esapi-java-legacy
Add method isValidHTTPRequest(HttpServletRequest request) to Validator Interface (1.4.x release)
From [email protected] on February 22, 2012 09:07:07
If we add a method to the Validator interface to assert whether an HttpServletRequest is valid, clients will not have to use Safe request. This will improve the "pluggability" of the ESAPI API, since some application servers do not like wrapping of HttpServletRequest to Safe request. For example, Oracle Application Server 10G throws an exception if the HttpServletRequest is wrapped to an ESAPI SafeRequest when it checks whether a JSP page needs compilation.
The method signature is below:
boolean isValidHTTPRequest(HttpServletRequest request) throws IntrusionException;
DefaultValidator.java already has this method as public.
One can now call something like this from within a filter:
    if (ESAPI.validator().isValidHTTPRequest(httprequest)) {
        chain.doFilter(request, response);
    } else {
        response.setContentType("text/html");
        response.getWriter().print("Can't process: Unsafe data send in request.");
    }
1.4.x release Milestone 2.1
Attachment: Validator.java
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=263
From [email protected] on February 22, 2012 06:08:49
On the code sample above, ESAPI.validator().isValidHTTPRequest(httprequest) can be called w/o calling ESAPI.httpUtilities().setCurrentHTTP();
From [email protected] on February 22, 2012 07:27:06
Attached is DefaultValidator.java with the new public method.
Attachment: DefaultValidator.java
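A complete filter built around the call discussed in this issue, as an added example that is not part of the original thread or the ESAPI code base. The class name RequestValidationFilter is hypothetical, and the code assumes isValidHTTPRequest(HttpServletRequest) is available on the Validator interface as proposed above. It passes the original, unwrapped request down the chain, treats an IntrusionException as a failed validation, and rejects with a generic 400.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;

/** Hypothetical filter: validates the raw request instead of wrapping it in a SafeRequest. */
public class RequestValidationFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Fail closed: this filter only knows how to validate HTTP requests.
        if (!(request instanceof HttpServletRequest)
                || !(response instanceof HttpServletResponse)) {
            throw new ServletException("RequestValidationFilter supports HTTP requests only");
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        boolean valid;
        try {
            // Assumption: the Validator interface exposes the method proposed in this issue.
            valid = ESAPI.validator().isValidHTTPRequest(httpRequest);
        } catch (IntrusionException e) {
            // The proposed signature declares IntrusionException; treat it as a rejection.
            valid = false;
        }

        if (valid) {
            // Hand on the container's own request object, so servers that reject
            // wrapped requests (the Oracle AS 10G case above) are unaffected.
            chain.doFilter(request, response);
        } else {
            // Generic status only; no request data is echoed back to the client.
            httpResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    }

    public void destroy() { }
}
```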