author | alee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-03-10 03:13:21 +0000 |
---|---|---|
committer | alee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-03-10 03:13:21 +0000 |
commit | fd1be05b56c61642243aabfbf43875435f7bdf97 (patch) | |
tree | 28ad0b62bcc7d21721bc24259c31f0512e00342d /pki/base/common/src/com/netscape/cms/servlet/filter | |
parent | b0bf36b86e3b9110abd45debe61f95b41a038181 (diff) | |
BZ Bug 545935 - Add new client-auth ee port to address CVE-2009-3555
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1011 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/servlet/filter')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java | 101 |
1 files changed, 101 insertions, 0 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java b/pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java
new file mode 100644
index 000000000..9a63e1a58
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/servlet/filter/EEClientAuthRequestFilter.java
@@ -0,0 +1,101 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2010 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.filter;
+
+import javax.servlet.http.*;
+import javax.servlet.*;
+import com.netscape.certsrv.apps.*;
+
+public class EEClientAuthRequestFilter implements Filter
+{
+ private static final String HTTPS_SCHEME = "https";
+ private static final String HTTPS_PORT = "https_port";
+ private static final String HTTPS_ROLE = "EE Client Auth";
+
+ private FilterConfig config;
+
+ /* Create a new EEClientAuthRequestFilter */
+ public EEClientAuthRequestFilter() {}
+
+ public void init( FilterConfig filterConfig )
+ throws ServletException
+ {
+ this.config = filterConfig;
+ }
+
+ public void doFilter( ServletRequest request,
+ ServletResponse response,
+ FilterChain chain )
+ throws java.io.IOException,
+ ServletException
+ {
+ String filterName = getClass().getName();
+
+ String scheme = null;
+ int port = 0;
+
+ String request_port = null;
+ String param_https_port = null;
+ String msg = null;
+
+ if( request instanceof HttpServletRequest ) {
+ HttpServletResponse resp = ( HttpServletResponse ) response;
+
+ // RFC 1738: verify that scheme is "https"
+ scheme = request.getScheme();
+ if( ! scheme.equals( HTTPS_SCHEME ) ) {
+ msg = "The scheme MUST be '" + HTTPS_SCHEME +
+ "', NOT '" + scheme + "'!";
+ CMS.debug( filterName + ": " + msg );
+ resp.sendError( HttpServletResponse.SC_UNAUTHORIZED, msg );
+ return;
+ }
+
+ // Always obtain an "https" port from request
+ port = request.getServerPort();
+ request_port = Integer.toString( port );
+
+ // Always obtain the "https" port passed in as a parameter
+ param_https_port = config.getInitParameter( HTTPS_PORT );
+ if( param_https_port == null ) {
+ msg = "The <param-name> '" + HTTPS_PORT +
+ "' </param-name> " + "MUST be specified in 'web.xml'!";
+ CMS.debug( filterName + ": " + msg );
+ resp.sendError( HttpServletResponse.SC_NOT_IMPLEMENTED, msg );
+ return;
+ }
+
+ // Compare the request and param "https" ports
+ if( ! param_https_port.equals( request_port ) ) {
+ msg = "Use HTTPS port '" + param_https_port +
+ "' instead of '" + request_port +
+ "' when performing " + HTTPS_ROLE + " tasks!";
+ CMS.debug( filterName + ": " + msg );
+ resp.sendError( HttpServletResponse.SC_NOT_FOUND, msg );
+ return;
+ }
+ }
+
+ chain.doFilter( request, response );
+ }
+
+ public void destroy()
+ {
+ }
+}
+ |
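Review bot: The port check in doFilter compares the web.xml value against `request.getServerPort()`, which per the Servlet API is taken from the Host header's port when one is present and only falls back to the accepting connector's port otherwise, so it reflects what the client sent rather than which connector the connection actually arrived on. Since this filter exists to ensure EE client-auth work only reaches the client-auth connector, the comparison should use the local socket port, `port = request.getLocalPort();` (available since Servlet 2.4), keeping the `Integer.toString( port )` conversion as is. Separately, the whole check is wrapped in `if( request instanceof HttpServletRequest )` and a non-HTTP request falls straight through to `chain.doFilter`, which makes the filter fail open; rejecting that case (or at minimum logging it via `CMS.debug`) keeps enforcement unconditional, and `response` should be instanceof-checked before the `( HttpServletResponse )` cast rather than relying on the request's type.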