Author: ssmiweve
Date: 2008-04-21 13:53:51 +0200 (Mon, 21 Apr 2008)
New Revision: 6515
Modified:
branches/2.17/war/src/main/java/no/sesat/search/http/filters/MD5ProtectedParametersFilter.java
Log:
fix to avoid NPE (when a skin doesn't set any md5. properties)
+ javadoc
Modified:
branches/2.17/war/src/main/java/no/sesat/search/http/filters/MD5ProtectedParametersFilter.java
===================================================================
---
branches/2.17/war/src/main/java/no/sesat/search/http/filters/MD5ProtectedParametersFilter.java
2008-04-21 11:38:39 UTC (rev 6514)
+++
branches/2.17/war/src/main/java/no/sesat/search/http/filters/MD5ProtectedParametersFilter.java
2008-04-21 11:53:51 UTC (rev 6515)
@@ -35,72 +35,73 @@
import javax.servlet.ServletResponse;
import org.apache.log4j.Logger;
-/**
- * @author <a href="mailto:[EMAIL PROTECTED]">Magnus Eklund</a>
- * @version <tt>$Revision$</tt>
+/** Generalised way to protect parameter values through md5 signings.
+ * A skin must define the properties (in configuration.properties):
+ * md5.secret and md5.protectedParameters
+ * Any secret can be chosen. Any parameter matches those listed in
md5.protectedParameters (separated by commas)
+ * are expected to have a paired parameter (called <parameterName>_x)
that represents the signing of the
+ * original parameter value. If this second parameter does not exist or it's
not an accurate signing of the original
+ * parameter then the request immediately returns with a 404 response error.
+ *
+ * @author <a href="mailto:[EMAIL PROTECTED]">Magnus Eklund</a>
+ * @version <tt>$Id$</tt>
*/
public final class MD5ProtectedParametersFilter implements Filter {
private static final Logger LOG =
Logger.getLogger(MD5ProtectedParametersFilter.class);
- /** [EMAIL PROTECTED] **/
public void init(final FilterConfig filterConfig) throws ServletException {
}
- /** [EMAIL PROTECTED] **/
public void doFilter(
final ServletRequest servletRequest,
final ServletResponse servletResponse,
final FilterChain filterChain) throws IOException,
ServletException {
final Enumeration e = servletRequest.getParameterNames();
-
+
if(servletRequest instanceof HttpServletRequest) {
- HttpServletRequest httpServletRequest = (HttpServletRequest)
servletRequest;
-
- DataModel datamodel =
(DataModel)httpServletRequest.getSession().getAttribute(DataModel.KEY);
- SiteConfiguration siteConfig =
datamodel.getSite().getSiteConfiguration();
-
- MD5Generator digestGenerator = new
MD5Generator(siteConfig.getProperty("md5.secret"));
-
- Map<String, Boolean> protectedParameters = new HashMap<String,
Boolean>();
- final String[] p =
siteConfig.getProperty("md5.protectedParameters").split(",");
- for (final String parameter : p) {
- LOG.info("Adding " + parameter + " as protected parameter");
- protectedParameters.put(parameter, Boolean.TRUE);
+ final HttpServletRequest httpServletRequest = (HttpServletRequest)
servletRequest;
+
+ final DataModel datamodel =
(DataModel)httpServletRequest.getSession().getAttribute(DataModel.KEY);
+ final SiteConfiguration siteConf =
datamodel.getSite().getSiteConfiguration();
+
+ if(null != siteConf.getProperty("md5.secret") && null !=
siteConf.getProperty("md5.protectedParameters")){
+
+ final MD5Generator generator = new
MD5Generator(siteConf.getProperty("md5.secret"));
+
+ final Map<String, Boolean> protectedParameters = new
HashMap<String, Boolean>();
+ final String[] p =
siteConf.getProperty("md5.protectedParameters").split(",");
+ for (final String parameter : p) {
+ LOG.info("Adding " + parameter + " as protected
parameter");
+ protectedParameters.put(parameter, Boolean.TRUE);
+ }
+
+ while (e.hasMoreElements()) {
+ final String paramName = (String) e.nextElement();
+
+ LOG.trace("Checking to see if " + paramName + " is
protected");
+
+ if (protectedParameters.containsKey(paramName)) {
+
+ LOG.trace(paramName + " is protected");
+
+ final String md5Param =
servletRequest.getParameter(paramName + "_x");
+
+ if (md5Param == null ||
!generator.validate(servletRequest.getParameter(paramName), md5Param)){
+ final HttpServletResponse response =
(HttpServletResponse) servletResponse;
+
response.sendError(HttpServletResponse.SC_NOT_FOUND);
+ return;
+ }
+ }
+ }
+
+ servletRequest.setAttribute("hashGenerator", generator);
}
-
- while (e.hasMoreElements()) {
- final String parameterName = (String) e.nextElement();
-
- if (LOG.isTraceEnabled()) {
- LOG.trace("Checking to see if " + parameterName + " is
protected");
- }
-
- if (protectedParameters.containsKey(parameterName)) {
-
- if (LOG.isTraceEnabled()) {
- LOG.trace(parameterName + " is protected");
- }
-
- final String md5Parameter =
servletRequest.getParameter(parameterName + "_x");
-
- if (md5Parameter == null
- ||
!digestGenerator.validate(servletRequest.getParameter(parameterName),
md5Parameter))
- {
- final HttpServletResponse response =
(HttpServletResponse) servletResponse;
-
response.sendError(HttpServletResponse.SC_NOT_FOUND);
- return;
- }
- }
- }
-
- servletRequest.setAttribute("hashGenerator", digestGenerator);
}
filterChain.doFilter(servletRequest, servletResponse);
}
- /** [EMAIL PROTECTED] **/
public void destroy() {
}
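Review bot: The new guard on the two md5.* properties makes a missing or mistyped configuration fail open: the whole signing block is skipped, every parameter is forwarded unchecked, and nothing is logged, so the loss of protection on a site is invisible to an operator. I would add an else branch on that guard, `} else { LOG.warn("md5.secret and/or md5.protectedParameters not set for this site; signed-parameter protection disabled"); }`, and read each property once into a local instead of calling `siteConf.getProperty(...)` three times. The log message promises an NPE fix, but `datamodel` is still dereferenced without a null check right after the session lookup — if `DataModel.KEY` can ever be absent from the session (cannot tell from here), that NPE remains. The rewrite also dropped the `LOG.isTraceEnabled()` guards that the old code had, so the trace strings are now concatenated for every parameter of every request.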