org.owasp.esapi.waf.internal

Class InterceptingHTTPServletResponse

java.lang.Object

javax.servlet.ServletResponseWrapper

javax.servlet.http.HttpServletResponseWrapper

org.owasp.esapi.waf.internal.InterceptingHTTPServletResponse

All Implemented Interfaces:

javax.servlet.http.HttpServletResponse, javax.servlet.ServletResponse

public class InterceptingHTTPServletResponse
extends javax.servlet.http.HttpServletResponseWrapper

The wrapper for the HttpServletResponse object which will be passed to the application being protected by the WAF. It contains logic for the response building API in order to allow the WAF rules regarding responses to work. Much of the work is delegated to other classes, especially InterceptingServletOutputStream

Field Summary

Fields

Modifier and Type	Field and Description
private java.util.List<AddHTTPOnlyFlagRule>	addHTTPOnlyFlagRules
private java.util.List<AddSecureFlagRule>	addSecureFlagRules
private boolean	alreadyCalledOutputStream
private boolean	alreadyCalledWriter
private java.lang.String	contentType
private InterceptingPrintWriter	ipw
private InterceptingServletOutputStream	isos

Fields inherited from interface javax.servlet.http.HttpServletResponse

SC_ACCEPTED, SC_BAD_GATEWAY, SC_BAD_REQUEST, SC_CONFLICT, SC_CONTINUE, SC_CREATED, SC_EXPECTATION_FAILED, SC_FORBIDDEN, SC_FOUND, SC_GATEWAY_TIMEOUT, SC_GONE, SC_HTTP_VERSION_NOT_SUPPORTED, SC_INTERNAL_SERVER_ERROR, SC_LENGTH_REQUIRED, SC_METHOD_NOT_ALLOWED, SC_MOVED_PERMANENTLY, SC_MOVED_TEMPORARILY, SC_MULTIPLE_CHOICES, SC_NO_CONTENT, SC_NON_AUTHORITATIVE_INFORMATION, SC_NOT_ACCEPTABLE, SC_NOT_FOUND, SC_NOT_IMPLEMENTED, SC_NOT_MODIFIED, SC_OK, SC_PARTIAL_CONTENT, SC_PAYMENT_REQUIRED, SC_PRECONDITION_FAILED, SC_PROXY_AUTHENTICATION_REQUIRED, SC_REQUEST_ENTITY_TOO_LARGE, SC_REQUEST_TIMEOUT, SC_REQUEST_URI_TOO_LONG, SC_REQUESTED_RANGE_NOT_SATISFIABLE, SC_RESET_CONTENT, SC_SEE_OTHER, SC_SERVICE_UNAVAILABLE, SC_SWITCHING_PROTOCOLS, SC_TEMPORARY_REDIRECT, SC_UNAUTHORIZED, SC_UNSUPPORTED_MEDIA_TYPE, SC_USE_PROXY

Constructor Summary

Constructors

Constructor and Description
InterceptingHTTPServletResponse(javax.servlet.http.HttpServletResponse response, boolean buffering, java.util.List<Rule> cookieRules)

Method Summary

Modifier and Type	Method and Description
void	addCookie(javax.servlet.http.Cookie cookie)
void	addCookie(javax.servlet.http.Cookie cookie, boolean isSession)
void	commit()
private java.lang.String	createCookieHeader(java.lang.String name, java.lang.String value, int maxAge, java.lang.String domain, java.lang.String path, boolean secure, boolean httpOnly, boolean isTemporary)
void	flush()
java.lang.String	getContentType()
InterceptingServletOutputStream	getInterceptingServletOutputStream()
javax.servlet.ServletOutputStream	getOutputStream()
java.io.PrintWriter	getWriter()
boolean	isUsingWriter()
void	setContentType(java.lang.String s)

Methods inherited from class javax.servlet.http.HttpServletResponseWrapper

addDateHeader, addHeader, addIntHeader, containsHeader, encodeRedirectUrl, encodeRedirectURL, encodeUrl, encodeURL, getHeader, getHeaderNames, getHeaders, getStatus, getTrailerFields, sendError, sendError, sendRedirect, setDateHeader, setHeader, setIntHeader, setStatus, setStatus, setTrailerFields

Methods inherited from class javax.servlet.ServletResponseWrapper

flushBuffer, getBufferSize, getCharacterEncoding, getLocale, getResponse, isCommitted, isWrapperFor, isWrapperFor, reset, resetBuffer, setBufferSize, setCharacterEncoding, setContentLength, setContentLengthLong, setLocale, setResponse

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface javax.servlet.ServletResponse

flushBuffer, getBufferSize, getCharacterEncoding, getLocale, isCommitted, reset, resetBuffer, setBufferSize, setCharacterEncoding, setContentLength, setContentLengthLong, setLocale

Field Detail

ipw

private InterceptingPrintWriter ipw

isos

private InterceptingServletOutputStream isos

contentType

private java.lang.String contentType

addSecureFlagRules

private java.util.List<AddSecureFlagRule> addSecureFlagRules

addHTTPOnlyFlagRules

private java.util.List<AddHTTPOnlyFlagRule> addHTTPOnlyFlagRules

alreadyCalledWriter

private boolean alreadyCalledWriter

alreadyCalledOutputStream

private boolean alreadyCalledOutputStream

Constructor Detail

InterceptingHTTPServletResponse

public InterceptingHTTPServletResponse(javax.servlet.http.HttpServletResponse response,
                                       boolean buffering,
                                       java.util.List<Rule> cookieRules)
                                throws java.io.IOException

Throws:

java.io.IOException

Method Detail

isUsingWriter

public boolean isUsingWriter()

getInterceptingServletOutputStream

public InterceptingServletOutputStream getInterceptingServletOutputStream()

getOutputStream

public javax.servlet.ServletOutputStream getOutputStream()
                                                  throws java.lang.IllegalStateException,
                                                         java.io.IOException

Specified by:

getOutputStream in interface javax.servlet.ServletResponse

Overrides:

getOutputStream in class javax.servlet.ServletResponseWrapper

Throws:

java.lang.IllegalStateException

java.io.IOException

getWriter

public java.io.PrintWriter getWriter()
                              throws java.io.IOException

Specified by:

getWriter in interface javax.servlet.ServletResponse

Overrides:

getWriter in class javax.servlet.ServletResponseWrapper

Throws:

java.io.IOException

getContentType

public java.lang.String getContentType()

Specified by:

getContentType in interface javax.servlet.ServletResponse

Overrides:

getContentType in class javax.servlet.ServletResponseWrapper

setContentType

public void setContentType(java.lang.String s)

Specified by:

setContentType in interface javax.servlet.ServletResponse

Overrides:

setContentType in class javax.servlet.ServletResponseWrapper

flush

public void flush()

commit

public void commit()
            throws java.io.IOException

Throws:

java.io.IOException

addCookie

public void addCookie(javax.servlet.http.Cookie cookie)

Specified by:

addCookie in interface javax.servlet.http.HttpServletResponse

Overrides:

addCookie in class javax.servlet.http.HttpServletResponseWrapper

addCookie

public void addCookie(javax.servlet.http.Cookie cookie,
                      boolean isSession)

createCookieHeader

private java.lang.String createCookieHeader(java.lang.String name,
                                            java.lang.String value,
                                            int maxAge,
                                            java.lang.String domain,
                                            java.lang.String path,
                                            boolean secure,
                                            boolean httpOnly,
                                            boolean isTemporary)