Package org.owasp.esapi.filters
Class SecurityWrapperResponse
java.lang.Object
  javax.servlet.ServletResponseWrapper
    javax.servlet.http.HttpServletResponseWrapper
      org.owasp.esapi.filters.SecurityWrapperResponse

All Implemented Interfaces:
javax.servlet.http.HttpServletResponse, javax.servlet.ServletResponse
public class SecurityWrapperResponse extends javax.servlet.http.HttpServletResponseWrapper implements javax.servlet.http.HttpServletResponse
This response wrapper overrides the unsafe methods of the HttpServletResponse API with safer versions: header and cookie names and values are validated before they are written, redirects are restricted to the safe locations configured in ESAPI, URL rewriting of the session ID is disabled, and error and status codes are replaced with 200 (see sendError and setStatus). It is meant to be installed from a servlet Filter so that downstream servlets and JSPs receive the wrapped response transparently.
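As an added example (not ESAPI's own code), the following servlet Filter installs SecurityWrapperResponse for every request so that all downstream code writes headers, cookies, redirects and status codes through the safe overrides. The filter name, the URL mapping and the package name are assumptions; the constructor used is the one documented on this page.

```java
// Added example, not part of ESAPI: a Filter that wraps the response in
// SecurityWrapperResponse before handing it down the chain.
// Filter name, URL pattern and package are assumptions.
package com.example.web;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.ServletResponseWrapper;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.filters.SecurityWrapperResponse;

@WebFilter(filterName = "ResponseHardeningFilter", urlPatterns = "/*")
public class ResponseHardeningFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // Nothing to configure here: ESAPI reads its own ESAPI.properties.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Only HTTP responses can be wrapped; pass anything else straight through.
        if (!(response instanceof HttpServletResponse)) {
            chain.doFilter(request, response);
            return;
        }
        // Avoid double-wrapping when the filter runs more than once for the same
        // response (for example on a FORWARD dispatch as well as the REQUEST).
        if (response instanceof ServletResponseWrapper
                && ((ServletResponseWrapper) response).isWrapperFor(SecurityWrapperResponse.class)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletResponse safe = new SecurityWrapperResponse((HttpServletResponse) response);
        chain.doFilter(request, safe);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

ESAPI ships its own filter in this package, SecurityWrapper, which wraps the request as well as the response; the example above wraps only the response to show the mechanics. Any code that reaches past the wrapper (for instance by calling getResponse() on it) bypasses every check documented below.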
-
-
Field Summary
-
Fields inherited from interface javax.servlet.http.HttpServletResponse
SC_ACCEPTED, SC_BAD_GATEWAY, SC_BAD_REQUEST, SC_CONFLICT, SC_CONTINUE, SC_CREATED, SC_EXPECTATION_FAILED, SC_FORBIDDEN, SC_FOUND, SC_GATEWAY_TIMEOUT, SC_GONE, SC_HTTP_VERSION_NOT_SUPPORTED, SC_INTERNAL_SERVER_ERROR, SC_LENGTH_REQUIRED, SC_METHOD_NOT_ALLOWED, SC_MOVED_PERMANENTLY, SC_MOVED_TEMPORARILY, SC_MULTIPLE_CHOICES, SC_NO_CONTENT, SC_NON_AUTHORITATIVE_INFORMATION, SC_NOT_ACCEPTABLE, SC_NOT_FOUND, SC_NOT_IMPLEMENTED, SC_NOT_MODIFIED, SC_OK, SC_PARTIAL_CONTENT, SC_PAYMENT_REQUIRED, SC_PRECONDITION_FAILED, SC_PROXY_AUTHENTICATION_REQUIRED, SC_REQUEST_ENTITY_TOO_LARGE, SC_REQUEST_TIMEOUT, SC_REQUEST_URI_TOO_LONG, SC_REQUESTED_RANGE_NOT_SATISFIABLE, SC_RESET_CONTENT, SC_SEE_OTHER, SC_SERVICE_UNAVAILABLE, SC_SWITCHING_PROTOCOLS, SC_TEMPORARY_REDIRECT, SC_UNAUTHORIZED, SC_UNSUPPORTED_MEDIA_TYPE, SC_USE_PROXY
-
-
Constructor Summary
Constructors

SecurityWrapperResponse(javax.servlet.http.HttpServletResponse response)
    Construct a safe response that overrides the default response methods with safer versions.

SecurityWrapperResponse(javax.servlet.http.HttpServletResponse response, java.lang.String mode)
-
Method Summary
All Methods  Instance Methods  Concrete Methods  Deprecated Methods

void addCookie(javax.servlet.http.Cookie cookie)
    Add a cookie to the response after ensuring that there are no encoded or illegal characters in the name and value.
void addDateHeader(java.lang.String name, long date)
    Add a date header to the response after ensuring that there are no encoded or illegal characters in the name.
void addHeader(java.lang.String name, java.lang.String value)
    Add a header to the response after ensuring that there are no encoded or illegal characters in the name and value.
void addIntHeader(java.lang.String name, int value)
    Add an int header to the response after ensuring that there are no encoded or illegal characters in the name.
boolean containsHeader(java.lang.String name)
    Same as HttpServletResponse, no security changes required.
java.lang.String encodeRedirectUrl(java.lang.String url)
    Deprecated. In servlet spec 2.1. Use encodeRedirectURL(String) instead.
java.lang.String encodeRedirectURL(java.lang.String url)
    Return the URL without any changes, to prevent disclosure of the Session ID. The default implementation of this method can add the Session ID to the URL if support for cookies is not detected.
java.lang.String encodeUrl(java.lang.String url)
    Deprecated. In servlet spec 2.1. Use encodeURL(String) instead.
java.lang.String encodeURL(java.lang.String url)
    Return the URL without any changes, to prevent disclosure of the Session ID. The default implementation of this method can add the Session ID to the URL if support for cookies is not detected.
void flushBuffer()
    Same as HttpServletResponse, no security changes required.
int getBufferSize()
    Same as HttpServletResponse, no security changes required.
java.lang.String getCharacterEncoding()
    Same as HttpServletResponse, no security changes required.
java.lang.String getContentType()
    Same as HttpServletResponse, no security changes required.
java.util.Locale getLocale()
    Same as HttpServletResponse, no security changes required.
javax.servlet.ServletOutputStream getOutputStream()
    Same as HttpServletResponse, no security changes required.
java.io.PrintWriter getWriter()
    Same as HttpServletResponse, no security changes required.
boolean isCommitted()
    Same as HttpServletResponse, no security changes required.
void reset()
    Same as HttpServletResponse, no security changes required.
void resetBuffer()
    Same as HttpServletResponse, no security changes required.
void sendError(int sc)
    Override the error code with a 200 in order to confound attackers using automated scanners.
void sendError(int sc, java.lang.String msg)
    Override the error code with a 200 in order to confound attackers using automated scanners.
void sendRedirect(java.lang.String location)
    This method generates a redirect response that can only be used to redirect the browser to safe locations, as configured in the ESAPI security configuration.
void setBufferSize(int size)
    Same as HttpServletResponse, no security changes required.
void setCharacterEncoding(java.lang.String charset)
    Sets the character encoding to the ESAPI configured encoding.
void setContentLength(int len)
    Same as HttpServletResponse, no security changes required.
void setContentType(java.lang.String type)
    Same as HttpServletResponse, no security changes required.
void setDateHeader(java.lang.String name, long date)
    Set a date header on the response after ensuring that there are no encoded or illegal characters in the name.
void setHeader(java.lang.String name, java.lang.String value)
    Set a header on the response after ensuring that there are no encoded or illegal characters in the name and value.
void setIntHeader(java.lang.String name, int value)
    Set an int header on the response after ensuring that there are no encoded or illegal characters in the name.
void setLocale(java.util.Locale loc)
    Same as HttpServletResponse, no security changes required.
void setStatus(int sc)
    Override the status code with a 200 in order to confound attackers using automated scanners.
void setStatus(int sc, java.lang.String sm)
    Deprecated. In Servlet spec 2.1.
Methods inherited from class javax.servlet.http.HttpServletResponseWrapper
getHeader, getHeaderNames, getHeaders, getStatus, getTrailerFields, setTrailerFields
-
Methods inherited from class javax.servlet.ServletResponseWrapper
getResponse, isWrapperFor, isWrapperFor, setContentLengthLong, setResponse
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
-
-
-
Constructor Detail
-
SecurityWrapperResponse
public SecurityWrapperResponse(javax.servlet.http.HttpServletResponse response)
Construct a safe response that overrides the default response methods with safer versions.- Parameters:
response
-
-
SecurityWrapperResponse
public SecurityWrapperResponse(javax.servlet.http.HttpServletResponse response, java.lang.String mode)
- Parameters:
response
-mode
-
-
-
Method Detail
-
addCookie
public void addCookie(javax.servlet.http.Cookie cookie)
Add a cookie to the response after ensuring that there are no encoded or illegal characters in the name and value. This method also sets the Secure and HttpOnly flags on the cookie. This implementation writes a custom "Set-Cookie" header instead of using Java's cookie interface, which (before Servlet 3.0 added Cookie.setHttpOnly) offered no way to set HttpOnly.- Specified by:
addCookie
in interfacejavax.servlet.http.HttpServletResponse
- Overrides:
addCookie
in classjavax.servlet.http.HttpServletResponseWrapper
- Parameters:
cookie
-
-
addDateHeader
public void addDateHeader(java.lang.String name, long date)
Add a date header to the response after ensuring that there are no encoded or illegal characters in the name.- Specified by:
addDateHeader
in interfacejavax.servlet.http.HttpServletResponse
- Overrides:
addDateHeader
in classjavax.servlet.http.HttpServletResponseWrapper
- Parameters:
name
-date
-
-
addHeader
public void addHeader(java.lang.String name, java.lang.String value)
Add a header to the response after ensuring that there are no encoded or illegal characters in the name and value. This implementation follows the recommendation in RFC 2616 section 2.2: "A recipient MAY replace any linear white space with a single SP before interpreting the field value or forwarding the message downstream." http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2- Specified by:
addHeader
in interfacejavax.servlet.http.HttpServletResponse
- Overrides:
addHeader
in classjavax.servlet.http.HttpServletResponseWrapper
- Parameters:
name
-value
-
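The checks that addCookie and addHeader (and setHeader) describe, written out as an added example so the rejected inputs are visible. This is not ESAPI's code: ESAPI validates with its own Validator patterns from ESAPI.properties, whereas the class below uses the RFC 7230 token grammar for names, the RFC 6265 cookie-octet grammar for cookie values, and the RFC 2616 linear-whitespace folding quoted above. The class name, the method names and the sample inputs in main are assumptions.

```java
// Added example, not ESAPI's own code: name/value validation for response
// headers and a Set-Cookie builder that always appends Secure and HttpOnly.
// Class name, limits and character classes are the editor's assumptions.
package com.example.web;

import java.util.regex.Pattern;

public final class ResponseHeaderGuard {

    // RFC 7230 token characters: header names and cookie names must match this.
    private static final Pattern TOKEN = Pattern.compile("[!#$%&'*+\\-.^_`|~0-9A-Za-z]+");
    // RFC 6265 cookie-octet: printable US-ASCII except CTL, SP, DQUOTE, comma, semicolon, backslash.
    private static final Pattern COOKIE_VALUE =
            Pattern.compile("[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*");
    // Runs of SP / HTAB inside a field value; RFC 2616 2.2 allows folding them to one SP.
    private static final Pattern LWS = Pattern.compile("[ \\t]+");

    private ResponseHeaderGuard() {}

    /** A header name that is not a token could terminate the line or smuggle a second header. */
    public static String safeHeaderName(String name) {
        if (name == null || !TOKEN.matcher(name).matches()) {
            throw new IllegalArgumentException("illegal header name");
        }
        return name;
    }

    /**
     * CR and LF are the response-splitting vector ("x\r\nSet-Cookie: admin=1");
     * every other control character is rejected too, then SP/HTAB runs are folded.
     */
    public static String safeHeaderValue(String value) {
        if (value == null) {
            throw new IllegalArgumentException("null header value");
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if ((c < 0x20 && c != '\t') || c == 0x7F) {
                throw new IllegalArgumentException("control character in header value at index " + i);
            }
        }
        return LWS.matcher(value.trim()).replaceAll(" ");
    }

    /**
     * Builds the Set-Cookie header the way a wrapper that cannot rely on
     * Cookie.setHttpOnly must: validate name and value, then append Secure and
     * HttpOnly regardless of what the caller asked for.
     */
    public static String cookieHeader(String name, String value, int maxAgeSeconds,
                                      String domain, String path) {
        String safeName = safeHeaderName(name);
        if (value == null || !COOKIE_VALUE.matcher(value).matches()) {
            throw new IllegalArgumentException("illegal cookie value");
        }
        StringBuilder sb = new StringBuilder(safeName).append('=').append(value);
        if (maxAgeSeconds >= 0) {
            sb.append("; Max-Age=").append(maxAgeSeconds);
        }
        if (domain != null) {
            sb.append("; Domain=").append(safeHeaderValue(domain));
        }
        sb.append("; Path=").append(path == null ? "/" : safeHeaderValue(path));
        sb.append("; Secure; HttpOnly");
        return sb.toString();
    }

    // Constructed sample inputs: two benign values and two injection attempts.
    public static void main(String[] args) {
        System.out.println(safeHeaderValue("text/html;   charset=utf-8"));
        System.out.println(cookieHeader("session", "abc123", 3600, null, "/app"));
        try {
            safeHeaderValue("ok\r\nSet-Cookie: admin=true");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        try {
            cookieHeader("session", "abc;Path=/", -1, null, null);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The two rejections in main are the cases the wrapper's validation exists for: a CR/LF pair in a header value that would start a second header, and a semicolon inside a cookie value that would let the caller append its own cookie attributes (for example a wider Path or a different Domain).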
-
addIntHeader
public void addIntHeader(java.lang.String name, int value)
Add an int header to the response after ensuring that there are no encoded or illegal characters in the name.- Specified by:
addIntHeader
in interfacejavax.servlet.http.HttpServletResponse
- Overrides:
addIntHeader
in classjavax.servlet.http.HttpServletResponseWrapper
- Parameters:
name
-value
-
-
containsHeader
public boolean containsHeader(java.lang.String name)
Same as HttpServletResponse, no security changes required.- Specified by:
containsHeader
in interfacejavax.servlet.http.HttpServletResponse
- Overrides:
containsHeader
in classjavax.servlet.http.HttpServletResponseWrapper
- Parameters:
name
-- Returns:
-
encodeRedirectUrl
@Deprecated public java.lang.String encodeRedirectUrl(java.lang.String url)
Deprecated. In servlet spec 2.1. Use encodeRedirectURL(String)
instead. Return the URL without any changes, to prevent disclosure of the Session ID. The default implementation of this method can add the Session ID to the URL if support for cookies is not detected. This exposes the Session ID credential in bookmarks, referer headers, server logs, and more.- Specified by:
encodeRedirectUrl
in interfacejavax.servlet.http.HttpServletResponse
- Overrides:
encodeRedirectUrl
in classjavax.servlet.http.HttpServletResponseWrapper
- Parameters:
url
-- Returns:
- original url
-
encodeRedirectURL
public java.lang.String encodeRedirectURL(java.lang.String url)
Return the URL without any changes, to prevent disclosure of the Session ID. The default implementation of this method can add the Session ID to the URL if support for cookies is not detected. This exposes the Session ID credential in bookmarks, referer headers, server logs, and more.- Specified by:
encodeRedirectURL
in interfacejavax.servlet.http.HttpServletResponse
- Overrides:
encodeRedirectURL
in classjavax.servlet.http.HttpServletResponseWrapper
- Parameters:
url
-- Returns:
- original url
-
encodeUrl
@Deprecated public java.lang.String encodeUrl(java.lang.String url)
Deprecated. In servlet spec 2.1. Use encodeURL(String)
instead. Return the URL without any changes, to prevent disclosure of the Session ID. The default implementation of this method can add the Session ID to the URL if support for cookies is not detected. This exposes the Session ID credential in bookmarks, referer headers, server logs, and more.- Specified by:
encodeUrl
in interfacejavax.servlet.http.HttpServletResponse
- Overrides:
encodeUrl
in classjavax.servlet.http.HttpServletResponseWrapper
- Parameters:
url
-- Returns:
- original url
-
encodeURL
public java.lang.String encodeURL(java.lang.String url)
Return the URL without any changes, to prevent disclosure of the Session ID. The default implementation of this method can add the Session ID to the URL if support for cookies is not detected. This exposes the Session ID credential in bookmarks, referer headers, server logs, and more.- Specified by:
encodeURL
in interfacejavax.servlet.http.HttpServletResponse
- Overrides:
encodeURL
in classjavax.servlet.http.HttpServletResponseWrapper
- Parameters:
url
-- Returns:
- original url
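The four encode methods above neutralise URL rewriting only for callers that go through the wrapper. The container-level complement, shown here as an added example that is not part of ESAPI, is a Servlet 3.0 context listener that restricts session tracking to cookies, so the container never appends ";jsessionid=..." to any URL, and that gives the session cookie the same HttpOnly and Secure flags addCookie forces on application cookies. The listener name and package are assumptions; the ServletContext and SessionCookieConfig calls are standard Servlet 3.0 API.

```java
// Added example, not part of ESAPI: disable URL session tracking for the whole
// web application and harden the session cookie. Class name is an assumption.
package com.example.web;

import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

@WebListener
public class SessionTrackingHardener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // COOKIE only: the container will not fall back to URL rewriting when it
        // cannot detect cookie support, so encodeURL()/encodeRedirectURL() return
        // their input unchanged for every response, wrapped or not.
        // (Must be called during initialisation; the container rejects it later.)
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // The session cookie itself gets the flags the wrapper forces on application cookies.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
        cookie.setPath(ctx.getContextPath().isEmpty() ? "/" : ctx.getContextPath());
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release.
    }
}
```

The same settings can be declared in web.xml under session-config (tracking-mode COOKIE, and http-only / secure under cookie-config). Either way, verify after deployment that a request without a Cookie header still receives a plain URL in Location and in rendered links, not one carrying the session ID.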
-
flushBuffer
public void flushBuffer() throws java.io.IOException
Same as HttpServletResponse, no security changes required.- Specified by:
flushBuffer
in interfacejavax.servlet.ServletResponse
- Overrides:
flushBuffer
in classjavax.servlet.ServletResponseWrapper
- Throws:
java.io.IOException
-
getBufferSize
public int getBufferSize()
Same as HttpServletResponse, no security changes required.- Specified by:
getBufferSize
in interfacejavax.servlet.ServletResponse
- Overrides:
getBufferSize
in classjavax.servlet.ServletResponseWrapper
- Returns:
-
getCharacterEncoding
public java.lang.String getCharacterEncoding()
Same as HttpServletResponse, no security changes required.- Specified by:
getCharacterEncoding
in interfacejavax.servlet.ServletResponse
- Overrides:
getCharacterEncoding
in classjavax.servlet.ServletResponseWrapper
- Returns:
-
getContentType
public java.lang.String getContentType()
Same as HttpServletResponse, no security changes required.- Specified by:
getContentType
in interfacejavax.servlet.ServletResponse
- Overrides:
getContentType
in classjavax.servlet.ServletResponseWrapper
- Returns:
-
getLocale
public java.util.Locale getLocale()
Same as HttpServletResponse, no security changes required.- Specified by:
getLocale
in interfacejavax.servlet.ServletResponse
- Overrides:
getLocale
in classjavax.servlet.ServletResponseWrapper
- Returns:
-
getOutputStream
public javax.servlet.ServletOutputStream getOutputStream() throws java.io.IOException
Same as HttpServletResponse, no security changes required.- Specified by:
getOutputStream
in interfacejavax.servlet.ServletResponse
- Overrides:
getOutputStream
in classjavax.servlet.ServletResponseWrapper
- Returns:
- Throws:
java.io.IOException
-
getWriter
public java.io.PrintWriter getWriter() throws java.io.IOException
Same as HttpServletResponse, no security changes required.- Specified by:
getWriter
in interfacejavax.servlet.ServletResponse
- Overrides:
getWriter
in classjavax.servlet.ServletResponseWrapper
- Returns:
- Throws:
java.io.IOException
-
isCommitted
public boolean isCommitted()
Same as HttpServletResponse, no security changes required.- Specified by:
isCommitted
in interfacejavax.servlet.ServletResponse
- Overrides:
isCommitted
in classjavax.servlet.ServletResponseWrapper
- Returns:
-
reset
public void reset()
Same as HttpServletResponse, no security changes required.- Specified by:
reset
in interfacejavax.servlet.ServletResponse
- Overrides:
reset
in classjavax.servlet.ServletResponseWrapper
-
resetBuffer
public void resetBuffer()
Same as HttpServletResponse, no security changes required.- Specified by:
resetBuffer
in interfacejavax.servlet.ServletResponse
- Overrides:
resetBuffer
in classjavax.servlet.ServletResponseWrapper
-
sendError
public void sendError(int sc) throws java.io.IOException
Override the error code with a 200 in order to confound attackers using automated scanners. Note that the real status is hidden from every client, not only from scanners: browsers, API consumers, caches and monitoring all receive a successful status for what was an error, so confirm that nothing downstream depends on the HTTP status before wrapping those responses.- Specified by:
sendError
in interfacejavax.servlet.http.HttpServletResponse
- Overrides:
sendError
in classjavax.servlet.http.HttpServletResponseWrapper
- Parameters:
sc
-- Throws:
java.io.IOException
-
sendError
public void sendError(int sc, java.lang.String msg) throws java.io.IOException
Override the error code with a 200 in order to confound attackers using automated scanners. The message is canonicalized and filtered for dangerous characters.- Specified by:
sendError
in interfacejavax.servlet.http.HttpServletResponse
- Overrides:
sendError
in classjavax.servlet.http.HttpServletResponseWrapper
- Parameters:
sc
-msg
-- Throws:
java.io.IOException
-
sendRedirect
public void sendRedirect(java.lang.String location) throws java.io.IOException
This method generates a redirect response that can only be used to redirect the browser to safe locations, as configured in the ESAPI security configuration. Note that redirect requests can be modified by attackers, so do not rely on information contained within redirect requests, and do not include sensitive information in a redirect.- Specified by:
sendRedirect
in interfacejavax.servlet.http.HttpServletResponse
- Overrides:
sendRedirect
in classjavax.servlet.http.HttpServletResponseWrapper
- Parameters:
location
-- Throws:
java.io.IOException
-
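An added example (not ESAPI's code) of the kind of allow-list check a safe sendRedirect has to make. ESAPI decides with the redirect pattern in its security configuration; the class below instead accepts only relative paths inside the application's context path and absolute https URLs whose host is on an explicit allow-list, and it shows the inputs an open-redirect check most often gets wrong. The host names, the context path "/app", the class and method names and the sample list in main are all assumptions.

```java
// Added example, not ESAPI's own code: allow-list validation of a redirect
// target. Hosts, context path and names are assumptions.
package com.example.web;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public final class RedirectGuard {

    private final Set<String> allowedHosts;
    private final String contextPath;

    public RedirectGuard(Set<String> allowedHosts, String contextPath) {
        this.allowedHosts = allowedHosts;
        this.contextPath = contextPath;
    }

    /** Returns true only if the browser can end up on this application or an approved host. */
    public boolean isSafeRedirect(String location) {
        if (location == null || location.isEmpty()) {
            return false;
        }
        // CR/LF would split the Location header; reject every control character.
        for (int i = 0; i < location.length(); i++) {
            char c = location.charAt(i);
            if (c < 0x20 || c == 0x7F) {
                return false;
            }
        }
        // "//evil.example" and "\\evil.example" are scheme-relative to browsers,
        // even though java.net.URI treats the backslash form as a plain path.
        if (location.startsWith("//") || location.startsWith("/\\") || location.startsWith("\\")) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(location).normalize(); // collapses "/app/../other" before the prefix test
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.getScheme() == null) {
            // Relative target: must stay inside this application's context path.
            return uri.getRawAuthority() == null
                && uri.getRawPath() != null
                && uri.getRawPath().startsWith(contextPath + "/");
        }
        if (!"https".equals(uri.getScheme().toLowerCase(Locale.ROOT))) {
            return false; // no http:, javascript:, data: and so on
        }
        String host = uri.getHost();
        // "https://www.example.com@evil.example/" parses with userinfo "www.example.com"
        // and host "evil.example"; refuse userinfo outright rather than reason about it.
        return host != null
            && uri.getRawUserInfo() == null
            && allowedHosts.contains(host.toLowerCase(Locale.ROOT));
    }

    // Constructed samples: one benign relative path, one allow-listed host, five attacks.
    public static void main(String[] args) {
        RedirectGuard guard = new RedirectGuard(Set.of("www.example.com", "login.example.com"), "/app");
        String[] samples = {
            "/app/account",
            "https://login.example.com/start",
            "https://www.example.com@evil.example/",
            "//evil.example/",
            "http://www.example.com/",
            "/app/ok\r\nSet-Cookie: a=b",
            "javascript:alert(1)",
        };
        for (String s : samples) {
            System.out.println((guard.isSafeRedirect(s) ? "allow " : "deny  ")
                    + s.replace("\r\n", "\\r\\n"));
        }
    }
}
```

Only the first two samples are allowed. Whichever validator is used, ESAPI's configured pattern or an allow-list like this one, the check belongs in the response wrapper rather than in each caller, because the caller is exactly the code that typically builds the location from a request parameter.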
setBufferSize
public void setBufferSize(int size)
Same as HttpServletResponse, no security changes required.- Specified by:
setBufferSize
in interfacejavax.servlet.ServletResponse
- Overrides:
setBufferSize
in classjavax.servlet.ServletResponseWrapper
- Parameters:
size
-
-
setCharacterEncoding
public void setCharacterEncoding(java.lang.String charset)
Sets the character encoding to the ESAPI configured encoding rather than to the charset argument, so every response leaves the application in one known encoding.- Specified by:
setCharacterEncoding
in interfacejavax.servlet.ServletResponse
- Overrides:
setCharacterEncoding
in classjavax.servlet.ServletResponseWrapper
- Parameters:
charset
-
-
setContentLength
public void setContentLength(int len)
Same as HttpServletResponse, no security changes required.- Specified by:
setContentLength
in interfacejavax.servlet.ServletResponse
- Overrides:
setContentLength
in classjavax.servlet.ServletResponseWrapper
- Parameters:
len
-
-
setContentType
public void setContentType(java.lang.String type)
Same as HttpServletResponse, no security changes required.- Specified by:
setContentType
in interfacejavax.servlet.ServletResponse
- Overrides:
setContentType
in classjavax.servlet.ServletResponseWrapper
- Parameters:
type
-
-
setDateHeader
public void setDateHeader(java.lang.String name, long date)
Add a date header to the response after ensuring that there are no encoded or illegal characters in the name.- Specified by:
setDateHeader
in interfacejavax.servlet.http.HttpServletResponse
- Overrides:
setDateHeader
in classjavax.servlet.http.HttpServletResponseWrapper
- Parameters:
name
-date
-
-
setHeader
public void setHeader(java.lang.String name, java.lang.String value)
Set a header on the response (replacing any existing value) after ensuring that there are no encoded or illegal characters in the name and value. This implementation follows the recommendation in RFC 2616 section 2.2: "A recipient MAY replace any linear white space with a single SP before interpreting the field value or forwarding the message downstream." http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2- Specified by:
setHeader
in interfacejavax.servlet.http.HttpServletResponse
- Overrides:
setHeader
in classjavax.servlet.http.HttpServletResponseWrapper
- Parameters:
name
-value
-
-
setIntHeader
public void setIntHeader(java.lang.String name, int value)
Set an int header on the response after ensuring that there are no encoded or illegal characters in the name.- Specified by:
setIntHeader
in interfacejavax.servlet.http.HttpServletResponse
- Overrides:
setIntHeader
in classjavax.servlet.http.HttpServletResponseWrapper
- Parameters:
name
-value
-
-
setLocale
public void setLocale(java.util.Locale loc)
Same as HttpServletResponse, no security changes required.- Specified by:
setLocale
in interfacejavax.servlet.ServletResponse
- Overrides:
setLocale
in classjavax.servlet.ServletResponseWrapper
- Parameters:
loc
-
-
setStatus
public void setStatus(int sc)
Override the status code with a 200 in order to confound attackers using automated scanners. As with sendError, the client never sees the real status code, so confirm that nothing downstream (redirect handling, API clients, monitoring) depends on it before wrapping those responses.- Specified by:
setStatus
in interfacejavax.servlet.http.HttpServletResponse
- Overrides:
setStatus
in classjavax.servlet.http.HttpServletResponseWrapper
- Parameters:
sc
-
-
setStatus
@Deprecated public void setStatus(int sc, java.lang.String sm)
Deprecated. In Servlet spec 2.1. Override the status code with a 200 in order to confound attackers using automated scanners. The message is canonicalized and filtered for dangerous characters.- Specified by:
setStatus
in interfacejavax.servlet.http.HttpServletResponse
- Overrides:
setStatus
in classjavax.servlet.http.HttpServletResponseWrapper
- Parameters:
sc
-sm
-
-
-