use of org.apache.sling.api.resource.ResourceResolver in project sling by apache.
the class AuthUtil method isRedirectValid.
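/**
 * Returns <code>true</code> if the given redirect <code>target</code> is
 * valid according to the following list of requirements:
 * <ul>
 * <li>The <code>target</code> is neither <code>null</code> nor an empty
 * string</li>
 * <li>The <code>target</code> is not a URL, which is identified by the
 * character sequence <code>://</code> separating the scheme from the host</li>
 * <li>The <code>target</code> does not contain a backslash. A backslash never
 * belongs in a local path, and some browsers treat <code>/\host</code> in a
 * <code>Location</code> header like the scheme-relative <code>//host</code>,
 * which would turn an apparently local path into an off-site redirect</li>
 * <li>The <code>target</code> is normalized such that it contains no
 * consecutive slashes and no path segment consists of a single or double dot</li>
 * <li>The <code>target</code> must be prefixed with the servlet context
 * path; the context path alone is accepted as the context root</li>
 * <li>The <code>target</code> without the servlet context path prefix must
 * be an absolute path starting with a slash character</li>
 * <li>If a <code>ResourceResolver</code> is available as a request
 * attribute and the path part of the <code>target</code> (everything before
 * the first <code>?</code>) resolves to an existing resource, the
 * <code>target</code> is accepted</li>
 * <li>Otherwise (no <code>ResourceResolver</code>, or no existing resource)
 * the path part must not contain any of the characters
 * <code>&lt;</code>, <code>&gt;</code>, <code>'</code>, or <code>"</code>
 * in plain or URL encoded form (<code>%3C</code>, <code>%3E</code>,
 * <code>%27</code>, <code>%22</code>, case-insensitive)</li>
 * </ul>
 * <p>
 * Note that the query string, if any, is only subject to the generic checks
 * above (<code>://</code>, backslash, <code>//</code>); it is neither resolved
 * nor scanned for the illegal characters.
 * <p>
 * If any of the conditions does not hold, the method returns
 * <code>false</code> and logs a <i>warning</i> level message with the
 * <i>org.apache.sling.auth.core.AuthUtil</i> logger.
 *
 * @param request Providing the <code>ResourceResolver</code> attribute and
 * the context to resolve the resource from the
 * <code>target</code>. This may be <code>null</code> which
 * causes the target to not be validated with a
 * <code>ResourceResolver</code>
 * @param target The redirect target to validate. This path must be
 * prefixed with the request's servlet context path.
 * @return <code>true</code> if the redirect target can be considered valid
 */
public static boolean isRedirectValid(final HttpServletRequest request, final String target) {
    if (target == null || target.length() == 0) {
        getLog().warn("isRedirectValid: Redirect target must not be empty or null");
        return false;
    }
    if (target.contains("://")) {
        getLog().warn("isRedirectValid: Redirect target '{}' must not be an URL", target);
        return false;
    }
    // A backslash is never part of a legitimate local path. Rejecting it closes the
    // "/\host" variant, which some browsers interpret like "//host" and which would
    // otherwise slip past both the "://" check above and the "//" check below.
    if (target.indexOf('\\') >= 0) {
        getLog().warn("isRedirectValid: Redirect target '{}' must not contain a backslash", target);
        return false;
    }
    if (target.contains("//") || target.contains("/../") || target.contains("/./") || target.endsWith("/.") || target.endsWith("/..")) {
        getLog().warn("isRedirectValid: Redirect target '{}' is not normalized", target);
        return false;
    }
    final String ctxPath = getContextPath(request);
    if (ctxPath.length() > 0 && !target.startsWith(ctxPath)) {
        getLog().warn("isRedirectValid: Redirect target '{}' does not start with servlet context path '{}'", target, ctxPath);
        return false;
    }
    // special case of requesting the servlet context root path
    if (ctxPath.length() == target.length()) {
        return true;
    }
    final String localTarget = target.substring(ctxPath.length());
    if (!localTarget.startsWith("/")) {
        getLog().warn("isRedirectValid: Redirect target '{}' without servlet context path '{}' must be an absolute path", target, ctxPath);
        return false;
    }
    // Only the path part is resolved and scanned; localTarget starts with '/', so a
    // '?' can never be at index 0 and "query > 0" is equivalent to "query >= 0" here.
    final int query = localTarget.indexOf('?');
    final String path = (query > 0) ? localTarget.substring(0, query) : localTarget;
    ResourceResolver resolver = getResourceResolver(request);
    if (resolver != null) {
        // assume all is fine if the path resolves to a resource
        if (!ResourceUtil.isNonExistingResource(resolver.resolve(request, path))) {
            return true;
        }
        // not resolving to a resource, check for illegal characters
    }
    // Plain and URL encoded forms of < > ' " are rejected, as the Javadoc has
    // always promised; the encoded forms are matched case-insensitively.
    final Pattern illegal = Pattern.compile("(?i)[<>'\"]|%3c|%3e|%27|%22");
    if (illegal.matcher(path).find()) {
        getLog().warn("isRedirectValid: Redirect target '{}' must not contain any of <>'\"", target);
        return false;
    }
    return true;
}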
use of org.apache.sling.api.resource.ResourceResolver in project sling by apache.
the class DefaultConfigurationPersistenceStrategy method deleteChildren.
/**
 * Deletes every direct child of {@code resource} through the resource's own
 * {@link ResourceResolver}; the parent itself is left in place.
 * <p>
 * A {@link PersistenceException} raised by any single delete aborts the loop
 * and is rethrown via {@code convertPersistenceException}, with the parent's
 * path in the message.
 * <p>
 * NOTE(review): the children are deleted while iterating the result of
 * {@code getChildren()}; whether the underlying provider's iterator tolerates
 * concurrent removal is not visible here - confirm for the providers in use.
 *
 * @param resource the parent whose children are removed
 */
private void deleteChildren(Resource resource) {
    final ResourceResolver resolver = resource.getResourceResolver();
    final Iterable<Resource> children = resource.getChildren();
    try {
        for (final Resource child : children) {
            log.trace("! Delete resource {}", child.getPath());
            resolver.delete(child);
        }
    } catch (final PersistenceException ex) {
        throw convertPersistenceException("Unable to remove children from " + resource.getPath(), ex);
    }
}
use of org.apache.sling.api.resource.ResourceResolver in project sling by apache.
the class SlingHttpServletRequestImplTest method getUserPrincipal_test2.
/**
 * getUserPrincipal() when nothing identifies the user: the resolver adapts to
 * {@code null} for {@link Principal} and {@code getRemoteUser()} is
 * {@code null}. The result is expected to be {@code null}.
 */
@Test
public void getUserPrincipal_test2() {
    final HttpServletRequest servletRequest = context.mock(HttpServletRequest.class);
    final RequestData requestData = context.mock(RequestData.class, "requestData");
    final ResourceResolver resourceResolver = context.mock(ResourceResolver.class);
    context.checking(new Expectations() {
        {
            // request path data consumed by the SlingHttpServletRequestImpl constructor
            one(servletRequest).getServletPath();
            will(returnValue("/path"));
            allowing(servletRequest).getPathInfo();
            will(returnValue("/path"));
            // neither source of a user identity yields anything
            allowing(servletRequest).getRemoteUser();
            will(returnValue(null));
            allowing(requestData).getResourceResolver();
            will(returnValue(resourceResolver));
            allowing(resourceResolver).adaptTo(Principal.class);
            will(returnValue(null));
        }
    });
    slingHttpServletRequestImpl = new SlingHttpServletRequestImpl(requestData, servletRequest);
    Assert.assertNull(slingHttpServletRequestImpl.getUserPrincipal());
}
use of org.apache.sling.api.resource.ResourceResolver in project sling by apache.
the class SlingHttpServletRequestImplTest method getUserPrincipal_test3.
/**
 * getUserPrincipal() when the resolver adapts to a {@link Principal}: that
 * very instance is expected back. {@code getRemoteUser()} is deliberately
 * not stubbed, so an unexpected call to it would fail the test.
 */
@Test
public void getUserPrincipal_test3() {
    final HttpServletRequest servletRequest = context.mock(HttpServletRequest.class);
    final RequestData requestData = context.mock(RequestData.class, "requestData");
    final ResourceResolver resourceResolver = context.mock(ResourceResolver.class);
    final Principal principal = context.mock(Principal.class);
    context.checking(new Expectations() {
        {
            // request path data consumed by the SlingHttpServletRequestImpl constructor
            one(servletRequest).getServletPath();
            will(returnValue("/path"));
            allowing(servletRequest).getPathInfo();
            will(returnValue("/path"));
            // the resolver is the source of the principal in this case
            allowing(requestData).getResourceResolver();
            will(returnValue(resourceResolver));
            allowing(resourceResolver).adaptTo(Principal.class);
            will(returnValue(principal));
        }
    });
    slingHttpServletRequestImpl = new SlingHttpServletRequestImpl(requestData, servletRequest);
    Assert.assertEquals(principal, slingHttpServletRequestImpl.getUserPrincipal());
}
use of org.apache.sling.api.resource.ResourceResolver in project sling by apache.
the class SlingHttpServletRequestImplTest method getUserPrincipal_test.
/**
 * getUserPrincipal() when the resolver does not adapt to a {@link Principal}
 * but the servlet request reports a remote user: the returned principal's
 * {@code toString()} is expected to be {@code "UserPrincipal: remoteUser"}.
 */
@Test
public void getUserPrincipal_test() {
    final HttpServletRequest servletRequest = context.mock(HttpServletRequest.class);
    final RequestData requestData = context.mock(RequestData.class, "requestData");
    final ResourceResolver resourceResolver = context.mock(ResourceResolver.class);
    context.checking(new Expectations() {
        {
            // request path data consumed by the SlingHttpServletRequestImpl constructor
            one(servletRequest).getServletPath();
            will(returnValue("/path"));
            allowing(servletRequest).getPathInfo();
            will(returnValue("/path"));
            // only the container-provided remote user name is available
            allowing(servletRequest).getRemoteUser();
            will(returnValue("remoteUser"));
            allowing(requestData).getResourceResolver();
            will(returnValue(resourceResolver));
            allowing(resourceResolver).adaptTo(Principal.class);
            will(returnValue(null));
        }
    });
    slingHttpServletRequestImpl = new SlingHttpServletRequestImpl(requestData, servletRequest);
    Assert.assertEquals("UserPrincipal: remoteUser", slingHttpServletRequestImpl.getUserPrincipal().toString());
}