org.owasp.esapi.filters
Class SecurityWrapper
java.lang.Object
org.owasp.esapi.filters.SecurityWrapper
- All Implemented Interfaces:
- javax.servlet.Filter
public class SecurityWrapper
- extends java.lang.Object
- implements javax.servlet.Filter
This filter wraps the incoming request and outgoing response and overrides
many methods with safer versions. Many of the safer versions simply validate
parts of the request or response for unwanted characters before allowing the
call to complete. Some examples of attacks that use these
vectors include request splitting, response splitting, and file download
injection. Attackers use techniques like CRLF injection and null byte injection
to confuse the parsing of requests and responses.
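As an added illustration of the wrapping technique described above (this is not ESAPI's own SecurityWrapper source), a minimal filter in the same style: it wraps the request and response and rejects CR, LF and NUL in parameter and header values so that CRLF and null-byte injection cannot reach the servlet or be written into response headers. The class and inner wrapper names are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Illustrative filter (not ESAPI's SecurityWrapper): wraps the request and response
// and refuses CR, LF and NUL in the values that drive request parsing and response headers.
public class CrlfNullByteFilter implements Filter {

    // CR/LF enable request and response splitting; NUL confuses native string handling.
    static boolean containsControlChars(String s) {
        return s != null && (s.indexOf('\r') >= 0 || s.indexOf('\n') >= 0 || s.indexOf('\0') >= 0);
    }

    // Hypothetical request wrapper: a parameter or header carrying CR/LF/NUL is reported as absent.
    static class SafeRequest extends HttpServletRequestWrapper {
        SafeRequest(HttpServletRequest req) { super(req); }
        @Override public String getParameter(String name) {
            String v = super.getParameter(name);
            return containsControlChars(v) ? null : v;
        }
        @Override public String getHeader(String name) {
            String v = super.getHeader(name);
            return containsControlChars(v) ? null : v;
        }
    }

    // Hypothetical response wrapper: header names/values with CR/LF/NUL are refused,
    // so application code cannot be tricked into emitting a second, attacker-shaped response.
    static class SafeResponse extends HttpServletResponseWrapper {
        SafeResponse(HttpServletResponse res) { super(res); }
        private void check(String name, String value) {
            if (containsControlChars(name) || containsControlChars(value))
                throw new IllegalArgumentException("control character in response header: " + name);
        }
        @Override public void setHeader(String name, String value) { check(name, value); super.setHeader(name, value); }
        @Override public void addHeader(String name, String value) { check(name, value); super.addHeader(name, value); }
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            chain.doFilter(new SafeRequest((HttpServletRequest) req), new SafeResponse((HttpServletResponse) res));
        } else {
            chain.doFilter(req, res); // non-HTTP traffic is passed through untouched
        }
    }
}
```

Map the filter in web.xml with a filter-mapping covering the paths to protect; the servlet behind it then only ever sees the wrapped objects.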
Example Configuration #1 (Default Configuration allows /WEB-INF):

    <filter>
        <filter-name>SecurityWrapperDefault</filter-name>
        <filter-class>org.owasp.esapi.filters.SecurityWrapper</filter-class>
    </filter>

Example Configuration #2 (Allows /servlet):

    <filter>
        <filter-name>SecurityWrapperForServlet</filter-name>
        <filter-class>org.owasp.esapi.filters.SecurityWrapper</filter-class>
        <init-param>
            <param-name>allowableResourceRoot</param-name>
            <param-value>/servlet</param-value>
        </init-param>
    </filter>
- Author:
- Chris Schmidt ([email protected])
Method Summary
- void destroy()
- void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
- void init(javax.servlet.FilterConfig filterConfig)
Methods inherited from class java.lang.Object
- clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Constructor Detail
SecurityWrapper
public SecurityWrapper()
Method Detail
doFilter
public void doFilter(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain chain)
              throws java.io.IOException,
                     javax.servlet.ServletException
- Specified by: doFilter in interface javax.servlet.Filter
- Parameters: request, response, chain
- Throws: java.io.IOException, javax.servlet.ServletException
destroy
public void destroy()
- Specified by: destroy in interface javax.servlet.Filter
init
public void init(javax.servlet.FilterConfig filterConfig)
          throws javax.servlet.ServletException
- Specified by: init in interface javax.servlet.Filter
- Parameters: filterConfig
- Throws: javax.servlet.ServletException
Copyright © 2011 The Open Web Application Security Project (OWASP). All Rights Reserved.