Package org.owasp.esapi.filters

Class SecurityWrapperRequest

Class hierarchy:
- java.lang.Object
  - javax.servlet.ServletRequestWrapper
    - javax.servlet.http.HttpServletRequestWrapper
      - org.owasp.esapi.filters.SecurityWrapperRequest

All Implemented Interfaces:
javax.servlet.http.HttpServletRequest, javax.servlet.ServletRequest

public class SecurityWrapperRequest extends javax.servlet.http.HttpServletRequestWrapper implements javax.servlet.http.HttpServletRequest

This request wrapper overrides the unsafe methods of the HttpServletRequest API with safe versions that return canonicalized data where possible. When a validation error is detected, the wrapper does not return the original input but a safe value, which may be a stripped or an empty string; callers therefore still have to check the returned value before relying on it.
Constructor Summary

- SecurityWrapperRequest(javax.servlet.http.HttpServletRequest request)
  Construct a safe request that overrides the default request methods with safer versions.
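As an added example (not code from the ESAPI project or from this page), the following servlet filter constructs a SecurityWrapperRequest around each incoming HttpServletRequest and passes the wrapper down the chain, so that every servlet behind it reads scrubbed parameters, headers and paths. The filter class name, its package and the "/*" URL mapping are assumptions.

```java
// Added example, not part of the ESAPI project: wrap each request in
// SecurityWrapperRequest at the filter layer. Package name, filter name and
// URL mapping are assumptions.
package com.example.filters; // hypothetical package

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;

import org.owasp.esapi.filters.SecurityWrapperRequest;

@WebFilter(filterName = "RequestScrubberFilter", urlPatterns = "/*") // mapping is an assumption
public class RequestScrubberFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // Nothing to configure: the wrapper reads its settings from ESAPI.properties.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            // Not an HTTP request; the wrapper only applies to HttpServletRequest.
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest http = (HttpServletRequest) request;
        // Wrap once: if an upstream filter already wrapped the request, reuse it
        // rather than stacking a second wrapper around the first.
        if (!(http instanceof SecurityWrapperRequest)) {
            http = new SecurityWrapperRequest(http);
        }
        // Everything downstream now sees the canonicalized, filtered view of the request.
        chain.doFilter(http, response);
    }

    @Override
    public void destroy() {
        // No resources held.
    }
}
```

Note what the wrapper does and does not cover: per the method descriptions on this page, getInputStream() and getReader() are passed through unchanged, so request-body data read through them is not canonicalized or validated by the wrapper and must be handled by the application itself.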
Method Summary

Modifier and Type / Method / Description

- java.lang.String getAllowableContentRoot()
- java.lang.Object getAttribute(java.lang.String name)
  Same as HttpServletRequest, no security changes required.
- java.util.Enumeration getAttributeNames()
  Same as HttpServletRequest, no security changes required.
- java.lang.String getAuthType()
  Same as HttpServletRequest, no security changes required.
- java.lang.String getCharacterEncoding()
  Same as HttpServletRequest, no security changes required.
- int getContentLength()
  Same as HttpServletRequest, no security changes required.
- java.lang.String getContentType()
  Same as HttpServletRequest, no security changes required.
- java.lang.String getContextPath()
  Returns the context path from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
- javax.servlet.http.Cookie[] getCookies()
  Returns the array of Cookies from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
- long getDateHeader(java.lang.String name)
  Same as HttpServletRequest, no security changes required.
- java.lang.String getHeader(java.lang.String name)
  Returns the named header from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
- java.util.Enumeration getHeaderNames()
  Returns the enumeration of header names from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
- java.util.Enumeration getHeaders(java.lang.String name)
  Returns the enumeration of headers from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
- javax.servlet.ServletInputStream getInputStream()
  Same as HttpServletRequest, no security changes required.
- int getIntHeader(java.lang.String name)
  Same as HttpServletRequest, no security changes required.
- java.lang.String getLocalAddr()
  Same as HttpServletRequest, no security changes required.
- java.util.Locale getLocale()
  Same as HttpServletRequest, no security changes required.
- java.util.Enumeration getLocales()
  Same as HttpServletRequest, no security changes required.
- java.lang.String getLocalName()
  Same as HttpServletRequest, no security changes required.
- int getLocalPort()
  Same as HttpServletRequest, no security changes required.
- java.lang.String getMethod()
  Same as HttpServletRequest, no security changes required.
- java.lang.String getParameter(java.lang.String name)
  Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
- java.lang.String getParameter(java.lang.String name, boolean allowNull)
  Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
- java.lang.String getParameter(java.lang.String name, boolean allowNull, int maxLength)
  Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
- java.lang.String getParameter(java.lang.String name, boolean allowNull, int maxLength, java.lang.String regexName)
  Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
- java.util.Map getParameterMap()
  Returns the parameter map from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
- java.util.Enumeration getParameterNames()
  Returns the enumeration of parameter names from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
- java.lang.String[] getParameterValues(java.lang.String name)
  Returns the array of matching parameter values from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
- java.lang.String getPathInfo()
  Returns the path info from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
- java.lang.String getPathTranslated()
  Same as HttpServletRequest, no security changes required.
- java.lang.String getProtocol()
  Same as HttpServletRequest, no security changes required.
- java.lang.String getQueryString()
  Returns the query string from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
- java.io.BufferedReader getReader()
  Same as HttpServletRequest, no security changes required.
- java.lang.String getRealPath(java.lang.String path)
  Deprecated. In servlet spec 2.1.
- java.lang.String getRemoteAddr()
  Same as HttpServletRequest, no security changes required.
- java.lang.String getRemoteHost()
  Same as HttpServletRequest, no security changes required.
- int getRemotePort()
  Same as HttpServletRequest, no security changes required.
- java.lang.String getRemoteUser()
  Returns the name of the ESAPI user associated with this getHttpServletRequest().
- javax.servlet.RequestDispatcher getRequestDispatcher(java.lang.String path)
  Checks to make sure the path to forward to is within the WEB-INF directory and then returns the dispatcher.
- java.lang.String getRequestedSessionId()
  Returns the URI from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
- java.lang.String getRequestURI()
  Returns the URI from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
- java.lang.StringBuffer getRequestURL()
  Returns the URL from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
- java.lang.String getScheme()
  Returns the scheme from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
- java.lang.String getServerName()
  Returns the server name (host header) from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
- int getServerPort()
  Returns the server port (after the : in the host header) from the HttpServletRequest after parsing and checking the range 0-65536.
- java.lang.String getServletPath()
  Returns the server path from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
- javax.servlet.http.HttpSession getSession()
  Returns a session, creating it if necessary, and sets the HttpOnly flag on the Session ID cookie.
- javax.servlet.http.HttpSession getSession(boolean create)
  Returns the current session associated with this request or, if there is no current session and create is true, returns a new session and sets the HttpOnly flag on the session ID cookie.
- java.security.Principal getUserPrincipal()
  Returns the ESAPI User associated with this getHttpServletRequest().
- boolean isRequestedSessionIdFromCookie()
  Same as HttpServletRequest, no security changes required.
- boolean isRequestedSessionIdFromUrl()
  Deprecated. In servlet spec 2.1.
- boolean isRequestedSessionIdFromURL()
  Same as HttpServletRequest, no security changes required.
- boolean isRequestedSessionIdValid()
  Same as HttpServletRequest, no security changes required.
- boolean isSecure()
  Same as HttpServletRequest, no security changes required.
- boolean isUserInRole(java.lang.String role)
  Returns true if the ESAPI User associated with this request has the specified role.
- void removeAttribute(java.lang.String name)
  Same as HttpServletRequest, no security changes required.
- void setAllowableContentRoot(java.lang.String allowableContentRoot)
- void setAttribute(java.lang.String name, java.lang.Object o)
  Same as HttpServletRequest, no security changes required.
- void setCharacterEncoding(java.lang.String enc)
  Sets the character encoding scheme to the ESAPI configured encoding scheme.
Methods inherited from class javax.servlet.http.HttpServletRequestWrapper:
authenticate, changeSessionId, getHttpServletMapping, getPart, getParts, getTrailerFields, isTrailerFieldsReady, login, logout, newPushBuilder, upgrade

Methods inherited from class javax.servlet.ServletRequestWrapper:
getAsyncContext, getContentLengthLong, getDispatcherType, getRequest, getServletContext, isAsyncStarted, isAsyncSupported, isWrapperFor, isWrapperFor, setRequest, startAsync, startAsync

Methods inherited from class java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail
getAttribute

public java.lang.Object getAttribute(java.lang.String name)

Same as HttpServletRequest, no security changes required.

- Specified by: getAttribute in interface javax.servlet.ServletRequest
- Overrides: getAttribute in class javax.servlet.ServletRequestWrapper
- Parameters: name - The attribute name
- Returns: The attribute value

getAttributeNames

public java.util.Enumeration getAttributeNames()

Same as HttpServletRequest, no security changes required.

- Specified by: getAttributeNames in interface javax.servlet.ServletRequest
- Overrides: getAttributeNames in class javax.servlet.ServletRequestWrapper
- Returns: An Enumeration of attribute names.

getAuthType

public java.lang.String getAuthType()

Same as HttpServletRequest, no security changes required.

- Specified by: getAuthType in interface javax.servlet.http.HttpServletRequest
- Overrides: getAuthType in class javax.servlet.http.HttpServletRequestWrapper
- Returns: The authentication type

getCharacterEncoding

public java.lang.String getCharacterEncoding()

Same as HttpServletRequest, no security changes required.

- Specified by: getCharacterEncoding in interface javax.servlet.ServletRequest
- Overrides: getCharacterEncoding in class javax.servlet.ServletRequestWrapper
- Returns: The character-encoding for this HttpServletRequest

getContentLength

public int getContentLength()

Same as HttpServletRequest, no security changes required.

- Specified by: getContentLength in interface javax.servlet.ServletRequest
- Overrides: getContentLength in class javax.servlet.ServletRequestWrapper
- Returns: The content-length for this HttpServletRequest

getContentType

public java.lang.String getContentType()

Same as HttpServletRequest, no security changes required.

- Specified by: getContentType in interface javax.servlet.ServletRequest
- Overrides: getContentType in class javax.servlet.ServletRequestWrapper
- Returns: The content-type for this HttpServletRequest
getContextPath

public java.lang.String getContextPath()

Returns the context path from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

- Specified by: getContextPath in interface javax.servlet.http.HttpServletRequest
- Overrides: getContextPath in class javax.servlet.http.HttpServletRequestWrapper
- Returns: The context path for this HttpServletRequest

getCookies

public javax.servlet.http.Cookie[] getCookies()

Returns the array of Cookies from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

- Specified by: getCookies in interface javax.servlet.http.HttpServletRequest
- Overrides: getCookies in class javax.servlet.http.HttpServletRequestWrapper
- Returns: An array of Cookies for this HttpServletRequest

getDateHeader

public long getDateHeader(java.lang.String name)

Same as HttpServletRequest, no security changes required.

- Specified by: getDateHeader in interface javax.servlet.http.HttpServletRequest
- Overrides: getDateHeader in class javax.servlet.http.HttpServletRequestWrapper
- Parameters: name - Specifies the name of the HTTP request header; e.g., If-Modified-Since.
- Returns: A long value representing the date specified in the header, expressed as the number of milliseconds since January 1, 1970 GMT, or -1 if the named header was not included with the request.

getHeader

public java.lang.String getHeader(java.lang.String name)

Returns the named header from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

- Specified by: getHeader in interface javax.servlet.http.HttpServletRequest
- Overrides: getHeader in class javax.servlet.http.HttpServletRequestWrapper
- Parameters: name - The name of an HTTP request header
- Returns: The specified header value is returned.

getHeaderNames

public java.util.Enumeration getHeaderNames()

Returns the enumeration of header names from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

- Specified by: getHeaderNames in interface javax.servlet.http.HttpServletRequest
- Overrides: getHeaderNames in class javax.servlet.http.HttpServletRequestWrapper
- Returns: An Enumeration of header names associated with this request.

getHeaders

public java.util.Enumeration getHeaders(java.lang.String name)

Returns the enumeration of headers from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

- Specified by: getHeaders in interface javax.servlet.http.HttpServletRequest
- Overrides: getHeaders in class javax.servlet.http.HttpServletRequestWrapper
- Parameters: name - The name of an HTTP request header.
- Returns: An Enumeration of headers from the request after canonicalizing and filtering has been performed.

getInputStream

public javax.servlet.ServletInputStream getInputStream() throws java.io.IOException

Same as HttpServletRequest, no security changes required. Note that this input stream may contain attacks and the developer is responsible for canonicalizing, validating, and encoding any data from this stream.

- Specified by: getInputStream in interface javax.servlet.ServletRequest
- Overrides: getInputStream in class javax.servlet.ServletRequestWrapper
- Returns: The ServletInputStream associated with this HttpServletRequest.
- Throws: java.io.IOException - Thrown if an input exception is thrown, such as the remote peer closing the connection.
getIntHeader

public int getIntHeader(java.lang.String name)

Same as HttpServletRequest, no security changes required.

- Specified by: getIntHeader in interface javax.servlet.http.HttpServletRequest
- Overrides: getIntHeader in class javax.servlet.http.HttpServletRequestWrapper
- Parameters: name - The name of an HTTP request header.
- Returns: Returns the value of the specified request header as an int.

getLocalAddr

public java.lang.String getLocalAddr()

Same as HttpServletRequest, no security changes required.

- Specified by: getLocalAddr in interface javax.servlet.ServletRequest
- Overrides: getLocalAddr in class javax.servlet.ServletRequestWrapper
- Returns: A String containing the IP address on which the request was received.

getLocale

public java.util.Locale getLocale()

Same as HttpServletRequest, no security changes required.

- Specified by: getLocale in interface javax.servlet.ServletRequest
- Overrides: getLocale in class javax.servlet.ServletRequestWrapper
- Returns: The preferred Locale for the client.

getLocales

public java.util.Enumeration getLocales()

Same as HttpServletRequest, no security changes required.

- Specified by: getLocales in interface javax.servlet.ServletRequest
- Overrides: getLocales in class javax.servlet.ServletRequestWrapper
- Returns: An Enumeration of preferred Locale objects for the client.

getLocalName

public java.lang.String getLocalName()

Same as HttpServletRequest, no security changes required.

- Specified by: getLocalName in interface javax.servlet.ServletRequest
- Overrides: getLocalName in class javax.servlet.ServletRequestWrapper
- Returns: A String containing the host name of the IP on which the request was received.

getLocalPort

public int getLocalPort()

Same as HttpServletRequest, no security changes required.

- Specified by: getLocalPort in interface javax.servlet.ServletRequest
- Overrides: getLocalPort in class javax.servlet.ServletRequestWrapper
- Returns: Returns the Internet Protocol (IP) port number of the interface on which the request was received.

getMethod

public java.lang.String getMethod()

Same as HttpServletRequest, no security changes required.

- Specified by: getMethod in interface javax.servlet.http.HttpServletRequest
- Overrides: getMethod in class javax.servlet.http.HttpServletRequestWrapper
- Returns: Returns the name of the HTTP method with which this request was made.
getParameter

public java.lang.String getParameter(java.lang.String name)

Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

- Specified by: getParameter in interface javax.servlet.ServletRequest
- Overrides: getParameter in class javax.servlet.ServletRequestWrapper
- Parameters: name - The parameter name for the request
- Returns: The "scrubbed" parameter value.

getParameter

public java.lang.String getParameter(java.lang.String name, boolean allowNull)

Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

- Parameters:
  - name - The parameter name for the request
  - allowNull - Whether null values are allowed
- Returns: The "scrubbed" parameter value.

getParameter

public java.lang.String getParameter(java.lang.String name, boolean allowNull, int maxLength)

Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

- Parameters:
  - name - The parameter name for the request
  - allowNull - Whether null values are allowed
  - maxLength - The maximum length allowed
- Returns: The "scrubbed" parameter value.

getParameter

public java.lang.String getParameter(java.lang.String name, boolean allowNull, int maxLength, java.lang.String regexName)

Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

- Parameters:
  - name - The parameter name for the request
  - allowNull - Whether null values are allowed
  - maxLength - The maximum length allowed
  - regexName - The name of the regex mapped from ESAPI.properties
- Returns: The "scrubbed" parameter value.
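An added example (not code from the ESAPI project or from this page) of reading a parameter through the four-argument overload from a servlet, with allowNull, maxLength and regexName all set. The servlet mapping, the parameter name "account", the 16-character limit and the regex name "AccountNumber" are assumptions; per the regexName description above, that name is assumed to be mapped to a pattern in ESAPI.properties. The class description states that a validation failure yields a safe value such as null or an empty string rather than an exception, so the example treats both as a rejected request.

```java
// Added example, not part of the ESAPI project. Servlet mapping, parameter
// name, length limit and regex name are assumptions.
package com.example.web; // hypothetical package

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.filters.SecurityWrapperRequest;

@WebServlet("/account") // mapping is an assumption
public class AccountServlet extends HttpServlet {

    // Assumed upper bound for the parameter; passed as maxLength.
    private static final int MAX_ACCOUNT_LENGTH = 16;

    // Assumed regex name; the corresponding pattern is expected to live in ESAPI.properties.
    private static final String ACCOUNT_REGEX_NAME = "AccountNumber";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // A filter is normally expected to have wrapped the request already;
        // wrap it here if that did not happen, so the validated overload is available.
        SecurityWrapperRequest safe = (request instanceof SecurityWrapperRequest)
                ? (SecurityWrapperRequest) request
                : new SecurityWrapperRequest(request);

        // allowNull = false: a missing parameter is a validation error, not a legal input.
        // The wrapper signals validation errors by returning a safe value (null or an
        // empty/stripped string), so the result must be checked before use.
        String account = safe.getParameter("account", false, MAX_ACCOUNT_LENGTH, ACCOUNT_REGEX_NAME);
        if (account == null || account.isEmpty()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid or missing account parameter");
            return;
        }

        // From here on, 'account' has been canonicalized and has passed the length
        // and pattern checks; it is safe to use as a lookup key.
        response.setContentType("text/plain");
        response.getWriter().println("Account lookup for: " + account);
    }
}
```

The single-argument getParameter(name) applies the wrapper's default scrubbing only; the four-argument form is the one that lets the caller pin down the length bound and the named pattern for a specific field, which is what turns generic filtering into field-specific validation.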
getParameterMap

public java.util.Map getParameterMap()

Returns the parameter map from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

- Specified by: getParameterMap in interface javax.servlet.ServletRequest
- Overrides: getParameterMap in class javax.servlet.ServletRequestWrapper
- Returns: A Map containing scrubbed parameter names / value pairs.

getParameterNames

public java.util.Enumeration getParameterNames()

Returns the enumeration of parameter names from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

- Specified by: getParameterNames in interface javax.servlet.ServletRequest
- Overrides: getParameterNames in class javax.servlet.ServletRequestWrapper
- Returns: An Enumeration of properly "scrubbed" parameter names.

getParameterValues

public java.lang.String[] getParameterValues(java.lang.String name)

Returns the array of matching parameter values from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

- Specified by: getParameterValues in interface javax.servlet.ServletRequest
- Overrides: getParameterValues in class javax.servlet.ServletRequestWrapper
- Parameters: name - The parameter name
- Returns: An array of matching "scrubbed" parameter values, or null if the parameter does not exist.

getPathInfo

public java.lang.String getPathInfo()

Returns the path info from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

- Specified by: getPathInfo in interface javax.servlet.http.HttpServletRequest
- Overrides: getPathInfo in class javax.servlet.http.HttpServletRequestWrapper
- Returns: Returns any extra path information, appropriately scrubbed, associated with the URL the client sent when it made this request.

getPathTranslated

public java.lang.String getPathTranslated()

Same as HttpServletRequest, no security changes required.

- Specified by: getPathTranslated in interface javax.servlet.http.HttpServletRequest
- Overrides: getPathTranslated in class javax.servlet.http.HttpServletRequestWrapper
- Returns: Returns any extra path information, appropriately scrubbed, after the servlet name but before the query string, and translates it to a real path.

getProtocol

public java.lang.String getProtocol()

Same as HttpServletRequest, no security changes required.

- Specified by: getProtocol in interface javax.servlet.ServletRequest
- Overrides: getProtocol in class javax.servlet.ServletRequestWrapper
- Returns: Returns the name and version of the protocol the request uses in the form protocol/majorVersion.minorVersion, for example, HTTP/1.1.
getQueryString

public java.lang.String getQueryString()

Returns the query string from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

- Specified by: getQueryString in interface javax.servlet.http.HttpServletRequest
- Overrides: getQueryString in class javax.servlet.http.HttpServletRequestWrapper
- Returns: The scrubbed query string is returned.

getReader

public java.io.BufferedReader getReader() throws java.io.IOException

Same as HttpServletRequest, no security changes required. Note that this reader may contain attacks and the developer is responsible for canonicalizing, validating, and encoding any data from this stream.

- Specified by: getReader in interface javax.servlet.ServletRequest
- Overrides: getReader in class javax.servlet.ServletRequestWrapper
- Returns: A BufferedReader containing the body of the request.
- Throws: java.io.IOException - If an input error occurred while reading the request body (e.g., premature EOF).

getRealPath

@Deprecated
public java.lang.String getRealPath(java.lang.String path)

Deprecated. In servlet spec 2.1. Use ServletContext.getRealPath(String) instead.

Same as HttpServletRequest, no security changes required.

- Specified by: getRealPath in interface javax.servlet.ServletRequest
- Overrides: getRealPath in class javax.servlet.ServletRequestWrapper
- Parameters: path - A virtual path on a web or application server; e.g., "/index.htm".
- Returns: Returns a String containing the real path for a given virtual path.

getRemoteAddr

public java.lang.String getRemoteAddr()

Same as HttpServletRequest, no security changes required.

- Specified by: getRemoteAddr in interface javax.servlet.ServletRequest
- Overrides: getRemoteAddr in class javax.servlet.ServletRequestWrapper
- Returns: Returns the IP address of the client or last proxy that sent the request.

getRemoteHost

public java.lang.String getRemoteHost()

Same as HttpServletRequest, no security changes required.

- Specified by: getRemoteHost in interface javax.servlet.ServletRequest
- Overrides: getRemoteHost in class javax.servlet.ServletRequestWrapper
- Returns: The remote host

getRemotePort

public int getRemotePort()

Same as HttpServletRequest, no security changes required.

- Specified by: getRemotePort in interface javax.servlet.ServletRequest
- Overrides: getRemotePort in class javax.servlet.ServletRequestWrapper
- Returns: The remote port

getRemoteUser

public java.lang.String getRemoteUser()

Returns the name of the ESAPI user associated with this getHttpServletRequest().

- Specified by: getRemoteUser in interface javax.servlet.http.HttpServletRequest
- Overrides: getRemoteUser in class javax.servlet.http.HttpServletRequestWrapper
- Returns: Returns the fully qualified name of the client or the last proxy that sent the request
getRequestDispatcher

public javax.servlet.RequestDispatcher getRequestDispatcher(java.lang.String path)

Checks to make sure the path to forward to is within the WEB-INF directory and then returns the dispatcher. Otherwise returns null.

- Specified by: getRequestDispatcher in interface javax.servlet.ServletRequest
- Overrides: getRequestDispatcher in class javax.servlet.ServletRequestWrapper
- Parameters: path - The path to create a request dispatcher for
- Returns: A RequestDispatcher object that acts as a wrapper for the resource at the specified path, or null if the servlet container cannot return a RequestDispatcher.
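An added example (not code from the ESAPI project or from this page) of forwarding through the wrapped request. Because getRequestDispatcher returns null both when the target is outside WEB-INF and when the container cannot provide a dispatcher, the caller has to treat null as a refused forward rather than dereference it. The servlet mapping, the "view" parameter, the view names and the JSP locations under /WEB-INF/views/ are assumptions.

```java
// Added example, not part of the ESAPI project. Servlet mapping, view names
// and JSP paths are assumptions.
package com.example.web; // hypothetical package

import java.io.IOException;
import java.util.Map;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.filters.SecurityWrapperRequest;

@WebServlet("/page") // mapping is an assumption
public class PageServlet extends HttpServlet {

    // Fixed allow-list of forward targets (assumed locations). The user-supplied
    // "view" value only selects an entry; it is never used as a path itself.
    private static final Map<String, String> VIEWS = Map.of(
            "home", "/WEB-INF/views/home.jsp",
            "help", "/WEB-INF/views/help.jsp");

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        SecurityWrapperRequest safe = (request instanceof SecurityWrapperRequest)
                ? (SecurityWrapperRequest) request
                : new SecurityWrapperRequest(request);

        // Scrubbed parameter; an unknown or missing view falls back to "home".
        String viewName = safe.getParameter("view");
        String target = VIEWS.getOrDefault(viewName == null ? "home" : viewName, VIEWS.get("home"));

        // The wrapper only hands back a dispatcher for paths under WEB-INF;
        // anything else (or a container failure) comes back as null.
        RequestDispatcher dispatcher = safe.getRequestDispatcher(target);
        if (dispatcher == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        dispatcher.forward(safe, response);
    }
}
```

Forwarding the wrapper (safe) rather than the original request keeps the scrubbed view of parameters and headers in effect for the JSP that renders the response.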
getRequestedSessionId

public java.lang.String getRequestedSessionId()

Returns the URI from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. Code must be very careful not to depend on the value of a requested session id reported by the user.

- Specified by: getRequestedSessionId in interface javax.servlet.http.HttpServletRequest
- Overrides: getRequestedSessionId in class javax.servlet.http.HttpServletRequestWrapper
- Returns: The requested Session ID

getRequestURI

public java.lang.String getRequestURI()

Returns the URI from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

- Specified by: getRequestURI in interface javax.servlet.http.HttpServletRequest
- Overrides: getRequestURI in class javax.servlet.http.HttpServletRequestWrapper
- Returns: The current request URI

getRequestURL

public java.lang.StringBuffer getRequestURL()

Returns the URL from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

- Specified by: getRequestURL in interface javax.servlet.http.HttpServletRequest
- Overrides: getRequestURL in class javax.servlet.http.HttpServletRequestWrapper
- Returns: The current request URL

getScheme

public java.lang.String getScheme()

Returns the scheme from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

- Specified by: getScheme in interface javax.servlet.ServletRequest
- Overrides: getScheme in class javax.servlet.ServletRequestWrapper
- Returns: The scheme of the current request

getServerName

public java.lang.String getServerName()

Returns the server name (host header) from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

- Specified by: getServerName in interface javax.servlet.ServletRequest
- Overrides: getServerName in class javax.servlet.ServletRequestWrapper
- Returns: The local server name

getServerPort

public int getServerPort()

Returns the server port (after the : in the host header) from the HttpServletRequest after parsing and checking the range 0-65536.

- Specified by: getServerPort in interface javax.servlet.ServletRequest
- Overrides: getServerPort in class javax.servlet.ServletRequestWrapper
- Returns: The local server port

getServletPath

public java.lang.String getServletPath()

Returns the server path from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.

- Specified by: getServletPath in interface javax.servlet.http.HttpServletRequest
- Overrides: getServletPath in class javax.servlet.http.HttpServletRequestWrapper
- Returns: The servlet path
getSession

public javax.servlet.http.HttpSession getSession()

Returns a session, creating it if necessary, and sets the HttpOnly flag on the Session ID cookie. The 'secure' flag is also set if the property HttpUtilities.ForceSecureCookies is set to true in the ESAPI.properties file.

- Specified by: getSession in interface javax.servlet.http.HttpServletRequest
- Overrides: getSession in class javax.servlet.http.HttpServletRequestWrapper
- Returns: The current session

getSession

public javax.servlet.http.HttpSession getSession(boolean create)

Returns the current session associated with this request or, if there is no current session and create is true, returns a new session and sets the HttpOnly flag on the session ID cookie. The 'secure' flag is also set if the property HttpUtilities.ForceSecureCookies is set to true in the ESAPI.properties file.

- Specified by: getSession in interface javax.servlet.http.HttpServletRequest
- Overrides: getSession in class javax.servlet.http.HttpServletRequestWrapper
- Parameters: create - If set to true, create a new session if one doesn't exist; otherwise return null
- Returns: The current session
getUserPrincipal

public java.security.Principal getUserPrincipal()

Returns the ESAPI User associated with this getHttpServletRequest().

- Specified by: getUserPrincipal in interface javax.servlet.http.HttpServletRequest
- Overrides: getUserPrincipal in class javax.servlet.http.HttpServletRequestWrapper
- Returns: The ESAPI User

isRequestedSessionIdFromCookie

public boolean isRequestedSessionIdFromCookie()

Same as HttpServletRequest, no security changes required.

- Specified by: isRequestedSessionIdFromCookie in interface javax.servlet.http.HttpServletRequest
- Overrides: isRequestedSessionIdFromCookie in class javax.servlet.http.HttpServletRequestWrapper
- Returns: Whether the requested session id is from a cookie

isRequestedSessionIdFromUrl

@Deprecated
public boolean isRequestedSessionIdFromUrl()

Deprecated. In servlet spec 2.1. Use isRequestedSessionIdFromURL() instead.

Same as HttpServletRequest, no security changes required.

- Specified by: isRequestedSessionIdFromUrl in interface javax.servlet.http.HttpServletRequest
- Overrides: isRequestedSessionIdFromUrl in class javax.servlet.http.HttpServletRequestWrapper
- Returns: Whether the requested session id is from the URL

isRequestedSessionIdFromURL

public boolean isRequestedSessionIdFromURL()

Same as HttpServletRequest, no security changes required.

- Specified by: isRequestedSessionIdFromURL in interface javax.servlet.http.HttpServletRequest
- Overrides: isRequestedSessionIdFromURL in class javax.servlet.http.HttpServletRequestWrapper
- Returns: Whether the requested session id is from the URL

isRequestedSessionIdValid

public boolean isRequestedSessionIdValid()

Same as HttpServletRequest, no security changes required.

- Specified by: isRequestedSessionIdValid in interface javax.servlet.http.HttpServletRequest
- Overrides: isRequestedSessionIdValid in class javax.servlet.http.HttpServletRequestWrapper
- Returns: Whether the requested session id is valid

isSecure

public boolean isSecure()

Same as HttpServletRequest, no security changes required.

- Specified by: isSecure in interface javax.servlet.ServletRequest
- Overrides: isSecure in class javax.servlet.ServletRequestWrapper
- Returns: Whether the current request is secure

isUserInRole

public boolean isUserInRole(java.lang.String role)

Returns true if the ESAPI User associated with this request has the specified role.

- Specified by: isUserInRole in interface javax.servlet.http.HttpServletRequest
- Overrides: isUserInRole in class javax.servlet.http.HttpServletRequestWrapper
- Parameters: role - The role to check
- Returns: Whether the current user is in the passed role

removeAttribute

public void removeAttribute(java.lang.String name)

Same as HttpServletRequest, no security changes required.

- Specified by: removeAttribute in interface javax.servlet.ServletRequest
- Overrides: removeAttribute in class javax.servlet.ServletRequestWrapper
- Parameters: name - The attribute name

setAttribute

public void setAttribute(java.lang.String name, java.lang.Object o)

Same as HttpServletRequest, no security changes required.

- Specified by: setAttribute in interface javax.servlet.ServletRequest
- Overrides: setAttribute in class javax.servlet.ServletRequestWrapper
- Parameters:
  - name - The attribute name
  - o - The attribute value

setCharacterEncoding

public void setCharacterEncoding(java.lang.String enc) throws java.io.UnsupportedEncodingException

Sets the character encoding scheme to the ESAPI configured encoding scheme.

- Specified by: setCharacterEncoding in interface javax.servlet.ServletRequest
- Overrides: setCharacterEncoding in class javax.servlet.ServletRequestWrapper
- Parameters: enc - The encoding scheme
- Throws: java.io.UnsupportedEncodingException

getAllowableContentRoot

public java.lang.String getAllowableContentRoot()

setAllowableContentRoot

public void setAllowableContentRoot(java.lang.String allowableContentRoot)