|
From: Christopher S. <chr...@us...> - 2007-11-07 17:23:41
|
Update of /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/filter In directory sc8-pr-cvs8.sourceforge.net:/tmp/cvs-serv30079/src/share/org/securityfilter/filter Modified Files: SecurityFilter.java Log Message: Added support for <user-data-constraint>, specifically <transport-guarantee>. Index: SecurityFilter.java =================================================================== RCS file: /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/filter/SecurityFilter.java,v retrieving revision 1.24 retrieving revision 1.25 diff -C2 -d -r1.24 -r1.25 *** SecurityFilter.java 14 Feb 2006 09:28:27 -0000 1.24 --- SecurityFilter.java 7 Nov 2007 17:22:38 -0000 1.25 *************** *** 79,82 **** --- 79,83 ---- public static final String DEFAULT_CONFIG_FILE = "/WEB-INF/securityfilter-config.xml"; public static final String VALIDATE_KEY = "validate"; + public static final String SSL_PORT_INIT_PARAMETER_KEY = "ssl-redirect-port"; public static final String TRUE = "true"; *************** *** 93,96 **** --- 94,102 ---- protected Authenticator authenticator; + /** + * The port to be used when upgrading connections to HTTPS. + */ + protected int sslPort = 443; + /** * Perform filtering operation, and optionally pass the request down the chain. *************** *** 151,155 **** // check security constraint, if any if (match != null) { ! // TODO: check user-data-constraint // check auth constraint AuthConstraint authConstraint = match.getSecurityConstraint().getAuthConstraint(); --- 157,198 ---- // check security constraint, if any if (match != null) { ! ! // Check user-data-constraint (transport-guarantee) ! UserDataConstraint userDataConstraint ! = match.getSecurityConstraint().getUserDataConstraint(); ! if(null != userDataConstraint) ! { ! String tg = userDataConstraint.getTransportGuarantee(); ! if((tg.equals(UserDataConstraint.TRANSPORT_GUARANTEE_INTEGRAL) ! || tg.equals(UserDataConstraint.TRANSPORT_GUARANTEE_CONFIDENTIAL)) ! && !request.isSecure()) ! { ! // Servlet Specification Note: ! // ! // The Servlet Specification does not specify what ought ! // to be done when the connection must be "upgraded" ! // in order to satisfy the transport-guarantee. ! // ! // This implementation matches that of the Apache Tomcat ! // servlet container (as of version 5.5). ! ! // Switch from HTTP to HTTPS via redirection. ! if(0 <= sslPort) ! { ! String url = getSecureURL(wrappedRequest); ! ! hRes.sendRedirect(hRes.encodeRedirectURL(url)); ! } ! else ! { ! // SSL port set to a negative: disable redirection. ! hRes.sendError(HttpServletResponse.SC_FORBIDDEN, ! hReq.getRequestURI()); ! } ! ! return; ! } ! } ! // check auth constraint AuthConstraint authConstraint = match.getSecurityConstraint().getAuthConstraint(); *************** *** 196,199 **** --- 239,275 ---- public void init(FilterConfig config) throws ServletException { this.config = config; + + String sslPortString = config.getInitParameter(SSL_PORT_INIT_PARAMETER_KEY); + if(null != sslPortString) + { + try + { + this.sslPort = Integer.parseInt(sslPortString); + + if(this.sslPort > 65535) + { + System.err.println("ERROR: Invalid " + + SSL_PORT_INIT_PARAMETER_KEY + + ": " + sslPortString); + System.err.println("WARN: SSL port redirection is disabled."); + this.sslPort = -1; + } + else if(this.sslPort < 0) + { + System.err.println("INFO: SSL port redirection is disabled (was set to " + this.sslPort + ")"); + } + } + catch (NumberFormatException nfe) + { + System.err.println("ERROR: Invalid " + + SSL_PORT_INIT_PARAMETER_KEY + + ": " + sslPortString); + System.err.println("WARN: SSL port redirection is disabled."); + nfe.printStackTrace(); + + this.sslPort = -1; + } + } + try { // parse config file *************** *** 264,269 **** * @return the matching URLPattern object, or null if there is no match. */ ! protected URLPattern matchPattern(String pattern, String httpMethod, URLPatternMatcher matcher) throws Exception { ! // PERFORMANCE IMPROVEMENT OPPORTUNITY: cahce pattern matches Iterator i = patternList.iterator(); while (i.hasNext()) { --- 340,345 ---- * @return the matching URLPattern object, or null if there is no match. */ ! protected URLPattern matchPattern(String pattern, String httpMethod, URLPatternMatcher matcher) { ! // PERFORMANCE IMPROVEMENT OPPORTUNITY: cache pattern matches Iterator i = patternList.iterator(); while (i.hasNext()) { *************** *** 357,360 **** --- 433,459 ---- } + protected String getSecureURL(HttpServletRequest request) + { + StringBuffer url = new StringBuffer(); + url.append("https://") + .append(request.getServerName()) + ; + + if(443 != sslPort) + url.append(':') + .append(sslPort) + ; + + url.append(request.getRequestURI()); + + String queryString = request.getQueryString(); + if(null != queryString) + url.append('?') + .append(queryString) + ; + + return url.toString(); + } + ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // The following methods are provided for compatibility with various app servers. // |
