Example 6 with ResourceResolver

Use of org.apache.sling.api.resource.ResourceResolver in project sling by apache.

The class AuthUtil, method isRedirectValid.

/**
 * Returns <code>true</code> if the given redirect <code>target</code> is
 * valid according to the following list of requirements:
 * <ul>
 * <li>The <code>target</code> is neither <code>null</code> nor an empty
 * string</li>
 * <li>The <code>target</code> is not a URL, which is identified by the
 * character sequence <code>://</code> separating the scheme from the host</li>
 * <li>The <code>target</code> is normalized such that it contains no
 * consecutive slashes and no path segment contains a single or double dot</li>
 * <li>The <code>target</code> must be prefixed with the servlet context
 * path</li>
 * <li>If a <code>ResourceResolver</code> is available as a request
 * attribute, the <code>target</code> (without the servlet context path
 * prefix) must resolve to an existing resource</li>
 * <li>If a <code>ResourceResolver</code> is <i>not</i> available as a
 * request attribute, the <code>target</code> must be an absolute path
 * starting with a slash character and must not contain any of the characters
 * <code>&lt;</code>, <code>&gt;</code>, <code>'</code>, or <code>"</code>
 * in plain or URL encoding</li>
 * </ul>
 * <p>
 * If any of the conditions does not hold, the method returns
 * <code>false</code> and logs a <i>warning</i> level message with the
 * <i>org.apache.sling.auth.core.AuthUtil</i> logger.
 *
 * @param request Providing the <code>ResourceResolver</code> attribute and
 *            the context to resolve the resource from the
 *            <code>target</code>. This may be <code>null</code>, which
 *            causes the target to not be validated with a
 *            <code>ResourceResolver</code>
 * @param target The redirect target to validate. This path must be
 *            prefixed with the request's servlet context path.
 * @return <code>true</code> if the redirect target can be considered valid
 */
public static boolean isRedirectValid(final HttpServletRequest request, final String target) {
    if (target == null || target.length() == 0) {
        getLog().warn("isRedirectValid: Redirect target must not be empty or null");
        return false;
    }
    if (target.contains("://")) {
        getLog().warn("isRedirectValid: Redirect target '{}' must not be an URL", target);
        return false;
    }
    // reject non-normalized paths: consecutive slashes (this also covers
    // protocol-relative "//host" targets) and "." or ".." path segments
    if (target.contains("//") || target.contains("/../") || target.contains("/./") || target.endsWith("/.") || target.endsWith("/..")) {
        getLog().warn("isRedirectValid: Redirect target '{}' is not normalized", target);
        return false;
    }
    final String ctxPath = getContextPath(request);
    if (ctxPath.length() > 0 && !target.startsWith(ctxPath)) {
        getLog().warn("isRedirectValid: Redirect target '{}' does not start with servlet context path '{}'", target, ctxPath);
        return false;
    }
    // special case of requesting the servlet context root path
    if (ctxPath.length() == target.length()) {
        return true;
    }
    final String localTarget = target.substring(ctxPath.length());
    if (!localTarget.startsWith("/")) {
        getLog().warn("isRedirectValid: Redirect target '{}' without servlet context path '{}' must be an absolute path", target, ctxPath);
        return false;
    }
    final int query = localTarget.indexOf('?');
    final String path = (query > 0) ? localTarget.substring(0, query) : localTarget;
    ResourceResolver resolver = getResourceResolver(request);
    if (resolver != null) {
        // assume all is fine if the path resolves to a resource
        if (!ResourceUtil.isNonExistingResource(resolver.resolve(request, path))) {
            return true;
        }
        // not resolving to a resource, fall through to the illegal character check
    }
    final Pattern illegal = Pattern.compile("[<>'\"]");
    if (illegal.matcher(path).find()) {
        getLog().warn("isRedirectValid: Redirect target '{}' must not contain any of <>'\"", target);
        return false;
    }
    return true;
}
Also used: Pattern (java.util.regex.Pattern), ResourceResolver (org.apache.sling.api.resource.ResourceResolver)

Example 7 with ResourceResolver

Use of org.apache.sling.api.resource.ResourceResolver in project sling by apache.

The class DefaultConfigurationPersistenceStrategy, method deleteChildren.

private void deleteChildren(Resource resource) {
    ResourceResolver resourceResolver = resource.getResourceResolver();
    try {
        for (Resource child : resource.getChildren()) {
            log.trace("! Delete resource {}", child.getPath());
            resourceResolver.delete(child);
        }
    } catch (PersistenceException ex) {
        throw convertPersistenceException("Unable to remove children from " + resource.getPath(), ex);
    }
}
Also used: ResourceResolver (org.apache.sling.api.resource.ResourceResolver), Resource (org.apache.sling.api.resource.Resource), ConfigurationPersistenceException (org.apache.sling.caconfig.spi.ConfigurationPersistenceException), PersistenceException (org.apache.sling.api.resource.PersistenceException)

Example 8 with ResourceResolver

Use of org.apache.sling.api.resource.ResourceResolver in project sling by apache.

The class SlingHttpServletRequestImplTest, method getUserPrincipal_test2.

@Test
public void getUserPrincipal_test2() {
    final HttpServletRequest servletRequest = context.mock(HttpServletRequest.class);
    context.checking(new Expectations() {
        {
            one(servletRequest).getServletPath();
            will(returnValue("/path"));
            allowing(servletRequest).getPathInfo();
            will(returnValue("/path"));
            allowing(servletRequest).getRemoteUser();
            will(returnValue(null));
        }
    });
    final RequestData requestData = context.mock(RequestData.class, "requestData");
    final ResourceResolver resourceResolver = context.mock(ResourceResolver.class);
    context.checking(new Expectations() {
        {
            allowing(requestData).getResourceResolver();
            will(returnValue(resourceResolver));
            allowing(resourceResolver).adaptTo(Principal.class);
            will(returnValue(null));
        }
    });
    slingHttpServletRequestImpl = new SlingHttpServletRequestImpl(requestData, servletRequest);
    Assert.assertNull(slingHttpServletRequestImpl.getUserPrincipal());
}
Also used: HttpServletRequest (javax.servlet.http.HttpServletRequest), Expectations (org.jmock.Expectations), RequestData (org.apache.sling.engine.impl.request.RequestData), ResourceResolver (org.apache.sling.api.resource.ResourceResolver), Principal (java.security.Principal), Test (org.junit.Test)

Example 9 with ResourceResolver

Use of org.apache.sling.api.resource.ResourceResolver in project sling by apache.

The class SlingHttpServletRequestImplTest, method getUserPrincipal_test3.

@Test
public void getUserPrincipal_test3() {
    final HttpServletRequest servletRequest = context.mock(HttpServletRequest.class);
    context.checking(new Expectations() {
        {
            one(servletRequest).getServletPath();
            will(returnValue("/path"));
            allowing(servletRequest).getPathInfo();
            will(returnValue("/path"));
        }
    });
    final RequestData requestData = context.mock(RequestData.class, "requestData");
    final ResourceResolver resourceResolver = context.mock(ResourceResolver.class);
    final Principal principal = context.mock(Principal.class);
    context.checking(new Expectations() {
        {
            allowing(requestData).getResourceResolver();
            will(returnValue(resourceResolver));
            allowing(resourceResolver).adaptTo(Principal.class);
            will(returnValue(principal));
        }
    });
    slingHttpServletRequestImpl = new SlingHttpServletRequestImpl(requestData, servletRequest);
    Assert.assertEquals(principal, slingHttpServletRequestImpl.getUserPrincipal());
}
Also used: HttpServletRequest (javax.servlet.http.HttpServletRequest), Expectations (org.jmock.Expectations), RequestData (org.apache.sling.engine.impl.request.RequestData), ResourceResolver (org.apache.sling.api.resource.ResourceResolver), Principal (java.security.Principal), Test (org.junit.Test)

Example 10 with ResourceResolver

Use of org.apache.sling.api.resource.ResourceResolver in project sling by apache.

The class SlingHttpServletRequestImplTest, method getUserPrincipal_test.

@Test
public void getUserPrincipal_test() {
    final HttpServletRequest servletRequest = context.mock(HttpServletRequest.class);
    context.checking(new Expectations() {
        {
            one(servletRequest).getServletPath();
            will(returnValue("/path"));
            allowing(servletRequest).getPathInfo();
            will(returnValue("/path"));
            allowing(servletRequest).getRemoteUser();
            will(returnValue("remoteUser"));
        }
    });
    final RequestData requestData = context.mock(RequestData.class, "requestData");
    final ResourceResolver resourceResolver = context.mock(ResourceResolver.class);
    context.checking(new Expectations() {
        {
            allowing(requestData).getResourceResolver();
            will(returnValue(resourceResolver));
            allowing(resourceResolver).adaptTo(Principal.class);
            will(returnValue(null));
        }
    });
    slingHttpServletRequestImpl = new SlingHttpServletRequestImpl(requestData, servletRequest);
    Assert.assertEquals("UserPrincipal: remoteUser", slingHttpServletRequestImpl.getUserPrincipal().toString());
}
Also used: HttpServletRequest (javax.servlet.http.HttpServletRequest), Expectations (org.jmock.Expectations), RequestData (org.apache.sling.engine.impl.request.RequestData), ResourceResolver (org.apache.sling.api.resource.ResourceResolver), Principal (java.security.Principal), Test (org.junit.Test)