Author: remm
Date: Mon Oct 16 06:06:09 2006
New Revision: 464474
URL: http://svn.apache.org/viewvc?view=rev&rev=464474
Log:
- Add a privileged filter list (I had forgotten about the SSI filter ...).
Added:
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/RestrictedFilters.properties
(with props)
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/ApplicationFilterConfig.java
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/LocalStrings.properties
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardWrapper.java
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/ApplicationFilterConfig.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/ApplicationFilterConfig.java?view=diff&rev=464474&r1=464473&r2=464474
==============================================================================
---
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/ApplicationFilterConfig.java
(original)
+++
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/ApplicationFilterConfig.java
Mon Oct 16 06:06:09 2006
@@ -18,11 +18,14 @@
package org.apache.catalina.core;
+import java.io.IOException;
+import java.io.InputStream;
import java.io.Serializable;
import java.lang.reflect.InvocationTargetException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Map;
+import java.util.Properties;
import javax.naming.NamingException;
import javax.servlet.Filter;
@@ -35,6 +38,7 @@
import org.apache.catalina.deploy.FilterDef;
import org.apache.catalina.security.SecurityUtil;
import org.apache.catalina.util.Enumerator;
+import org.apache.catalina.util.StringManager;
import org.apache.tomcat.util.log.SystemLogHandler;
@@ -50,6 +54,9 @@
final class ApplicationFilterConfig implements FilterConfig, Serializable {
+ protected static StringManager sm =
+ StringManager.getManager(Constants.Package);
+
// ----------------------------------------------------------- Constructors
@@ -78,6 +85,23 @@
ServletException, InvocationTargetException, NamingException {
super();
+
+ if (restrictedFilters == null) {
+ restrictedFilters = new Properties();
+ try {
+ InputStream is =
+ this.getClass().getClassLoader().getResourceAsStream
+
("org/apache/catalina/core/RestrictedFilters.properties");
+ if (is != null) {
+ restrictedFilters.load(is);
+ } else {
+
context.getLogger().error(sm.getString("applicationFilterConfig.restrictedFiltersResources"));
+ }
+ } catch (IOException e) {
+
context.getLogger().error(sm.getString("applicationFilterConfig.restrictedServletsResources"),
e);
+ }
+ }
+
this.context = context;
setFilterDef(filterDef);
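Review bot: The restricted list is assigned to the static field before it is loaded, and a missing or unreadable RestrictedFilters.properties leaves it empty, so in both cases isFilterAllowed() would allow every filter, including the SSI filter, for unprivileged webapps. Load into a local Properties and assign the static only once loading is done, and close the InputStream in a finally block, since it is never closed here. Consider failing closed (refusing filter loads for non-privileged contexts) when the resource cannot be read, rather than only logging. Whether ApplicationFilterConfig can be constructed concurrently is not visible here, so the race needs confirming; the constructor starts outside this hunk.

```java
if (restrictedFilters == null) {
    Properties props = new Properties();
    InputStream is =
        this.getClass().getClassLoader().getResourceAsStream
            ("org/apache/catalina/core/RestrictedFilters.properties");
    try {
        if (is != null) {
            props.load(is);
        } else {
            // ... unchanged: log the missing-resource error ...
        }
    } catch (IOException e) {
        // ... unchanged: log the load error ...
    } finally {
        if (is != null) {
            try {
                is.close();
            } catch (IOException ignored) {
                // Nothing useful can be done if close fails
            }
        }
    }
    // Publish only after loading so no caller sees a half-built list
    restrictedFilters = props;
}
```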
@@ -105,6 +129,12 @@
private FilterDef filterDef = null;
+ /**
+ * Restricted filters (which can only be loaded by a privileged webapp).
+ */
+ protected static Properties restrictedFilters = null;
+
+
// --------------------------------------------------- FilterConfig Methods
@@ -215,6 +245,11 @@
// Instantiate a new instance of this filter and return it
Class clazz = classLoader.loadClass(filterClass);
+ if (!isFilterAllowed(clazz)) {
+ throw new SecurityException
+ (sm.getString("applicationFilterConfig.privilegedFilter",
+ filterClass));
+ }
this.filter = (Filter) clazz.newInstance();
if (!context.getIgnoreAnnotations()) {
if (context instanceof StandardContext) {
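Review bot: The new check has no comment explaining why it sits between loadClass() and newInstance(): the refusal must happen before instantiation so that a restricted filter's constructor never runs for an unprivileged webapp. Suggest adding `// Refuse restricted filters before instantiation; only privileged contexts may load them` above the `if`. The enclosing method starts and ends outside this hunk, so how the SecurityException is reported to the deployer cannot be seen from here.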
@@ -249,6 +284,29 @@
FilterDef getFilterDef() {
return (this.filterDef);
+
+ }
+
+
+ /**
+ * Return <code>true</code> if loading this filter is allowed.
+ */
+ protected boolean isFilterAllowed(Class filterClass) {
+
+ // Privileged webapps may load all servlets without restriction
+ if (context.getPrivileged()) {
+ return true;
+ }
+
+ Class clazz = filterClass;
+ while (clazz != null &&
!clazz.getName().equals("javax.servlet.Filter")) {
+ if
("restricted".equals(restrictedFilters.getProperty(clazz.getName()))) {
+ return (false);
+ }
+ clazz = clazz.getSuperclass();
+ }
+
+ return (true);
}
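Review bot: The loop's stop condition `!clazz.getName().equals("javax.servlet.Filter")` can never be false, because Filter is an interface and getSuperclass() only walks the class chain, so the walk always runs until null after Object. Both it and the comment "Privileged webapps may load all servlets without restriction" look carried over from a servlet equivalent. Suggest `while (clazz != null) {` and `// Privileged webapps may load all filters without restriction`. The Javadoc could also say that a class is refused when it or any of its superclasses is listed as restricted, matched by class name.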
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/LocalStrings.properties?view=diff&rev=464474&r1=464473&r2=464474
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/LocalStrings.properties
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/LocalStrings.properties
Mon Oct 16 06:06:09 2006
@@ -188,3 +188,7 @@
standardWrapper.unloadException=Servlet {0} threw unload() exception
standardWrapper.unloading=Cannot allocate servlet {0} because it is being
unloaded
standardWrapper.waiting=Waiting for {0} instance(s) to be deallocated
+standardWrapper.restrictedServletsResource=Restricted servlets property file
not found
+
+applicationFilterConfig.restrictedFiltersResource=Restricted filters property
file not found
+applicationFilterConfig.privilegedFilter=Filter of class {0} is privileged and
cannot be loaded by this web application
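Review bot: The key added here, `applicationFilterConfig.restrictedFiltersResource`, does not match what the ApplicationFilterConfig constructor in this same commit looks up. That code asks for `applicationFilterConfig.restrictedFiltersResources` in the not-found branch and `applicationFilterConfig.restrictedServletsResources` in the IOException branch, and neither is defined in this hunk. Both calls should read `sm.getString("applicationFilterConfig.restrictedFiltersResource")`. As committed, the path that reports a missing restricted list will presumably fail or log an unhelpful message, depending on how StringManager treats unknown keys.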
Added:
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/RestrictedFilters.properties
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/RestrictedFilters.properties?view=auto&rev=464474
==============================================================================
---
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/RestrictedFilters.properties
(added)
+++
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/RestrictedFilters.properties
Mon Oct 16 06:06:09 2006
@@ -0,0 +1 @@
+org.apache.catalina.ssi.SSIFilter=restricted
Propchange:
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/RestrictedFilters.properties
------------------------------------------------------------------------------
svn:eol-style = native
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardWrapper.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardWrapper.java?view=diff&rev=464474&r1=464473&r2=464474
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardWrapper.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardWrapper.java Mon
Oct 16 06:06:09 2006
@@ -104,10 +104,10 @@
if (is != null) {
restrictedServlets.load(is);
} else {
-
log.error(sm.getString("standardWrapper.restrictedServletsResources"));
+
log.error(sm.getString("standardWrapper.restrictedServletsResource"));
}
} catch (IOException e) {
-
log.error(sm.getString("standardWrapper.restrictedServletsResources"), e);
+
log.error(sm.getString("standardWrapper.restrictedServletsResource"), e);
}
}