tomcat-dev mailing list archives

From r...@apache.org
Subject svn commit: r464474 - in /tomcat/tc6.0.x/trunk/java/org/apache/catalina/core: ApplicationFilterConfig.java LocalStrings.properties RestrictedFilters.properties StandardWrapper.java
Date Mon, 16 Oct 2006 13:06:10 GMT
Author: remm
Date: Mon Oct 16 06:06:09 2006
New Revision: 464474

URL: http://svn.apache.org/viewvc?view=rev&rev=464474
Log:
- Add a privileged filter list (I had forgotten about the SSI filter ...).

Added:
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/RestrictedFilters.properties   (with
props)
Modified:
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/ApplicationFilterConfig.java
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/LocalStrings.properties
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardWrapper.java

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/ApplicationFilterConfig.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/ApplicationFilterConfig.java?view=diff&rev=464474&r1=464473&r2=464474
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/ApplicationFilterConfig.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/ApplicationFilterConfig.java Mon Oct
16 06:06:09 2006
@@ -18,11 +18,14 @@
 package org.apache.catalina.core;
 
 
+import java.io.IOException;
+import java.io.InputStream;
 import java.io.Serializable;
 import java.lang.reflect.InvocationTargetException;
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.Map;
+import java.util.Properties;
 
 import javax.naming.NamingException;
 import javax.servlet.Filter;
@@ -35,6 +38,7 @@
 import org.apache.catalina.deploy.FilterDef;
 import org.apache.catalina.security.SecurityUtil;
 import org.apache.catalina.util.Enumerator;
+import org.apache.catalina.util.StringManager;
 import org.apache.tomcat.util.log.SystemLogHandler;
 
 
@@ -50,6 +54,9 @@
 final class ApplicationFilterConfig implements FilterConfig, Serializable {
 
 
+    protected static StringManager sm =
+        StringManager.getManager(Constants.Package);
+    
     // ----------------------------------------------------------- Constructors
 
 
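Review bot: `sm` is declared `protected static` and non-final inside a `final` class, so `protected` only grants package access and the reference can be reassigned. `private static final StringManager sm = StringManager.getManager(Constants.Package);` states the intent. The same applies to `restrictedFilters` in the field hunk further down: it holds the restriction list that `isFilterAllowed` consults, so it should be `private static` to keep other classes in the package from replacing it.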
@@ -78,6 +85,23 @@
                ServletException, InvocationTargetException, NamingException {
 
         super();
+
+        if (restrictedFilters == null) {
+            restrictedFilters = new Properties();
+            try {
+                InputStream is = 
+                    this.getClass().getClassLoader().getResourceAsStream
+                        ("org/apache/catalina/core/RestrictedFilters.properties");
+                if (is != null) {
+                    restrictedFilters.load(is);
+                } else {
+                    context.getLogger().error(sm.getString("applicationFilterConfig.restrictedFiltersResources"));
+                }
+            } catch (IOException e) {
+                context.getLogger().error(sm.getString("applicationFilterConfig.restrictedServletsResources"),
e);
+            }
+        }
+        
         this.context = context;
         setFilterDef(filterDef);
 
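Review bot: Both message keys in the added block are missing from the LocalStrings.properties change in this commit. The `else` branch asks for `applicationFilterConfig.restrictedFiltersResources` and the `catch` for `applicationFilterConfig.restrictedServletsResources`, while the key added is `applicationFilterConfig.restrictedFiltersResource`; the StandardWrapper hunk fixes the same trailing-`s` slip. The stream returned by `getResourceAsStream` is never closed, and `restrictedFilters` is assigned before it is loaded, so if filter configs can be constructed concurrently another thread could consult an empty list. A missing or unreadable file is only logged, which leaves every filter allowed; whether that case should fail closed is worth deciding explicitly. The constructor starts and ends outside the hunk.

```java
        // … unchanged: super() call …
        if (restrictedFilters == null) {
            Properties loaded = new Properties();
            InputStream is =
                this.getClass().getClassLoader().getResourceAsStream
                    ("org/apache/catalina/core/RestrictedFilters.properties");
            if (is == null) {
                context.getLogger().error(sm.getString("applicationFilterConfig.restrictedFiltersResource"));
            } else {
                try {
                    loaded.load(is);
                } catch (IOException e) {
                    context.getLogger().error(sm.getString("applicationFilterConfig.restrictedFiltersResource"), e);
                } finally {
                    try {
                        is.close();
                    } catch (IOException ignored) {
                        // Nothing useful to do if closing the resource stream fails
                    }
                }
            }
            // Publish only after loading so no caller sees a half-built list
            restrictedFilters = loaded;
        }
        // … unchanged: this.context = context; setFilterDef(filterDef); …
```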
@@ -105,6 +129,12 @@
     private FilterDef filterDef = null;
 
 
+    /**
+     * Restricted filters (which can only be loaded by a privileged webapp).
+     */
+    protected static Properties restrictedFilters = null;
+
+    
     // --------------------------------------------------- FilterConfig Methods
 
 
@@ -215,6 +245,11 @@
 
         // Instantiate a new instance of this filter and return it
         Class clazz = classLoader.loadClass(filterClass);
+        if (!isFilterAllowed(clazz)) {
+            throw new SecurityException
+                (sm.getString("applicationFilterConfig.privilegedFilter",
+                        filterClass));
+        }
         this.filter = (Filter) clazz.newInstance();
         if (!context.getIgnoreAnnotations()) {
             if (context instanceof StandardContext) {
@@ -249,6 +284,29 @@
     FilterDef getFilterDef() {
 
         return (this.filterDef);
+
+    }
+
+
+    /**
+     * Return <code>true</code> if loading this filter is allowed.
+     */
+    protected boolean isFilterAllowed(Class filterClass) {
+
+        // Privileged webapps may load all servlets without restriction
+        if (context.getPrivileged()) {
+            return true;
+        }
+
+        Class clazz = filterClass;
+        while (clazz != null && !clazz.getName().equals("javax.servlet.Filter"))
{
+            if ("restricted".equals(restrictedFilters.getProperty(clazz.getName()))) {
+                return (false);
+            }
+            clazz = clazz.getSuperclass();
+        }
+        
+        return (true);
 
     }
 
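Review bot: The loop guard `!clazz.getName().equals("javax.servlet.Filter")` cannot end the walk for any concrete filter class, because `javax.servlet.Filter` is an interface and `getSuperclass()` only returns classes. The loop always climbs to `Object` and stops on `null`, so `while (clazz != null) {` says what the code actually does. The comment above the privileged check was carried over from the servlet version and should read `// Privileged webapps may load all filters without restriction`. The Javadoc would also benefit from a sentence stating that a class is rejected when it or any of its superclasses is listed as `restricted`, plus an `@param filterClass` line.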

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/LocalStrings.properties?view=diff&rev=464474&r1=464473&r2=464474
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/LocalStrings.properties (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/LocalStrings.properties Mon Oct 16
06:06:09 2006
@@ -188,3 +188,7 @@
 standardWrapper.unloadException=Servlet {0} threw unload() exception
 standardWrapper.unloading=Cannot allocate servlet {0} because it is being unloaded
 standardWrapper.waiting=Waiting for {0} instance(s) to be deallocated
+standardWrapper.restrictedServletsResource=Restricted servlets property file not found
+
+applicationFilterConfig.restrictedFiltersResource=Restricted filters property file not found
+applicationFilterConfig.privilegedFilter=Filter of class {0} is privileged and cannot be
loaded by this web application

Added: tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/RestrictedFilters.properties
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/RestrictedFilters.properties?view=auto&rev=464474
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/RestrictedFilters.properties (added)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/RestrictedFilters.properties Mon Oct
16 06:06:09 2006
@@ -0,0 +1 @@
+org.apache.catalina.ssi.SSIFilter=restricted

Propchange: tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/RestrictedFilters.properties
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardWrapper.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardWrapper.java?view=diff&rev=464474&r1=464473&r2=464474
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardWrapper.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardWrapper.java Mon Oct 16 06:06:09
2006
@@ -104,10 +104,10 @@
                 if (is != null) {
                     restrictedServlets.load(is);
                 } else {
-                    log.error(sm.getString("standardWrapper.restrictedServletsResources"));
+                    log.error(sm.getString("standardWrapper.restrictedServletsResource"));
                 }
             } catch (IOException e) {
-                log.error(sm.getString("standardWrapper.restrictedServletsResources"), e);
+                log.error(sm.getString("standardWrapper.restrictedServletsResource"), e);
             }
         }
         


