org.owasp.esapi.waf

Class ESAPIWebApplicationFirewallFilter

java.lang.Object

org.owasp.esapi.waf.ESAPIWebApplicationFirewallFilter

All Implemented Interfaces:

javax.servlet.Filter

public class ESAPIWebApplicationFirewallFilter
extends java.lang.Object
implements javax.servlet.Filter

This is the main class for the ESAPI Web Application Firewall (WAF). It is a standard J2EE servlet filter that, in different methods, invokes the reading of the configuration file and handles the runtime processing and enforcing of the developer-specified rules. Ideally the filter should be configured to catch all requests (/*) in web.xml. If there are URL segments that need to be extremely fast and don't require any protection, the pattern may be modified with extreme caution.

Field Summary

Fields

Modifier and Type	Field and Description
private AppGuardianConfiguration	appGuardConfig
private static java.lang.String	CONFIGURATION_FILE_PARAM
private java.lang.String	configurationFilename
private static int	DEFAULT_POLLING_TIME
private javax.servlet.FilterConfig	fc
private long	lastConfigReadTime
private Logger	logger
private static java.lang.String	LOGGING_FILE_PARAM
private static java.lang.String	POLLING_TIME_PARAM
private long	pollingTime

Constructor Summary

Constructors

Constructor and Description
ESAPIWebApplicationFirewallFilter()

Method Summary

Modifier and Type	Method and Description
void	destroy()
void	doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain chain) This is the where the main interception and rule-checking logic of the WAF resides.
AppGuardianConfiguration	getConfiguration()
void	init(javax.servlet.FilterConfig fc) This function is invoked at application startup and when the configuration file polling period has elapsed and a change in the configuration file has been detected.
private void	sendRedirect(InterceptingHTTPServletResponse response, javax.servlet.http.HttpServletResponse httpResponse)
private void	sendRedirect(InterceptingHTTPServletResponse response, javax.servlet.http.HttpServletResponse httpResponse, java.lang.String redirectURL)
void	setConfiguration(java.lang.String policyFilePath, java.lang.String webRootDir) This function is used in testing to dynamically alter the configuration.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

appGuardConfig

private AppGuardianConfiguration appGuardConfig

CONFIGURATION_FILE_PARAM

private static final java.lang.String CONFIGURATION_FILE_PARAM

See Also:

Constant Field Values

LOGGING_FILE_PARAM

private static final java.lang.String LOGGING_FILE_PARAM

See Also:

Constant Field Values

POLLING_TIME_PARAM

private static final java.lang.String POLLING_TIME_PARAM

See Also:

Constant Field Values

DEFAULT_POLLING_TIME

private static final int DEFAULT_POLLING_TIME

See Also:

Constant Field Values

configurationFilename

private java.lang.String configurationFilename

pollingTime

private long pollingTime

lastConfigReadTime

private long lastConfigReadTime

fc

private javax.servlet.FilterConfig fc

logger

private final Logger logger

Constructor Detail

ESAPIWebApplicationFirewallFilter

public ESAPIWebApplicationFirewallFilter()

Method Detail

setConfiguration

public void setConfiguration(java.lang.String policyFilePath,
                             java.lang.String webRootDir)
                      throws java.io.FileNotFoundException

This function is used in testing to dynamically alter the configuration.

Parameters:

policyFilePath - The path to the policy file

webRootDir - The root directory of the web application.

Throws:

java.io.FileNotFoundException - if the policy file cannot be located

getConfiguration

public AppGuardianConfiguration getConfiguration()

init

public void init(javax.servlet.FilterConfig fc)
          throws javax.servlet.ServletException

This function is invoked at application startup and when the configuration file polling period has elapsed and a change in the configuration file has been detected. It's main purpose is to read the configuration file and establish the configuration object model for use at runtime during the doFilter() method.

Specified by:

init in interface javax.servlet.Filter

Throws:

javax.servlet.ServletException

doFilter

public void doFilter(javax.servlet.ServletRequest servletRequest,
                     javax.servlet.ServletResponse servletResponse,
                     javax.servlet.FilterChain chain)
              throws java.io.IOException,
                     javax.servlet.ServletException

This is the where the main interception and rule-checking logic of the WAF resides.

Specified by:

doFilter in interface javax.servlet.Filter

Throws:

java.io.IOException

javax.servlet.ServletException

sendRedirect

private void sendRedirect(InterceptingHTTPServletResponse response,
                          javax.servlet.http.HttpServletResponse httpResponse,
                          java.lang.String redirectURL)
                   throws java.io.IOException

Throws:

java.io.IOException

destroy

public void destroy()

Specified by:

destroy in interface javax.servlet.Filter

sendRedirect

private void sendRedirect(InterceptingHTTPServletResponse response,
                          javax.servlet.http.HttpServletResponse httpResponse)
                   throws java.io.IOException

Throws:

java.io.IOException