use of org.owasp.html.PolicyFactory in project cerberus-source by cerberustesting.
the class DeleteApplication method processRequest.
/**
* Processes requests for both HTTP <code>GET</code> and <code>POST</code>
* methods.
*
* @param request servlet request
* @param response servlet response
* @throws ServletException if a servlet-specific error occurs
* @throws IOException if an I/O error occurs
*/
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException, CerberusException, JSONException {
JSONObject jsonResponse = new JSONObject();
Answer ans = new Answer();
MessageEvent msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_UNEXPECTED);
msg.setDescription(msg.getDescription().replace("%DESCRIPTION%", ""));
ans.setResultMessage(msg);
PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
response.setContentType("application/json");
// Calling Servlet Transversal Util.
ServletUtil.servletStart(request);
/**
* Parsing and securing all required parameters.
*/
String key = policy.sanitize(request.getParameter("application"));
/**
* Checking all constrains before calling the services.
*/
if (StringUtil.isNullOrEmpty(key)) {
msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
msg.setDescription(msg.getDescription().replace("%ITEM%", "Application").replace("%OPERATION%", "Delete").replace("%REASON%", "Application ID (application) is missing!"));
ans.setResultMessage(msg);
} else {
/**
* All data seems cleans so we can call the services.
*/
ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(this.getServletContext());
IApplicationService applicationService = appContext.getBean(IApplicationService.class);
AnswerItem resp = applicationService.readByKey(key);
if (!(resp.isCodeEquals(MessageEventEnum.DATA_OPERATION_OK.getCode()) && resp.getItem() != null)) {
/**
* Object could not be found. We stop here and report the error.
*/
msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
msg.setDescription(msg.getDescription().replace("%ITEM%", "Application").replace("%OPERATION%", "Delete").replace("%REASON%", "Application does not exist."));
ans.setResultMessage(msg);
} else {
/**
* The service was able to perform the query and confirm the
* object exist, then we can delete it.
*/
Application applicationData = (Application) resp.getItem();
ans = applicationService.delete(applicationData);
if (ans.isCodeEquals(MessageEventEnum.DATA_OPERATION_OK.getCode())) {
/**
* Delete was successful. Adding Log entry.
*/
ILogEventService logEventService = appContext.getBean(LogEventService.class);
logEventService.createForPrivateCalls("/DeleteApplication", "DELETE", "Delete Application : ['" + key + "']", request);
}
}
}
/**
* Formating and returning the json result.
*/
jsonResponse.put("messageType", ans.getResultMessage().getMessage().getCodeString());
jsonResponse.put("message", ans.getResultMessage().getDescription());
response.getWriter().print(jsonResponse.toString());
response.getWriter().flush();
}
use of org.owasp.html.PolicyFactory in project cerberus-source by cerberustesting.
the class DeleteApplicationObject method processRequest.
/**
* Processes requests for both HTTP <code>GET</code> and <code>POST</code>
* methods.
*
* @param request servlet request
* @param response servlet response
* @throws ServletException if a servlet-specific error occurs
* @throws IOException if an I/O error occurs
*/
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException, CerberusException, JSONException {
JSONObject jsonResponse = new JSONObject();
Answer ans = new Answer();
MessageEvent msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_UNEXPECTED);
msg.setDescription(msg.getDescription().replace("%DESCRIPTION%", ""));
ans.setResultMessage(msg);
PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
response.setContentType("application/json");
// Calling Servlet Transversal Util.
ServletUtil.servletStart(request);
/**
* Parsing and securing all required parameters.
*/
String application = policy.sanitize(request.getParameter("application"));
String object = policy.sanitize(request.getParameter("object"));
/**
* Checking all constrains before calling the services.
*/
if (StringUtil.isNullOrEmpty(application)) {
msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
msg.setDescription(msg.getDescription().replace("%ITEM%", "ApplicationObject").replace("%OPERATION%", "Delete").replace("%REASON%", "Application name is missing!"));
ans.setResultMessage(msg);
} else if (StringUtil.isNullOrEmpty(object)) {
msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
msg.setDescription(msg.getDescription().replace("%ITEM%", "ApplicationObject").replace("%OPERATION%", "Delete").replace("%REASON%", "Object name is missing!"));
ans.setResultMessage(msg);
} else {
/**
* All data seems cleans so we can call the services.
*/
ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(this.getServletContext());
IApplicationObjectService applicationObjectService = appContext.getBean(IApplicationObjectService.class);
AnswerItem resp = applicationObjectService.readByKey(application, object);
if (!(resp.isCodeEquals(MessageEventEnum.DATA_OPERATION_OK.getCode()) && resp.getItem() != null)) {
/**
* Object could not be found. We stop here and report the error.
*/
msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
msg.setDescription(msg.getDescription().replace("%ITEM%", "ApplicationObject").replace("%OPERATION%", "Delete").replace("%REASON%", "Application Object does not exist."));
ans.setResultMessage(msg);
} else {
/**
* The service was able to perform the query and confirm the
* object exist, then we can delete it.
*/
ApplicationObject applicationData = (ApplicationObject) resp.getItem();
ans = applicationObjectService.delete(applicationData);
if (ans.isCodeEquals(MessageEventEnum.DATA_OPERATION_OK.getCode())) {
/**
* Delete was successful. Adding Log entry.
*/
ILogEventService logEventService = appContext.getBean(LogEventService.class);
logEventService.createForPrivateCalls("/DeleteApplication", "DELETE", "Delete Application Object: ['" + application + "','" + object + "']", request);
}
}
}
/**
* Formating and returning the json result.
*/
jsonResponse.put("messageType", ans.getResultMessage().getMessage().getCodeString());
jsonResponse.put("message", ans.getResultMessage().getDescription());
response.getWriter().print(jsonResponse.toString());
response.getWriter().flush();
}
use of org.owasp.html.PolicyFactory in project cerberus-source by cerberustesting.
the class CreateBatchInvariant method processRequest.
/**
* Processes requests for both HTTP <code>GET</code> and <code>POST</code>
* methods.
*
* @param request servlet request
* @param response servlet response
* @throws ServletException if a servlet-specific error occurs
* @throws IOException if an I/O error occurs
* @throws org.cerberus.exception.CerberusException
* @throws org.json.JSONException
*/
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException, CerberusException, JSONException {
JSONObject jsonResponse = new JSONObject();
Answer ans = new Answer();
MessageEvent msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_UNEXPECTED);
msg.setDescription(msg.getDescription().replace("%DESCRIPTION%", ""));
ans.setResultMessage(msg);
PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
String charset = request.getCharacterEncoding();
response.setContentType("application/json");
// Calling Servlet Transversal Util.
ServletUtil.servletStart(request);
/**
* Parsing and securing all required parameters.
*/
// Parameter that are already controled by GUI (no need to decode) --> We SECURE them
// Parameter that needs to be secured --> We SECURE+DECODE them
String system = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("system"), "", charset);
String batch = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("batch"), null, charset);
String description = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("description"), "", charset);
/**
* Checking all constrains before calling the services.
*/
if (StringUtil.isNullOrEmpty(batch)) {
msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
msg.setDescription(msg.getDescription().replace("%ITEM%", "Batch").replace("%OPERATION%", "Create").replace("%REASON%", "Batch name is missing!"));
ans.setResultMessage(msg);
} else {
/**
* All data seems cleans so we can call the services.
*/
ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(this.getServletContext());
IBatchInvariantService batchInvariantService = appContext.getBean(IBatchInvariantService.class);
IFactoryBatchInvariant factoryBatchInvariant = appContext.getBean(IFactoryBatchInvariant.class);
BatchInvariant batchData = factoryBatchInvariant.create(system, batch, description);
ans = batchInvariantService.create(batchData);
if (ans.isCodeEquals(MessageEventEnum.DATA_OPERATION_OK.getCode())) {
/**
* Object created. Adding Log entry.
*/
ILogEventService logEventService = appContext.getBean(LogEventService.class);
logEventService.createForPrivateCalls("/CreateBatchInvariant", "CREATE", "Create BatchInvariant : ['" + batch + "']", request);
}
}
/**
* Formating and returning the json result.
*/
jsonResponse.put("messageType", ans.getResultMessage().getMessage().getCodeString());
jsonResponse.put("message", ans.getResultMessage().getDescription());
response.getWriter().print(jsonResponse);
response.getWriter().flush();
}
use of org.owasp.html.PolicyFactory in project cerberus-source by cerberustesting.
the class ReadBatchInvariant method processRequest.
/**
* Processes requests for both HTTP <code>GET</code> and <code>POST</code>
* methods.
*
* @param request servlet request
* @param response servlet response
* @throws ServletException if a servlet-specific error occurs
* @throws IOException if an I/O error occurs
* @throws org.cerberus.exception.CerberusException
*/
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException, CerberusException {
String echo = request.getParameter("sEcho");
ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(this.getServletContext());
PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
response.setContentType("application/json");
response.setCharacterEncoding("utf8");
// Calling Servlet Transversal Util.
ServletUtil.servletStart(request);
// Default message to unexpected error.
MessageEvent msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_UNEXPECTED);
msg.setDescription(msg.getDescription().replace("%DESCRIPTION%", ""));
/**
* Parsing and securing all required parameters.
*/
String system = policy.sanitize(request.getParameter("system"));
// Global boolean on the servlet that define if the user has permition to edit and delete object.
boolean userHasPermissions = request.isUserInRole("IntegratorRO");
// Get Parameters
String columnName = ParameterParserUtil.parseStringParam(request.getParameter("columnName"), "");
// Init Answer with potencial error from Parsing parameter.
AnswerItem answer = new AnswerItem(msg);
try {
JSONObject jsonResponse = new JSONObject();
if (request.getParameter("batch") != null) {
answer = findBatchInvariantByKey(request.getParameter("batch"), appContext, userHasPermissions);
jsonResponse = (JSONObject) answer.getItem();
} else if (!Strings.isNullOrEmpty(columnName)) {
answer = findDistinctValuesOfColumn(request.getParameter("system"), appContext, request, columnName);
jsonResponse = (JSONObject) answer.getItem();
} else {
answer = findBatchInvariantList(request.getParameter("system"), appContext, userHasPermissions, request);
jsonResponse = (JSONObject) answer.getItem();
}
jsonResponse.put("messageType", answer.getResultMessage().getMessage().getCodeString());
jsonResponse.put("message", answer.getResultMessage().getDescription());
jsonResponse.put("sEcho", echo);
response.getWriter().print(jsonResponse.toString());
} catch (JSONException e) {
LOG.warn(e);
// returns a default error message with the json format that is able to be parsed by the client-side
response.getWriter().print(AnswerUtil.createGenericErrorAnswer());
}
}
use of org.owasp.html.PolicyFactory in project cerberus-source by cerberustesting.
the class UpdateBatchInvariant method processRequest.
/**
* Processes requests for both HTTP <code>GET</code> and <code>POST</code>
* methods.
*
* @param request servlet request
* @param response servlet response
* @throws ServletException if a servlet-specific error occurs
* @throws IOException if an I/O error occurs
*/
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException, CerberusException, JSONException {
JSONObject jsonResponse = new JSONObject();
Answer ans = new Answer();
MessageEvent msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_UNEXPECTED);
msg.setDescription(msg.getDescription().replace("%DESCRIPTION%", ""));
ans.setResultMessage(msg);
PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
String charset = request.getCharacterEncoding();
response.setContentType("application/json");
// Calling Servlet Transversal Util.
ServletUtil.servletStart(request);
/**
* Parsing and securing all required parameters.
*/
// Parameter that are already controled by GUI (no need to decode) --> We SECURE them
// Parameter that needs to be secured --> We SECURE+DECODE them
String system = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("system"), "", charset);
String batch = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("batch"), null, charset);
String description = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("description"), "", charset);
/**
* Checking all constrains before calling the services.
*/
if (StringUtil.isNullOrEmpty(batch)) {
msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
msg.setDescription(msg.getDescription().replace("%ITEM%", OBJECT_NAME).replace("%OPERATION%", "Update").replace("%REASON%", "Batch is missing!"));
ans.setResultMessage(msg);
} else if (StringUtil.isNullOrEmpty(system)) {
msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
msg.setDescription(msg.getDescription().replace("%ITEM%", OBJECT_NAME).replace("%OPERATION%", "Update").replace("%REASON%", "System name is missing!"));
ans.setResultMessage(msg);
} else {
/**
* All data seems cleans so we can call the services.
*/
ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(this.getServletContext());
IBatchInvariantService batchInvariantService = appContext.getBean(IBatchInvariantService.class);
AnswerItem resp = batchInvariantService.readByKey(batch);
if (!(resp.isCodeEquals(MessageEventEnum.DATA_OPERATION_OK.getCode()) && resp.getItem() != null)) {
/**
* Object could not be found. We stop here and report the error.
*/
msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
msg.setDescription(msg.getDescription().replace("%ITEM%", OBJECT_NAME).replace("%OPERATION%", "Update").replace("%REASON%", "BatchInvariant does not exist."));
ans.setResultMessage(msg);
} else {
/**
* The service was able to perform the query and confirm the
* object exist, then we can update it.
*/
BatchInvariant batchInvariantData = (BatchInvariant) resp.getItem();
batchInvariantData.setSystem(system);
batchInvariantData.setDescription(description);
ans = batchInvariantService.update(batchInvariantData.getBatch(), batchInvariantData);
if (ans.isCodeEquals(MessageEventEnum.DATA_OPERATION_OK.getCode())) {
/**
* Update was successful. Adding Log entry.
*/
ILogEventService logEventService = appContext.getBean(LogEventService.class);
logEventService.createForPrivateCalls("/UpdateBatchInvariant", "UPDATE", "Updated BatchInvariant : ['" + batch + "']", request);
}
}
}
/**
* Formating and returning the json result.
*/
jsonResponse.put("messageType", ans.getResultMessage().getMessage().getCodeString());
jsonResponse.put("message", ans.getResultMessage().getDescription());
response.getWriter().print(jsonResponse);
response.getWriter().flush();
}
Aggregations