Package org.astrogrid.samp.web
Class UrlTracker
- java.lang.Object
  - org.astrogrid.samp.web.UrlTracker

public class UrlTracker extends java.lang.Object
Keeps track of which URLs have been seen in communications inbound to and outbound from Web Profile clients. On the basis of these observations it is able to advise whether a Web Profile client ought to be permitted to dereference a given URL.

The idea is that a Web Profile client, which may not be entirely trustworthy, has no legitimate reason for dereferencing an arbitrary URL, and should only be permitted to dereference local URLs if they have previously been sent as message arguments to it. So, for instance, an attempt to read file:///etc/password is likely to be blocked. Since a SAMP client may be able to provoke some kind of echo, any URL which was mentioned by a Web Profile client before any other client mentions it is automatically marked as suspicious.

Details of the implementation are arguable.
- Since: 22 Jul 2011
- Author: Mark Taylor

Constructor Summary
| Constructor | Description |
|---|---|
| UrlTracker() | Constructor. |

Method Summary
| Modifier and Type | Method | Description |
|---|---|---|
| protected boolean | isSensitive(java.net.URL url) | Indicates whether a given URL is potentially sensitive. |
| boolean | isUrlPermitted(java.net.URL url) | Indicates whether access to a given URL should be permitted, according to the strategy implemented by this class, from a Web Profile client. |
| void | noteIncomingUrl(java.net.URL url) | Note that a URL has been communicated to a Web Profile client from the outside world. |
| void | noteOutgoingUrl(java.net.URL url) | Note that a Web Profile client has communicated a URL to the outside world. |

Method Detail

noteIncomingUrl
public void noteIncomingUrl(java.net.URL url)
Note that a URL has been communicated to a Web Profile client from the outside world.
- Parameters:
  url - incoming URL

noteOutgoingUrl
public void noteOutgoingUrl(java.net.URL url)
Note that a Web Profile client has communicated a URL to the outside world.
- Parameters:
  url - outgoing URL

isUrlPermitted
public boolean isUrlPermitted(java.net.URL url)
Indicates whether access to a given URL should be permitted, according to the strategy implemented by this class, from a Web Profile client.
- Parameters:
  url - URL to assess
- Returns:
  true iff permission to access is appropriate

isSensitive
protected boolean isSensitive(java.net.URL url)
Indicates whether a given URL is potentially sensitive. The current implementation always returns true. This is probably correct, since it's not in general possible to tell whether or not a given URL accords privileges to requests from the local host. But if this ends up letting too much through, identifying only file URLs and http/https ones on the local domain would probably be OK.
- Parameters:
  url - URL to assess
- Returns:
  true iff access should be restricted
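
The strategy described in the class comment, as an added sketch that is not the library's own code: it shows why the order of first mention matters, so that an echoed URL stays blocked. The class name UrlTrackerSketch, the two string-keyed sets and the sample URLs are assumptions; only the four method names and the always-true isSensitive come from this page.

```java
import java.net.URI;
import java.net.URL;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical sketch of the policy described on this page. */
class UrlTrackerSketch {
    // Keyed by string form: URL.equals/hashCode may perform DNS lookups.
    private final Set<String> permitted = new HashSet<>();
    private final Set<String> blocked = new HashSet<>();

    /** A URL sent to a Web Profile client from the outside world. */
    public synchronized void noteIncomingUrl(URL url) {
        String key = url.toString();
        // Only unlock URLs the Web Profile client did not mention first.
        if (isSensitive(url) && !blocked.contains(key)) {
            permitted.add(key);
        }
    }

    /** A URL a Web Profile client sent to the outside world. */
    public synchronized void noteOutgoingUrl(URL url) {
        String key = url.toString();
        // First mention came from the untrusted side: mark it suspicious
        // so that a later echo from another client cannot unlock it.
        if (isSensitive(url) && !permitted.contains(key)) {
            blocked.add(key);
        }
    }

    public synchronized boolean isUrlPermitted(URL url) {
        return !isSensitive(url) || permitted.contains(url.toString());
    }

    protected boolean isSensitive(URL url) {
        return true; // as documented above: every URL is treated as sensitive
    }

    public static void main(String[] args) throws Exception {
        UrlTrackerSketch t = new UrlTrackerSketch();
        URL probe = URI.create("file:///etc/password").toURL(); // URL from this page
        URL table = URI.create("file:///tmp/table.vot").toURL(); // constructed sample
        System.out.println("never seen: " + t.isUrlPermitted(probe));
        t.noteOutgoingUrl(probe); // Web Profile client mentions it first
        t.noteIncomingUrl(probe); // another client echoes it back
        System.out.println("after echo: " + t.isUrlPermitted(probe));
        t.noteIncomingUrl(table); // sent to the client as a message argument
        System.out.println("sent by peer: " + t.isUrlPermitted(table));
    }
}
```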