


1 /* ====================================================================
2  * The Jcorporate Apache Style Software License, Version 1.2 05-07-2002
3  *
4  * Copyright (c) 1995-2002 Jcorporate Ltd. All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  * notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  * notice, this list of conditions and the following disclaimer in
15  * the documentation and/or other materials provided with the
16  * distribution.
17  *
18  * 3. The end-user documentation included with the redistribution,
19  * if any, must include the following acknowledgment:
20  * "This product includes software developed by Jcorporate Ltd.
21  * (http://www.jcorporate.com/)."
22  * Alternately, this acknowledgment may appear in the software itself,
23  * if and wherever such third-party acknowledgments normally appear.
24  *
25  * 4. "Jcorporate" and product names such as "Expresso" must
26  * not be used to endorse or promote products derived from this
27  * software without prior written permission. For written permission,
28  * please contact info@jcorporate.com.
29  *
30  * 5. Products derived from this software may not be called "Expresso",
31  * or other Jcorporate product names; nor may "Expresso" or other
32  * Jcorporate product names appear in their name, without prior
33  * written permission of Jcorporate Ltd.
34  *
35  * 6. No product derived from this software may compete in the same
36  * market space, i.e. framework, without prior written permission
37  * of Jcorporate Ltd. For written permission, please contact
38  * partners@jcorporate.com.
39  *
40  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
41  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
42  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
43  * DISCLAIMED. IN NO EVENT SHALL JCORPORATE LTD OR ITS CONTRIBUTORS
44  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
45  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
46  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
47  * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
48  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
49  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
50  * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * ====================================================================
53  *
54  * This software consists of voluntary contributions made by many
55  * individuals on behalf of the Jcorporate Ltd. Contributions back
56  * to the project(s) are encouraged when you make modifications.
57  * Please send them to support@jcorporate.com. For more information
58  * on Jcorporate Ltd. and its products, please see
59  * <http://www.jcorporate.com/>.
60  *
61  * Portions of this software are based upon other open source
62  * products and are subject to their respective licenses.
63  */

65 package com.jcorporate.expresso.core.security.filters;
67 import com.jcorporate.expresso.kernel.util.FastStringBuffer;
68 import org.apache.log4j.Logger;
70 import java.util.HashMap JavaDoc;
73 /**
74  * The primary purpose of this class is to filter out particular
75  * characters from an HTTP response. The reason for this is that codes can be in-
76  * serted into a string that gets returned to a web browser, and these codes can
77  * cause the web browser to act on them in a way that is not as the site author
78  * intended, and may be a breach of security. For more on these see:
79  * <a HREF="http://www.cert.org/tech_tips/malicious_code_mitigation.html">
80  * Understanding Malicious Content Mitigation for Web Developers</a>
81  * <p/>
82  * The FilterManager implements filtering based upon a particular character set.
83  * It maintains a list of all filters that have been used since the initialization
84  * of the class. When a particular filter is requested, the manager checks to see
85  * if that particular filter has been loaded. If not, it loads it and stores a
86  * reference to it in filterList. Since the number of different character sets is
87  * actually probably fairly small for most applications, this list is never cleaned
88  * out until the class is gc'ed. If this becomes a problem, we can implement a
89  * caching system that clears out the least frequently used characterset filters.
90  *
91  * @author Michael Rimov
92  * @since Expresso 3
93  */

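public class FilterManager {
    /** The one and only instance; created lazily by {@link #getInstance()}. */
    private static FilterManager theManager;

    /**
     * Filters instantiated so far, keyed by the filter class's fully qualified
     * name. Every read and write goes through {@link #lookupFilter(Class)},
     * which synchronizes on this map: the manager is a singleton and is
     * presumably reached from many request threads at once, and an unguarded
     * HashMap is not safe under concurrent put/get.
     */
    private final HashMap filterList;

    private static final Logger log = Logger.getLogger(FilterManager.class);

    /**
     * Replace control characters with appropriate values, protect against XSS attacks
     */
    public static final String STANDARD_FILTER = "standardFilter";

    /**
     * Strip out any unwanted characters, but do not replace them with anything
     */
    public static final String STRIP_FILTER = "stripFilter";

    /**
     * Don't do anything
     */
    public static final String RAW_FILTER = "rawFilter";

    /** Package prefix prepended to a character-set name to form its filter class name. */
    private static final String FILTER_PACKAGE =
            "com.jcorporate.expresso.core.security.filters.";

    /**
     * Manager for filters. Filters are named for their character sets,
     * generally speaking. Note that "standardFilter" is not a filter, but
     * rather a command to a filter (called a "filterType").
     * A common filter is ISO_8859_1.
     *
     * @see Filter
     */
    public FilterManager() {
        // Keyed by the filter class's fully qualified name; the value is the
        // instantiated Filter. Sized small because most deployments use only a
        // handful of distinct filters.
        filterList = new HashMap(3);
    } /* FilterManager() */

    /**
     * The singleton implementation. Use getInstance to get an instance of
     * the one and only FilterManager instance. If one does not yet exist, then
     * it is automatically instantiated.
     * <p/>
     * Synchronized so that concurrent first callers cannot each create their
     * own manager (and therefore their own filter cache).
     *
     * @return A handle to the one and only FilterManager instance.
     */
    public static synchronized FilterManager getInstance() {
        if (theManager == null) {
            theManager = new FilterManager();
        }
        return theManager;
    } /* getInstance() */

    /**
     * Adds class com.jcorporate.expresso.core.security.filters. to the prefix of
     * the classname. <br>
     * <p/>
     * Changes all hyphens to underscores.<p>
     * <p/>
     * <B>Example</B><p>
     * Input: ISO-8859-1
     * Output: com.jcorporate.expresso.core.security.filters.ISO_8859_1
     * <p/>
     * Not referenced from within this class; kept for callers that may use it.
     *
     * @param characterSetName The name of the characterset to get the filter for.
     * @return The String of the full name to the class
     * @throws NullPointerException if characterSetName is null
     */
    private String prepareFilterClassName(String characterSetName) {
        // String.replace(char, char) is exactly the per-character loop this
        // used to do by hand: every '-' becomes '_', everything else is kept.
        return FILTER_PACKAGE + characterSetName.replace('-', '_');
    } /* prepareFilterClassName(String) */

    /**
     * The method that does the actual string filtering.
     * <p/>
     * If the requested filter class cannot be loaded, the failure is
     * propagated rather than returning {@code data} untouched: handing back
     * unfiltered content from an XSS filter would silently disable the
     * protection this class exists to provide.
     *
     * @param data The string to filter.
     * @param filterClass the class implementing Filter; class name will be used to hash an instance of this filter within FilterManager; use NULL to get default filtering
     * @param filterMethod one of three filter methods, supported by all filters: <br>
     * (1) &quot;standardFilter&quot; - Replace control characters with
     * appropriate values.
     * (2) &quot;rawFilter&quot; - Don't strip out any control characters
     * (3) &quot;stripFilter&quot; - Strip out all control characters
     * (these strings are defined as static final constants on this object)
     * @return The string after it has been filtered, or null if data is null
     * @throws IllegalArgumentException if filterMethod is not one of the three
     * supported names (a null filterMethod is rejected the same way)
     * @throws Exception for any other exception related to loading the specific
     * filter class
     */
    public String filterString(String data, Class filterClass, String filterMethod)
            throws IllegalArgumentException, Exception {
        if (data == null) {
            return null;
        }

        if (filterClass == null) {
            filterClass = HtmlFilter.class;
        }

        // Find (or instantiate and cache) the requested filter.
        Filter f = lookupFilter(filterClass);

        // Dispatch on the filter method name; matching is case-insensitive.
        if (STANDARD_FILTER.equalsIgnoreCase(filterMethod)) {
            return f.standardFilter(data);
        } else if (STRIP_FILTER.equalsIgnoreCase(filterMethod)) {
            return f.stripFilter(data);
        } else if (RAW_FILTER.equalsIgnoreCase(filterMethod)) {
            return f.rawFilter(data);
        }
        throw new IllegalArgumentException("Undefined Filter Method: " + filterMethod);
    }

    /**
     * Returns the cached Filter for the given class, instantiating and caching
     * it on first use. The check-then-put is done under the map's monitor so
     * that concurrent callers neither corrupt the HashMap nor observe a
     * half-built entry.
     *
     * @param filterClass the class implementing Filter; must not be null
     * @return the shared Filter instance for that class
     * @throws IllegalAccessException if the class or its no-arg constructor is
     * not accessible
     * @throws InstantiationException if the class cannot be instantiated
     * @throws ClassCastException if the class does not implement Filter
     */
    private Filter lookupFilter(Class filterClass) throws Exception {
        String key = filterClass.getName();
        synchronized (filterList) {
            Filter f = (Filter) filterList.get(key);
            if (f != null) {
                return f;
            }
            try {
                f = (Filter) filterClass.newInstance();
            } catch (IllegalAccessException ex) {
                log.error("Unable to get access to Filters package. " +
                        "You must allow the security manager to have access to: " +
                        key, ex);
                throw ex;
            } catch (InstantiationException ex) {
                log.error("Unable to instantiate Filter class " + key, ex);
                throw ex;
            } catch (ClassCastException ex) {
                log.error("Classes used for filters must extend "
                        + Filter.class.getName(), ex);
                throw ex;
            }
            filterList.put(key, f);
            return f;
        }
    } /* lookupFilter(Class) */

} /* FilterManager */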