01: /*
02:
03: Licensed to the Apache Software Foundation (ASF) under one or more
04: contributor license agreements. See the NOTICE file distributed with
05: this work for additional information regarding copyright ownership.
06: The ASF licenses this file to You under the Apache License, Version 2.0
07: (the "License"); you may not use this file except in compliance with
08: the License. You may obtain a copy of the License at
09:
10: http://www.apache.org/licenses/LICENSE-2.0
11:
12: Unless required by applicable law or agreed to in writing, software
13: distributed under the License is distributed on an "AS IS" BASIS,
14: WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15: See the License for the specific language governing permissions and
16: limitations under the License.
17:
18: */
19: package org.apache.batik.bridge;
20:
21: import org.apache.batik.util.ParsedURL;
22:
23: /**
24: * Default implementation for the <tt>ScriptSecurity</tt> interface.
25: * It allows all types of scripts to be loaded, but only if they come from
26: * the same host as the document they are included in, or use a data: URL.
27: *
28: * @author <a href="mailto:vhardy@apache.org">Vincent Hardy</a>
29: * @version $Id: DefaultScriptSecurity.java 475477 2006-11-15 22:44:28Z cam $
30: */
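public class DefaultScriptSecurity implements ScriptSecurity {
    /** Protocol name that exempts a script URL from the same-host check. */
    public static final String DATA_PROTOCOL = "data";

    /**
     * Message key used when a script is about to be loaded and the
     * document does not have a URL.
     */
    public static final String ERROR_CANNOT_ACCESS_DOCUMENT_URL = "DefaultScriptSecurity.error.cannot.access.document.url";

    /**
     * Message key used when a script comes from a host other than the
     * document's host.
     */
    public static final String ERROR_SCRIPT_FROM_DIFFERENT_URL = "DefaultScriptSecurity.error.script.from.different.url";

    /**
     * Decision taken by the constructor: {@code null} when loading is
     * permitted, otherwise the exception that {@link #checkLoadScript()}
     * throws.
     */
    protected SecurityException se;

    /**
     * Controls whether the script should be loaded or not.
     *
     * @throws SecurityException if the script should not be loaded.
     */
    public void checkLoadScript() {
        if (se != null) {
            throw se;
        }
    }

    /**
     * Evaluates the load policy once, at construction time. The outcome is
     * stored and only reported when {@link #checkLoadScript()} is called.
     *
     * <p>A script is accepted when its host equals the document's host
     * (two absent hosts count as equal), when its URL equals the document
     * URL, or when its protocol is {@link #DATA_PROTOCOL}. Everything else,
     * including a missing document URL, is refused.</p>
     *
     * @param scriptType type of script, as found in the type attribute of
     *        the {@code <script>} element. Not consulted by this
     *        implementation.
     * @param scriptURL url for the script, as defined in the script's
     *        xlink:href attribute. If that attribute was empty, then this
     *        parameter should be null; a null URL is treated as having no
     *        host.
     * @param docURL url for the document into which the script was found.
     */
    public DefaultScriptSecurity(String scriptType,
                                 ParsedURL scriptURL,
                                 ParsedURL docURL) {
        if (docURL == null) {
            // No document URL means there is nothing to compare the script
            // against, so the load is refused.
            se = new SecurityException(Messages.formatMessage(
                    ERROR_CANNOT_ACCESS_DOCUMENT_URL,
                    new Object[] { scriptURL }));
            return;
        }

        String docHost = docURL.getHost();
        // scriptURL is documented as nullable. Dereferencing it
        // unconditionally threw a NullPointerException here and left the
        // null test further down unreachable.
        String scriptHost = (scriptURL == null) ? null : scriptURL.getHost();

        // NOTE(review): only the host names are compared. Protocol and port
        // are not, so this is narrower than a full origin comparison;
        // confirm that is acceptable for the deployment.
        boolean sameHost = (docHost == null)
                ? scriptHost == null
                : docHost.equals(scriptHost);
        if (sameHost) {
            return;
        }

        // Hosts differ. The script is still accepted when it is the document
        // itself or uses the data protocol.
        // NOTE(review): the data exemption applies whatever the document's
        // host is; a stricter ScriptSecurity implementation is needed where
        // that is not wanted.
        if (!docURL.equals(scriptURL)
                && (scriptURL == null
                    || !DATA_PROTOCOL.equals(scriptURL.getProtocol()))) {
            se = new SecurityException(Messages.formatMessage(
                    ERROR_SCRIPT_FROM_DIFFERENT_URL,
                    new Object[] { scriptURL }));
        }
    }
}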