That works a treat. Fantastic. Thanks very much. 

-----Original Message-----
From: resin-interest-boun...@caucho.com
[mailto:resin-interest-boun...@caucho.com] On Behalf Of Aaron Freeman
Sent: 16 February 2009 17:04
To: 'General Discussion for the Resin application server'
Subject: Re: [Resin-interest] j_uri sanitising

Richard,

This is a guess on my part, but perhaps you want a Custom Security
Constraint.  

This page shows an example of setting up constraints:
http://my-messages.setar.aw/ref/security.xtp

So here is a tack you might try... I didn't try to compile this, so it's
probably loaded with errors:

package foo;

import java.io.IOException;
import java.util.ArrayList;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.caucho.server.security.AbstractConstraint;

public class SanitizedConstraint extends AbstractConstraint {

    // Exact request URIs that are allowed through; anything else gets a 403.
    private ArrayList<String> _validURIList = new ArrayList<String>();

    // Called by Resin for the validURI init-param: a comma-separated URI list.
    public void setValidURI(String validURIList) {
        String[] uriArray = validURIList.split(",");

        for (int index = 0; index < uriArray.length; index++) {
            // trim() so "/a, /b" works as well as "/a,/b"
            _validURIList.add(uriArray[index].trim());
        }
    }

    public boolean isAuthorized(HttpServletRequest request,
                                HttpServletResponse response,
                                ServletContext application)
        throws ServletException, IOException {

        for (String uri : _validURIList) {
            if (uri.equals(request.getRequestURI())) {
                return true;
            }
        }

        // SC_FORBIDDEN is a static constant; reference it via the class, not the instance.
        response.sendError(HttpServletResponse.SC_FORBIDDEN);

        return false;
    }
}

then the resin.xml's security-constraint might look like:

<security-constraint>
  <constraint>
    <class-name>foo.SanitizedConstraint</class-name>
    <!-- add any URIs you want to check here (param name matches setValidURI) -->
    <init-param validURI='/secure/index.jsp,/admin/page.html'/>
  </constraint>
  <web-resource-collection url-pattern='/*'/>
</security-constraint>

- Aaron

> -----Original Message-----
> From: resin-interest-boun...@caucho.com [mailto:resin-interest- 
> boun...@caucho.com] On Behalf Of Richard Grantham
> Sent: Monday, February 16, 2009 7:50 AM
> To: General Discussion for the Resin application server
> Subject: [Resin-interest] j_uri sanitising
> 
> Hi list,
> 
> Is it possible to inspect/manipulate the value of j_uri after it has 
> been posted to j_security_check and before it's acted upon on a 
> successful authentication? It has been suggested to us that 
> parameter-based redirection is something of a security risk, so if we 
> can ensure that the value of j_uri when posted conforms to certain 
> guidelines it would keep people happy.
> 
> rgds,
> 
> Richard
> 
> 
> 
> Richard Grantham
> Development
> 
> -------------------------------
> rgrant...@limehousesoftware.co.uk
> Limehouse Software Ltd
> 
> DDI: (020) 7566 3336
> Main: (020) 7566 3320
> Fax: (020) 7566 3321
> 
> Limehouse Software Ltd
> Bridewell Gate
> 9 Bridewell Place
> London
> EC4V 6AW
> 
> 
> _______________________________________________
> resin-interest mailing list
> resin-interest@caucho.com
> http://maillist.caucho.com/mailman/listinfo/resin-interest



_______________________________________________
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
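As an added example (not from this thread and not Resin's own code), here is a stricter check than an exact-match list for the j_uri question above: it accepts a j_uri value only when it is a normalised, relative path inside the application's own context path, and refuses absolute, protocol-relative, backslash, ".." and control-character variants, which are the forms that turn a parameter-based redirect into an off-site redirect. The class and method names are hypothetical, and calling it from a constraint's isAuthorized (with request.getParameter("j_uri") and request.getContextPath()) on the j_security_check request is an assumption about where Resin lets you intervene.

```java
package foo;

import java.net.URI;
import java.net.URISyntaxException;

// Hypothetical helper (not Resin code): decides whether a posted j_uri may be used
// as the post-login redirect target. Only a normalised, relative path inside the
// given context path is accepted; everything else yields null.
public final class ReturnPathValidator {

    // contextPath is "" for the root app or e.g. "/myapp" (request.getContextPath()).
    public static String safePath(String jUri, String contextPath) {
        if (jUri == null || jUri.isEmpty() || jUri.length() > 2048) {
            return null;
        }
        // "//host/x" is a protocol-relative URL; "\" is treated as "/" by some browsers.
        if (!jUri.startsWith("/") || jUri.startsWith("//") || jUri.indexOf('\\') >= 0) {
            return null;
        }
        URI uri;
        try {
            uri = new URI(jUri);
        } catch (URISyntaxException e) {
            return null; // malformed, including raw control characters or spaces
        }
        // A parsed scheme or authority means the value points off-site.
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            return null;
        }
        // getPath() decodes %xx escapes, so encoded "..", "\", CR or LF show up here.
        String path = uri.normalize().getPath();
        if (path == null || path.contains("..") || hasUnsafeChars(path)) {
            return null;
        }
        // Keep the redirect inside the application; query and fragment are dropped.
        boolean inside = path.equals(contextPath) || path.startsWith(contextPath + "/");
        return inside ? path : null;
    }

    private static boolean hasUnsafeChars(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x20 || c == 0x7f || c == '\\') {
                return true;
            }
        }
        return false;
    }
}
```

The value to redirect to is the returned, normalised path, not the raw parameter; a null result should be treated the same way Aaron's constraint treats an unlisted URI.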
