockFilterChain() {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res)
                throws IOException, ServletException {
            ((HttpServletResponse) res).sendError(400, "BAD");
            super.doFilter(req, res);
        }
    };
    this.filter.doFilter(this.request, this.response, this.chain);

    HttpServletResponseWrapper wrapper = (HttpServletResponseWrapper) this.chain.getResponse();
    assertThat(this.chain.getRequest()).isEqualTo(this.request);
    assertThat(wrapper.getResponse()).isEqualTo(this.response);
    assertThat(wrapper.getStatus()).isEqualTo(400);
    // No error page means no forward, but the response is still committed.
    assertThat(this.response.getForwardedUrl()).isNull();
    assertThat(this.response.isCommitted()).isTrue();
}
/** A global error page receives any error status, with the standard error attributes set. */
@Test
public void globalError() throws Exception {
    this.filter.addErrorPages(new ErrorPage("/error"));
    this.chain = new MockFilterChain() {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res)
                throws IOException, ServletException {
            ((HttpServletResponse) res).sendError(400, "BAD");
            super.doFilter(req, res);
        }
    };
    this.filter.doFilter(this.request, this.response, this.chain);

    HttpServletResponseWrapper wrapper = (HttpServletResponseWrapper) this.chain.getResponse();
    assertThat(wrapper.getStatus()).isEqualTo(400);
    // RequestDispatcher error attributes are what the error page reads.
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_STATUS_CODE)).isEqualTo(400);
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_MESSAGE)).isEqualTo("BAD");
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_REQUEST_URI)).isEqualTo("/test/path");
    assertThat(this.response.isCommitted()).isTrue();
    assertThat(this.response.getForwardedUrl()).isEqualTo("/error");
}
/** A status-specific error page is selected for a matching status code. */
@Test
public void statusError() throws Exception {
    this.filter.addErrorPages(new ErrorPage(HttpStatus.BAD_REQUEST, "/400"));
    this.chain = new MockFilterChain() {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res)
                throws IOException, ServletException {
            ((HttpServletResponse) res).sendError(400, "BAD");
            super.doFilter(req, res);
        }
    };
    this.filter.doFilter(this.request, this.response, this.chain);

    HttpServletResponseWrapper wrapper = (HttpServletResponseWrapper) this.chain.getResponse();
    assertThat(wrapper.getStatus()).isEqualTo(400);
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_STATUS_CODE)).isEqualTo(400);
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_MESSAGE)).isEqualTo("BAD");
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_REQUEST_URI)).isEqualTo("/test/path");
    assertThat(this.response.isCommitted()).isTrue();
    // The 400-specific page, not a generic one, must be the forward target.
    assertThat(this.response.getForwardedUrl()).isEqualTo("/400");
}
/** Once the chain has committed the response, no forward to the error page is attempted. */
@Test
public void statusErrorWithCommittedResponse() throws Exception {
    this.filter.addErrorPages(new ErrorPage(HttpStatus.BAD_REQUEST, "/400"));
    this.chain = new MockFilterChain() {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res)
                throws IOException, ServletException {
            ((HttpServletResponse) res).sendError(400, "BAD");
            // Committing here is what must suppress the error-page forward.
            res.flushBuffer();
            super.doFilter(req, res);
        }
    };
    this.filter.doFilter(this.request, this.response, this.chain);

    HttpServletResponseWrapper wrapper = (HttpServletResponseWrapper) this.chain.getResponse();
    assertThat(wrapper.getStatus()).isEqualTo(400);
    assertThat(this.response.isCommitted()).isTrue();
    assertThat(this.response.getForwardedUrl()).isNull();
}
/** An exception thrown by the chain maps to 500 and the exception-type error page. */
@Test
public void exceptionError() throws Exception {
    this.filter.addErrorPages(new ErrorPage(RuntimeException.class, "/500"));
    this.chain = new MockFilterChain() {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res)
                throws IOException, ServletException {
            super.doFilter(req, res);
            throw new RuntimeException("BAD");
        }
    };
    this.filter.doFilter(this.request, this.response, this.chain);

    HttpServletResponseWrapper wrapper = (HttpServletResponseWrapper) this.chain.getResponse();
    assertThat(wrapper.getStatus()).isEqualTo(500);
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_STATUS_CODE)).isEqualTo(500);
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_MESSAGE)).isEqualTo("BAD");
    // The exception type attribute holds the class name, not the class itself.
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_EXCEPTION_TYPE))
            .isEqualTo(RuntimeException.class.getName());
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_REQUEST_URI)).isEqualTo("/test/path");
    assertThat(this.response.isCommitted()).isTrue();
    assertThat(this.response.getForwardedUrl()).isEqualTo("/500");
}
/** A subclass of the registered exception type matches the same error page; the attribute records the concrete type. */
@Test
public void subClassExceptionError() throws Exception {
    this.filter.addErrorPages(new ErrorPage(RuntimeException.class, "/500"));
    this.chain = new MockFilterChain() {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res)
                throws IOException, ServletException {
            super.doFilter(req, res);
            // IllegalStateException is a RuntimeException, so the page above applies.
            throw new IllegalStateException("BAD");
        }
    };
    this.filter.doFilter(this.request, this.response, this.chain);

    HttpServletResponseWrapper wrapper = (HttpServletResponseWrapper) this.chain.getResponse();
    assertThat(wrapper.getStatus()).isEqualTo(500);
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_STATUS_CODE)).isEqualTo(500);
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_MESSAGE)).isEqualTo("BAD");
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_EXCEPTION_TYPE))
            .isEqualTo(IllegalStateException.class.getName());
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_REQUEST_URI)).isEqualTo("/test/path");
    assertThat(this.response.isCommitted()).isTrue();
}
/** During an async dispatch an exception from the chain still leaves the response committed. */
@Test
public void responseIsCommittedWhenExceptionIsThrownDuringAsyncDispatch() throws Exception {
    this.filter.addErrorPages(new ErrorPage("/error"));
    setUpAsyncDispatch();
    this.chain = new MockFilterChain() {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res)
                throws IOException, ServletException {
            super.doFilter(req, res);
            throw new RuntimeException("BAD");
        }
    };
    this.filter.doFilter(this.request, this.response, this.chain);

    HttpServletResponseWrapper wrapper = (HttpServletResponseWrapper) this.chain.getResponse();
    assertThat(this.chain.getRequest()).isEqualTo(this.request);
    assertThat(wrapper.getResponse()).isEqualTo(this.response);
    assertThat(this.response.isCommitted()).isTrue();
}
/** During an async dispatch a 4xx sent after the chain still leaves the response committed. */
@Test
public void responseIsCommittedWhenStatusIs400PlusDuringAsyncDispatch() throws Exception {
    this.filter.addErrorPages(new ErrorPage("/error"));
    setUpAsyncDispatch();
    this.chain = new MockFilterChain() {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res)
                throws IOException, ServletException {
            super.doFilter(req, res);
            // Error is raised after the chain has run, unlike the sync tests.
            ((HttpServletResponse) res).sendError(400, "BAD");
        }
    };
    this.filter.doFilter(this.request, this.response, this.chain);

    HttpServletResponseWrapper wrapper = (HttpServletResponseWrapper) this.chain.getResponse();
    assertThat(this.chain.getRequest()).isEqualTo(this.request);
    assertThat(wrapper.getResponse()).isEqualTo(this.response);
    assertThat(this.response.isCommitted()).isTrue();
}
/** A NestedServletException is unwrapped so its cause selects the error page and fills the attributes. */
@Test
public void nestedServletExceptionIsUnwrapped() throws Exception {
    this.filter.addErrorPages(new ErrorPage(RuntimeException.class, "/500"));
    this.chain = new MockFilterChain() {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res)
                throws IOException, ServletException {
            super.doFilter(req, res);
            RuntimeException cause = new RuntimeException("BAD");
            throw new NestedServletException("Wrapper", cause);
        }
    };
    this.filter.doFilter(this.request, this.response, this.chain);

    HttpServletResponseWrapper wrapper = (HttpServletResponseWrapper) this.chain.getResponse();
    assertThat(wrapper.getStatus()).isEqualTo(500);
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_STATUS_CODE)).isEqualTo(500);
    // Message and type come from the cause ("BAD"), not the wrapper ("Wrapper").
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_MESSAGE)).isEqualTo("BAD");
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_EXCEPTION_TYPE))
            .isEqualTo(RuntimeException.class.getName());
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_REQUEST_URI)).isEqualTo("/test/path");
    assertThat(this.response.isCommitted()).isTrue();
    assertThat(this.response.getForwardedUrl()).isEqualTo("/500");
}
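/**
 * Renders the block page into the wrapped response with HTTP 403.
 * <p>The template is {@code block.mustache} unless the block action is
 * {@code BlockAction.CAPTCHA}, in which case the captcha provider's name,
 * lower-cased, selects a provider-specific {@code .mustache} template.
 *
 * @param context         request context supplying the block action.
 * @param pxConfig        module configuration supplying the captcha provider.
 * @param responseWrapper response the page is written to.
 * @throws PXException if writing the page fails (wraps the IOException).
 */
public void handleBlocking(PXContext context, PXConfiguration pxConfig,
        HttpServletResponseWrapper responseWrapper) throws PXException {
    String pageTemplate = "block.mustache";
    // Constant-first equals is null-safe: an unset block action falls back to
    // the generic block template instead of failing with an NPE.
    if (BlockAction.CAPTCHA.equals(context.getBlockAction())) {
        // Locale.ROOT keeps the template file name stable regardless of the
        // JVM default locale (e.g. dotless 'i' under Turkish locales would
        // otherwise produce a file name that does not exist).
        String provider = pxConfig.getCaptchaProvider().name().toLowerCase(java.util.Locale.ROOT);
        pageTemplate = provider + ".mustache";
    }
    String page = TemplateFactory.getTemplate(context, pxConfig, pageTemplate);
    responseWrapper.setStatus(HttpServletResponse.SC_FORBIDDEN);
    responseWrapper.setContentType("text/html");
    try {
        responseWrapper.getWriter().print(page);
    } catch (IOException e) {
        // Preserve the cause so the failing write is still diagnosable upstream.
        throw new PXException(e);
    }
}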
/**
 * Decides whether the request may pass and acts on that decision.
 * <p>A passing request optionally reports a page_requested activity; a failing
 * request reports a block activity and has the block page written to the
 * wrapped response.
 *
 * @param context         request context to verify.
 * @param responseWrapper response the block page is written to on failure.
 * @return true when the request was allowed through, false when it was blocked.
 * @throws PXException propagated from the blocking handler.
 */
@Override
public boolean handleVerification(PXContext context, HttpServletResponseWrapper responseWrapper)
        throws PXException {
    boolean allowed = shouldPassRequest(context);
    if (!allowed) {
        logger.info("Request invalid");
        this.activityHandler.handleBlockActivity(context);
        this.blockHandler.handleBlocking(context, this.pxConfiguration, responseWrapper);
        return allowed;
    }
    logger.info("Passing request {} {}", allowed, this.pxConfiguration.getModuleMode());
    // Request is not blocked; report page_requested only when configured to do so.
    if (this.pxConfiguration.shouldSendPageActivities()) {
        this.activityHandler.handlePageRequestedActivity(context);
    }
    return allowed;
}
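/**
 * Redirects the browser to the login form configured for this auth mechanism.
 * <p>The form URI is read from the mechanism parameters stored in the session
 * under {@code ProxyConstants.AUTH_MECH_PARAMS}, key {@code LOGIN_JSP}.
 * TODO: fix redirect issue — a server-side forward of the form (possibly
 * prefixed with the configured auth path) was tried earlier and disabled in
 * favour of this redirect.
 *
 * @param req  current request; its session holds the mechanism parameters.
 * @param resp response that receives the redirect.
 * @param as   current authentication step (not used here).
 * @throws ServletException if the mechanism parameters are missing from the session.
 * @throws IOException      propagated from {@code sendRedirect}.
 */
@Override
public void doGet(HttpServletRequest req, HttpServletResponse resp, AuthStep as)
        throws ServletException, IOException {
    HttpSession session = req.getSession();
    // Presumed to be stored as HashMap<String, Attribute> by the mechanism setup
    // that populates AUTH_MECH_PARAMS — confirm against the writer of that attribute.
    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams =
            (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    if (authParams == null) {
        // Fail with a clear message rather than an NPE on the lookup below.
        throw new ServletException("Authentication mechanism parameters missing from session");
    }
    String formURI = authParams.get(LOGIN_JSP).getValues().get(0);
    resp.sendRedirect(formURI);
}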
/** A 2xx status other than 200 passes through untouched and the response ends up committed. */
@Test
public void notAnErrorButNotOK() throws Exception {
    this.chain = new MockFilterChain() {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res)
                throws IOException, ServletException {
            HttpServletResponse httpRes = (HttpServletResponse) res;
            httpRes.setStatus(201);
            super.doFilter(req, res);
            res.flushBuffer();
        }
    };
    this.filter.doFilter(this.request, this.response, this.chain);

    HttpServletResponseWrapper wrapper = (HttpServletResponseWrapper) this.chain.getResponse();
    HttpServletResponse underlying = (HttpServletResponse) wrapper.getResponse();
    // Both the wrapper handed to the chain and the response it decorates report 201.
    assertThat(wrapper.getStatus(), equalTo(201));
    assertThat(underlying.getStatus(), equalTo(201));
    assertTrue(this.response.isCommitted());
}
/** A 401 with a global error page forwards to that page and the real response carries 401 too. */
@Test
public void unauthorizedWithErrorPath() throws Exception {
    this.filter.addErrorPages(new ErrorPage("/error"));
    this.chain = new MockFilterChain() {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res)
                throws IOException, ServletException {
            ((HttpServletResponse) res).sendError(401, "UNAUTHORIZED");
            super.doFilter(req, res);
        }
    };
    this.filter.doFilter(this.request, this.response, this.chain);

    HttpServletResponseWrapper wrapper = (HttpServletResponseWrapper) this.chain.getResponse();
    assertThat(this.chain.getRequest(), equalTo((ServletRequest) this.request));
    assertThat(wrapper.getResponse(), equalTo((ServletResponse) this.response));
    assertTrue(this.response.isCommitted());
    assertThat(wrapper.getStatus(), equalTo(401));
    // The status must have been propagated to the real response, not just the wrapper.
    assertThat(this.response.getStatus(), equalTo(401));
    assertThat(this.response.getForwardedUrl(), equalTo("/error"));
}
/** Without any error page registered, a 400 is passed through and nothing is forwarded. */
@Test
public void responseUncommittedWithoutErrorPage() throws Exception {
    this.chain = new MockFilterChain() {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res)
                throws IOException, ServletException {
            ((HttpServletResponse) res).sendError(400, "BAD");
            super.doFilter(req, res);
        }
    };
    this.filter.doFilter(this.request, this.response, this.chain);

    HttpServletResponseWrapper wrapper = (HttpServletResponseWrapper) this.chain.getResponse();
    assertThat(this.chain.getRequest(), equalTo((ServletRequest) this.request));
    assertThat(wrapper.getResponse(), equalTo((ServletResponse) this.response));
    assertThat(wrapper.getStatus(), equalTo(400));
    // No error page means no forward, but the response is still committed.
    assertThat(this.response.getForwardedUrl(), is(nullValue()));
    assertTrue(this.response.isCommitted());
}
/** A global error page receives any error status, with the standard error attributes set. */
@Test
public void globalError() throws Exception {
    this.filter.addErrorPages(new ErrorPage("/error"));
    this.chain = new MockFilterChain() {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res)
                throws IOException, ServletException {
            ((HttpServletResponse) res).sendError(400, "BAD");
            super.doFilter(req, res);
        }
    };
    this.filter.doFilter(this.request, this.response, this.chain);

    HttpServletResponseWrapper wrapper = (HttpServletResponseWrapper) this.chain.getResponse();
    assertThat(wrapper.getStatus(), equalTo(400));
    // RequestDispatcher error attributes are what the error page reads.
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_STATUS_CODE), equalTo((Object) 400));
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_MESSAGE), equalTo((Object) "BAD"));
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_REQUEST_URI), equalTo((Object) "/test/path"));
    assertTrue(this.response.isCommitted());
    assertThat(this.response.getForwardedUrl(), equalTo("/error"));
}
/** A status-specific error page is selected for a matching status code. */
@Test
public void statusError() throws Exception {
    this.filter.addErrorPages(new ErrorPage(HttpStatus.BAD_REQUEST, "/400"));
    this.chain = new MockFilterChain() {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res)
                throws IOException, ServletException {
            ((HttpServletResponse) res).sendError(400, "BAD");
            super.doFilter(req, res);
        }
    };
    this.filter.doFilter(this.request, this.response, this.chain);

    HttpServletResponseWrapper wrapper = (HttpServletResponseWrapper) this.chain.getResponse();
    assertThat(wrapper.getStatus(), equalTo(400));
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_STATUS_CODE), equalTo((Object) 400));
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_MESSAGE), equalTo((Object) "BAD"));
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_REQUEST_URI), equalTo((Object) "/test/path"));
    assertTrue(this.response.isCommitted());
    // The 400-specific page, not a generic one, must be the forward target.
    assertThat(this.response.getForwardedUrl(), equalTo("/400"));
}
/** Once the chain has committed the response, no forward to the error page is attempted. */
@Test
public void statusErrorWithCommittedResponse() throws Exception {
    this.filter.addErrorPages(new ErrorPage(HttpStatus.BAD_REQUEST, "/400"));
    this.chain = new MockFilterChain() {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res)
                throws IOException, ServletException {
            ((HttpServletResponse) res).sendError(400, "BAD");
            // Committing here is what must suppress the error-page forward.
            res.flushBuffer();
            super.doFilter(req, res);
        }
    };
    this.filter.doFilter(this.request, this.response, this.chain);

    HttpServletResponseWrapper wrapper = (HttpServletResponseWrapper) this.chain.getResponse();
    assertThat(wrapper.getStatus(), equalTo(400));
    assertTrue(this.response.isCommitted());
    assertThat(this.response.getForwardedUrl(), is(nullValue()));
}
/** An exception thrown by the chain maps to 500 and the exception-type error page. */
@Test
public void exceptionError() throws Exception {
    this.filter.addErrorPages(new ErrorPage(RuntimeException.class, "/500"));
    this.chain = new MockFilterChain() {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res)
                throws IOException, ServletException {
            super.doFilter(req, res);
            throw new RuntimeException("BAD");
        }
    };
    this.filter.doFilter(this.request, this.response, this.chain);

    HttpServletResponseWrapper wrapper = (HttpServletResponseWrapper) this.chain.getResponse();
    assertThat(wrapper.getStatus(), equalTo(500));
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_STATUS_CODE), equalTo((Object) 500));
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_MESSAGE), equalTo((Object) "BAD"));
    // The exception type attribute holds the class name, not the class itself.
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_EXCEPTION_TYPE),
            equalTo((Object) RuntimeException.class.getName()));
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_REQUEST_URI), equalTo((Object) "/test/path"));
    assertTrue(this.response.isCommitted());
    assertThat(this.response.getForwardedUrl(), equalTo("/500"));
}
/** A subclass of the registered exception type matches the same error page; the attribute records the concrete type. */
@Test
public void subClassExceptionError() throws Exception {
    this.filter.addErrorPages(new ErrorPage(RuntimeException.class, "/500"));
    this.chain = new MockFilterChain() {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res)
                throws IOException, ServletException {
            super.doFilter(req, res);
            // IllegalStateException is a RuntimeException, so the page above applies.
            throw new IllegalStateException("BAD");
        }
    };
    this.filter.doFilter(this.request, this.response, this.chain);

    HttpServletResponseWrapper wrapper = (HttpServletResponseWrapper) this.chain.getResponse();
    assertThat(wrapper.getStatus(), equalTo(500));
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_STATUS_CODE), equalTo((Object) 500));
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_MESSAGE), equalTo((Object) "BAD"));
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_EXCEPTION_TYPE),
            equalTo((Object) IllegalStateException.class.getName()));
    assertThat(this.request.getAttribute(RequestDispatcher.ERROR_REQUEST_URI), equalTo((Object) "/test/path"));
    assertTrue(this.response.isCommitted());
}
/** During an async dispatch an exception from the chain still leaves the response committed. */
@Test
public void responseIsCommitedWhenExceptionIsThrownDuringAsyncDispatch() throws Exception {
    this.filter.addErrorPages(new ErrorPage("/error"));
    setUpAsyncDispatch();
    this.chain = new MockFilterChain() {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res)
                throws IOException, ServletException {
            super.doFilter(req, res);
            throw new RuntimeException("BAD");
        }
    };
    this.filter.doFilter(this.request, this.response, this.chain);

    HttpServletResponseWrapper wrapper = (HttpServletResponseWrapper) this.chain.getResponse();
    assertThat(this.chain.getRequest(), equalTo((ServletRequest) this.request));
    assertThat(wrapper.getResponse(), equalTo((ServletResponse) this.response));
    assertTrue(this.response.isCommitted());
}
/** During an async dispatch a 4xx sent after the chain still leaves the response committed. */
@Test
public void responseIsCommitedWhenStatusIs400PlusDuringAsyncDispatch() throws Exception {
    this.filter.addErrorPages(new ErrorPage("/error"));
    setUpAsyncDispatch();
    this.chain = new MockFilterChain() {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res)
                throws IOException, ServletException {
            super.doFilter(req, res);
            // Error is raised after the chain has run, unlike the sync tests.
            ((HttpServletResponse) res).sendError(400, "BAD");
        }
    };
    this.filter.doFilter(this.request, this.response, this.chain);

    HttpServletResponseWrapper wrapper = (HttpServletResponseWrapper) this.chain.getResponse();
    assertThat(this.chain.getRequest(), equalTo((ServletRequest) this.request));
    assertThat(wrapper.getResponse(), equalTo((ServletResponse) this.response));
    assertTrue(this.response.isCommitted());
}