use of teammates.common.exception.InvalidOriginException in project teammates by TEAMMATES.
Class ControllerServlet, method doPost.
/**
 * Handles every POST request routed to this servlet (template method: the
 * request-specific work is delegated to the {@code Action} chosen by ActionFactory).
 * <p>
 * Flow: log the request, resolve the Action, redirect to authentication if the
 * current user is not valid for it, otherwise execute it and send its result.
 * The known failure types are mapped to dedicated error pages; anything else
 * (Errors included) falls through to the generic error page so that the request
 * always terminates with a response.
 *
 * @param req  incoming request
 * @param resp response the result or redirect is written to
 * @throws IOException if sending the response or a redirect fails
 */
@Override
@SuppressWarnings("PMD.AvoidCatchingThrowable") // the catch-all at the end is the deliberate fallback
public final void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    UserType currentUser = new GateKeeper().getCurrentUser();
    String requestedUrl = HttpRequestHelper.getRequestedUrl(req);
    Map<String, String[]> requestParams = HttpRequestHelper.getParameterMap(req);
    try {
        long startMillis = System.currentTimeMillis();
        // NOTE(review): every request parameter is written to the log here. The CSRF session
        // token is itself a request parameter (see Action.validateOriginIfRequired), so unless
        // printRequestParameters masks it, tokens and any other sensitive form fields end up
        // in the logs -- confirm, and mask them there if it does not.
        log.info("Request received : [" + req.getMethod() + "] " + req.getRequestURL().toString()
                + ":" + HttpRequestHelper.printRequestParameters(req));
        log.info("User agent : " + req.getHeader("User-Agent"));

        Action action = new ActionFactory().getAction(req);
        if (!action.isValidUser()) {
            resp.sendRedirect(action.getAuthenticationRedirectUrl());
        } else {
            ActionResult result = action.executeAndPostProcess();
            result.writeSessionTokenToCookieIfRequired(req, resp);
            result.send(req, resp);
        }
        long elapsedMillis = System.currentTimeMillis() - startMillis;
        // Feeds the admin 'activity log'; the "|||" separator is what that log is split on.
        log.info(action.getLogMessage() + "|||" + elapsedMillis);
    } catch (PageNotFoundException e) {
        redirectToErrorPageAfterFailure(req, resp,
                new LogMessageGenerator().generateActionFailureLogMessage(requestedUrl, requestParams, e, currentUser),
                Const.ViewURIs.ACTION_NOT_FOUND_PAGE, requestParams, requestedUrl);
    } catch (EntityNotFoundException e) {
        redirectToErrorPageAfterFailure(req, resp,
                new LogMessageGenerator().generateActionFailureLogMessage(requestedUrl, requestParams, e, currentUser),
                Const.ViewURIs.ENTITY_NOT_FOUND_PAGE, requestParams, requestedUrl);
    } catch (FeedbackSessionNotVisibleException e) {
        log.warning(new LogMessageGenerator().generateActionFailureLogMessage(requestedUrl, requestParams, e, currentUser));
        cleanUpStatusMessageInSession(req);
        // The error page reads the session's start time from the HTTP session, so it is stored after the cleanup.
        req.getSession().setAttribute(Const.ParamsNames.FEEDBACK_SESSION_NOT_VISIBLE, e.getStartTimeString());
        resp.sendRedirect(appendParamsToErrorPageUrl(Const.ViewURIs.FEEDBACK_SESSION_NOT_VISIBLE, requestParams, requestedUrl));
    } catch (InvalidOriginException e) {
        // Raised by the CSRF checks (referrer / session token) in Action.
        redirectToErrorPageAfterFailure(req, resp,
                new LogMessageGenerator().generateActionFailureLogMessage(requestedUrl, requestParams, e, currentUser),
                Const.ViewURIs.INVALID_ORIGIN, requestParams, requestedUrl);
    } catch (UnauthorizedAccessException e) {
        redirectToErrorPageAfterFailure(req, resp,
                new LogMessageGenerator().generateActionFailureLogMessage(requestedUrl, requestParams, e, currentUser),
                Const.ViewURIs.UNAUTHORIZED, requestParams, requestedUrl);
    } catch (DeadlineExceededException | DatastoreTimeoutException e) {
        // GAE may kill the request right after raising this, in which case this handler never
        // runs; the severe log line is then emailed to the admin by a separate cron job.
        cleanUpStatusMessageInSession(req);
        log.severe("Deadline exceeded exception caught by ControllerServlet : " + TeammatesException.toStringWithStackTrace(e));
        resp.sendRedirect(appendParamsToErrorPageUrl(Const.ViewURIs.DEADLINE_EXCEEDED_ERROR_PAGE, requestParams, requestedUrl));
    } catch (InvalidPostParametersException e) {
        String requestUrl = req.getRequestURL().toString();
        log.info(e.getMessage());
        cleanUpStatusMessageInSession(req);
        List<StatusMessage> messagesForUser = new ArrayList<>();
        messagesForUser.add(new StatusMessage(Const.StatusMessages.NULL_POST_PARAMETER_MESSAGE, StatusMessageColor.WARNING));
        req.getSession().setAttribute(Const.ParamsNames.STATUS_MESSAGES_LIST, messagesForUser);
        String homePage = homePageForRequestUrl(requestUrl);
        if (homePage == null) {
            // Not one of the recognised areas: discard the status message again and use the generic error page.
            cleanUpStatusMessageInSession(req);
            resp.sendRedirect(appendParamsToErrorPageUrl(Const.ViewURIs.ERROR_PAGE, requestParams, requestedUrl));
        } else {
            resp.sendRedirect(homePage);
        }
    } catch (Throwable t) {
        // Only the stack trace is logged: anything slower risks GAE shutting the instance down
        // before the request terminates. Severe logs are emailed by the auto/compileLogs cron job.
        log.severe("Unexpected exception caught by ControllerServlet : " + TeammatesException.toStringWithStackTrace(t));
        cleanUpStatusMessageInSession(req);
        resp.sendRedirect(appendParamsToErrorPageUrl(Const.ViewURIs.ERROR_PAGE, requestParams, requestedUrl));
    }
}

/**
 * Common failure path for the known, user-attributable errors: record the failure,
 * discard any pending status message and redirect to the given error page.
 * NOTE(review): the original request URL and parameters are appended to the error page
 * URL, i.e. user-controlled input is reflected there; the error page must treat them as
 * untrusted (escape before rendering) -- confirm.
 *
 * @param req               current request (its session is cleaned up)
 * @param resp              response the redirect is written to
 * @param failureLogMessage already-generated failure log line, logged at WARNING
 * @param errorPageUri      error page to redirect to
 * @param params            request parameters appended to the error page URL
 * @param url               originally requested URL appended to the error page URL
 * @throws IOException if the redirect cannot be sent
 */
private void redirectToErrorPageAfterFailure(HttpServletRequest req, HttpServletResponse resp,
        String failureLogMessage, String errorPageUri, Map<String, String[]> params, String url) throws IOException {
    log.warning(failureLogMessage);
    cleanUpStatusMessageInSession(req);
    resp.sendRedirect(appendParamsToErrorPageUrl(errorPageUri, params, url));
}

/**
 * Picks the home page to return to after a malformed POST, by the area the request URL
 * belongs to. Matching is a plain substring test, checked in this order: instructor,
 * student, admin.
 *
 * @param requestUrl full request URL as returned by {@code HttpServletRequest#getRequestURL()}
 * @return the home page URI, or {@code null} if the URL belongs to none of the three areas
 */
private static String homePageForRequestUrl(String requestUrl) {
    if (requestUrl.contains("/instructor")) {
        return Const.ActionURIs.INSTRUCTOR_HOME_PAGE;
    }
    if (requestUrl.contains("/student")) {
        return Const.ActionURIs.STUDENT_HOME_PAGE;
    }
    if (requestUrl.contains("/admin")) {
        return Const.ActionURIs.ADMIN_HOME_PAGE;
    }
    return null;
}
use of teammates.common.exception.InvalidOriginException in project teammates by TEAMMATES.
Class Action, method validateOriginIfRequired.
// These methods are used for Cross-Site Request Forgery (CSRF) prevention
/**
 * CSRF guard for the pages listed in {@code Const.SystemParams.PAGES_REQUIRING_ORIGIN_VALIDATION}:
 * rejects a request whose Referer header is present but not acceptable, and requires a
 * valid session token parameter. A missing Referer is tolerated (privacy settings strip
 * it), so for those requests the session token is the only thing standing between the
 * application and a forged POST.
 *
 * @throws InvalidOriginException if the Referer is present but invalid, or the session
 *                                token parameter is missing or invalid
 */
private void validateOriginIfRequired() {
    // NOTE(review): this looks like an exact-match allowlist on the raw request URI.
    // Servlet getRequestURI() is not normalised (path parameters such as ";jsessionid=...",
    // duplicate or trailing slashes), so a URI variant that the container still routes to
    // the same action would skip the CSRF check entirely -- confirm the routing, or consider
    // validating every state-changing POST by default instead of by allowlist.
    boolean pageNeedsValidation =
            Const.SystemParams.PAGES_REQUIRING_ORIGIN_VALIDATION.contains(request.getRequestURI());
    if (!pageNeedsValidation) {
        return;
    }

    // Only a Referer that is present AND wrong is rejected; absent is given the benefit of
    // the doubt for users who disable it in their browser.
    String referrer = request.getHeader("referer");
    if (referrer != null && !isHttpReferrerValid(referrer)) {
        throw new InvalidOriginException("Invalid HTTP referrer");
    }

    String sessionToken = getRequestParamValue(Const.ParamsNames.SESSION_TOKEN);
    if (sessionToken == null) {
        throw new InvalidOriginException("Missing session token");
    }
    // NOTE(review): isSessionTokenValid is not visible here; the comparison it performs should
    // be constant-time (e.g. MessageDigest.isEqual on the bytes) rather than String.equals -- confirm.
    if (!isSessionTokenValid(sessionToken)) {
        throw new InvalidOriginException("Invalid session token");
    }
}