001: /* ====================================================================
002: * The Jcorporate Apache Style Software License, Version 1.2 05-07-2002
003: *
004: * Copyright (c) 1995-2002 Jcorporate Ltd. All rights reserved.
005: *
006: * Redistribution and use in source and binary forms, with or without
007: * modification, are permitted provided that the following conditions
008: * are met:
009: *
010: * 1. Redistributions of source code must retain the above copyright
011: * notice, this list of conditions and the following disclaimer.
012: *
013: * 2. Redistributions in binary form must reproduce the above copyright
014: * notice, this list of conditions and the following disclaimer in
015: * the documentation and/or other materials provided with the
016: * distribution.
017: *
018: * 3. The end-user documentation included with the redistribution,
019: * if any, must include the following acknowledgment:
020: * "This product includes software developed by Jcorporate Ltd.
021: * (http://www.jcorporate.com/)."
022: * Alternately, this acknowledgment may appear in the software itself,
023: * if and wherever such third-party acknowledgments normally appear.
024: *
025: * 4. "Jcorporate" and product names such as "Expresso" must
026: * not be used to endorse or promote products derived from this
027: * software without prior written permission. For written permission,
028: * please contact info@jcorporate.com.
029: *
030: * 5. Products derived from this software may not be called "Expresso",
031: * or other Jcorporate product names; nor may "Expresso" or other
032: * Jcorporate product names appear in their name, without prior
033: * written permission of Jcorporate Ltd.
034: *
035: * 6. No product derived from this software may compete in the same
036: * market space, i.e. framework, without prior written permission
037: * of Jcorporate Ltd. For written permission, please contact
038: * partners@jcorporate.com.
039: *
040: * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
041: * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
042: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
043: * DISCLAIMED. IN NO EVENT SHALL JCORPORATE LTD OR ITS CONTRIBUTORS
044: * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
045: * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
046: * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
047: * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
048: * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
049: * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
050: * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
051: * SUCH DAMAGE.
052: * ====================================================================
053: *
054: * This software consists of voluntary contributions made by many
055: * individuals on behalf of the Jcorporate Ltd. Contributions back
056: * to the project(s) are encouraged when you make modifications.
057: * Please send them to support@jcorporate.com. For more information
058: * on Jcorporate Ltd. and its products, please see
059: * <http://www.jcorporate.com/>.
060: *
061: * Portions of this software are based upon other open source
062: * products and are subject to their respective licenses.
063: */
064:
065: package com.jcorporate.expresso.core.security.filters;
066:
067: import com.jcorporate.expresso.kernel.util.FastStringBuffer;
068: import org.apache.log4j.Logger;
069:
070: import java.util.HashMap;
071:
072: /**
073: * The primary purpose of this class is to filer out particular
074: * characters from a HTTP respone. The reason for this is that codes can be in-
075: * serted into a string that gets returned to a web browser, and these codes can
076: * cause the web browser to act on them in a way that is not as the site author
077: * inteded, and may be a breach of security. For more on these see:
078: * <a href="http://www.cert.org/tech_tips/malicious_code_mitigation.html">
079: * Understanding Malicious Content Mitigation for Web Developers</a>
080: * <p/>
081: * The Filtermanager implements filtering based upon a particular characterset.
082: * It maintains a list of all filters that have been used since the initialization
083: * of the class. When a particular filter is requested, the manager checks to see
084: * if that particular filter has been loaded. If not, it loads it and stores a
085: * reference to it in filterList. Since the number of different charactersets are
086: * actually probably fairly small for most applications, this list is never cleaned
087: * out until the class is gc'ed. If this becomes a problem, we can implement a
088: * caching system that clears out the least frequently used characterset filters.
089: *
090: * @author Michael Rimov
091: * @since Expresso 3
092: */
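public class FilterManager {
    static private FilterManager theManager;

    /**
     * Cache of instantiated filters, keyed by the filter class's fully qualified
     * name. The manager is a process-wide singleton (see {@link #getInstance()}),
     * so this map is shared by every caller; all reads and writes go through
     * {@link #getFilter(Class)}, which synchronizes on the map itself.
     */
    private final HashMap filterList;
    private static Logger log = Logger.getLogger(FilterManager.class);

    /**
     * Replace control characters with appropriate values, protect against XSS attacks
     */
    public static final String STANDARD_FILTER = "standardFilter";
    /**
     * Strip out any unwanted characters, but do not replace them with anything
     */
    public static final String STRIP_FILTER = "stripFilter";
    /**
     * Don't do anything. The input is handed to the filter's rawFilter method,
     * which by contract does not encode or strip anything, so this mode offers
     * no protection against script injection and must only be used for content
     * the caller already knows to be safe for the response.
     */
    public static final String RAW_FILTER = "rawFilter";

    /**
     * Manager for filters. Filters are named for their character sets,
     * generally speaking. Note that "standardFilter" is not a filter, but
     * rather a command to a filter (called a "filterType").
     * A common filter is ISO_8859_1.
     * <p/>
     * Prefer {@link #getInstance()} over constructing the manager directly, so
     * that all callers share one filter cache.
     *
     * @see Filter
     */
    public FilterManager() {
        // Keyed by the filter class name (Class.getName()); the value is the
        // instantiated Filter. The number of distinct filters in an application
        // is small, so a tiny initial capacity is sufficient.
        filterList = new HashMap(3);
    } /* FilterManager() */

    /**
     * The singleton implementation. Use getInstance to get an instance of
     * the one and only FilterManager instance. If one does not yet exist, then
     * it is automatically instantiated.
     * <p/>
     * The method is synchronized so that concurrent first callers cannot create
     * two managers (and therefore two independent filter caches).
     *
     * @return A handle to the one and only FilterManager instance.
     */
    synchronized static public FilterManager getInstance() {
        if (theManager == null) {
            theManager = new FilterManager();
        }

        return theManager;
    } /* getInstance() */

    /**
     * Adds class com.jcorporate.expresso.core.security.filters. to the prefix of
     * the classname. <br>
     * <p/>
     * Changes all hyphens to underscores.<p>
     * <p/>
     * <B>Example</B><p>
     * Input: ISO-8859-1
     * Output: com.jcorporate.expresso.core.security.filters.ISO_8859_1
     * <p/>
     * NOTE(review): this helper currently has no callers within this class. If it
     * is ever wired to Class.forName(), the character set name must come from a
     * trusted source (e.g. configuration), never from request data, because it
     * would then select which class gets loaded.
     *
     * @param characterSetName The name of the characterset to get the filter for.
     * @return The String of the full name to the class
     */
    private String prepareFilterClassName(String characterSetName) {
        char c;
        int length = characterSetName.length();
        FastStringBuffer result = FastStringBuffer.getInstance();
        String returnValue = null;
        try {
            result
                    .append("com.jcorporate.expresso.core.security.filters.");
            for (int i = 0; i < length; i++) {
                c = characterSetName.charAt(i);
                result.append((c == '-') ? '_' : c);
            }
            returnValue = result.toString();
        } finally {
            // FastStringBuffer instances are pooled; always hand this one back.
            result.release();
            result = null;
        }

        return returnValue;
    } /* prepareFilterClassName(String) */

    /**
     * The method that does the actual string filtering.
     * <p/>
     * This method fails closed: if the requested filter class cannot be
     * instantiated, an exception is thrown rather than returning the
     * unfiltered input, so that a misconfigured filter can never cause
     * unescaped data to reach the HTTP response.
     *
     * @param data The string to filter.
     * @param filterClass the class implementing Filter; class name will be used to hash an instance of this filter within FilterManager; use NULL to get default filtering
     * @param filterMethod one of three filter methods, supported by all filters: <br>
     *                     (1) "standardFilter" - Replace control characters with
     *                     appropriate values.
     *                     (2) "rawFilter" - Don't strip out any control characters
     *                     (3) "stripFilter" - Strip out all control characters
     *                     (these strings are defined as static final constants on this object)
     * @return The string after it has been filtered, or null if data is null
     * @throws IllegalArgumentException if filterMethod is not one of the three
     *                                  supported methods, or filterClass does not
     *                                  implement Filter
     * @throws Exception                for any other exception related to loading
     *                                  the specific filter class (for example the
     *                                  class or its no-argument constructor is not
     *                                  accessible, or it cannot be instantiated)
     */
    public String filterString(String data, Class filterClass,
                               String filterMethod) throws IllegalArgumentException,
            Exception {
        if (data == null) {
            return null;
        }

        if (filterClass == null) {
            filterClass = HtmlFilter.class;
        }

        Filter f = getFilter(filterClass);

        //
        // Once we have the filter, dispatch on the requested filter method.
        //
        if (STANDARD_FILTER.equalsIgnoreCase(filterMethod)) {
            return f.standardFilter(data);
        } else if (STRIP_FILTER.equalsIgnoreCase(filterMethod)) {
            return f.stripFilter(data);
        } else if (RAW_FILTER.equalsIgnoreCase(filterMethod)) {
            return f.rawFilter(data);
        } else {
            throw new IllegalArgumentException(
                    "Undefined Filter Method: " + filterMethod);
        }
    }

    /**
     * Looks up the cached Filter for the given class, instantiating and caching
     * it on first use.
     * <p/>
     * The class is checked against {@link Filter} <em>before</em> it is
     * instantiated: reflectively constructing an arbitrary class only to fail
     * the cast afterwards would run that class's constructor for nothing.
     * Cache access is synchronized on the map because the manager is a shared
     * singleton and HashMap is not safe for concurrent modification.
     *
     * @param filterClass the (non-null) class implementing Filter
     * @return the shared Filter instance for that class
     * @throws IllegalArgumentException if filterClass does not implement Filter
     * @throws Exception                if the class cannot be instantiated; the
     *                                  failure is logged with the class name and
     *                                  then propagated so the caller does not
     *                                  silently receive unfiltered data
     */
    private Filter getFilter(Class filterClass) throws Exception {
        if (!Filter.class.isAssignableFrom(filterClass)) {
            throw new IllegalArgumentException("Classes used for filters must extend "
                    + Filter.class.getName() + ": " + filterClass.getName());
        }

        String key = filterClass.getName();

        synchronized (filterList) {
            Filter f = (Filter) filterList.get(key);

            // Not loaded before: instantiate it and remember it for next time.
            if (f == null) {
                try {
                    f = (Filter) filterClass.newInstance();
                } catch (IllegalAccessException ex) {
                    log.error("Unable to access Filter class " + key
                            + ": the class and its no-argument constructor must be "
                            + "accessible (check class visibility and any security manager)",
                            ex);
                    throw ex;
                } catch (InstantiationException ex) {
                    log.error("Unable to instantiate Filter class " + key, ex);
                    throw ex;
                }
                filterList.put(key, f);
            }

            return f;
        }
    }

} /* FilterManager */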
|