Author: sshafroi
Date: 2008-03-13 15:41:50 +0100 (Thu, 13 Mar 2008)
New Revision: 6256
Modified:
branches/2.16/generic.sesam/war/src/main/conf/configuration.properties
branches/2.16/war/src/main/java/no/sesat/search/http/filters/MD5ProtectedParametersFilter.java
branches/2.16/war/src/main/webapp/WEB-INF/web.xml
Log:
Fix for SEARCH-4366
Now reading parameters from configuration.properties via SiteConfiguration.
Modified: branches/2.16/generic.sesam/war/src/main/conf/configuration.properties
===================================================================
--- branches/2.16/generic.sesam/war/src/main/conf/configuration.properties
2008-03-13 14:35:49 UTC (rev 6255)
+++ branches/2.16/generic.sesam/war/src/main/conf/configuration.properties
2008-03-13 14:41:50 UTC (rev 6256)
@@ -48,3 +48,6 @@
[EMAIL PROTECTED]@
[EMAIL PROTECTED]@
+
+md5.secret=S3SAM rockz
+md5.protectedParameters=companyId,personId,emailTo,rssPartnerId
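Review bot: The added `md5.secret=S3SAM rockz` line keeps the digest key as a literal in a version-controlled properties file under generic.sesam, so every site that inherits this configuration shares one key that is readable by anyone with access to the repository or this commit list. The value only moves here from web.xml, so it is already in history and should be treated as disclosed: rotate it and supply the real key per deployment instead of committing it. If the `@…@` lines just above are build-time substitution tokens (they are redacted in this view, so this is an assumption), the same mechanism would fit here. At minimum add a comment such as `# md5.secret MUST be overridden per deployment; never commit a production value`.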
Modified:
branches/2.16/war/src/main/java/no/sesat/search/http/filters/MD5ProtectedParametersFilter.java
===================================================================
---
branches/2.16/war/src/main/java/no/sesat/search/http/filters/MD5ProtectedParametersFilter.java
2008-03-13 14:35:49 UTC (rev 6255)
+++
branches/2.16/war/src/main/java/no/sesat/search/http/filters/MD5ProtectedParametersFilter.java
2008-03-13 14:41:50 UTC (rev 6256)
@@ -17,8 +17,11 @@
*/
package no.sesat.search.http.filters;
+import no.sesat.search.datamodel.DataModel;
import no.sesat.search.security.MD5Generator;
+import no.sesat.search.site.config.SiteConfiguration;
+import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Enumeration;
@@ -38,28 +41,10 @@
*/
public final class MD5ProtectedParametersFilter implements Filter {
- private Map<String, Boolean> protectedParameters;
- private MD5Generator digestGenerator;
-
private static final Logger LOG =
Logger.getLogger(MD5ProtectedParametersFilter.class);
/** [EMAIL PROTECTED] **/
public void init(final FilterConfig filterConfig) throws ServletException {
-
- protectedParameters = new HashMap<String, Boolean>();
-
- final String secret = filterConfig.getInitParameter("secret");
- final String parameters =
filterConfig.getInitParameter("protectedParameters");
-
- final Boolean t = Boolean.TRUE;
-
- final String[] p = parameters.split(",");
- for (final String parameter : p) {
- LOG.info("Adding " + parameter + " as protected parameter");
- protectedParameters.put(parameter, t);
- }
-
- digestGenerator = new MD5Generator(secret);
}
/** [EMAIL PROTECTED] **/
@@ -69,33 +54,49 @@
final FilterChain filterChain) throws IOException,
ServletException {
final Enumeration e = servletRequest.getParameterNames();
-
- while (e.hasMoreElements()) {
- final String parameterName = (String) e.nextElement();
-
- if (LOG.isTraceEnabled()) {
- LOG.trace("Checking to see if " + parameterName + " is
protected");
+
+ if(servletRequest instanceof HttpServletRequest) {
+ HttpServletRequest httpServletRequest = (HttpServletRequest)
servletRequest;
+
+ DataModel datamodel =
(DataModel)httpServletRequest.getSession().getAttribute(DataModel.KEY);
+ SiteConfiguration siteConfig =
datamodel.getSite().getSiteConfiguration();
+
+ MD5Generator digestGenerator = new
MD5Generator(siteConfig.getProperty("md5.secret"));
+
+ Map<String, Boolean> protectedParameters = new HashMap<String,
Boolean>();
+ final String[] p =
siteConfig.getProperty("md5.protectedParameters").split(",");
+ for (final String parameter : p) {
+ LOG.info("Adding " + parameter + " as protected parameter");
+ protectedParameters.put(parameter, Boolean.TRUE);
}
-
- if (protectedParameters.containsKey(parameterName)) {
-
- if (LOG.isTraceEnabled()) {
- LOG.trace(parameterName + " is protected");
- }
-
- final String md5Parameter =
servletRequest.getParameter(parameterName + "_x");
-
- if (md5Parameter == null
- ||
!digestGenerator.validate(servletRequest.getParameter(parameterName),
md5Parameter))
- {
- final HttpServletResponse response = (HttpServletResponse)
servletResponse;
- response.sendError(HttpServletResponse.SC_NOT_FOUND);
- return;
- }
- }
+
+ while (e.hasMoreElements()) {
+ final String parameterName = (String) e.nextElement();
+
+ if (LOG.isTraceEnabled()) {
+ LOG.trace("Checking to see if " + parameterName + " is
protected");
+ }
+
+ if (protectedParameters.containsKey(parameterName)) {
+
+ if (LOG.isTraceEnabled()) {
+ LOG.trace(parameterName + " is protected");
+ }
+
+ final String md5Parameter =
servletRequest.getParameter(parameterName + "_x");
+
+ if (md5Parameter == null
+ ||
!digestGenerator.validate(servletRequest.getParameter(parameterName),
md5Parameter))
+ {
+ final HttpServletResponse response =
(HttpServletResponse) servletResponse;
+
response.sendError(HttpServletResponse.SC_NOT_FOUND);
+ return;
+ }
+ }
+ }
+
+ servletRequest.setAttribute("hashGenerator", digestGenerator);
}
-
- servletRequest.setAttribute("hashGenerator", digestGenerator);
filterChain.doFilter(servletRequest, servletResponse);
}
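Review bot: In the new `doFilter` body the session's `DataModel` and the `md5.secret` and `md5.protectedParameters` properties are all used without a null check, and a request that is not an `HttpServletRequest` skips digest validation entirely yet still reaches `filterChain.doFilter`. If this filter runs before whatever stores `DataModel.KEY` in the session, or a site's configuration lacks either property, the request either dies with a NullPointerException or hands a null secret to `MD5Generator`, whose handling of that is not visible here. An explicit fail-closed path with a logged error, as sketched below, would make the outcome deliberate, and the non-HTTP branch should reject rather than pass through. The map, the generator and the `LOG.info("Adding …")` messages are now rebuilt on every request, so consider caching them per site or lowering that message to debug. `doFilter`'s signature begins above the hunk.

```java
final HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
final DataModel datamodel = (DataModel) httpServletRequest.getSession().getAttribute(DataModel.KEY);
if (datamodel == null) {
    // Fail closed: without the site configuration nothing can be verified.
    LOG.error("No DataModel in session; cannot verify protected parameters");
    ((HttpServletResponse) servletResponse).sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    return;
}
final SiteConfiguration siteConfig = datamodel.getSite().getSiteConfiguration();
final String secret = siteConfig.getProperty("md5.secret");
final String parameters = siteConfig.getProperty("md5.protectedParameters");
if (secret == null || secret.length() == 0 || parameters == null) {
    // Never build a generator from a missing or empty key.
    LOG.error("md5.secret or md5.protectedParameters missing from site configuration");
    ((HttpServletResponse) servletResponse).sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    return;
}
final MD5Generator digestGenerator = new MD5Generator(secret);
// … unchanged: build protectedParameters from parameters.split(","), validate each protected parameter …
```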
Modified: branches/2.16/war/src/main/webapp/WEB-INF/web.xml
===================================================================
--- branches/2.16/war/src/main/webapp/WEB-INF/web.xml 2008-03-13 14:35:49 UTC
(rev 6255)
+++ branches/2.16/war/src/main/webapp/WEB-INF/web.xml 2008-03-13 14:41:50 UTC
(rev 6256)
@@ -53,14 +53,6 @@
<filter> <!-- TODO desparately needs sesat-ising. fortunately it's not a
required secret anymore. SEARCH-4366 -->
<filter-name>md5ProtectParameters</filter-name>
<filter-class>no.sesat.search.http.filters.MD5ProtectedParametersFilter</filter-class>
- <init-param>
- <param-name>secret</param-name>
- <param-value>S3SAM rockz</param-value>
- </init-param>
- <init-param>
- <param-name>protectedParameters</param-name>
- <param-value>companyId,personId,emailTo,rssPartnerId</param-value>
- </init-param>
</filter>
<filter>