Package org.owasp.esapi.filters
Class SecurityWrapper

- java.lang.Object
  - org.owasp.esapi.filters.SecurityWrapper

All Implemented Interfaces:
  javax.servlet.Filter

public class SecurityWrapper extends java.lang.Object implements javax.servlet.Filter
This filter wraps the incoming request and outgoing response and overrides many methods with safer versions. Many of the safer versions simply validate parts of the request or response for unwanted characters before allowing the call to complete. Some examples of attacks that use these vectors include request splitting, response splitting, and file download injection. Attackers use techniques like CRLF injection and null byte injection to confuse the parsing of requests and responses.

Example Configuration #1 (Default Configuration allows /WEB-INF):

  <filter>
    <filter-name>SecurityWrapperDefault</filter-name>
    <filter-class>org.owasp.esapi.filters.SecurityWrapper</filter-class>
  </filter>

Example Configuration #2 (Allows /servlet):

  <filter>
    <filter-name>SecurityWrapperForServlet</filter-name>
    <filter-class>org.owasp.esapi.filters.SecurityWrapper</filter-class>
    <init-param>
      <param-name>allowableResourceRoot</param-name>
      <param-value>/servlet</param-value>
    </init-param>
  </filter>

(The filter-class value must match the fully qualified name declared above, org.owasp.esapi.filters.SecurityWrapper; the container cannot load the filter otherwise.)
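As an added illustration of what "safer versions" of response methods means in practice, the following minimal filter (example code written here, not the ESAPI SecurityWrapper's own implementation) wraps the response so that any header name, header value or redirect location containing CR, LF or NUL is rejected before it reaches the container, which is the check that defeats response splitting. Class names are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical filter, written for this page; not part of ESAPI.
public class HeaderGuardFilter implements Filter {

    /** Returns true when the value contains no CR, LF or NUL characters. */
    static boolean isSafeHeaderValue(String value) {
        if (value == null) return true;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n' || c == '\0') return false;
        }
        return true;
    }

    static final class GuardedResponse extends HttpServletResponseWrapper {
        GuardedResponse(HttpServletResponse response) { super(response); }

        private static String check(String value) {
            if (!isSafeHeaderValue(value)) {
                // Refuse rather than "repair": a CR/LF in a header is never legitimate.
                throw new IllegalArgumentException("header contains CR, LF or NUL");
            }
            return value;
        }

        @Override public void setHeader(String name, String value) {
            super.setHeader(check(name), check(value));
        }
        @Override public void addHeader(String name, String value) {
            super.addHeader(check(name), check(value));
        }
        @Override public void sendRedirect(String location) throws IOException {
            super.sendRedirect(check(location)); // Location header is a common splitting target
        }
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Only HTTP responses carry headers; pass anything else through untouched.
        if (res instanceof HttpServletResponse) {
            chain.doFilter(req, new GuardedResponse((HttpServletResponse) res));
        } else {
            chain.doFilter(req, res);
        }
    }
}
```

Map the filter in web.xml exactly as the SecurityWrapper examples above are mapped; a rejected header surfaces as an exception in the server log rather than as a split response to the client.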
Author:
  Chris Schmidt (chrisisbeef@gmail.com)
Constructor Summary

  SecurityWrapper()
Method Summary (all methods are instance methods with concrete implementations)

  void destroy()
  void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
  void init(javax.servlet.FilterConfig filterConfig)
Method Detail

doFilter

public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws java.io.IOException, javax.servlet.ServletException

  Specified by: doFilter in interface javax.servlet.Filter
  Parameters: request, response, chain
  Throws: java.io.IOException, javax.servlet.ServletException
destroy

public void destroy()

  Specified by: destroy in interface javax.servlet.Filter
init

public void init(javax.servlet.FilterConfig filterConfig) throws javax.servlet.ServletException

  Specified by: init in interface javax.servlet.Filter
  Parameters: filterConfig
  Throws: javax.servlet.ServletException