SecurityWrapper (ESAPI 2.0 2.0

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.owasp.esapi.filters
Class SecurityWrapper

java.lang.Object
  org.owasp.esapi.filters.SecurityWrapper

All Implemented Interfaces:: javax.servlet.Filter

public class SecurityWrapper
extends java.lang.Object
implements javax.servlet.Filter
extends java.lang.Object
implements javax.servlet.Filter

This filter wraps the incoming request and outgoing response and overrides many methods with safer versions. Many of the safer versions simply validate parts of the request or response for unwanted characters before allowing the call to complete. Some examples of attacks that use these vectors include request splitting, response splitting, and file download injection. Attackers use techniques like CRLF injection and null byte injection to confuse the parsing of requests and responses.

Example Configuration #1 (Default Configuration allows /WEB-INF):

 <filter>
    <filter-name>SecurityWrapperDefault</filter-name>
    <filter-class>org.owasp.filters.SecurityWrapper</filter-class>
 </filter>

Example Configuration #2 (Allows /servlet)

 <filter>
    <filter-name>SecurityWrapperForServlet</filter-name>
    <filter-class>org.owasp.filters.SecurityWrapper</filter-class>
    <init-param>
       <param-name>allowableResourceRoot</param-name>
       <param-value>/servlet</param-value>
    </init-param>
 </filter>

Author:: Chris Schmidt ([email protected])

Constructor Summary
`SecurityWrapper()`

Method Summary
`void`	`destroy()`
`void`	`doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)`
`void`	`init(javax.servlet.FilterConfig filterConfig)`

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Constructor Detail