public interface HTTPUtilities
The HTTPUtilities interface is a collection of methods that provide additional security related to HTTP requests, responses, sessions, cookies, headers, and logging.
Field Summary
Modifier and Type | Field
---|---
static int | COOKIE
static java.lang.String | CSRF_TOKEN_NAME
static java.lang.String | ESAPI_STATE
static int | HEADER
static int | MAX_COOKIE_LEN
static int | MAX_COOKIE_PAIRS
static int | PARAMETER
static java.lang.String | REMEMBER_TOKEN_COOKIE_NAME
Method Summary
Modifier and Type | Method | Description
---|---|---
void | addCookie(javax.servlet.http.Cookie cookie) | Calls addCookie with the *current* request.
void | addCookie(javax.servlet.http.HttpServletResponse response, javax.servlet.http.Cookie cookie) | Add a cookie to the response after ensuring that there are no encoded or illegal characters in the name and value.
java.lang.String | addCSRFToken(java.lang.String href) | Adds the current user's CSRF token (see User.getCSRFToken()) to the URL for purposes of preventing CSRF attacks.
void | addHeader(javax.servlet.http.HttpServletResponse response, java.lang.String name, java.lang.String value) | Add a header to the response after ensuring that there are no encoded or illegal characters in the name and value.
void | addHeader(java.lang.String name, java.lang.String value) | Calls addHeader with the *current* request.
void | assertSecureChannel() | Calls assertSecureChannel with the *current* request.
void | assertSecureChannel(javax.servlet.http.HttpServletRequest request) | Ensures the use of SSL to protect any sensitive parameters in the request and any sensitive data in the response.
void | assertSecureRequest() | Calls assertSecureRequest with the *current* request.
void | assertSecureRequest(javax.servlet.http.HttpServletRequest request) | Ensures that the request uses both SSL and POST to protect any sensitive parameters in the querystring from being sniffed, logged, bookmarked, included in the referer header, etc.
javax.servlet.http.HttpSession | changeSessionIdentifier() | Calls changeSessionIdentifier with the *current* request.
javax.servlet.http.HttpSession | changeSessionIdentifier(javax.servlet.http.HttpServletRequest request) | Invalidate the existing session after copying all of its contents to a newly created session with a new session id.
void | clearCurrent() | Clears the current HttpRequest and HttpResponse associated with the current thread.
java.lang.String | decryptHiddenField(java.lang.String encrypted) | Decrypts an encrypted hidden field value and returns the cleartext.
java.util.Map<java.lang.String,java.lang.String> | decryptQueryString(java.lang.String encrypted) | Takes an encrypted querystring and returns a Map containing the original parameters.
java.util.Map<java.lang.String,java.lang.String> | decryptStateFromCookie() | Calls decryptStateFromCookie with the *current* request.
java.util.Map<java.lang.String,java.lang.String> | decryptStateFromCookie(javax.servlet.http.HttpServletRequest request) | Retrieves a map of data from a cookie encrypted with encryptStateInCookie().
java.lang.String | encryptHiddenField(java.lang.String value) | Encrypts a hidden field value for use in HTML.
java.lang.String | encryptQueryString(java.lang.String query) | Takes a querystring (everything after the question mark in the URL) and returns an encrypted string containing the parameters.
void | encryptStateInCookie(javax.servlet.http.HttpServletResponse response, java.util.Map<java.lang.String,java.lang.String> cleartext) | Stores a Map of data in an encrypted cookie.
void | encryptStateInCookie(java.util.Map<java.lang.String,java.lang.String> cleartext) | Calls encryptStateInCookie with the *current* response.
java.lang.String | getCookie(javax.servlet.http.HttpServletRequest request, java.lang.String name) | A safer replacement for getCookies() in HttpServletRequest that returns the canonicalized value of the named cookie after "global" validation against the general type defined in ESAPI.properties.
java.lang.String | getCookie(java.lang.String name) | Calls getCookie with the *current* response.
java.lang.String | getCSRFToken() | Returns the current user's CSRF token.
javax.servlet.http.HttpServletRequest | getCurrentRequest() | Retrieves the current HttpServletRequest.
javax.servlet.http.HttpServletResponse | getCurrentResponse() | Retrieves the current HttpServletResponse.
java.util.List | getFileUploads() | Calls getFileUploads with the *current* request, default upload directory, and default allowed file extensions.
java.util.List | getFileUploads(javax.servlet.http.HttpServletRequest request) | Calls getFileUploads with the specified request, default upload directory, and default allowed file extensions.
java.util.List | getFileUploads(javax.servlet.http.HttpServletRequest request, java.io.File finalDir) | Calls getFileUploads with the specified request, specified upload directory, and default allowed file extensions.
java.util.List | getFileUploads(javax.servlet.http.HttpServletRequest request, java.io.File destinationDir, java.util.List allowedExtensions) | Extract uploaded files from a multipart HTTP request.
java.lang.String | getHeader(javax.servlet.http.HttpServletRequest request, java.lang.String name) | A safer replacement for getHeader() in HttpServletRequest that returns the canonicalized value of the named header after "global" validation against the general type defined in ESAPI.properties.
java.lang.String | getHeader(java.lang.String name) | Calls getHeader with the *current* request.
java.lang.String | getParameter(javax.servlet.http.HttpServletRequest request, java.lang.String name) | A safer replacement for getParameter() in HttpServletRequest that returns the canonicalized value of the named parameter after "global" validation against the general type defined in ESAPI.properties.
java.lang.String | getParameter(java.lang.String name) | Calls getParameter with the *current* request.
<T> T | getRequestAttribute(javax.servlet.http.HttpServletRequest request, java.lang.String key) | Gets a typed attribute from the HttpServletRequest associated with the passed in request.
<T> T | getRequestAttribute(java.lang.String key) | Gets a typed attribute from the HttpServletRequest associated with the caller thread.
<T> T | getSessionAttribute(javax.servlet.http.HttpSession session, java.lang.String key) | Gets a typed attribute from the passed in session.
<T> T | getSessionAttribute(java.lang.String key) | Gets a typed attribute from the session associated with the calling thread.
void | killAllCookies() | Calls killAllCookies with the *current* request and response.
void | killAllCookies(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) | Kill all cookies received in the last request from the browser.
void | killCookie(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, java.lang.String name) | Kills the specified cookie by setting a new cookie that expires immediately.
void | killCookie(java.lang.String name) | Calls killCookie with the *current* request and response.
void | logHTTPRequest() | Calls logHTTPRequest with the *current* request and logger.
void | logHTTPRequest(javax.servlet.http.HttpServletRequest request, Logger logger) | Format the Source IP address, URL, URL parameters, and all form parameters into a string suitable for the log file.
void | logHTTPRequest(javax.servlet.http.HttpServletRequest request, Logger logger, java.util.List parameterNamesToObfuscate) | Format the Source IP address, URL, URL parameters, and all form parameters into a string suitable for the log file.
void | sendForward(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, java.lang.String location) | This method performs a forward to any resource located inside the WEB-INF directory.
void | sendForward(java.lang.String location) | Calls sendForward with the *current* request and response.
void | sendRedirect(javax.servlet.http.HttpServletResponse response, java.lang.String location) | This method performs a forward to any resource located inside the WEB-INF directory.
void | sendRedirect(java.lang.String location) | Calls sendRedirect with the *current* response.
void | setContentType() | Calls setContentType with the *current* request and response.
void | setContentType(javax.servlet.http.HttpServletResponse response) | Set the content type character encoding header on every HttpServletResponse in order to limit the ways in which the input data can be represented.
void | setCurrentHTTP(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) | Stores the current HttpRequest and HttpResponse so that they may be readily accessed throughout ESAPI (and elsewhere).
void | setHeader(javax.servlet.http.HttpServletResponse response, java.lang.String name, java.lang.String value) | Add a header to the response after ensuring that there are no encoded or illegal characters in the name and value.
void | setHeader(java.lang.String name, java.lang.String value) | Calls setHeader with the *current* response.
void | setNoCacheHeaders() | Calls setNoCacheHeaders with the *current* response.
void | setNoCacheHeaders(javax.servlet.http.HttpServletResponse response) | Set headers to protect sensitive information against being cached in the browser.
java.lang.String | setRememberToken(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, java.lang.String password, int maxAge, java.lang.String domain, java.lang.String path) | Set a cookie containing the current User's remember me token for automatic authentication.
java.lang.String | setRememberToken(java.lang.String password, int maxAge, java.lang.String domain, java.lang.String path) | Calls setNoCacheHeaders with the *current* response.
void | verifyCSRFToken() | Calls verifyCSRFToken with the *current* request.
void | verifyCSRFToken(javax.servlet.http.HttpServletRequest request) | Checks the CSRF token in the URL (see User.getCSRFToken()) against the user's CSRF token and throws an IntrusionException if it is missing.
Field Detail

static final java.lang.String REMEMBER_TOKEN_COOKIE_NAME
static final int MAX_COOKIE_LEN
static final int MAX_COOKIE_PAIRS
static final java.lang.String CSRF_TOKEN_NAME
static final java.lang.String ESAPI_STATE
static final int PARAMETER
static final int HEADER
static final int COOKIE
Method Detail

void addCookie(javax.servlet.http.Cookie cookie)
See Also: HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)

void addCookie(javax.servlet.http.HttpServletResponse response, javax.servlet.http.Cookie cookie)
Parameters: cookie -

java.lang.String addCSRFToken(java.lang.String href)
Parameters: href - the URL to which the CSRF token will be appended

void addHeader(java.lang.String name, java.lang.String value)
See Also: HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)

void addHeader(javax.servlet.http.HttpServletResponse response, java.lang.String name, java.lang.String value)
Parameters: name - ; value -

void assertSecureRequest() throws AccessControlException
Throws: AccessControlException
See Also: HTTPUtilities#assertSecureRequest(HttpServletRequest), HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)

void assertSecureChannel() throws AccessControlException
Throws: AccessControlException
See Also: HTTPUtilities#assertSecureChannel(HttpServletRequest), HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)

void assertSecureRequest(javax.servlet.http.HttpServletRequest request) throws AccessControlException
Parameters: request -
Throws: AccessControlException - if security constraints are not met

void assertSecureChannel(javax.servlet.http.HttpServletRequest request) throws AccessControlException
Parameters: request -
Throws: AccessControlException - if security constraints are not met

javax.servlet.http.HttpSession changeSessionIdentifier() throws AuthenticationException
Throws: AuthenticationException
See Also: HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)

javax.servlet.http.HttpSession changeSessionIdentifier(javax.servlet.http.HttpServletRequest request) throws AuthenticationException
Parameters: request -
Throws: AuthenticationException - the exception

void clearCurrent()
See Also: ESAPI.clearCurrent()

java.lang.String decryptHiddenField(java.lang.String encrypted)
Parameters: encrypted - hidden field value to decrypt

java.util.Map<java.lang.String,java.lang.String> decryptQueryString(java.lang.String encrypted) throws EncryptionException
Parameters: encrypted - the encrypted querystring to decrypt
Throws: EncryptionException

java.util.Map<java.lang.String,java.lang.String> decryptStateFromCookie() throws EncryptionException
Throws: EncryptionException
See Also: HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)

java.util.Map<java.lang.String,java.lang.String> decryptStateFromCookie(javax.servlet.http.HttpServletRequest request) throws EncryptionException
Parameters: request -
Throws: EncryptionException

java.lang.String encryptHiddenField(java.lang.String value) throws EncryptionException
Parameters: value - the cleartext value of the hidden field
Throws: EncryptionException

java.lang.String encryptQueryString(java.lang.String query) throws EncryptionException
Parameters: query - the querystring to encrypt
Throws: EncryptionException

void encryptStateInCookie(java.util.Map<java.lang.String,java.lang.String> cleartext) throws EncryptionException
Throws: EncryptionException
See Also: HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)

void encryptStateInCookie(javax.servlet.http.HttpServletResponse response, java.util.Map<java.lang.String,java.lang.String> cleartext) throws EncryptionException
Parameters: response - ; cleartext -
Throws: EncryptionException

java.lang.String getCookie(java.lang.String name) throws ValidationException
Throws: ValidationException
See Also: HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)

java.lang.String getCookie(javax.servlet.http.HttpServletRequest request, java.lang.String name) throws ValidationException
Parameters: request - ; name -
Throws: ValidationException

java.lang.String getCSRFToken()

javax.servlet.http.HttpServletRequest getCurrentRequest()

javax.servlet.http.HttpServletResponse getCurrentResponse()

java.util.List getFileUploads() throws ValidationException
Throws: ValidationException
See Also: HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)

java.util.List getFileUploads(javax.servlet.http.HttpServletRequest request) throws ValidationException
Throws: ValidationException

java.util.List getFileUploads(javax.servlet.http.HttpServletRequest request, java.io.File finalDir) throws ValidationException
Throws: ValidationException

java.util.List getFileUploads(javax.servlet.http.HttpServletRequest request, java.io.File destinationDir, java.util.List allowedExtensions) throws ValidationException
This method uses getCurrentRequest() to obtain the HttpServletRequest object.
Parameters: request -
Throws: ValidationException - if the file fails validation

java.lang.String getHeader(java.lang.String name) throws ValidationException
Throws: ValidationException
See Also: HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)

java.lang.String getHeader(javax.servlet.http.HttpServletRequest request, java.lang.String name) throws ValidationException
Parameters: request - ; name -
Throws: ValidationException

java.lang.String getParameter(java.lang.String name) throws ValidationException
Throws: ValidationException
See Also: HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)

java.lang.String getParameter(javax.servlet.http.HttpServletRequest request, java.lang.String name) throws ValidationException
Parameters: request - ; name -
Throws: ValidationException

void killAllCookies()
See Also: HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)

void killAllCookies(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Parameters: request - ; response -

void killCookie(java.lang.String name)
See Also: HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)

void killCookie(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, java.lang.String name)
Parameters: request - ; name - ; response -

void logHTTPRequest()
See Also: HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)

void logHTTPRequest(javax.servlet.http.HttpServletRequest request, Logger logger)
Parameters: request - ; logger - the logger to write the request to

void logHTTPRequest(javax.servlet.http.HttpServletRequest request, Logger logger, java.util.List parameterNamesToObfuscate)
Parameters: request - ; logger - the logger to write the request to; parameterNamesToObfuscate - the sensitive parameters

void sendForward(java.lang.String location) throws AccessControlException, javax.servlet.ServletException, java.io.IOException
Throws: AccessControlException, javax.servlet.ServletException, java.io.IOException
See Also: HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)

void sendForward(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, java.lang.String location) throws AccessControlException, javax.servlet.ServletException, java.io.IOException
Parameters: request - ; response - ; location - the URL to forward to, including parameters
Throws: AccessControlException, javax.servlet.ServletException, java.io.IOException

void sendRedirect(java.lang.String location) throws AccessControlException, java.io.IOException
Throws: AccessControlException, java.io.IOException
See Also: HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)

void sendRedirect(javax.servlet.http.HttpServletResponse response, java.lang.String location) throws AccessControlException, java.io.IOException
Parameters: response - ; location - the URL to forward to, including parameters
Throws: AccessControlException, javax.servlet.ServletException, java.io.IOException

void setContentType()
See Also: HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)

void setContentType(javax.servlet.http.HttpServletResponse response)
Parameters: response - The servlet response to set the content type for.

void setCurrentHTTP(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Parameters: request - the current request; response - the current response

void setHeader(java.lang.String name, java.lang.String value)
See Also: HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)

void setHeader(javax.servlet.http.HttpServletResponse response, java.lang.String name, java.lang.String value)
Parameters: name - ; value -

void setNoCacheHeaders()
See Also: HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)

void setNoCacheHeaders(javax.servlet.http.HttpServletResponse response)
Sets the following headers:
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: must-revalidate
Expires: -1
Note that the header "pragma: no-cache" is intended only for use in HTTP requests, not HTTP responses. However, Microsoft has chosen to directly violate the standards, so we need to include that header here. For more information, please refer to the relevant standards.
Parameters: response -

java.lang.String setRememberToken(java.lang.String password, int maxAge, java.lang.String domain, java.lang.String path)
See Also: HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)

java.lang.String setRememberToken(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, java.lang.String password, int maxAge, java.lang.String domain, java.lang.String path)
Parameters: request - ; password - the user's password; response - ; maxAge - the length of time that the token should be valid for in relative seconds; domain - the domain to restrict the token to or null; path - the path to restrict the token to or null

void verifyCSRFToken()
See Also: HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)

void verifyCSRFToken(javax.servlet.http.HttpServletRequest request) throws IntrusionException
Parameters: request -
Throws: IntrusionException - if CSRF token is missing or incorrect

<T> T getSessionAttribute(java.lang.String key)
Type Parameters: T - The implied type of object expected.
Parameters: key - The key that references the session attribute
See Also: getSessionAttribute(javax.servlet.http.HttpSession, String)

<T> T getSessionAttribute(javax.servlet.http.HttpSession session, java.lang.String key)
Gets a typed attribute from the HttpSession associated with the current thread.
Type Parameters: T - The implied type of object expected
Parameters: session - The session to retrieve the attribute from; key - The key that references the requested object

<T> T getRequestAttribute(java.lang.String key)
Gets a typed attribute from the HttpServletRequest associated with the caller thread. If the attribute on the request is not of the implied type, a ClassCastException will be thrown back to the caller.
Type Parameters: T - The implied type of the object expected
Parameters: key - The key that references the request attribute.

<T> T getRequestAttribute(javax.servlet.http.HttpServletRequest request, java.lang.String key)
Gets a typed attribute from the HttpServletRequest associated with the passed in request. If the attribute on the request is not of the implied type, a ClassCastException will be thrown back to the caller.
Type Parameters: T - The implied type of the object expected
Parameters: request - The request to retrieve the attribute from; key - The key that references the request attribute.
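As an added example that is not part of ESAPI's own code, the servlet filter below wires the per-request lifecycle this page documents (setCurrentHTTP, the no-arg convenience overloads, clearCurrent) around each request and enforces the CSRF token on state-changing paths. It assumes ESAPI.httpUtilities() returns the configured HTTPUtilities implementation and that ESAPI.properties is on the classpath; the class name EsapiHttpFilter and the /account/ prefix are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.HTTPUtilities;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.errors.IntrusionException;

/**
 * Added example (not ESAPI code): runs the HTTPUtilities per-request
 * lifecycle around every request and enforces the CSRF token on
 * state-changing paths. Assumes ESAPI.httpUtilities() is configured.
 */
public class EsapiHttpFilter implements Filter {

    // Hypothetical prefix: everything under /account/ changes state, so it
    // must arrive over SSL via POST and carry a valid CSRF token.
    private static final String SENSITIVE_PREFIX = "/account/";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HTTPUtilities http = ESAPI.httpUtilities();

        // 1. Register request/response so the no-arg overloads work on this thread.
        http.setCurrentHTTP(request, response);
        try {
            // 2. Fix the response charset before anything is written.
            http.setContentType();
            // 3. Keep pages in this filter's scope out of the browser cache.
            http.setNoCacheHeaders();

            if (request.getServletPath().startsWith(SENSITIVE_PREFIX)) {
                // 4. Require SSL + POST so sensitive parameters are not in the querystring.
                http.assertSecureRequest();
                // 5. Reject the request when the CSRF token is absent or wrong.
                http.verifyCSRFToken();
            }
            chain.doFilter(request, response);
        } catch (AccessControlException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        } catch (IntrusionException e) {
            // verifyCSRFToken() reports a missing or incorrect token this way.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        } finally {
            // 6. Always drop the thread-bound references when the request ends.
            http.clearCurrent();
        }
    }

    /**
     * View helper: builds a form action URL for a state-changing page with
     * the current user's token appended, so the token rides in the action
     * URL even though the form itself is submitted with POST.
     */
    public static String protectedAction(String href) {
        return ESAPI.httpUtilities().addCSRFToken(href);
    }
}
```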