/** * Return the internal Session that is associated with this HttpRequest, * possibly creating a new one if necessary, or <code>null</code> if * there is no such session and we did not create one. * * @param request The HttpRequest we are processing * @param create Should we create a session if needed? */ protected Session getSession(HttpRequest request, boolean create) { HttpServletRequest hreq = (HttpServletRequest) request.getRequest(); HttpSession hses = hreq.getSession(create); if (hses == null) return (null); Manager manager = context.getManager(); if (manager == null) return (null); else { try { return (manager.findSession(hses.getId())); } catch (IOException e) { return (null); } } }
/** * Does this request match the saved one (so that it must be the redirect * we signalled after successful authentication? * * @param request The request to be verified */ protected boolean matchRequest(HttpRequest request) { // Has a session been created? Session session = getSession(request, false); if (session == null) return (false); // Is there a saved request? SavedRequest sreq = (SavedRequest) session.getNote(Constants.FORM_REQUEST_NOTE); if (sreq == null) return (false); // Is there a saved principal? if (session.getNote(Constants.FORM_PRINCIPAL_NOTE) == null) return (false); // Does the request URI match? HttpServletRequest hreq = (HttpServletRequest) request.getRequest(); String requestURI = hreq.getRequestURI(); if (requestURI == null) return (false); return (requestURI.equals(sreq.getRequestURI())); }
/** * Return the child Container that should be used to process this Request, * based upon its characteristics. If no such child Container can be * identified, return <code>null</code> instead. * * @param request Request being processed * @param update Update the Request to reflect the mapping selection? */ public Container map(Request request, boolean update) { // Has this request already been mapped? if (update && (request.getContext() != null)) return (request.getContext()); // Perform mapping on our request URI String uri = ((HttpRequest) request).getDecodedRequestURI(); Context context = host.map(uri); // Update the request (if requested) and return the selected Context if (update) { request.setContext(context); if (context != null) ((HttpRequest) request).setContextPath(context.getPath()); else ((HttpRequest) request).setContextPath(null); } return (context); }
public Object run() { HttpRequest request = new MappingRequest (context.getPath(), contextPath + relativeURI, queryString); /* HttpRequestBase request = new HttpRequestBase(); request.setContext(context); request.setContextPath(context.getPath()); request.setRequestURI(contextPath + relativeURI); request.setQueryString(queryString); */ Wrapper wrapper = (Wrapper) context.map(request, true); if (wrapper == null) return (null); // Construct a RequestDispatcher to process this request HttpServletRequest hrequest = (HttpServletRequest) request.getRequest(); return (RequestDispatcher) new ApplicationDispatcher (wrapper, hrequest.getServletPath(), hrequest.getPathInfo(), hrequest.getQueryString(), null); }
static Session getSession(HttpRequest request, boolean create) { HttpServletRequest hreq = (HttpServletRequest) request.getRequest(); HttpSession hses = hreq.getSession(create); if (hses == null) return (null); Manager manager = request.getContext().getManager(); if (manager == null) return (null); else { try { return (manager.findSession(hses.getId())); } catch (IOException e) { Log.getLogger(LogCategories.SECURITY).error("Error in TomcatValve getting session id " + hses.getId() + " : " + ExceptionUtil.toString(e)); return (null); } } }
/** * Return the child Container that should be used to process this Request, * based upon its characteristics. If no such child Container can be * identified, return <code>null</code> instead. * * @param request Request being processed * @param update Update the Request to reflect the mapping selection? * * @exception IllegalArgumentException if the relative portion of the * path cannot be URL decoded */ public Container map(Request request, boolean update) { // Has this request already been mapped? if (update && (request.getWrapper() != null)) return (request.getWrapper()); // Identify the context-relative URI to be mapped String contextPath = ((HttpServletRequest) request.getRequest()).getContextPath(); String requestURI = ((HttpRequest) request).getDecodedRequestURI(); String relativeURI = requestURI.substring(contextPath.length()); // Apply the standard request URI mapping rules from the specification Wrapper wrapper = null; String servletPath = relativeURI; String pathInfo = null; String name = context.findServletMapping(relativeURI); if (name != null) wrapper = (Wrapper) context.findChild(name); // Update the Request (if requested) and return this Wrapper if (update) { request.setWrapper(wrapper); ((HttpRequest) request).setServletPath(servletPath); ((HttpRequest) request).setPathInfo(pathInfo); } return (wrapper); }
/** * Return the child Container that should be used to process this Request, * based upon its characteristics. If no such child Container can be * identified, return <code>null</code> instead. * * @param request Request being processed * @param update Update the Request to reflect the mapping selection? * * @exception IllegalArgumentException if the relative portion of the * path cannot be URL decoded */ public Container map(Request request, boolean update) { // Identify the context-relative URI to be mapped String contextPath = ((HttpServletRequest) request.getRequest()).getContextPath(); String requestURI = ((HttpRequest) request).getDecodedRequestURI(); String relativeURI = requestURI.substring(contextPath.length()); // Apply the standard request URI mapping rules from the specification Wrapper wrapper = null; String servletPath = relativeURI; String pathInfo = null; String name = context.findServletMapping(relativeURI); if (name != null) wrapper = (Wrapper) context.findChild(name); return (wrapper); }
/** * Return the SecurityConstraint configured to guard the request URI for * this request, or <code>null</code> if there is no such constraint. * * @param request Request we are processing */ protected SecurityConstraint findConstraint(HttpRequest request) { // Are there any defined security constraints? SecurityConstraint constraints[] = context.findConstraints(); if ((constraints == null) || (constraints.length == 0)) { if (debug >= 2) log(" No applicable constraints defined"); return (null); } // Check each defined security constraint HttpServletRequest hreq = (HttpServletRequest) request.getRequest(); String uri = request.getDecodedRequestURI(); String contextPath = hreq.getContextPath(); if (contextPath.length() > 0) uri = uri.substring(contextPath.length()); String method = hreq.getMethod(); for (int i = 0; i < constraints.length; i++) { if (debug >= 2) log(" Checking constraint '" + constraints[i] + "' against " + method + " " + uri + " --> " + constraints[i].included(uri, method)); if (constraints[i].included(uri, method)) return (constraints[i]); } // No applicable security constraint was found if (debug >= 2) log(" No applicable constraint located"); return (null); }
/** * Register an authenticated Principal and authentication type in our * request, in the current session (if there is one), and with our * SingleSignOn valve, if there is one. Set the appropriate cookie * to be returned. * * @param request The servlet request we are processing * @param response The servlet response we are generating * @param principal The authenticated Principal to be registered * @param authType The authentication type to be registered * @param username Username used to authenticate (if any) * @param password Password used to authenticate (if any) */ protected void register(HttpRequest request, HttpResponse response, Principal principal, String authType, String username, String password) { if (debug >= 1) log("Authenticated '" + principal.getName() + "' with type '" + authType + "'"); // Cache the authentication information in our request request.setAuthType(authType); request.setUserPrincipal(principal); // Cache the authentication information in our session, if any if (cache) { Session session = getSession(request, false); if (session != null) { session.setAuthType(authType); session.setPrincipal(principal); if (username != null) session.setNote(Constants.SESS_USERNAME_NOTE, username); else session.removeNote(Constants.SESS_USERNAME_NOTE); if (password != null) session.setNote(Constants.SESS_PASSWORD_NOTE, password); else session.removeNote(Constants.SESS_PASSWORD_NOTE); } } // Construct a cookie to be returned to the client if (sso == null) return; HttpServletRequest hreq = (HttpServletRequest) request.getRequest(); HttpServletResponse hres = (HttpServletResponse) response.getResponse(); String value = generateSessionId(); Cookie cookie = new Cookie(Constants.SINGLE_SIGN_ON_COOKIE, value); cookie.setMaxAge(-1); cookie.setPath("/"); hres.addCookie(cookie); // Register this principal with our SSO valve sso.register(value, principal, authType, username, password); request.setNote(Constants.REQ_SSOID_NOTE, value); }
/** * Save the original request information into our session. * * @param request The request to be saved * @param session The session to contain the saved information */ private void saveRequest(HttpRequest request, Session session) { // Create and populate a SavedRequest object for this request HttpServletRequest hreq = (HttpServletRequest) request.getRequest(); SavedRequest saved = new SavedRequest(); Cookie cookies[] = hreq.getCookies(); if (cookies != null) { for (int i = 0; i < cookies.length; i++) saved.addCookie(cookies[i]); } Enumeration names = hreq.getHeaderNames(); while (names.hasMoreElements()) { String name = (String) names.nextElement(); Enumeration values = hreq.getHeaders(name); while (values.hasMoreElements()) { String value = (String) values.nextElement(); saved.addHeader(name, value); } } Enumeration locales = hreq.getLocales(); while (locales.hasMoreElements()) { Locale locale = (Locale) locales.nextElement(); saved.addLocale(locale); } Map parameters = hreq.getParameterMap(); Iterator paramNames = parameters.keySet().iterator(); while (paramNames.hasNext()) { String paramName = (String) paramNames.next(); String paramValues[] = (String[]) parameters.get(paramName); saved.addParameter(paramName, paramValues); } saved.setMethod(hreq.getMethod()); saved.setQueryString(hreq.getQueryString()); saved.setRequestURI(hreq.getRequestURI()); // Stash the SavedRequest in our session for later use session.setNote(Constants.FORM_REQUEST_NOTE, saved); }
/** * Handle an HTTP status code or Java exception by forwarding control * to the location included in the specified errorPage object. It is * assumed that the caller has already recorded any request attributes * that are to be forwarded to this page. Return <code>true</code> if * we successfully utilized the specified error page location, or * <code>false</code> if the default error report should be rendered. * * @param request The request being processed * @param response The response being generated * @param errorPage The errorPage directive we are obeying */ protected boolean custom(Request request, Response response, ErrorPage errorPage) { if (debug >= 1) log("Processing " + errorPage); // Validate our current environment if (!(request instanceof HttpRequest)) { if (debug >= 1) log(" Not processing an HTTP request --> default handling"); return (false); // NOTE - Nothing we can do generically } HttpServletRequest hreq = (HttpServletRequest) request.getRequest(); if (!(response instanceof HttpResponse)) { if (debug >= 1) log("Not processing an HTTP response --> default handling"); return (false); // NOTE - Nothing we can do generically } HttpServletResponse hres = (HttpServletResponse) response.getResponse(); try { // Reset the response if possible (else IllegalStateException) hres.reset(); // Forward control to the specified location ServletContext servletContext = request.getContext().getServletContext(); RequestDispatcher rd = servletContext.getRequestDispatcher(errorPage.getLocation()); rd.forward(hreq, hres); // If we forward, the response is suspended again response.setSuspended(false); // Indicate that we have successfully processed this custom page return (true); } catch (Throwable t) { // Report our failure to process this custom page log("Exception Processing " + errorPage, t); return (false); } }
/** * Create and return a request wrapper that has been inserted in the * appropriate spot in the request chain. */ private ServletRequest wrapRequest() { // Locate the request we should insert in front of ServletRequest previous = null; ServletRequest current = outerRequest; while (current != null) { if ("org.apache.catalina.servlets.InvokerHttpRequest". equals(current.getClass().getName())) break; // KLUDGE - Make nested RD.forward() using invoker work if (!(current instanceof ServletRequestWrapper)) break; if (current instanceof ApplicationHttpRequest) break; if (current instanceof ApplicationRequest) break; if (current instanceof Request) break; previous = current; current = ((ServletRequestWrapper) current).getRequest(); } // Instantiate a new wrapper at this point and insert it in the chain ServletRequest wrapper = null; if ((current instanceof ApplicationHttpRequest) || (current instanceof HttpRequest) || (current instanceof HttpServletRequest)) wrapper = new ApplicationHttpRequest((HttpServletRequest) current); else wrapper = new ApplicationRequest(current); if (previous == null) outerRequest = wrapper; else ((ServletRequestWrapper) previous).setRequest(wrapper); wrapRequest = wrapper; return (wrapper); }
public void invoke(Request request, Response response, ValveContext valveContext) throws IOException, ServletException { // Validate the request and response object types if (!(request.getRequest() instanceof HttpServletRequest) || !(response.getResponse() instanceof HttpServletResponse)) { return; // NOTE - Not much else we can do generically } // Disallow any direct access to resources under WEB-INF or META-INF HttpServletRequest hreq = (HttpServletRequest) request.getRequest(); String contextPath = hreq.getContextPath(); String requestURI = ((HttpRequest) request).getDecodedRequestURI(); String relativeURI = requestURI.substring(contextPath.length()).toUpperCase(); Context context = (Context) getContainer(); // Select the Wrapper to be used for this Request Wrapper wrapper = null; try { wrapper = (Wrapper) context.map(request, true); } catch (IllegalArgumentException e) { badRequest(requestURI, (HttpServletResponse) response.getResponse()); return; } if (wrapper == null) { notFound(requestURI, (HttpServletResponse) response.getResponse()); return; } // Ask this Wrapper to process this Request response.setContext(context); wrapper.invoke(request, response); }
/** * Authenticate the user making this request, based on the specified * login configuration. Return <code>true</code> if any specified * constraint has been satisfied, or <code>false</code> if we have * created a response challenge already. * * @param request Request we are processing * @param response Response we are creating * @param login Login configuration describing how authentication * should be performed * * @exception IOException if an input/output error occurs */ public boolean authenticate(HttpRequest request, HttpResponse response, LoginConfig config) throws IOException { // Have we already authenticated someone? Principal principal = ((HttpServletRequest) request.getRequest()).getUserPrincipal(); if (principal != null) { if (debug >= 1) log("Already authenticated '" + principal.getName() + "'"); return (true); } // Validate any credentials already included with this request HttpServletRequest hreq = (HttpServletRequest) request.getRequest(); HttpServletResponse hres = (HttpServletResponse) response.getResponse(); String authorization = request.getAuthorization(); String username = parseUsername(authorization); String password = parsePassword(authorization); principal = context.getRealm().authenticate(username, password); if (principal != null) { register(request, response, principal, Constants.BASIC_METHOD, username, password); return (true); } // Send an "unauthorized" response and an appropriate challenge String realmName = config.getRealmName(); if (realmName == null) realmName = hreq.getServerName() + ":" + hreq.getServerPort(); // if (debug >= 1) // log("Challenging for realm '" + realmName + "'"); hres.setHeader("WWW-Authenticate", "Basic realm=\"" + realmName + "\""); hres.setStatus(HttpServletResponse.SC_UNAUTHORIZED); // hres.flushBuffer(); return (false); }
/** * Authenticate the user by checking for the existence of a certificate * chain (which should have been made visible by an instance of * <code>CertificatesValve</code), and optionally asking a trust * manager to validate that we trust this user. * * @param request Request we are processing * @param response Response we are creating * @param login Login configuration describing how authentication * should be performed * * @exception IOException if an input/output error occurs */ public boolean authenticate(HttpRequest request, HttpResponse response, LoginConfig config) throws IOException { // Have we already authenticated someone? Principal principal = ((HttpServletRequest) request.getRequest()).getUserPrincipal(); if (principal != null) { if (debug >= 1) log("Already authenticated '" + principal.getName() + "'"); return (true); } // Retrieve the certificate chain for this client HttpServletResponse hres = (HttpServletResponse) response.getResponse(); if (debug >= 1) log(" Looking up certificates"); X509Certificate certs[] = (X509Certificate[]) request.getRequest().getAttribute(Globals.CERTIFICATES_ATTR); if ((certs == null) || (certs.length < 1)) { certs = (X509Certificate[]) request.getRequest().getAttribute(Globals.SSL_CERTIFICATE_ATTR); } if ((certs == null) || (certs.length < 1)) { if (debug >= 1) log(" No certificates included with this request"); hres.sendError(HttpServletResponse.SC_BAD_REQUEST, sm.getString("authenticator.certificates")); return (false); } // Authenticate the specified certificate chain principal = context.getRealm().authenticate(certs); if (principal == null) { if (debug >= 1) log(" Realm.authenticate() returned false"); hres.sendError(HttpServletResponse.SC_UNAUTHORIZED, sm.getString("authenticator.unauthorized")); return (false); } // Cache the principal (if requested) and record this authentication register(request, response, principal, Constants.CERT_METHOD, null, null); return (true); }
/** * Perform single-sign-on support processing for this request. * * @param request The servlet request we are processing * @param response The servlet response we are creating * @param context The valve context used to invoke the next valve * in the current processing pipeline * * @exception IOException if an input/output error occurs * @exception ServletException if a servlet error occurs */ public void invoke(Request request, Response response, ValveContext context) throws IOException, ServletException { // If this is not an HTTP request and response, just pass them on if (!(request instanceof HttpRequest) || !(response instanceof HttpResponse)) { context.invokeNext(request, response); return; } HttpServletRequest hreq = (HttpServletRequest) request.getRequest(); HttpServletResponse hres = (HttpServletResponse) response.getResponse(); request.removeNote(Constants.REQ_SSOID_NOTE); // Has a valid user already been authenticated? if (debug >= 1) log("Process request for '" + hreq.getRequestURI() + "'"); if (hreq.getUserPrincipal() != null) { if (debug >= 1) log(" Principal '" + hreq.getUserPrincipal().getName() + "' has already been authenticated"); context.invokeNext(request, response); return; } // Check for the single sign on cookie if (debug >= 1) log(" Checking for SSO cookie"); Cookie cookie = null; Cookie cookies[] = hreq.getCookies(); if (cookies == null) cookies = new Cookie[0]; for (int i = 0; i < cookies.length; i++) { if (Constants.SINGLE_SIGN_ON_COOKIE.equals(cookies[i].getName())) { cookie = cookies[i]; break; } } if (cookie == null) { if (debug >= 1) log(" SSO cookie is not present"); context.invokeNext(request, response); return; } // Look up the cached Principal associated with this cookie value if (debug >= 1) log(" Checking for cached principal for " + cookie.getValue()); SingleSignOnEntry entry = lookup(cookie.getValue()); if (entry != null) { if (debug >= 1) log(" Found cached principal '" + entry.principal.getName() + "' with auth type '" + entry.authType + "'"); request.setNote(Constants.REQ_SSOID_NOTE, cookie.getValue()); ((HttpRequest) request).setAuthType(entry.authType); ((HttpRequest) request).setUserPrincipal(entry.principal); } else { if (debug >= 1) log(" No cached principal found, erasing SSO cookie"); cookie.setMaxAge(0); hres.addCookie(cookie); } // Invoke the next Valve in our pipeline context.invokeNext(request, response); }
/** * Authenticate the user making this request, based on the specified * login configuration. Return <code>true</code> if any specified * constraint has been satisfied, or <code>false</code> if we have * created a response challenge already. * * @param request Request we are processing * @param response Response we are creating * @param login Login configuration describing how authentication * should be performed * * @exception IOException if an input/output error occurs */ public boolean authenticate(HttpRequest request, HttpResponse response, LoginConfig config) throws IOException { // Have we already authenticated someone? Principal principal = ((HttpServletRequest) request.getRequest()).getUserPrincipal(); if (principal != null) return (true); // Validate any credentials already included with this request HttpServletRequest hreq = (HttpServletRequest) request.getRequest(); HttpServletResponse hres = (HttpServletResponse) response.getResponse(); String authorization = request.getAuthorization(); if (authorization != null) { principal = findPrincipal(hreq, authorization, context.getRealm()); if (principal != null) { String username = parseUsername(authorization); register(request, response, principal, Constants.DIGEST_METHOD, username, null); return (true); } } // Send an "unauthorized" response and an appropriate challenge // Next, generate a nOnce token (that is a token which is supposed // to be unique). String nOnce = generateNOnce(hreq); setAuthenticateHeader(hreq, hres, config, nOnce); hres.setStatus(HttpServletResponse.SC_UNAUTHORIZED); // hres.flushBuffer(); return (false); }
/** * Restore the original request from information stored in our session. * If the original request is no longer present (because the session * timed out), return <code>false</code>; otherwise, return * <code>true</code>. * * @param request The request to be restored * @param session The session containing the saved information */ protected boolean restoreRequest(HttpRequest request, Session session) { // Retrieve and remove the SavedRequest object from our session SavedRequest saved = (SavedRequest) session.getNote(Constants.FORM_REQUEST_NOTE); session.removeNote(Constants.FORM_REQUEST_NOTE); session.removeNote(Constants.FORM_PRINCIPAL_NOTE); if (saved == null) return (false); // Modify our current request to reflect the original one request.clearCookies(); Iterator cookies = saved.getCookies(); while (cookies.hasNext()) { request.addCookie((Cookie) cookies.next()); } request.clearHeaders(); Iterator names = saved.getHeaderNames(); while (names.hasNext()) { String name = (String) names.next(); Iterator values = saved.getHeaderValues(name); while (values.hasNext()) { request.addHeader(name, (String) values.next()); } } request.clearLocales(); Iterator locales = saved.getLocales(); while (locales.hasNext()) { request.addLocale((Locale) locales.next()); } request.clearParameters(); if ("POST".equalsIgnoreCase(saved.getMethod())) { Iterator paramNames = saved.getParameterNames(); while (paramNames.hasNext()) { String paramName = (String) paramNames.next(); String paramValues[] = (String[]) saved.getParameterValues(paramName); request.addParameter(paramName, paramValues); } } request.setMethod(saved.getMethod()); request.setQueryString(saved.getQueryString()); request.setRequestURI(saved.getRequestURI()); return (true); }
/** * Return a <code>RequestDispatcher</code> instance that acts as a * wrapper for the resource at the given path. The path must begin * with a "/" and is interpreted as relative to the current context root. * * @param path The path to the desired resource. */ public RequestDispatcher getRequestDispatcher(String path) { // Validate the path argument if (path == null) return (null); if (!path.startsWith("/")) throw new IllegalArgumentException (sm.getString("applicationContext.requestDispatcher.iae", path)); if (normalize(path) == null) return (null); // Construct a "fake" request to be mapped by our Context String contextPath = context.getPath(); if (contextPath == null) contextPath = ""; String relativeURI = path; String queryString = null; int question = path.indexOf('?'); if (question >= 0) { relativeURI = path.substring(0, question); queryString = path.substring(question + 1); } if( System.getSecurityManager() != null ) { PrivilegedGetRequestDispatcher dp = new PrivilegedGetRequestDispatcher(contextPath, relativeURI,queryString); return (RequestDispatcher)AccessController.doPrivileged(dp); } // The remaining code is duplicated in PrivilegedGetRequestDispatcher, // we need to make sure they stay in sync HttpRequest request = new MappingRequest (context.getPath(), contextPath + relativeURI, queryString); /* request.setContext(context); request.setContextPath(context.getPath()); request.setRequestURI(contextPath + relativeURI); request.setQueryString(queryString); */ Wrapper wrapper = (Wrapper) context.map(request, true); if (wrapper == null) return (null); // Construct a RequestDispatcher to process this request HttpServletRequest hrequest = (HttpServletRequest) request.getRequest(); return (RequestDispatcher) new ApplicationDispatcher(wrapper, hrequest.getServletPath(), hrequest.getPathInfo(), hrequest.getQueryString(), null); }
public void invoke(Request request, Response response, ValveContext context) throws IOException, ServletException { ServletRequest servRequest = request.getRequest(); if (servRequest instanceof HttpServletRequest) { // we only set the TomcatLoginImpl for gateway paths HttpServletRequest hrequest = ((HttpServletRequest)servRequest); String path = hrequest.getServletPath(); boolean match = false; if (path == null) { // We need to use a slighly-weaker uri match for 4.1 String uri = hrequest.getRequestURI(); match = (uri != null && (uri.indexOf(MESSAGEBROKER_MATCH) != -1 || uri.indexOf(AMF_MATCH) != -1 || uri.indexOf(GATEWAY_MATCH) != -1 || (CUSTOM_MATCH != null && uri.indexOf(CUSTOM_MATCH) != -1))); } else { match = (path.startsWith(MESSAGEBROKER_MATCH) || path.startsWith(AMF_MATCH) || path.startsWith(GATEWAY_MATCH) || (CUSTOM_MATCH != null && path.startsWith(CUSTOM_MATCH))); } if (match) { HttpRequest httpRequest = (HttpRequest)request; TomcatLoginHolder.setLogin(new TomcatLoginImpl(getContainer(), httpRequest)); // copy over user princicpal and auth type values, just like in AuthenticatorBase.invoke() Principal principal = hrequest.getUserPrincipal(); if (principal == null) { Session session = getSession(httpRequest, false); if (session != null) { principal = session.getPrincipal(); if (principal != null) { httpRequest.setAuthType(session.getAuthType()); httpRequest.setUserPrincipal(principal); } } } } } context.invokeNext(request, response); }
TomcatLoginImpl(Container container, HttpRequest request) { this.container = container; this.request = request; }
/** * Select the appropriate child Wrapper to process this request, * based on the specified request URI. If no matching Wrapper can * be found, return an appropriate HTTP error. * * @param request Request to be processed * @param response Response to be produced * @param valveContext Valve context used to forward to the next Valve * * @exception IOException if an input/output error occurred * @exception ServletException if a servlet error occurred */ public void invoke(Request request, Response response, ValveContext valveContext) throws IOException, ServletException { // Validate the request and response object types if (!(request.getRequest() instanceof HttpServletRequest) || !(response.getResponse() instanceof HttpServletResponse)) { return; // NOTE - Not much else we can do generically } // Disallow any direct access to resources under WEB-INF or META-INF HttpServletRequest hreq = (HttpServletRequest) request.getRequest(); String contextPath = hreq.getContextPath(); String requestURI = ((HttpRequest) request).getDecodedRequestURI(); String relativeURI = requestURI.substring(contextPath.length()).toUpperCase(); if (relativeURI.equals("/META-INF") || relativeURI.equals("/WEB-INF") || relativeURI.startsWith("/META-INF/") || relativeURI.startsWith("/WEB-INF/")) { notFound(requestURI, (HttpServletResponse) response.getResponse()); return; } Context context = (Context) getContainer(); // Select the Wrapper to be used for this Request Wrapper wrapper = null; try { wrapper = (Wrapper) context.map(request, true); } catch (IllegalArgumentException e) { badRequest(requestURI, (HttpServletResponse) response.getResponse()); return; } if (wrapper == null) { notFound(requestURI, (HttpServletResponse) response.getResponse()); return; } // Ask this Wrapper to process this Request response.setContext(context); wrapper.invoke(request, response); }
