
Example 1 with ResourceValidator

Use of com.liferay.faces.util.application.ResourceValidator in the project liferay-faces-bridge-impl by liferay.

The class ResourceHandlerInnerImpl, method handleResourceRequest.

/**
 * Serves a Faces resource request only after the {@link ResourceValidator} has accepted it.
 *
 * <p>The resource is identified by the {@code javax.faces.resource} and {@code ln} (library)
 * request parameters; a missing parameter is treated as the empty string. The validator is
 * consulted for a banned path, a banned sequence, a Facelet document, an invalid resource name
 * and an invalid library name, in that order. The first failing check is logged at WARN level
 * and the response status is set to {@code 404 Not Found}; only a request that passes every
 * check is delegated to the wrapped handler.</p>
 *
 * @param facesContext the current Faces context, used to reach the request parameters and
 *     the response
 * @throws IOException if the wrapped handler fails while serving the resource
 */
@Override
public void handleResourceRequest(FacesContext facesContext) throws IOException {
    ExternalContext externalContext = facesContext.getExternalContext();
    Map<String, String> requestParameterMap = externalContext.getRequestParameterMap();

    String rawResourceName = requestParameterMap.get("javax.faces.resource");
    String resourceName = (rawResourceName == null) ? "" : rawResourceName;

    String rawLibraryName = requestParameterMap.get("ln");
    String libraryName = (rawLibraryName == null) ? "" : rawLibraryName;

    // The validator works on the combined "library/resource" identifier.
    String resourceId = libraryName + "/" + resourceName;
    ResourceValidator resourceValidator =
        ResourceValidatorFactory.getResourceValidatorInstance(externalContext);

    // Evaluate the checks in order; the first failure decides which warning is logged and which
    // value is reported in it. Once one check has failed, the remaining ones are not evaluated.
    String rejectionMessage = null;
    String rejectedValue = resourceId;

    if (resourceValidator.containsBannedPath(resourceId)) {
        rejectionMessage = "Invalid path for resourceId=[{0}]";
    }
    else if (resourceValidator.isBannedSequence(resourceId)) {
        rejectionMessage = "Invalid sequence for resourceId=[{0}]";
    }
    else if (resourceValidator.isFaceletDocument(facesContext, resourceId)) {
        rejectionMessage = "Invalid request for Facelet document resourceId=[{0}]";
    }
    else if (!resourceValidator.isValidResourceName(resourceName)) {
        rejectionMessage = "Invalid request due to invalid resourceName=[{0}]";
        rejectedValue = resourceName;
    }
    else if (!resourceValidator.isValidLibraryName(libraryName)) {
        rejectionMessage = "Invalid request due to invalid libraryName=[{0}]";
        rejectedValue = libraryName;
    }

    if (rejectionMessage == null) {
        // Every check passed: let the wrapped handler copy the resource to the response.
        super.handleResourceRequest(facesContext);
    }
    else {
        // Rejected: say why in the log and answer 404 without writing the resource.
        logger.warn(rejectionMessage, rejectedValue);
        externalContext.setResponseStatus(HttpServletResponse.SC_NOT_FOUND);
    }
}

Example 2 with ResourceValidator

Use of com.liferay.faces.util.application.ResourceValidator in the project liferay-faces-bridge-impl by liferay.

The class BridgePhaseResourceImpl, method execute.

/**
 * Executes the portlet RESOURCE_PHASE for this bridge instance.
 *
 * <p>Three kinds of requests are distinguished below: JSF2 resource requests, which are handed to
 * the Faces resource handler; non-Faces resource requests (a non-null resource ID other than
 * {@code "wsrp"}), which are validated and, if automatic resource dispatching is enabled, forwarded
 * through the portlet request dispatcher; and everything else, which is treated as an Ajax
 * (partial-submit) request and runs the full Faces lifecycle including RENDER_RESPONSE.</p>
 *
 * <p>Every {@link Throwable} raised inside the try block is rethrown as a {@link BridgeException};
 * {@code cleanup(resourceRequest)} always runs afterwards.</p>
 *
 * @throws BridgeDefaultViewNotSpecifiedException declared by the bridge phase contract; it does not
 *     appear to be thrown from this body, since the try block wraps everything in a BridgeException
 * @throws BridgeException wrapping any failure that occurs during the resource phase
 */
@Override
public void execute() throws BridgeDefaultViewNotSpecifiedException, BridgeException {
    logger.debug(Logger.SEPARATOR);
    logger.debug("execute(ResourceRequest, ResourceResponse) portletName=[{0}]", portletName);
    try {
        init(resourceRequest, resourceResponse, Bridge.PortletPhase.RESOURCE_PHASE);
        // If the request is a JSF2 resource request, then
        if (isJSF2ResourceRequest(facesContext)) {
            logger.debug("Detected JSF2 resource request");
            // Ask the Faces resource handler to copy the contents of the resource to the response.
            handleJSF2ResourceRequest(facesContext);
        } else if ((resourceRequest.getResourceID() != null) && !resourceRequest.getResourceID().equals("wsrp")) {
            logger.debug("Detected non-Faces resource");
            String resourceId = resourceRequest.getResourceID();
            // Non-Faces resources are only served when the portlet opts in via this init parameter
            // (compared case-insensitively against "true").
            String autoResourceDispatch = portletConfig.getInitParameter("javax.portlet.automaticResourceDispatching");
            if ((autoResourceDispatch != null) && autoResourceDispatch.equalsIgnoreCase("true")) {
                ExternalContext externalContext = facesContext.getExternalContext();
                ResourceValidator resourceValidator = ResourceValidatorFactory.getResourceValidatorInstance(externalContext);
                // If the resourceId contains a banned path, then do not serve the resource.
                if (resourceValidator.containsBannedPath(resourceId)) {
                    // Simulate Liferay Portal's behavior for containers like Pluto. Unlike every other
                    // rejection in this method, this one reports SC_OK (200) rather than SC_NOT_FOUND;
                    // the resource is still not served.
                    logger.warn("Invalid request for resource with banned path: resourceId=[{0}]", resourceId);
                    externalContext.setResponseStatus(HttpServletResponse.SC_OK);
                } else // Otherwise, if the resourceId contains a banned sequence, then do not serve the resource.
                if (resourceValidator.isBannedSequence(resourceId)) {
                    logger.warn("Invalid request for resource with banned sequence: resourceId=[{0}]", resourceId);
                    externalContext.setResponseStatus(HttpServletResponse.SC_NOT_FOUND);
                } else // Otherwise, if the resourceId targets a Facelet document, then do not serve the resource.
                if (resourceValidator.isFaceletDocument(facesContext, resourceId)) {
                    logger.warn("Invalid request for Facelet document: resourceId=[{0}]", resourceId);
                    externalContext.setResponseStatus(HttpServletResponse.SC_NOT_FOUND);
                } else // Otherwise,
                {
                    // Sanitize the resource path by removing special characters that indicate URL fragments, URL
                    // query-strings, etc. Only the first occurrence of each separator is used, and the remainder
                    // of the string is cut off from there.
                    // NOTE(review): a separator found at index 0 is not stripped (pos > 0), so a resourceId that
                    // begins with one of URL_SEPARATOR_CHARS reaches the checks below unchanged -- confirm intended.
                    String resourcePath = resourceId;
                    for (String urlSeparatorChar : URL_SEPARATOR_CHARS) {
                        int pos = resourcePath.indexOf(urlSeparatorChar);
                        if (pos > 0) {
                            resourcePath = resourcePath.substring(0, pos);
                        }
                    }
                    // If nothing is left after sanitizing, then the resource cannot be served. On Liferay Portal
                    // this is presumably the result of the portlet.resource.id.banned.paths.regexp property
                    // having been enforced, so only a warning is logged there; elsewhere the response is a 404.
                    if (resourcePath.trim().length() == 0) {
                        final Product LIFERAY_PORTAL = ProductFactory.getProductInstance(externalContext, Product.Name.LIFERAY_PORTAL);
                        if (LIFERAY_PORTAL.isDetected()) {
                            logger.warn("Invalid request for resourceId=[] possibly due to Liferay Portal enforcing the portlet.resource.id.banned.paths.regexp property.");
                        } else {
                            logger.warn("Invalid request for resourceId=[].");
                            externalContext.setResponseStatus(HttpServletResponse.SC_NOT_FOUND);
                        }
                    } else // Otherwise,
                    {
                        // If the sanitized resourcePath refers back to this portlet itself (self-referencing),
                        // then do not serve the resource.
                        if (resourceValidator.isSelfReferencing(facesContext, resourcePath)) {
                            logger.warn("Invalid request for resource that is self-referencing: resourceId=[{0}]", resourceId);
                            externalContext.setResponseStatus(HttpServletResponse.SC_NOT_FOUND);
                        } else // Otherwise,
                        {
                            // If the resourceId maps to the FacesServlet, then do not serve the resource.
                            // The explicit extension mapping is checked first, then the path mapping.
                            boolean mappedToFacesServlet = false;
                            ConfiguredServletMapping explicitFacesServletExtensionMapping = getExplicitFacesServletExtensionMapping(resourcePath);
                            if (explicitFacesServletExtensionMapping != null) {
                                logger.warn("Invalid request for resource that is EXPLICITLY extension-mapped to the FacesServlet: resourceId=[{0}] resourcePath=[{1}] servlet-mapping extension=[{2}]", resourceId, resourcePath, explicitFacesServletExtensionMapping.getExtension());
                                mappedToFacesServlet = true;
                                externalContext.setResponseStatus(HttpServletResponse.SC_NOT_FOUND);
                            } else {
                                // NOTE(review): this check receives the raw resourceId, whereas the extension check
                                // above receives the sanitized resourcePath -- confirm the asymmetry is intended.
                                ConfiguredServletMapping facesServletPathMapping = getFacesServletPathMapping(resourceId);
                                if (facesServletPathMapping != null) {
                                    logger.warn("Invalid request for resource that is path-mapped to the FacesServlet: resourceId=[{0}] resourcePath=[{1}] servlet-mapping url-pattern=[{2}]", resourceId, resourcePath, facesServletPathMapping.getUrlPattern());
                                    mappedToFacesServlet = true;
                                    externalContext.setResponseStatus(HttpServletResponse.SC_NOT_FOUND);
                                }
                            }
                            // Otherwise, attempt to serve the resource. Note that the forward targets the original
                            // resourceId, not the sanitized resourcePath that the checks above operated on.
                            if (!mappedToFacesServlet) {
                                PortletRequestDispatcher portletRequestDispatcher = portletContext.getRequestDispatcher(resourceId);
                                if (portletRequestDispatcher != null) {
                                    portletRequestDispatcher.forward(resourceRequest, resourceResponse);
                                } else {
                                    logger.warn("Request for non-Faces resource=[{0}] but request dispatcher was null.", resourceId);
                                    externalContext.setResponseStatus(HttpServletResponse.SC_NOT_FOUND);
                                }
                            }
                        }
                    }
                }
            } else {
                // Automatic dispatching is off: log only; the response status is left untouched here.
                logger.warn("Request for non-Faces resource=[{0}] but automatic dispatching is disabled.", resourceId);
            }
        } else // Otherwise, must be an Ajax (partial-submit) request. Though technically a postback type of request,
        // Ajax requests also utilize the portlet RESOURCE_PHASE. Therefore treat it like a postback, and
        // execute the entire Faces lifecycle: RESTORE_VIEW, APPLY_REQUEST_VALUES, PROCESS_VALIDATIONS,
        // UPDATE_MODEL, INVOKE_APPLICATION.
        {
            ExternalContext externalContext = facesContext.getExternalContext();
            // The Ajax parameter is only inspected for the debug message; it does not change the flow.
            if (logger.isDebugEnabled()) {
                String facesAjaxParameter = externalContext.getRequestParameterMap().get(Bridge.FACES_AJAX_PARAMETER);
                if (BooleanHelper.isTrueToken(facesAjaxParameter)) {
                    logger.debug("Detected Ajax ResourceRequest");
                } else {
                    logger.debug("Detected Non-Ajax ResourceRequest");
                }
            }
            String viewId = getFacesViewId(externalContext);
            logger.debug("Running Faces lifecycle for viewId=[{0}]", viewId);
            // Attach the JSF 2.2 client window to the JSF lifecycle so that Faces Flows can be utilized.
            attachClientWindowToLifecycle(facesContext, facesLifecycle);
            // Execute the JSF lifecycle.
            facesLifecycle.execute(facesContext);
            // Also execute the RENDER_RESPONSE phase of the Faces lifecycle, which will ultimately return a
            // DOM-update back to the jsf.js Javascript code that issued the XmlHttpRequest in the first place.
            facesLifecycle.render(facesContext);
            // If the bridge request scope is in use for Ajax requests (presumably governed by the
            // "javax.portlet.faces.BRIDGE_REQUEST_SCOPE_AJAX_ENABLED" configuration parameter and reflected
            // here by a non-null bridgeRequestScope -- verify against where the field is set), then
            if (bridgeRequestScope != null) {
                // PROPOSED-FOR-BRIDGE3-API: https://issues.apache.org/jira/browse/PORTLETBRIDGE-202
                bridgeRequestScope.setPortletMode(resourceRequest.getPortletMode());
                // TCK: nonFacesResourceTest
                // TCK: resourceAttrRetainedAfterRedisplayPPRTest -- Preserve the non-excluded request
                // attributes in the BridgeRequestScope so that they can be restored in subsequent render requests.
                bridgeRequestScope.saveState(facesContext);
                maintainBridgeRequestScope(resourceRequest, resourceResponse, BridgeRequestScope.Transport.PORTLET_SESSION_ATTRIBUTE);
            }
            // Spec 6.6 (Namespacing)
            indicateNamespacingToConsumers(facesContext.getViewRoot(), resourceResponse);
        }
    } catch (Throwable t) {
        // Every failure, including Errors, is surfaced to the caller as a BridgeException with the
        // original throwable preserved as its cause.
        throw new BridgeException(t);
    } finally {
        // Runs on both the success and the failure path.
        cleanup(resourceRequest);
    }
    logger.debug(Logger.SEPARATOR);
}
