
Example 66 with HttpServletRequest

use of javax.servlet.http.HttpServletRequest in project hive by apache.

the class Utils method doXsrfFilter.

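/**
 * Applies the XSRF header check to a single request without going through the
 * servlet filter chain; the logic mirrors the filter holder above and is meant
 * for code paths that do not run as a filter.
 * <p>
 * A request passes when its HTTP method is in {@code methodsToIgnore} or when it
 * carries the {@code headerName} header (any value is accepted). Otherwise a
 * 400 response is sent and the caller must stop processing the request.
 *
 * @param request         the incoming request; must be an {@link HttpServletRequest}
 * @param response        the response; must be an {@link HttpServletResponse}
 * @param methodsToIgnore HTTP methods exempt from the check, or {@code null} to
 *                        use {@code XSRF_METHODS_TO_IGNORE_DEFAULT}
 * @param headerName      name of the required header, or {@code null} to use
 *                        {@code XSRF_HEADER_DEFAULT}
 * @return {@code true} if the request may proceed, {@code false} if it was
 *         rejected (the error response has already been sent)
 * @throws IOException      if sending the error response fails
 * @throws ServletException declared for parity with the filter entry point
 */
public static boolean doXsrfFilter(ServletRequest request, ServletResponse response, Set<String> methodsToIgnore, String headerName) throws IOException, ServletException {
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    // Resolve defaults into locals instead of reassigning the parameters.
    Set<String> exemptMethods = (methodsToIgnore == null) ? XSRF_METHODS_TO_IGNORE_DEFAULT : methodsToIgnore;
    String requiredHeader = (headerName == null) ? XSRF_HEADER_DEFAULT : headerName;
    // Presence of the header is the whole check; its value is not inspected.
    if (exemptMethods.contains(httpRequest.getMethod()) || httpRequest.getHeader(requiredHeader) != null) {
        return true;
    }
    // sendError commits the response; per the servlet API the response must not be
    // written to afterwards (containers discard or reject the write), so the header
    // name is carried in the error message instead of a trailing println().
    ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST,
            "Missing Required Header for Vulnerability Protection: XSRF filter denial, requests must contain header : " + requiredHeader);
    return false;
}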

Example 67 with HttpServletRequest

use of javax.servlet.http.HttpServletRequest in project hbase by apache.

the class TestHtmlQuoting method testRequestQuoting.

@Test
public void testRequestQuoting() throws Exception {
    // The quoter wraps a stubbed request and must HTML-escape every parameter
    // value it hands out, while passing absent parameters through as null.
    HttpServletRequest stubbed = Mockito.mock(HttpServletRequest.class);
    HttpServer.QuotingInputFilter.RequestQuoter wrapped = new HttpServer.QuotingInputFilter.RequestQuoter(stubbed);

    // Single value: '<' is escaped.
    Mockito.when(stubbed.getParameter("x")).thenReturn("a<b");
    assertEquals("Test simple param quoting", "a&lt;b", wrapped.getParameter("x"));

    // Absent single value: no NPE, null comes back unchanged.
    Mockito.when(stubbed.getParameter("x")).thenReturn(null);
    assertEquals("Test that missing parameters dont cause NPE", null, wrapped.getParameter("x"));

    // Multi-valued parameter: each element is escaped independently.
    Mockito.when(stubbed.getParameterValues("x")).thenReturn(new String[] { "a<b", "b" });
    assertArrayEquals("Test escaping of an array", new String[] { "a&lt;b", "b" }, wrapped.getParameterValues("x"));

    // Absent multi-valued parameter: null array comes back unchanged.
    Mockito.when(stubbed.getParameterValues("x")).thenReturn(null);
    assertArrayEquals("Test that missing parameters dont cause NPE for array", null, wrapped.getParameterValues("x"));
}

Example 68 with HttpServletRequest

use of javax.servlet.http.HttpServletRequest in project hbase by apache.

the class TestHttpServer method testRequestQuoterWithNull.

@Test
public void testRequestQuoterWithNull() throws Exception {
    // A parameter with no values must come back as null from the quoter, not
    // as an empty array and not as an exception.
    HttpServletRequest stubbedRequest = Mockito.mock(HttpServletRequest.class);
    Mockito.when(stubbedRequest.getParameterValues("dummy")).thenReturn(null);
    String[] quotedValues = new RequestQuoter(stubbedRequest).getParameterValues("dummy");
    Assert.assertNull("It should return null " + "when there are no values for the parameter", quotedValues);
}

Example 69 with HttpServletRequest

use of javax.servlet.http.HttpServletRequest in project hbase by apache.

the class TestHttpServer method testHasAdministratorAccess.

@Test
public void testHasAdministratorAccess() throws Exception {
    // Walks hasAdministratorAccess through the four combinations the method
    // distinguishes: authorization off, no remote user, no ACL configured, and
    // an ACL that rejects or accepts the user. A fresh response mock is used for
    // every call so that the sendError verification applies to one call only.
    Configuration conf = new Configuration();
    conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false);

    ServletContext ctx = Mockito.mock(ServletContext.class);
    Mockito.doReturn(conf).when(ctx).getAttribute(HttpServer.CONF_CONTEXT_ATTRIBUTE);
    Mockito.doReturn(null).when(ctx).getAttribute(HttpServer.ADMINS_ACL);

    HttpServletRequest req = Mockito.mock(HttpServletRequest.class);
    Mockito.doReturn(null).when(req).getRemoteUser();

    // Authorization off: everyone is an administrator.
    HttpServletResponse resp = Mockito.mock(HttpServletResponse.class);
    Assert.assertTrue(HttpServer.hasAdministratorAccess(ctx, req, resp));

    // Authorization on, unauthenticated request: rejected with 401.
    conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, true);
    resp = Mockito.mock(HttpServletResponse.class);
    Assert.assertFalse(HttpServer.hasAdministratorAccess(ctx, req, resp));
    Mockito.verify(resp).sendError(Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED), Mockito.anyString());

    // Authorization on, authenticated user, no admin ACL configured: allowed.
    Mockito.doReturn("foo").when(req).getRemoteUser();
    resp = Mockito.mock(HttpServletResponse.class);
    Assert.assertTrue(HttpServer.hasAdministratorAccess(ctx, req, resp));

    // Authorization on, admin ACL present, user not in it: rejected with 401.
    AccessControlList adminAcl = Mockito.mock(AccessControlList.class);
    Mockito.when(adminAcl.isUserAllowed(Mockito.<UserGroupInformation>any())).thenReturn(false);
    Mockito.doReturn(adminAcl).when(ctx).getAttribute(HttpServer.ADMINS_ACL);
    resp = Mockito.mock(HttpServletResponse.class);
    Assert.assertFalse(HttpServer.hasAdministratorAccess(ctx, req, resp));
    Mockito.verify(resp).sendError(Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED), Mockito.anyString());

    // Authorization on, admin ACL present, user in it: allowed.
    Mockito.when(adminAcl.isUserAllowed(Mockito.<UserGroupInformation>any())).thenReturn(true);
    Mockito.doReturn(adminAcl).when(ctx).getAttribute(HttpServer.ADMINS_ACL);
    resp = Mockito.mock(HttpServletResponse.class);
    Assert.assertTrue(HttpServer.hasAdministratorAccess(ctx, req, resp));
}

Example 70 with HttpServletRequest

use of javax.servlet.http.HttpServletRequest in project tomcat by apache.

the class RequestDumperFilter method doFilter.

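/**
 * Log the interesting request parameters, invoke the next Filter in the
 * sequence, and log the interesting response parameters.
 * <p>
 * Every request header and cookie is written to the log verbatim, so the
 * output can contain credentials and session identifiers; this filter is a
 * debugging aid and the log destination should be protected accordingly.
 * Non-HTTP requests and responses get a placeholder line for each HTTP-only
 * attribute so the log layout stays the same.
 *
 * @param request  The servlet request to be processed
 * @param response The servlet response to be created
 * @param chain    The filter chain being processed
 *
 * @exception IOException if an input/output error occurs
 * @exception ServletException if a servlet error occurs
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    // Null when the request/response is not HTTP; the helpers log placeholders then.
    HttpServletRequest hRequest = (request instanceof HttpServletRequest) ? (HttpServletRequest) request : null;
    HttpServletResponse hResponse = (response instanceof HttpServletResponse) ? (HttpServletResponse) response : null;

    // Log pre-service information
    logRequest(request, hRequest);
    // Perform the request
    chain.doFilter(request, response);
    // Log post-service information
    logResponse(response, hRequest, hResponse);
}

/**
 * Logs the request attributes available before the chain runs.
 *
 * @param request  the request being dumped
 * @param hRequest the same request as an {@link HttpServletRequest}, or
 *                 {@code null} when it is not an HTTP request
 */
private void logRequest(ServletRequest request, HttpServletRequest hRequest) {
    doLog("START TIME        ", getTimestamp());
    if (hRequest == null) {
        doLog("        requestURI", NON_HTTP_REQ_MSG);
        doLog("          authType", NON_HTTP_REQ_MSG);
    } else {
        doLog("        requestURI", hRequest.getRequestURI());
        doLog("          authType", hRequest.getAuthType());
    }
    doLog(" characterEncoding", request.getCharacterEncoding());
    doLog("     contentLength", Long.toString(request.getContentLengthLong()));
    doLog("       contentType", request.getContentType());
    if (hRequest == null) {
        doLog("       contextPath", NON_HTTP_REQ_MSG);
        doLog("            cookie", NON_HTTP_REQ_MSG);
        doLog("            header", NON_HTTP_REQ_MSG);
    } else {
        doLog("       contextPath", hRequest.getContextPath());
        logCookies(hRequest);
        logRequestHeaders(hRequest);
    }
    doLog("            locale", request.getLocale().toString());
    doLog("            method", hRequest == null ? NON_HTTP_REQ_MSG : hRequest.getMethod());
    logParameters(request);
    doLog("          pathInfo", hRequest == null ? NON_HTTP_REQ_MSG : hRequest.getPathInfo());
    doLog("          protocol", request.getProtocol());
    doLog("       queryString", hRequest == null ? NON_HTTP_REQ_MSG : hRequest.getQueryString());
    doLog("        remoteAddr", request.getRemoteAddr());
    doLog("        remoteHost", request.getRemoteHost());
    if (hRequest == null) {
        doLog("        remoteUser", NON_HTTP_REQ_MSG);
        doLog("requestedSessionId", NON_HTTP_REQ_MSG);
    } else {
        doLog("        remoteUser", hRequest.getRemoteUser());
        doLog("requestedSessionId", hRequest.getRequestedSessionId());
    }
    doLog("            scheme", request.getScheme());
    doLog("        serverName", request.getServerName());
    doLog("        serverPort", Integer.toString(request.getServerPort()));
    doLog("       servletPath", hRequest == null ? NON_HTTP_REQ_MSG : hRequest.getServletPath());
    doLog("          isSecure", Boolean.toString(request.isSecure()));
    doLog("------------------", "--------------------------------------------");
}

/**
 * Logs one {@code name=value} line per cookie, values unmasked.
 *
 * @param hRequest the HTTP request whose cookies are dumped
 */
private void logCookies(HttpServletRequest hRequest) {
    Cookie[] cookies = hRequest.getCookies();
    if (cookies == null) {
        return;
    }
    for (Cookie cookie : cookies) {
        doLog("            cookie", cookie.getName() + "=" + cookie.getValue());
    }
}

/**
 * Logs one {@code name=value} line per header value; a header sent several
 * times produces several lines.
 *
 * @param hRequest the HTTP request whose headers are dumped
 */
private void logRequestHeaders(HttpServletRequest hRequest) {
    Enumeration<String> hnames = hRequest.getHeaderNames();
    while (hnames.hasMoreElements()) {
        String hname = hnames.nextElement();
        Enumeration<String> hvalues = hRequest.getHeaders(hname);
        while (hvalues.hasMoreElements()) {
            doLog("            header", hname + "=" + hvalues.nextElement());
        }
    }
}

/**
 * Logs each parameter as {@code name=v1, v2, ...}.
 *
 * @param request the request whose parameters are dumped
 */
private void logParameters(ServletRequest request) {
    Enumeration<String> pnames = request.getParameterNames();
    while (pnames.hasMoreElements()) {
        String pname = pnames.nextElement();
        StringBuilder line = new StringBuilder(pname).append('=');
        String[] pvalues = request.getParameterValues(pname);
        // Defensive: a listed name should always have values, but a null array
        // must not abort the dump of the remaining parameters.
        if (pvalues != null) {
            for (int i = 0; i < pvalues.length; i++) {
                if (i > 0) {
                    line.append(", ");
                }
                line.append(pvalues[i]);
            }
        }
        doLog("         parameter", line.toString());
    }
}

/**
 * Logs the response attributes once the chain has completed.
 *
 * @param response  the response being dumped
 * @param hRequest  the HTTP request, or {@code null} for a non-HTTP request
 * @param hResponse the HTTP response, or {@code null} for a non-HTTP response
 */
private void logResponse(ServletResponse response, HttpServletRequest hRequest, HttpServletResponse hResponse) {
    doLog("------------------", "--------------------------------------------");
    // authType and remoteUser are logged again here, presumably because the
    // chain may have authenticated the request after the pre-service dump.
    doLog("          authType", hRequest == null ? NON_HTTP_REQ_MSG : hRequest.getAuthType());
    doLog("       contentType", response.getContentType());
    if (hResponse == null) {
        doLog("            header", NON_HTTP_RES_MSG);
    } else {
        for (String rhname : hResponse.getHeaderNames()) {
            for (String rhvalue : hResponse.getHeaders(rhname)) {
                doLog("            header", rhname + "=" + rhvalue);
            }
        }
    }
    doLog("        remoteUser", hRequest == null ? NON_HTTP_REQ_MSG : hRequest.getRemoteUser());
    // The non-HTTP placeholder used to be logged under the "remoteUser" label;
    // it belongs to the "status" line, which is what the HTTP branch logs.
    doLog("            status", hResponse == null ? NON_HTTP_RES_MSG : Integer.toString(hResponse.getStatus()));
    doLog("END TIME          ", getTimestamp());
    doLog("==================", "============================================");
}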
