Posted to commits@sling.apache.org by ro...@apache.org on 2017/11/07 10:12:59 UTC
[sling-org-apache-sling-security] annotated tag
org.apache.sling.security-1.0.10 created (now 89e4707)
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a change to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git.
at 89e4707 (tag)
tagging d954ef9afcf863d2ab52c39652caf0cfef4634ec (commit)
by Antonio Sanso
on Thu Apr 2 10:02:52 2015 +0000
- Log -----------------------------------------------------------------
org.apache.sling.security-1.0.10
-----------------------------------------------------------------------
This annotated tag includes the following new commits:
new 039593a SLING-2141 - Add a way to check the referrer for modification requests
new 6b5f16b Ignore target
new 78f00c6 SLING-2141 - Add a way to check the referrer for modification requests
new ac5acb3 SLING-2141 - Add a way to check the referrer for modification requests
new 8256705 SLING-2141 - Add a way to check the referrer for modification requests
new 2e74bb2 SLING-2141 - Add a way to check the referrer for modification requests
new a493d9f SLING-2150 : Update plugins to use the latest available versions
new 2989f95 SLING-2141 : Update localhost and server handling
new bb90451 Update to recent snapshot
new 3f3a1c3 Allow empty referrers by default
new ea48c8c Update default list
new e782ad3 Using latest released parent pom
new 04c948c SLING-2664 : Use global filter instead of Sling filter
new dfbcc57 Use latest Commons OSGi and return 403 instead of 500
new d87917c SLING-2198 - allowing request if the referrer host name matches the request host name (also, internalizing the PropertiesUtil class for compatibility purposes)
new 23166c5 SLING-2200 - adding a configuration printer to the referrer filter
new 01f70f8 Remove duplicate entry
new 7a45910 SLING-2279 : ReferrerFilter should not reverse lookup the IPs of interfaces. Apply patch from Tobias Bocanegra
new ceda7a9 [maven-release-plugin] prepare release org.apache.sling.security-1.0.0
new d431bfd [maven-release-plugin] prepare for next development iteration
new 37a4ee1 Use latest parent pom in all projects
new 9962937 Use latest parent pom everywhere
new c537035 Set svn:ignore
new b9b53a5 SLING-2694 : Only check referrer header if request is from a browser
new fa7665e [maven-release-plugin] prepare release org.apache.sling.security-1.0.2
new 38c657b [maven-release-plugin] prepare for next development iteration
new 64faf10 Use latest releases and update to new parent pom
new 0f149ec Update to latest parent pom and use latest releases in launchpad
new fbfc8e8 SLING-2836 : Missing @(De)Activate annotations in ReferrerFilter#(de)activate() methods cause Sling Referrer Filter Tab clones
new 4c40987 [maven-release-plugin] prepare release org.apache.sling.security-1.0.4
new 6c3a2d5 [maven-release-plugin] prepare for next development iteration
new fc2c9e5 Correct reactor pom and update to parent pom 16
new 45dec5c FELIX-2870 : Support allowed hosts patterns in ReferrerFilter . Apply patch from Timothee Maret
new 604b0b7 [maven-release-plugin] prepare release org.apache.sling.security-1.0.6
new 6bd5364 [maven-release-plugin] prepare for next development iteration
new a456ca7 SLING-4019 - ReferrerFilter should have DEFAULT_ALLOW_EMPTY set to false
new daac5d7 SLING-4019 - ReferrerFilter should have DEFAULT_ALLOW_EMPTY set to false
new 16d9866 [maven-release-plugin] prepare release org.apache.sling.security-1.0.8
new a04352b [maven-release-plugin] prepare for next development iteration
new bd06fa0 SLING-3829 - Add support for Content-Disposition attachment
new 5621fdb [maven-release-plugin] prepare release org.apache.sling.security-1.0.10
new d954ef9 [maven-release-plugin] copy for tag org.apache.sling.security-1.0.10
The 42 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
--
To stop receiving notification emails like this one, please contact
['"commits@sling.apache.org" <co...@sling.apache.org>'].
[sling-org-apache-sling-security] 09/30: Use latest parent pom in
all projects
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit 37a4ee104f13d58997a94cd2f849bee25b1175f4
Author: Carsten Ziegeler <cz...@apache.org>
AuthorDate: Tue Apr 3 11:15:41 2012 +0000
Use latest parent pom in all projects
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1308819 13f79535-47bb-0310-9956-ffa450edef68
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 83b0a0f..0b27884 100644
--- a/pom.xml
+++ b/pom.xml
@@ -23,7 +23,7 @@
<parent>
<groupId>org.apache.sling</groupId>
<artifactId>sling</artifactId>
- <version>11</version>
+ <version>12</version>
</parent>
<artifactId>org.apache.sling.security</artifactId>
[sling-org-apache-sling-security] 15/30: Use latest releases and
update to new parent pom
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit 64faf10a65c21b732eafd040ced6d6a67b08ddb5
Author: Carsten Ziegeler <cz...@apache.org>
AuthorDate: Sun Dec 23 06:53:35 2012 +0000
Use latest releases and update to new parent pom
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1425425 13f79535-47bb-0310-9956-ffa450edef68
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 8765d2c..a6bef27 100644
--- a/pom.xml
+++ b/pom.xml
@@ -23,7 +23,7 @@
<parent>
<groupId>org.apache.sling</groupId>
<artifactId>sling</artifactId>
- <version>13</version>
+ <version>14</version>
</parent>
<artifactId>org.apache.sling.security</artifactId>
[sling-org-apache-sling-security] 24/30: SLING-4019 -
ReferrerFilter should have DEFAULT_ALLOW_EMPTY set to false
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit a456ca7fc34dd680cdee523c0b873e3a9c532020
Author: Antonio Sanso <as...@apache.org>
AuthorDate: Mon Feb 16 15:44:17 2015 +0000
SLING-4019 - ReferrerFilter should have DEFAULT_ALLOW_EMPTY set to false
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1660146 13f79535-47bb-0310-9956-ffa450edef68
---
src/main/java/org/apache/sling/security/impl/ReferrerFilter.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
index e3dfa5d..f3c4951 100644
--- a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
+++ b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
@@ -89,7 +89,7 @@ public class ReferrerFilter implements Filter {
private final Logger logger = LoggerFactory.getLogger(this.getClass());
/** Default value for allow empty. */
- private static final boolean DEFAULT_ALLOW_EMPTY = true;
+ private static final boolean DEFAULT_ALLOW_EMPTY = false;
/** Allow empty property. */
@Property(boolValue=DEFAULT_ALLOW_EMPTY)
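Review bot: flipping `DEFAULT_ALLOW_EMPTY` to `false` changes behaviour for every deployment that never set the allow-empty property explicitly, and nothing in this one-line change documents that. Requests arriving with an empty referrer that the old default accepted are no longer allowed unless the property is configured, so the Javadoc on the constant (currently just "Default value for allow empty.") should state why the default is `false`, and the upgrade impact belongs in the release notes. The diffstat shows only ReferrerFilter.java touched; a test asserting that an empty referrer is refused under the default configuration would keep this from regressing.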
[sling-org-apache-sling-security] 22/30: [maven-release-plugin]
prepare release org.apache.sling.security-1.0.6
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit 604b0b755ad9ea80528707988fb65f112809a100
Author: Carsten Ziegeler <cz...@apache.org>
AuthorDate: Mon Mar 3 09:27:14 2014 +0000
[maven-release-plugin] prepare release org.apache.sling.security-1.0.6
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1573486 13f79535-47bb-0310-9956-ffa450edef68
---
pom.xml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pom.xml b/pom.xml
index e30c52f..0ebde34 100644
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,7 @@
</parent>
<artifactId>org.apache.sling.security</artifactId>
- <version>1.0.5-SNAPSHOT</version>
+ <version>1.0.6</version>
<packaging>bundle</packaging>
<name>Apache Sling Security</name>
@@ -36,9 +36,9 @@
</description>
<scm>
- <connection>scm:svn:http://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</connection>
- <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</developerConnection>
- <url>http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security</url>
+ <connection>scm:svn:http://svn.apache.org/repos/asf/sling/tags/org.apache.sling.security-1.0.6</connection>
+ <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/tags/org.apache.sling.security-1.0.6</developerConnection>
+ <url>http://svn.apache.org/viewvc/sling/tags/org.apache.sling.security-1.0.6</url>
</scm>
<build>
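Review bot: in the `<scm>` block, `<connection>` and `<url>` point at `http://svn.apache.org/...` while only `<developerConnection>` uses `https://`. Anyone checking out the tagged source through the read-only connection does so over cleartext; pointing all three entries at https would give the tag checkout transport integrity.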
[sling-org-apache-sling-security] 10/30: Use latest parent pom
everywhere
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit 996293773d3a106c3b5624e9c4559c70ed950578
Author: Carsten Ziegeler <cz...@apache.org>
AuthorDate: Wed Aug 1 13:53:43 2012 +0000
Use latest parent pom everywhere
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1367998 13f79535-47bb-0310-9956-ffa450edef68
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 0b27884..3e3d594 100644
--- a/pom.xml
+++ b/pom.xml
@@ -23,7 +23,7 @@
<parent>
<groupId>org.apache.sling</groupId>
<artifactId>sling</artifactId>
- <version>12</version>
+ <version>13</version>
</parent>
<artifactId>org.apache.sling.security</artifactId>
[sling-org-apache-sling-security] 05/30: Remove duplicate entry
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit 01f70f805e7d76a4bd92a42961af7e27a6b43a64
Author: Carsten Ziegeler <cz...@apache.org>
AuthorDate: Fri Sep 9 12:33:00 2011 +0000
Remove duplicate entry
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1167133 13f79535-47bb-0310-9956-ffa450edef68
---
src/main/java/org/apache/sling/security/impl/ReferrerFilter.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
index afe33ee..344e9d4 100644
--- a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
+++ b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
@@ -134,7 +134,7 @@ public class ReferrerFilter implements Filter {
referrers.add("https://localhost" + ":0");
referrers.add("https://127.0.0.1" + ":0");
referrers.add("https://[::1]" + ":0");
- referrers.add("https://[::1]" + ":0");
+
return referrers;
}
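Review bot: the duplicate `referrers.add("https://[::1]" + ":0");` is swapped for an added empty line instead of being deleted, which leaves a stray blank line before `return referrers;`. Drop the `+` line so the hunk is a pure removal.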
[sling-org-apache-sling-security] 14/30: [maven-release-plugin]
prepare for next development iteration
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit 38c657b9c6fe1899dcc3e3ba713e8100c0f6db71
Author: Carsten Ziegeler <cz...@apache.org>
AuthorDate: Sat Dec 15 14:56:17 2012 +0000
[maven-release-plugin] prepare for next development iteration
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1422262 13f79535-47bb-0310-9956-ffa450edef68
---
pom.xml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pom.xml b/pom.xml
index 81db816..8765d2c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,7 @@
</parent>
<artifactId>org.apache.sling.security</artifactId>
- <version>1.0.2</version>
+ <version>1.0.3-SNAPSHOT</version>
<packaging>bundle</packaging>
<name>Apache Sling Security</name>
@@ -36,9 +36,9 @@
</description>
<scm>
- <connection>scm:svn:http://svn.apache.org/repos/asf/sling/tags/org.apache.sling.security-1.0.2</connection>
- <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/tags/org.apache.sling.security-1.0.2</developerConnection>
- <url>http://svn.apache.org/viewvc/sling/tags/org.apache.sling.security-1.0.2</url>
+ <connection>scm:svn:http://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</connection>
+ <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</developerConnection>
+ <url>http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security</url>
</scm>
<build>
[sling-org-apache-sling-security] 23/30: [maven-release-plugin]
prepare for next development iteration
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit 6bd536445512a95ec469bc3251338a29b25bc951
Author: Carsten Ziegeler <cz...@apache.org>
AuthorDate: Mon Mar 3 09:27:37 2014 +0000
[maven-release-plugin] prepare for next development iteration
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1573488 13f79535-47bb-0310-9956-ffa450edef68
---
pom.xml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pom.xml b/pom.xml
index 0ebde34..f907fbc 100644
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,7 @@
</parent>
<artifactId>org.apache.sling.security</artifactId>
- <version>1.0.6</version>
+ <version>1.0.7-SNAPSHOT</version>
<packaging>bundle</packaging>
<name>Apache Sling Security</name>
@@ -36,9 +36,9 @@
</description>
<scm>
- <connection>scm:svn:http://svn.apache.org/repos/asf/sling/tags/org.apache.sling.security-1.0.6</connection>
- <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/tags/org.apache.sling.security-1.0.6</developerConnection>
- <url>http://svn.apache.org/viewvc/sling/tags/org.apache.sling.security-1.0.6</url>
+ <connection>scm:svn:http://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</connection>
+ <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</developerConnection>
+ <url>http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security</url>
</scm>
<build>
[sling-org-apache-sling-security] 28/30: SLING-3829 - Add support
for Content-Disposition attachment
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit bd06fa0c24bac969ea59c38c9fc53bfe797729be
Author: Antonio Sanso <as...@apache.org>
AuthorDate: Thu Apr 2 09:49:38 2015 +0000
SLING-3829 - Add support for Content-Disposition attachment
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1670869 13f79535-47bb-0310-9956-ffa450edef68
---
pom.xml | 23 +
.../security/impl/ContentDispositionFilter.java | 224 +++++++
.../impl/ContentDispositionFilterTest.java | 653 +++++++++++++++++++++
3 files changed, 900 insertions(+)
diff --git a/pom.xml b/pom.xml
index a401dc6..25f13bf 100644
--- a/pom.xml
+++ b/pom.xml
@@ -73,6 +73,12 @@
<dependencies>
<dependency>
<groupId>org.apache.sling</groupId>
+ <artifactId>org.apache.sling.api</artifactId>
+ <version>2.1.0</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sling</groupId>
<artifactId>org.apache.sling.commons.osgi</artifactId>
<version>2.1.0</version>
<scope>provided</scope>
@@ -111,5 +117,22 @@
<version>1.8.2</version>
<scope>test</scope>
</dependency>
+ <!-- Testing -->
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.jmock</groupId>
+ <artifactId>jmock-junit4</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>junit-addons</groupId>
+ <artifactId>junit-addons</artifactId>
+ <version>1.4</version>
+ <scope>test</scope>
+ </dependency>
</dependencies>
+
</project>
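Review bot: the new `junit` dependency under `<!-- Testing -->` declares no `<scope>` (and no `<version>`), unlike `jmock-junit4` and `junit-addons` right after it. Unless the parent pom's dependency management supplies `test` scope, junit lands on the bundle's compile classpath; add `<scope>test</scope>` here. `jmock-junit4` also relies on the parent for its version while `junit-addons` pins 1.4, so it is worth making the three entries consistent.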
diff --git a/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java b/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java
new file mode 100644
index 0000000..aae95dc
--- /dev/null
+++ b/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java
@@ -0,0 +1,224 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sling.security.impl;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Dictionary;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import org.apache.felix.scr.annotations.Activate;
+import org.apache.felix.scr.annotations.Component;
+import org.apache.felix.scr.annotations.PropertyUnbounded;
+import org.apache.felix.scr.annotations.Service;
+import org.apache.felix.scr.annotations.Properties;
+import org.apache.felix.scr.annotations.Property;
+import org.apache.sling.api.SlingHttpServletRequest;
+import org.apache.sling.api.SlingHttpServletResponse;
+import org.apache.sling.api.wrappers.SlingHttpServletResponseWrapper;
+import org.apache.sling.commons.osgi.PropertiesUtil;
+import org.osgi.service.component.ComponentContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+@Component(metatype = true,
+description = "Request filter adding Content Disposition attachment for certain paths/content types",
+label=" Apache Sling Content Disposition Filter")
+@Service(value = Filter.class)
+@Properties({
+ @Property(name = "sling.filter.scope", value = { "request" }, propertyPrivate = true),
+ @Property(name = "service.ranking", intValue = -25000, propertyPrivate = true) })
+public class ContentDispositionFilter implements Filter {
+
+ /** Logger. */
+ private final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+ @Property(label = "Content Disposition Paths",
+ description = "These paths are filtered by the filter. "+
+ "Each entry is of the form 'path [ \":\" CSV of excluded content types ]'. " +
+ "Invalid entries are logged and ignored."
+ , unbounded = PropertyUnbounded.ARRAY, value = { "" })
+ private static final String PROP_CONTENT_DISPOSTION_PATHS = "sling.content.disposition.paths";
+
+ /**
+ * Set of paths
+ */
+ Set<String> contentDispositionPaths;
+
+ /**
+ * Array of prefixes of paths
+ */
+ private String[] contentDispositionPathsPfx;
+
+ private Map<String, Set<String>> contentTypesMapping;
+
+ @Activate
+ private void activate(final ComponentContext ctx) {
+ final Dictionary props = ctx.getProperties();
+
+ String[] contentDispostionProps = PropertiesUtil.toStringArray(props.get(PROP_CONTENT_DISPOSTION_PATHS));
+
+ Set<String> paths = new HashSet<String>();
+ List<String> pfxs = new ArrayList<String>();
+ Map<String, Set<String>> contentTypesMap = new HashMap<String, Set<String>>();
+
+ for (String path : contentDispostionProps) {
+ path = path.trim();
+ if (path.length() > 0) {
+ int idx = path.indexOf('*');
+ int colonIdx = path.indexOf(":");
+
+ if (colonIdx > -1 && colonIdx < idx) {
+ // ':' in paths is not allowed
+ logger.info("':' in paths is not allowed.");
+ } else {
+ String p = null;
+ if (idx >= 0) {
+ if (idx > 0) {
+ p = path.substring(0, idx);
+ pfxs.add(p);
+ } else {
+ // we don't allow "*" - that would defeat the
+ // purpose.
+ logger.info("catch-all wildcard for paths not allowed.");
+ }
+ } else {
+ if (colonIdx > -1) {
+ p = path.substring(0, colonIdx);
+ } else {
+ p = path;
+ }
+ paths.add(p);
+ }
+ if (colonIdx != -1 && p != null) {
+ Set <String> contentTypes = getContentTypes(path.substring(colonIdx+1));
+ contentTypesMap.put(p, contentTypes);
+ }
+ }
+
+ }
+ }
+
+ contentDispositionPaths = paths.isEmpty() ? Collections.<String>emptySet() : paths;
+ contentDispositionPathsPfx = pfxs.toArray(new String[pfxs.size()]);
+ contentTypesMapping = contentTypesMap.isEmpty()?Collections.<String, Set<String>>emptyMap(): contentTypesMap;
+
+ logger.info("Initialized. content disposition paths: {}, content disposition paths-pfx {}", new Object[]{
+ contentDispositionPaths, contentDispositionPathsPfx}
+ );
+ }
+
+
+ public void init(FilterConfig filterConfig) throws ServletException {
+ // nothing to do
+ }
+
+ public void destroy() {
+ // nothing to do
+ }
+
+ public void doFilter(ServletRequest request, ServletResponse response,
+ FilterChain chain) throws IOException, ServletException {
+
+ final SlingHttpServletRequest slingRequest = (SlingHttpServletRequest) request;
+ final SlingHttpServletResponse slingResponse = (SlingHttpServletResponse) response;
+
+ final RewriterResponse rewriterResponse = new RewriterResponse(slingRequest, slingResponse);
+
+ chain.doFilter(request, rewriterResponse);
+ }
+
+ //---------- PRIVATE METHODS ---------
+
+ private static Set<String> getContentTypes(String contentTypes) {
+ Set<String> contentTypesSet = new HashSet<String>();
+ if (contentTypes != null && contentTypes.length() > 0) {
+ String[] contentTypesArray = contentTypes.split(",");
+ for (String contentType : contentTypesArray) {
+ contentTypesSet.add(contentType);
+ }
+ }
+ return contentTypesSet;
+ }
+
+ //----------- INNER CLASSES ------------
+
+ protected class RewriterResponse extends SlingHttpServletResponseWrapper {
+
+ private static final String CONTENT_DISPOSTION = "Content-Disposition";
+
+ private static final String CONTENT_DISPOSTION_ATTACHMENT = "attachment";
+
+ /** The current request. */
+ private final SlingHttpServletRequest request;
+
+ public RewriterResponse(SlingHttpServletRequest request, SlingHttpServletResponse wrappedResponse) {
+ super(wrappedResponse);
+ this.request = request;
+ }
+
+ /**
+ * @see javax.servlet.ServletResponseWrapper#setContentType(java.lang.String)
+ */
+ public void setContentType(String type) {
+ String pathInfo = request.getPathInfo();
+
+ if (contentDispositionPaths.contains(pathInfo)) {
+
+ if (contentTypesMapping.containsKey(pathInfo)) {
+ Set exceptions = contentTypesMapping.get(pathInfo);
+ if (!exceptions.contains(type)) {
+ setContentDisposition();
+ }
+ } else {
+ setContentDisposition();
+ }
+ }
+
+ for (String path : contentDispositionPathsPfx) {
+ if (request.getPathInfo().startsWith(path)) {
+ if (contentTypesMapping.containsKey(path)) {
+ Set exceptions = contentTypesMapping.get(path);
+ if (!exceptions.contains(type)) {
+ setContentDisposition();
+ break;
+ }
+ } else {
+ setContentDisposition();
+ break;
+ }
+
+ }
+ }
+ super.setContentType(type);
+ }
+
+ private void setContentDisposition() {
+ this.addHeader(CONTENT_DISPOSTION, CONTENT_DISPOSTION_ATTACHMENT);
+ }
+ }
+}
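Review bot: in `RewriterResponse`, the attachment header is added only from `setContentType(String)`, so a response whose type is set through `setHeader("Content-Type", ...)` or `addHeader(...)`, or that never sets a type at all, leaves a configured path without `Content-Disposition: attachment`. For a filter whose purpose is to force download on the configured paths, that gap is the one most worth closing: also intercept `setHeader`/`addHeader` for Content-Type, or make the decision in `doFilter` from the path alone. Other points in the same method: `request.getPathInfo().startsWith(path)` throws a NullPointerException if `getPathInfo()` returns null while a prefix is configured; `exceptions.contains(type)` is an exact string match, so a type such as `text/html;charset=UTF-8`, or a CSV entry with a leading space (entries are not trimmed in `getContentTypes`), never matches an excluded type; and `addHeader` can emit the header twice when both the exact-path and the prefix branch fire or `setContentType` is called again, where `setHeader` would not. In `activate`, the two `logger.info` lines for rejected entries should include the offending value, and an entry like `/libs:image/*` is rejected with "':' in paths is not allowed." although its colon is the separator, not part of the path. The `DISPOSTION` spelling in the constant names is worth fixing now, before it spreads.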
diff --git a/src/test/java/org/apache/sling/security/impl/ContentDispositionFilterTest.java b/src/test/java/org/apache/sling/security/impl/ContentDispositionFilterTest.java
new file mode 100644
index 0000000..91d26b1
--- /dev/null
+++ b/src/test/java/org/apache/sling/security/impl/ContentDispositionFilterTest.java
@@ -0,0 +1,653 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sling.security.impl;
+
+import java.util.Dictionary;
+import java.util.Hashtable;
+import java.util.Map;
+import java.util.Set;
+import junitx.util.PrivateAccessor;
+import org.apache.sling.api.SlingHttpServletRequest;
+import org.apache.sling.api.SlingHttpServletResponse;
+import org.jmock.Expectations;
+import org.jmock.Mockery;
+import org.jmock.integration.junit4.JUnit4Mockery;
+import org.junit.Assert;
+import org.junit.Test;
+import org.osgi.service.component.ComponentContext;
+
+public class ContentDispositionFilterTest {
+
+ private ContentDispositionFilter contentDispositionFilter;
+ private final Mockery context = new JUnit4Mockery();
+
+ @Test
+ public void test_activator1() throws Throwable{
+ contentDispositionFilter = new ContentDispositionFilter();
+ final ComponentContext ctx = context.mock(ComponentContext.class);
+ final Dictionary props = new Hashtable<String, String[]>();
+ props.put("sling.content.disposition.paths", new String []{"/content/usergenerated"});
+
+ context.checking(new Expectations() {
+ {
+ allowing(ctx).getProperties();
+ will(returnValue(props));
+
+ }
+ });
+ PrivateAccessor.invoke(contentDispositionFilter,"activate", new Class[]{ComponentContext.class},new Object[]{ctx});
+ Set<String> contentDispositionPaths = ( Set<String> ) PrivateAccessor.getField(contentDispositionFilter, "contentDispositionPaths");
+ Assert.assertEquals(1, contentDispositionPaths.size());
+ String[] contentDispositionPathsPfx = ( String[] ) PrivateAccessor.getField(contentDispositionFilter, "contentDispositionPathsPfx");
+ Assert.assertEquals(0, contentDispositionPathsPfx.length);
+ Map <String, Set<String>> contentTypesMapping = ( Map <String, Set<String>> ) PrivateAccessor.getField(contentDispositionFilter, "contentTypesMapping");
+ Assert.assertEquals(0, contentTypesMapping.size());
+ }
+
+ @Test
+ public void test_activator2() throws Throwable{
+ contentDispositionFilter = new ContentDispositionFilter();
+ final ComponentContext ctx = context.mock(ComponentContext.class);
+ final Dictionary props = new Hashtable<String, String[]>();
+ props.put("sling.content.disposition.paths", new String []{"/content/usergenerated/*"});
+
+ context.checking(new Expectations() {
+ {
+ allowing(ctx).getProperties();
+ will(returnValue(props));
+
+ }
+ });
+ PrivateAccessor.invoke(contentDispositionFilter,"activate", new Class[]{ComponentContext.class},new Object[]{ctx});
+ Set<String> contentDispositionPaths = ( Set<String> ) PrivateAccessor.getField(contentDispositionFilter, "contentDispositionPaths");
+ Assert.assertEquals(0, contentDispositionPaths.size());
+ String[] contentDispositionPathsPfx = ( String[] ) PrivateAccessor.getField(contentDispositionFilter, "contentDispositionPathsPfx");
+ Assert.assertEquals(1, contentDispositionPathsPfx.length);
+ Map <String, Set<String>> contentTypesMapping = ( Map <String, Set<String>> ) PrivateAccessor.getField(contentDispositionFilter, "contentTypesMapping");
+ Assert.assertEquals(0, contentTypesMapping.size());
+ }
+
+ @Test
+ public void test_activator3() throws Throwable{
+ contentDispositionFilter = new ContentDispositionFilter();
+ final ComponentContext ctx = context.mock(ComponentContext.class);
+ final Dictionary props = new Hashtable<String, String[]>();
+ props.put("sling.content.disposition.paths", new String []{"/libs", "/content/usergenerated/*"});
+
+ context.checking(new Expectations() {
+ {
+ allowing(ctx).getProperties();
+ will(returnValue(props));
+
+ }
+ });
+ PrivateAccessor.invoke(contentDispositionFilter,"activate", new Class[]{ComponentContext.class},new Object[]{ctx});
+ Set<String> contentDispositionPaths = ( Set<String> ) PrivateAccessor.getField(contentDispositionFilter, "contentDispositionPaths");
+ Assert.assertEquals(1, contentDispositionPaths.size());
+ String[] contentDispositionPathsPfx = ( String[] ) PrivateAccessor.getField(contentDispositionFilter, "contentDispositionPathsPfx");
+ Assert.assertEquals(1, contentDispositionPathsPfx.length);
+ Map <String, Set<String>> contentTypesMapping = ( Map <String, Set<String>> ) PrivateAccessor.getField(contentDispositionFilter, "contentTypesMapping");
+ Assert.assertEquals(0, contentTypesMapping.size());
+ }
+
+ @Test
+ public void test_activator5() throws Throwable{
+ contentDispositionFilter = new ContentDispositionFilter();
+ final ComponentContext ctx = context.mock(ComponentContext.class);
+ final Dictionary props = new Hashtable<String, String[]>();
+ props.put("sling.content.disposition.paths", new String []{"*"});
+
+ context.checking(new Expectations() {
+ {
+ allowing(ctx).getProperties();
+ will(returnValue(props));
+
+ }
+ });
+ PrivateAccessor.invoke(contentDispositionFilter,"activate", new Class[]{ComponentContext.class},new Object[]{ctx});
+ Set<String> contentDispositionPaths = ( Set<String> ) PrivateAccessor.getField(contentDispositionFilter, "contentDispositionPaths");
+ Assert.assertEquals(0, contentDispositionPaths.size());
+ String[] contentDispositionPathsPfx = ( String[] ) PrivateAccessor.getField(contentDispositionFilter, "contentDispositionPathsPfx");
+ Assert.assertEquals(0, contentDispositionPathsPfx.length);
+ Map <String, Set<String>> contentTypesMapping = ( Map <String, Set<String>> ) PrivateAccessor.getField(contentDispositionFilter, "contentTypesMapping");
+ Assert.assertEquals(0, contentTypesMapping.size());
+ }
+
+ @Test
+ public void test_activator6() throws Throwable{
+ contentDispositionFilter = new ContentDispositionFilter();
+ final ComponentContext ctx = context.mock(ComponentContext.class);
+ final Dictionary props = new Hashtable<String, String[]>();
+ props.put("sling.content.disposition.paths", new String []{"/libs:*"});
+
+ context.checking(new Expectations() {
+ {
+ allowing(ctx).getProperties();
+ will(returnValue(props));
+
+ }
+ });
+ PrivateAccessor.invoke(contentDispositionFilter,"activate", new Class[]{ComponentContext.class},new Object[]{ctx});
+ Set<String> contentDispositionPaths = ( Set<String> ) PrivateAccessor.getField(contentDispositionFilter, "contentDispositionPaths");
+ Assert.assertEquals(0, contentDispositionPaths.size());
+ String[] contentDispositionPathsPfx = ( String[] ) PrivateAccessor.getField(contentDispositionFilter, "contentDispositionPathsPfx");
+ Assert.assertEquals(0, contentDispositionPathsPfx.length);
+ Map <String, Set<String>> contentTypesMapping = ( Map <String, Set<String>> ) PrivateAccessor.getField(contentDispositionFilter, "contentTypesMapping");
+ Assert.assertEquals(0, contentTypesMapping.size());
+ }
+
+ @Test
+ public void test_activator7() throws Throwable{
+ contentDispositionFilter = new ContentDispositionFilter();
+ final ComponentContext ctx = context.mock(ComponentContext.class);
+ final Dictionary props = new Hashtable<String, String[]>();
+ props.put("sling.content.disposition.paths", new String []{"/libs:text/html,text/plain","/content/usergenerated/*:image/jpeg"});
+
+ context.checking(new Expectations() {
+ {
+ allowing(ctx).getProperties();
+ will(returnValue(props));
+
+ }
+ });
+ PrivateAccessor.invoke(contentDispositionFilter,"activate", new Class[]{ComponentContext.class},new Object[]{ctx});
+ Set<String> contentDispositionPaths = ( Set<String> ) PrivateAccessor.getField(contentDispositionFilter, "contentDispositionPaths");
+ Assert.assertEquals(1, contentDispositionPaths.size());
+ String[] contentDispositionPathsPfx = ( String[] ) PrivateAccessor.getField(contentDispositionFilter, "contentDispositionPathsPfx");
+ Assert.assertEquals(1, contentDispositionPathsPfx.length);
+ Map <String, Set<String>> contentTypesMapping = ( Map <String, Set<String>> ) PrivateAccessor.getField(contentDispositionFilter, "contentTypesMapping");
+ Assert.assertEquals(2, contentTypesMapping.size());
+ Set<String> libsMapping = contentTypesMapping.get("/libs");
+ Assert.assertEquals(2, libsMapping.size());
+ libsMapping.contains("text/html");
+ libsMapping.contains("text/plain");
+
+ Set<String> userGeneratedMapping = contentTypesMapping.get("/content/usergenerated/");
+ Assert.assertEquals(1, userGeneratedMapping.size());
+ userGeneratedMapping.contains("image/jpeg");
+ }
+
+ @Test
+ public void test_getContentTypes() throws Throwable{
+ // null content types
+ String contentType = null;
+ Set <String> contentTypesSet = ( Set <String>) PrivateAccessor.invoke(ContentDispositionFilter.class,"getContentTypes", new Class[]{String.class},new Object[]{contentType});
+ Assert.assertEquals(0, contentTypesSet.size());
+ // empty content types
+ contentType = "";
+ contentTypesSet = ( Set <String>) PrivateAccessor.invoke(ContentDispositionFilter.class,"getContentTypes", new Class[]{String.class},new Object[]{contentType});
+ Assert.assertEquals(0, contentTypesSet.size());
+ contentType = "text/html";
+ contentTypesSet = ( Set <String>) PrivateAccessor.invoke(ContentDispositionFilter.class,"getContentTypes", new Class[]{String.class},new Object[]{contentType});
+ Assert.assertEquals(1, contentTypesSet.size());
+ contentType = "text/html,text/plain";
+ contentTypesSet = ( Set <String>) PrivateAccessor.invoke(ContentDispositionFilter.class,"getContentTypes", new Class[]{String.class},new Object[]{contentType});
+ Assert.assertEquals(2, contentTypesSet.size());
+ }
+
+ @Test
+ public void test_doFilter1() throws Throwable{
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ contentDispositionFilter = new ContentDispositionFilter();
+
+ final ComponentContext ctx = context.mock(ComponentContext.class);
+ final Dictionary props = new Hashtable<String, String[]>();
+ props.put("sling.content.disposition.paths", new String []{"/content/usergenerated"});
+
+ context.checking(new Expectations() {
+ {
+ allowing(ctx).getProperties();
+ will(returnValue(props));
+
+ }
+ });
+ PrivateAccessor.invoke(contentDispositionFilter,"activate", new Class[]{ComponentContext.class},new Object[]{ctx});
+ ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+ context.checking(new Expectations() {
+ {
+ allowing(request).getPathInfo();
+ will(returnValue("/libs"));
+ allowing(response).setContentType("text/html");
+ //CONTENT DISPOSITION MUST NOT SET
+ never(response).addHeader("Content-Disposition", "attachment");
+
+ }
+ });
+ rewriterResponse.setContentType("text/html");
+ }
+
+ @Test
+ public void test_doFilter2() throws Throwable{
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ contentDispositionFilter = new ContentDispositionFilter();
+
+ final ComponentContext ctx = context.mock(ComponentContext.class);
+ final Dictionary props = new Hashtable<String, String[]>();
+ props.put("sling.content.disposition.paths", new String []{"/content/usergenerated"});
+
+ context.checking(new Expectations() {
+ {
+ allowing(ctx).getProperties();
+ will(returnValue(props));
+
+ }
+ });
+ PrivateAccessor.invoke(contentDispositionFilter,"activate", new Class[]{ComponentContext.class},new Object[]{ctx});
+ ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+ context.checking(new Expectations() {
+ {
+ allowing(request).getPathInfo();
+ will(returnValue("/content/usergenerated/author"));
+ allowing(response).setContentType("text/html");
+ //CONTENT DISPOSITION MUST NOT SET
+ never(response).addHeader("Content-Disposition", "attachment");
+ }
+ });
+ rewriterResponse.setContentType("text/html");
+ }
+
+ @Test
+ public void test_doFilter3() throws Throwable{
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ contentDispositionFilter = new ContentDispositionFilter();
+
+ final ComponentContext ctx = context.mock(ComponentContext.class);
+ final Dictionary props = new Hashtable<String, String[]>();
+ props.put("sling.content.disposition.paths", new String []{"/content/usergenerated"});
+
+ context.checking(new Expectations() {
+ {
+ allowing(ctx).getProperties();
+ will(returnValue(props));
+
+ }
+ });
+ PrivateAccessor.invoke(contentDispositionFilter,"activate", new Class[]{ComponentContext.class},new Object[]{ctx});
+ ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+ context.checking(new Expectations() {
+ {
+ allowing(request).getPathInfo();
+ will(returnValue("/content/usergenerated"));
+ allowing(response).setContentType("text/html");
+ //CONTENT DISPOSITION IS SET
+ exactly(1).of(response).addHeader("Content-Disposition", "attachment");
+ }
+ });
+ rewriterResponse.setContentType("text/html");
+ }
+
+ @Test
+ public void test_doFilter4() throws Throwable{
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ contentDispositionFilter = new ContentDispositionFilter();
+
+ final ComponentContext ctx = context.mock(ComponentContext.class);
+ final Dictionary props = new Hashtable<String, String[]>();
+ props.put("sling.content.disposition.paths", new String []{"/content/usergenerated/*"});
+
+ context.checking(new Expectations() {
+ {
+ allowing(ctx).getProperties();
+ will(returnValue(props));
+
+ }
+ });
+ PrivateAccessor.invoke(contentDispositionFilter,"activate", new Class[]{ComponentContext.class},new Object[]{ctx});
+ ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+ context.checking(new Expectations() {
+ {
+ allowing(request).getPathInfo();
+ will(returnValue("/libs"));
+ allowing(response).setContentType("text/html");
+ //CONTENT DISPOSITION MUST NOT SET
+ never(response).addHeader("Content-Disposition", "attachment");
+
+ }
+ });
+ rewriterResponse.setContentType("text/html");
+ }
+
+ @Test
+ public void test_doFilter5() throws Throwable{
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ contentDispositionFilter = new ContentDispositionFilter();
+
+ final ComponentContext ctx = context.mock(ComponentContext.class);
+ final Dictionary props = new Hashtable<String, String[]>();
+ props.put("sling.content.disposition.paths", new String []{"/content/usergenerated/*"});
+
+ context.checking(new Expectations() {
+ {
+ allowing(ctx).getProperties();
+ will(returnValue(props));
+
+ }
+ });
+ PrivateAccessor.invoke(contentDispositionFilter,"activate", new Class[]{ComponentContext.class},new Object[]{ctx});
+ ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+ context.checking(new Expectations() {
+ {
+ allowing(request).getPathInfo();
+ will(returnValue("/content/usergenerated/author"));
+ allowing(response).setContentType("text/html");
+ //CONTENT DISPOSITION IS SET
+ exactly(1).of(response).addHeader("Content-Disposition", "attachment");
+ }
+ });
+ rewriterResponse.setContentType("text/html");
+ }
+
+ @Test
+ public void test_doFilter6() throws Throwable{
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ contentDispositionFilter = new ContentDispositionFilter();
+
+ final ComponentContext ctx = context.mock(ComponentContext.class);
+ final Dictionary props = new Hashtable<String, String[]>();
+ props.put("sling.content.disposition.paths", new String []{"/content/usergenerated/*"});
+
+ context.checking(new Expectations() {
+ {
+ allowing(ctx).getProperties();
+ will(returnValue(props));
+
+ }
+ });
+ PrivateAccessor.invoke(contentDispositionFilter,"activate", new Class[]{ComponentContext.class},new Object[]{ctx});
+ ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+ context.checking(new Expectations() {
+ {
+ allowing(request).getPathInfo();
+ will(returnValue("/content/usergenerated"));
+ allowing(response).setContentType("text/html");
+ //CONTENT DISPOSITION IS SET
+ exactly(1).of(response).addHeader("Content-Disposition", "attachment");
+ }
+ });
+ rewriterResponse.setContentType("text/html");
+ }
+
+ @Test
+ public void test_doFilter7() throws Throwable{
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ contentDispositionFilter = new ContentDispositionFilter();
+
+ final ComponentContext ctx = context.mock(ComponentContext.class);
+ final Dictionary props = new Hashtable<String, String[]>();
+ props.put("sling.content.disposition.paths", new String []{"/content/usergenerated:text/html,text/plain"});
+
+ context.checking(new Expectations() {
+ {
+ allowing(ctx).getProperties();
+ will(returnValue(props));
+
+ }
+ });
+ PrivateAccessor.invoke(contentDispositionFilter,"activate", new Class[]{ComponentContext.class},new Object[]{ctx});
+ ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+ context.checking(new Expectations() {
+ {
+ allowing(request).getPathInfo();
+ will(returnValue("/libs"));
+ allowing(response).setContentType("text/html");
+ //CONTENT DISPOSITION MUST NOT SET
+ never(response).addHeader("Content-Disposition", "attachment");
+
+ }
+ });
+ rewriterResponse.setContentType("text/html");
+ }
+
+ @Test
+ public void test_doFilter8() throws Throwable{
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ contentDispositionFilter = new ContentDispositionFilter();
+
+ final ComponentContext ctx = context.mock(ComponentContext.class);
+ final Dictionary props = new Hashtable<String, String[]>();
+ props.put("sling.content.disposition.paths", new String []{"/content/usergenerated:text/html,text/plain"});
+
+ context.checking(new Expectations() {
+ {
+ allowing(ctx).getProperties();
+ will(returnValue(props));
+
+ }
+ });
+ PrivateAccessor.invoke(contentDispositionFilter,"activate", new Class[]{ComponentContext.class},new Object[]{ctx});
+ ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+ context.checking(new Expectations() {
+ {
+ allowing(request).getPathInfo();
+ will(returnValue("/content/usergenerated/author"));
+ allowing(response).setContentType("text/html");
+ //CONTENT DISPOSITION MUST NOT SET
+ never(response).addHeader("Content-Disposition", "attachment");
+ }
+ });
+ rewriterResponse.setContentType("text/html");
+ }
+
+ @Test
+ public void test_doFilter9() throws Throwable{
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ contentDispositionFilter = new ContentDispositionFilter();
+
+ final ComponentContext ctx = context.mock(ComponentContext.class);
+ final Dictionary props = new Hashtable<String, String[]>();
+ props.put("sling.content.disposition.paths", new String []{"/content/usergenerated:text/html,text/plain"});
+
+ context.checking(new Expectations() {
+ {
+ allowing(ctx).getProperties();
+ will(returnValue(props));
+
+ }
+ });
+ PrivateAccessor.invoke(contentDispositionFilter,"activate", new Class[]{ComponentContext.class},new Object[]{ctx});
+ ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+ context.checking(new Expectations() {
+ {
+ allowing(request).getPathInfo();
+ will(returnValue("/content/usergenerated"));
+ allowing(response).setContentType("text/html");
+ //CONTENT DISPOSITION MUST NOT SET
+ never(response).addHeader("Content-Disposition", "attachment");
+ }
+ });
+ rewriterResponse.setContentType("text/html");
+ }
+
+ @Test
+ public void test_doFilter10() throws Throwable{
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ contentDispositionFilter = new ContentDispositionFilter();
+
+ final ComponentContext ctx = context.mock(ComponentContext.class);
+ final Dictionary props = new Hashtable<String, String[]>();
+ props.put("sling.content.disposition.paths", new String []{"/content/usergenerated:text/html,text/plain"});
+
+ context.checking(new Expectations() {
+ {
+ allowing(ctx).getProperties();
+ will(returnValue(props));
+
+ }
+ });
+ PrivateAccessor.invoke(contentDispositionFilter,"activate", new Class[]{ComponentContext.class},new Object[]{ctx});
+ ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+ context.checking(new Expectations() {
+ {
+ allowing(request).getPathInfo();
+ will(returnValue("/content/usergenerated"));
+ allowing(response).setContentType("image/jpeg");
+ //CONTENT DISPOSITION IS SET
+ exactly(1).of(response).addHeader("Content-Disposition", "attachment");
+ }
+ });
+ rewriterResponse.setContentType("image/jpeg");
+ }
+
+ @Test
+ public void test_doFilter11() throws Throwable{
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ contentDispositionFilter = new ContentDispositionFilter();
+
+ final ComponentContext ctx = context.mock(ComponentContext.class);
+ final Dictionary props = new Hashtable<String, String[]>();
+ props.put("sling.content.disposition.paths", new String []{"/content/usergenerated/*:text/html,text/plain"});
+
+ context.checking(new Expectations() {
+ {
+ allowing(ctx).getProperties();
+ will(returnValue(props));
+
+ }
+ });
+ PrivateAccessor.invoke(contentDispositionFilter,"activate", new Class[]{ComponentContext.class},new Object[]{ctx});
+ ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+ context.checking(new Expectations() {
+ {
+ allowing(request).getPathInfo();
+ will(returnValue("/libs"));
+ allowing(response).setContentType("text/html");
+ //CONTENT DISPOSITION MUST NOT SET
+ never(response).addHeader("Content-Disposition", "attachment");
+
+ }
+ });
+ rewriterResponse.setContentType("text/html");
+ }
+
+ @Test
+ public void test_doFilter12() throws Throwable{
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ contentDispositionFilter = new ContentDispositionFilter();
+
+ final ComponentContext ctx = context.mock(ComponentContext.class);
+ final Dictionary props = new Hashtable<String, String[]>();
+ props.put("sling.content.disposition.paths", new String []{"/content/usergenerated/*:text/html,text/plain"});
+
+ context.checking(new Expectations() {
+ {
+ allowing(ctx).getProperties();
+ will(returnValue(props));
+
+ }
+ });
+ PrivateAccessor.invoke(contentDispositionFilter,"activate", new Class[]{ComponentContext.class},new Object[]{ctx});
+ ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+ context.checking(new Expectations() {
+ {
+ allowing(request).getPathInfo();
+ will(returnValue("/content/usergenerated/author"));
+ allowing(response).setContentType("text/html");
+ //CONTENT DISPOSITION MUST NOT SET
+ never(response).addHeader("Content-Disposition", "attachment");
+ }
+ });
+ rewriterResponse.setContentType("text/html");
+ }
+
+ @Test
+ public void test_doFilter13() throws Throwable{
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ contentDispositionFilter = new ContentDispositionFilter();
+
+ final ComponentContext ctx = context.mock(ComponentContext.class);
+ final Dictionary props = new Hashtable<String, String[]>();
+ props.put("sling.content.disposition.paths", new String []{"/content/usergenerated/*:text/html,text/plain"});
+
+ context.checking(new Expectations() {
+ {
+ allowing(ctx).getProperties();
+ will(returnValue(props));
+
+ }
+ });
+ PrivateAccessor.invoke(contentDispositionFilter,"activate", new Class[]{ComponentContext.class},new Object[]{ctx});
+ ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+ context.checking(new Expectations() {
+ {
+ allowing(request).getPathInfo();
+ will(returnValue("/content/usergenerated/author"));
+ allowing(response).setContentType("text/html");
+ //CONTENT DISPOSITION MUST NOT SET
+ never(response).addHeader("Content-Disposition", "attachment");
+ }
+ });
+ rewriterResponse.setContentType("text/html");
+ }
+
+ @Test
+ public void test_doFilter14() throws Throwable{
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ contentDispositionFilter = new ContentDispositionFilter();
+
+ final ComponentContext ctx = context.mock(ComponentContext.class);
+ final Dictionary props = new Hashtable<String, String[]>();
+ props.put("sling.content.disposition.paths", new String []{"/content/usergenerated/*:text/html,text/plain"});
+
+ context.checking(new Expectations() {
+ {
+ allowing(ctx).getProperties();
+ will(returnValue(props));
+
+ }
+ });
+ PrivateAccessor.invoke(contentDispositionFilter,"activate", new Class[]{ComponentContext.class},new Object[]{ctx});
+ ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+ context.checking(new Expectations() {
+ {
+ allowing(request).getPathInfo();
+ will(returnValue("/content/usergenerated/author"));
+ allowing(response).setContentType("image/jpeg");
+ //CONTENT DISPOSITION IS SET
+ exactly(1).of(response).addHeader("Content-Disposition", "attachment");
+ }
+ });
+ rewriterResponse.setContentType("image/jpeg");
+ }
+}
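Review bot: In test_activator7 the calls libsMapping.contains("text/html"), libsMapping.contains("text/plain") and userGeneratedMapping.contains("image/jpeg") discard their results, so the test checks only the set sizes and would still pass if the mapping held the wrong content types. Wrap each call in Assert.assertTrue(...). Separately, test_doFilter13 is identical to test_doFilter12 (same configuration, same path, same content type); drop it or change it to exercise a case the suite does not yet cover.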
--
[sling-org-apache-sling-security] 03/30: SLING-2198 - allowing
request if the referrer host name matches the request host name (also,
internalizing the PropertiesUtil class for compatibility purposes)
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit d87917c332f1e40b273cf6abee2f584897e47a2a
Author: Justin Edelson <ju...@apache.org>
AuthorDate: Wed Aug 31 15:12:00 2011 +0000
SLING-2198 - allowing request if the referrer host name matches the request host name (also, internalizing the PropertiesUtil class for compatibility purposes)
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1163660 13f79535-47bb-0310-9956-ffa450edef68
---
pom.xml | 3 +++
src/main/java/org/apache/sling/security/impl/ReferrerFilter.java | 6 ++++++
2 files changed, 9 insertions(+)
diff --git a/pom.xml b/pom.xml
index 7098fd6..3dcda90 100644
--- a/pom.xml
+++ b/pom.xml
@@ -58,6 +58,9 @@
<configuration>
<instructions>
<Bundle-Category>sling</Bundle-Category>
+ <Embed-Dependency>
+ org.apache.sling.commons.osgi;inline=org/apache/sling/commons/osgi/PropertiesUtil.*
+ </Embed-Dependency>
<Private-Package>
org.apache.sling.security.impl
</Private-Package>
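Review bot: The new Embed-Dependency instruction carries no comment saying why PropertiesUtil is inlined instead of imported; the reason appears only in the commit message ("for compatibility purposes"). Add an XML comment above <Embed-Dependency> naming the compatibility constraint, so the inlining can be removed once it no longer applies, and consider splitting this build change from the ReferrerFilter behaviour change so each can be reverted on its own.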
diff --git a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
index ddb4ca1..0302ac7 100644
--- a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
+++ b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
@@ -282,6 +282,12 @@ public class ReferrerFilter implements Filter {
return false;
}
+ // allow the request if the host name of the referrer is
+ // the same as the request's host name
+ if ( info.host.equals(request.getServerName()) ) {
+ return true;
+ }
+
boolean valid = false;
for(final URL ref : this.allowedReferrers) {
if ( info.host.equals(ref.getHost()) && info.scheme.equals(ref.getProtocol()) ) {
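Review bot: The new early return compares only the host name: info.host.equals(request.getServerName()) ignores info.scheme and info.port, while the allowedReferrers loop directly below also requires info.scheme to match. If a same-host referrer on any scheme or port is meant to pass, say so in the comment; otherwise compare against request.getScheme() and request.getServerPort() as well. The comparison is also case-sensitive although host names are not, so equalsIgnoreCase would avoid rejecting a referrer that differs from the server name only in case. Since getServerName() normally reflects the Host header of the request, the comment should note that this check trusts that value.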
--
[sling-org-apache-sling-security] 21/30: FELIX-2870 : Support
allowed hosts patterns in ReferrerFilter . Apply patch from Timothee Maret
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit 45dec5c3941a1c121ca0703aeaac522b6405e4f7
Author: Carsten Ziegeler <cz...@apache.org>
AuthorDate: Wed May 22 08:59:33 2013 +0000
FELIX-2870 : Support allowed hosts patterns in ReferrerFilter . Apply patch from Timothee Maret
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1485123 13f79535-47bb-0310-9956-ffa450edef68
---
.../apache/sling/security/impl/ReferrerFilter.java | 130 ++++++++++++++++-----
.../OSGI-INF/metatype/metatype.properties | 9 +-
.../sling/security/impl/ReferrerFilterTest.java | 14 ++-
3 files changed, 116 insertions(+), 37 deletions(-)
diff --git a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
index 000f463..e3dfa5d 100644
--- a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
+++ b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
@@ -26,12 +26,14 @@ import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.URL;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Dictionary;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.List;
import java.util.Set;
+import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
@@ -93,19 +95,30 @@ public class ReferrerFilter implements Filter {
@Property(boolValue=DEFAULT_ALLOW_EMPTY)
private static final String PROP_ALLOW_EMPTY = "allow.empty";
- /** Allow empty property. */
+ private static final String[] DEFAULT_PROP_HOSTS = {};
+
+ /** Allow referrer uri hosts property. */
@Property(unbounded=PropertyUnbounded.ARRAY)
private static final String PROP_HOSTS = "allow.hosts";
- /** Allow empty property. */
+ /** Allow referrer regex hosts property */
+ @Property(unbounded=PropertyUnbounded.ARRAY)
+ private static final String PROP_HOSTS_REGEX = "allow.hosts.regexp";
+
+ /** Filtered methods property */
@Property(unbounded=PropertyUnbounded.ARRAY, value={"POST", "PUT", "DELETE"})
private static final String PROP_METHODS = "filter.methods";
+
+
/** Do we allow empty referrer? */
private boolean allowEmpty;
- /** Allowed referrers */
- private URL[] allowedReferrers;
+ /** Allowed uri referrers */
+ private URL[] allowedUriReferrers;
+
+ /** Allowed regexp referrers */
+ private Pattern[] allowedRegexReferrers;
/** Methods to be filtered. */
private String[] filterMethods;
@@ -160,7 +173,7 @@ public class ReferrerFilter implements Filter {
}
/**
- * Create URLs out of the referrer list
+ * Create URLs out of the uri referrer set
*/
private URL[] createReferrerUrls(final Set<String> referrers) {
final List<URL> urls = new ArrayList<URL>();
@@ -179,27 +192,41 @@ public class ReferrerFilter implements Filter {
}
/**
+ * Create Patterns out of the regexp referrer list
+ */
+ private Pattern[] createReferrerPatterns(final String[] regexps) {
+ final List<Pattern> patterns = new ArrayList<Pattern>();
+ for(final String regexp : regexps) {
+ try {
+ final Pattern pattern = Pattern.compile(regexp);
+ patterns.add(pattern);
+ } catch (final Exception e) {
+ logger.warn("Unable to create Pattern from {} : {}", new String[]{regexp, e.getMessage()});
+ }
+ }
+ return patterns.toArray(new Pattern[patterns.size()]);
+ }
+
+ /**
* Activate
*/
@Activate
protected void activate(final ComponentContext ctx) {
- this.allowEmpty = PropertiesUtil.toBoolean(ctx.getProperties().get(PROP_ALLOW_EMPTY), DEFAULT_ALLOW_EMPTY);
- String[] allowHosts = PropertiesUtil.toStringArray(ctx.getProperties().get(PROP_HOSTS));
- if ( allowHosts != null ) {
- if ( allowHosts.length == 0 ) {
- allowHosts = null;
- } else if ( allowHosts.length == 1 && allowHosts[0].trim().length() == 0 ) {
- allowHosts = null;
- }
- }
- final Set<String> allowedReferrers = this.getDefaultAllowedReferrers();
- if ( allowHosts != null ) {
- for(final String host : allowHosts) {
- allowedReferrers.add(host);
- }
- }
- this.allowedReferrers = this.createReferrerUrls(allowedReferrers);
- this.filterMethods = PropertiesUtil.toStringArray(ctx.getProperties().get(PROP_METHODS));
+ final Dictionary props = ctx.getProperties();
+
+ this.allowEmpty = PropertiesUtil.toBoolean(props.get(PROP_ALLOW_EMPTY), DEFAULT_ALLOW_EMPTY);
+
+ final String[] allowRegexHosts = defaultIfEmpty(PropertiesUtil.toStringArray(props.get(PROP_HOSTS_REGEX),
+ DEFAULT_PROP_HOSTS), DEFAULT_PROP_HOSTS);
+ this.allowedRegexReferrers = createReferrerPatterns(allowRegexHosts);
+
+ final Set<String> allowUriReferrers = getDefaultAllowedReferrers();
+ final String[] allowHosts = defaultIfEmpty(PropertiesUtil.toStringArray(props.get(PROP_HOSTS),
+ DEFAULT_PROP_HOSTS), DEFAULT_PROP_HOSTS);
+ allowUriReferrers.addAll(Arrays.asList(allowHosts));
+ this.allowedUriReferrers = createReferrerUrls(allowUriReferrers);
+
+ this.filterMethods = PropertiesUtil.toStringArray(props.get(PROP_METHODS));
if ( this.filterMethods != null && this.filterMethods.length == 1 && (this.filterMethods[0] == null || this.filterMethods[0].trim().length() == 0) ) {
this.filterMethods = null;
}
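Review bot: createReferrerPatterns catches Exception, which is wider than needed: Pattern.compile reports a bad expression with PatternSyntaxException, so catch that and let anything else surface. The warn call passes new String[]{regexp, e.getMessage()} while the existing logger.info call in this class passes new Object[] {...}; use Object[] here too for consistency. In activate, props is declared as a raw Dictionary; a one-line comment that an invalid allow.hosts.regexp entry is skipped, leaving fewer allowed referrers rather than more, would help whoever reads the warning later.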
@@ -267,6 +294,9 @@ public class ReferrerFilter implements Filter {
public String host;
public String scheme;
public int port;
+ public String toURI() {
+ return scheme + "://" + host + ":" + port;
+ }
}
HostInfo getHost(final String referrer) {
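Review bot: toURI() has no Javadoc and always appends ":" + port, so the string that the allow.hosts.regexp patterns are matched against always carries a port component, whatever value port holds for a referrer that had none. Document the exact format (scheme://host:port) on this method, since isValidRegexReferrer calls matches() on the result and a pattern written without the port part will never match.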
@@ -330,15 +360,9 @@ public class ReferrerFilter implements Filter {
return true;
}
- boolean valid = false;
- for(final URL ref : this.allowedReferrers) {
- if ( info.host.equals(ref.getHost()) && info.scheme.equals(ref.getProtocol()) ) {
- if ( ref.getPort() == 0 || info.port == ref.getPort() ) {
- valid = true;
- break;
- }
- }
- }
+ // allow the request if the referrer matches any of the allowed referrers
+ boolean valid = isValidUriReferrer(info) || isValidRegexReferrer(info);
+
if ( !valid) {
this.logger.info("Rejected referrer header for {} request to {} : {}",
new Object[] {request.getMethod(), request.getRequestURI(), referrer});
@@ -361,6 +385,45 @@ public class ReferrerFilter implements Filter {
}
/**
+ * @param hostInfo The hostInfo to check for validity
+ * @return <code>true</code> if the hostInfo matches any of the allowed URI referrer.
+ */
+ private boolean isValidUriReferrer(HostInfo hostInfo) {
+ for(final URL ref : this.allowedUriReferrers) {
+ if ( hostInfo.host.equals(ref.getHost()) && hostInfo.scheme.equals(ref.getProtocol()) ) {
+ if ( ref.getPort() == 0 || hostInfo.port == ref.getPort() ) {
+ return true;
+ }
+ }
+ }
+ return false;
+ }
+
+ /**
+ * @param hostInfo The hostInfo to check for validity
+ * @return <code>true</code> if the hostInfo matches any of the allowed regexp referrer.
+ */
+ private boolean isValidRegexReferrer(HostInfo hostInfo) {
+ for(final Pattern ref : this.allowedRegexReferrers) {
+ String url = hostInfo.toURI();
+ if (ref.matcher(url).matches()) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ /**
+ * @return The <code>defaultProperties</code> if <code>properties</code> contains a single empty string,
+ * <code>properties</code> otherwise.
+ */
+ private String[] defaultIfEmpty(String[] properties, String[] defaultProperties) {
+ return properties.length == 1 && properties[0].trim().length() == 0
+ ? defaultProperties
+ : properties;
+ }
+
+ /**
* Returns <code>true</code> if the given request can be assumed to be sent
* by a client browser such as Firefix, Internet Explorer, etc.
* <p>
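Review bot: defaultIfEmpty dereferences properties[0] without a null check, whereas the filterMethods handling in activate tests this.filterMethods[0] == null before calling trim(); add the same guard here or document why the element cannot be null. In isValidRegexReferrer, hostInfo.toURI() is rebuilt on every loop iteration; compute it once before the loop. Using matches() rather than find() is the right choice, since it forces each pattern to cover the whole scheme://host:port string.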
@@ -391,9 +454,12 @@ public class ReferrerFilter implements Filter {
public void printConfiguration(final PrintWriter pw) {
pw.println("Current Apache Sling Referrer Filter Allowed Referrers:");
pw.println();
- for (final URL url : allowedReferrers) {
+ for (final URL url : allowedUriReferrers) {
pw.println(url.toString());
}
+ for (final Pattern pattern : allowedRegexReferrers) {
+ pw.println(pattern.toString());
+ }
}
}
diff --git a/src/main/resources/OSGI-INF/metatype/metatype.properties b/src/main/resources/OSGI-INF/metatype/metatype.properties
index f536075..0905fb1 100644
--- a/src/main/resources/OSGI-INF/metatype/metatype.properties
+++ b/src/main/resources/OSGI-INF/metatype/metatype.properties
@@ -25,14 +25,17 @@
#
# Referrer Filter
referrer.name = Apache Sling Referrer Filter
-referrer.description = Request filter checking the referrer of modification requests.
+referrer.description = Request filter checking the referrer of modification requests.
allow.empty.name = Allow Empty
allow.empty.description = Allow an empty or missing referrer
allow.hosts.name = Allow Hosts
-allow.hosts.description = List of allowed hosts for the referrer. If this is empty only the default\
- hosts are allowed.
+allow.hosts.description = List of allowed hosts for the referrer which are added to the list of default hosts.
+
+
+allow.hosts.regexp.name = Allow Regexp Host
+allow.hosts.regexp.description = List of allowed regexp for the referrer.
filter.methods.name = Filter Methods
filter.methods.description = These methods are filtered by the filter.
\ No newline at end of file
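Review bot: allow.hosts.regexp.description does not say what string each expression is matched against or that it must match in full. isValidRegexReferrer in this same commit applies matches() to hostInfo.toURI(), and the test pattern has the form http://host:80, so the description should state that the pattern covers scheme, host and port and that literal dots in host names need escaping. The two blank lines added before allow.hosts.regexp.name look unintentional.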
diff --git a/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java b/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
index 136cb28..567246e 100644
--- a/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
+++ b/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
@@ -17,7 +17,6 @@
package org.apache.sling.security.impl;
import static org.mockito.Mockito.*;
-import static org.mockito.Matchers.*;
import java.util.Dictionary;
import java.util.Hashtable;
@@ -40,7 +39,10 @@ public class ReferrerFilterTest {
final ComponentContext ctx = mock(ComponentContext.class);
final BundleContext bundleCtx = mock(BundleContext.class);
final ServiceRegistration reg = mock(ServiceRegistration.class);
- final Dictionary<String, Object> props = new Hashtable<String, Object>();
+ final Dictionary<String, Object> props = new Hashtable<String, Object>(){{
+ put("allow.hosts", new String[]{"relhost"});
+ put("allow.hosts.regexp", new String[]{"http://([^.]*.)?abshost:80"});
+ }};
doReturn(props).when(ctx).getProperties();
doReturn(bundleCtx).when(ctx).getBundleContext();
doReturn(reg).when(bundleCtx).registerService(any(String[].class), any(), any(Dictionary.class));
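Review bot: in the allow.hosts.regexp test value, the dot in ([^.]*.)? is unescaped, so it matches any character rather than only a subdomain separator, and the pattern accepts hosts that merely end in abshost, not just abshost and its direct subdomains. Write ([^.]*\\.)? in the Java string if the intent is one optional subdomain label. The double-brace Hashtable initializer also creates an anonymous subclass; plain put calls after construction are simpler.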
@@ -83,5 +85,13 @@ public class ReferrerFilterTest {
Assert.assertEquals(true, filter.isValidRequest(getRequest("http://localhost")));
Assert.assertEquals(true, filter.isValidRequest(getRequest("http://127.0.0.1")));
Assert.assertEquals(false, filter.isValidRequest(getRequest("http://somehost/but/[illegal]")));
+ Assert.assertEquals(true, filter.isValidRequest(getRequest("http://relhost")));
+ Assert.assertEquals(true, filter.isValidRequest(getRequest("http://relhost:9001")));
+ Assert.assertEquals(false, filter.isValidRequest(getRequest("http://abshost:9001")));
+ Assert.assertEquals(false, filter.isValidRequest(getRequest("https://abshost:80")));
+ Assert.assertEquals(true, filter.isValidRequest(getRequest("http://abshost:80")));
+ Assert.assertEquals(false, filter.isValidRequest(getRequest("http://abshost:9001")));
+ Assert.assertEquals(true, filter.isValidRequest(getRequest("http://another.abshost:80")));
+ Assert.assertEquals(false, filter.isValidRequest(getRequest("http://yet.another.abshost:80")));
}
}
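Review bot: the assertion for http://abshost:9001 appears twice with the same expected value, so one of them can go. There is also no negative case for a host that only shares the abshost suffix without a dot separator; adding one would pin down how strictly the regexp list matches.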
--
To stop receiving notification emails like this one, please contact
"commits@sling.apache.org" <co...@sling.apache.org>.
[sling-org-apache-sling-security] 18/30: [maven-release-plugin]
prepare release org.apache.sling.security-1.0.4
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit 4c40987ec6b7a10d678b7334ea0ab52a42deb1a3
Author: Carsten Ziegeler <cz...@apache.org>
AuthorDate: Mon Apr 22 08:05:51 2013 +0000
[maven-release-plugin] prepare release org.apache.sling.security-1.0.4
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1470407 13f79535-47bb-0310-9956-ffa450edef68
---
pom.xml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pom.xml b/pom.xml
index 3a2dba4..92c79f8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,7 @@
</parent>
<artifactId>org.apache.sling.security</artifactId>
- <version>1.0.3-SNAPSHOT</version>
+ <version>1.0.4</version>
<packaging>bundle</packaging>
<name>Apache Sling Security</name>
@@ -36,9 +36,9 @@
</description>
<scm>
- <connection>scm:svn:http://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</connection>
- <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</developerConnection>
- <url>http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security</url>
+ <connection>scm:svn:http://svn.apache.org/repos/asf/sling/tags/org.apache.sling.security-1.0.4</connection>
+ <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/tags/org.apache.sling.security-1.0.4</developerConnection>
+ <url>http://svn.apache.org/viewvc/sling/tags/org.apache.sling.security-1.0.4</url>
</scm>
<build>
--
[sling-org-apache-sling-security] 16/30: Update to latest parent
pom and use latest releases in launchpad
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit 0f149ecc333672138115de4a014c40aa70130dbf
Author: Carsten Ziegeler <cz...@apache.org>
AuthorDate: Mon Feb 18 08:38:52 2013 +0000
Update to latest parent pom and use latest releases in launchpad
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1447147 13f79535-47bb-0310-9956-ffa450edef68
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index a6bef27..3a2dba4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -23,7 +23,7 @@
<parent>
<groupId>org.apache.sling</groupId>
<artifactId>sling</artifactId>
- <version>14</version>
+ <version>15</version>
</parent>
<artifactId>org.apache.sling.security</artifactId>
--
[sling-org-apache-sling-security] 08/30: [maven-release-plugin]
prepare for next development iteration
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit d431bfd5cf8d5d2a6d8d7012068e960aa732e9df
Author: Carsten Ziegeler <cz...@apache.org>
AuthorDate: Thu Jan 26 09:03:30 2012 +0000
[maven-release-plugin] prepare for next development iteration
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1236090 13f79535-47bb-0310-9956-ffa450edef68
---
pom.xml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pom.xml b/pom.xml
index b8da4c6..83b0a0f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,7 @@
</parent>
<artifactId>org.apache.sling.security</artifactId>
- <version>1.0.0</version>
+ <version>1.0.1-SNAPSHOT</version>
<packaging>bundle</packaging>
<name>Apache Sling Security</name>
@@ -36,9 +36,9 @@
</description>
<scm>
- <connection>scm:svn:http://svn.apache.org/repos/asf/sling/tags/org.apache.sling.security-1.0.0</connection>
- <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/tags/org.apache.sling.security-1.0.0</developerConnection>
- <url>http://svn.apache.org/viewvc/sling/tags/org.apache.sling.security-1.0.0</url>
+ <connection>scm:svn:http://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</connection>
+ <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</developerConnection>
+ <url>http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security</url>
</scm>
<build>
--
[sling-org-apache-sling-security] 17/30: SLING-2836 : Missing
@(De)Activate annotations in ReferrerFilter#(de)activate() methods cause
Sling Referrer Filter Tab clones
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit fbfc8e8a4c845490655b7c95fa1c6b79ea7fa99d
Author: Carsten Ziegeler <cz...@apache.org>
AuthorDate: Mon Apr 22 08:03:50 2013 +0000
SLING-2836 : Missing @(De)Activate annotations in ReferrerFilter#(de)activate() methods cause Sling Referrer Filter Tab clones
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1470406 13f79535-47bb-0310-9956-ffa450edef68
---
src/main/java/org/apache/sling/security/impl/ReferrerFilter.java | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
index 1c473a5..000f463 100644
--- a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
+++ b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
@@ -42,7 +42,9 @@ import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
+import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.PropertyUnbounded;
import org.apache.felix.scr.annotations.Service;
@@ -179,6 +181,7 @@ public class ReferrerFilter implements Filter {
/**
* Activate
*/
+ @Activate
protected void activate(final ComponentContext ctx) {
this.allowEmpty = PropertiesUtil.toBoolean(ctx.getProperties().get(PROP_ALLOW_EMPTY), DEFAULT_ALLOW_EMPTY);
String[] allowHosts = PropertiesUtil.toStringArray(ctx.getProperties().get(PROP_HOSTS));
@@ -208,6 +211,7 @@ public class ReferrerFilter implements Filter {
this.configPrinterRegistration = registerConfigPrinter(ctx.getBundleContext());
}
+ @Deactivate
protected void deactivate() {
this.configPrinterRegistration.unregister();
}
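Review bot: deactivate() calls this.configPrinterRegistration.unregister() with no null check; now that the method is explicitly bound with @Deactivate, guard against a registration that was never set (activate failing before registerConfigPrinter runs) and clear the field after unregistering.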
--
[sling-org-apache-sling-security] 13/30: [maven-release-plugin]
prepare release org.apache.sling.security-1.0.2
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit fa7665e1dd0e364bb1f869bf411e1a594dd807c7
Author: Carsten Ziegeler <cz...@apache.org>
AuthorDate: Sat Dec 15 14:55:53 2012 +0000
[maven-release-plugin] prepare release org.apache.sling.security-1.0.2
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1422260 13f79535-47bb-0310-9956-ffa450edef68
---
pom.xml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pom.xml b/pom.xml
index 3e3d594..81db816 100644
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,7 @@
</parent>
<artifactId>org.apache.sling.security</artifactId>
- <version>1.0.1-SNAPSHOT</version>
+ <version>1.0.2</version>
<packaging>bundle</packaging>
<name>Apache Sling Security</name>
@@ -36,9 +36,9 @@
</description>
<scm>
- <connection>scm:svn:http://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</connection>
- <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</developerConnection>
- <url>http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security</url>
+ <connection>scm:svn:http://svn.apache.org/repos/asf/sling/tags/org.apache.sling.security-1.0.2</connection>
+ <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/tags/org.apache.sling.security-1.0.2</developerConnection>
+ <url>http://svn.apache.org/viewvc/sling/tags/org.apache.sling.security-1.0.2</url>
</scm>
<build>
--
[sling-org-apache-sling-security] 20/30: Correct reactor pom and
update to parent pom 16
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit fc2c9e5e550151e4bd8ff85b1ae4349a8ebb34e8
Author: Carsten Ziegeler <cz...@apache.org>
AuthorDate: Sun May 5 14:38:24 2013 +0000
Correct reactor pom and update to parent pom 16
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1479333 13f79535-47bb-0310-9956-ffa450edef68
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index c1f4fb0..e30c52f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -23,7 +23,7 @@
<parent>
<groupId>org.apache.sling</groupId>
<artifactId>sling</artifactId>
- <version>15</version>
+ <version>16</version>
</parent>
<artifactId>org.apache.sling.security</artifactId>
--
[sling-org-apache-sling-security] 27/30: [maven-release-plugin]
prepare for next development iteration
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit a04352bbf9848595b07256206672a1af957d7973
Author: Antonio Sanso <as...@apache.org>
AuthorDate: Mon Feb 23 11:58:39 2015 +0000
[maven-release-plugin] prepare for next development iteration
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1661651 13f79535-47bb-0310-9956-ffa450edef68
---
pom.xml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pom.xml b/pom.xml
index 4ef776d..a401dc6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,7 @@
</parent>
<artifactId>org.apache.sling.security</artifactId>
- <version>1.0.8</version>
+ <version>1.0.9-SNAPSHOT</version>
<packaging>bundle</packaging>
<name>Apache Sling Security</name>
@@ -36,9 +36,9 @@
</description>
<scm>
- <connection>scm:svn:http://svn.apache.org/repos/asf/sling/tags/org.apache.sling.security-1.0.8</connection>
- <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/tags/org.apache.sling.security-1.0.8</developerConnection>
- <url>http://svn.apache.org/viewvc/sling/tags/org.apache.sling.security-1.0.8</url>
+ <connection>scm:svn:http://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</connection>
+ <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</developerConnection>
+ <url>http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security</url>
</scm>
<build>
--
[sling-org-apache-sling-security] 12/30: SLING-2694 : Only check
referrer header if request is from a browser
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit b9b53a5454b7fc965c890d76ab6cdb43240f9e33
Author: Carsten Ziegeler <cz...@apache.org>
AuthorDate: Wed Dec 5 13:14:34 2012 +0000
SLING-2694 : Only check referrer header if request is from a browser
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1417407 13f79535-47bb-0310-9956-ffa450edef68
---
.../apache/sling/security/impl/ReferrerFilter.java | 47 +++++++++++++++++++++-
1 file changed, 45 insertions(+), 2 deletions(-)
diff --git a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
index da81f41..1c473a5 100644
--- a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
+++ b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
@@ -60,6 +60,27 @@ import org.slf4j.LoggerFactory;
@Service(value=Filter.class)
public class ReferrerFilter implements Filter {
+ /**
+ * Request header providing the clients user agent information used
+ * by {@link #isBrowserRequest(HttpServletRequest)} to decide whether
+ * a request is probably sent by a browser or not.
+ */
+ private static final String USER_AGENT = "User-Agent";
+
+ /**
+ * String contained in a {@link #USER_AGENT} header indicating a Mozilla
+ * class browser. Examples of such browsers are Firefox (generally Gecko
+ * based browsers), Safari, Chrome (probably generally WebKit based
+ * browsers), and Microsoft IE.
+ */
+ private static final String BROWSER_CLASS_MOZILLA = "Mozilla";
+
+ /**
+ * String contained in a {@link #USER_AGENT} header indicating a Opera class
+ * browser. The only known browser in this class is the Opera browser.
+ */
+ private static final String BROWSER_CLASS_OPERA = "Opera";
+
/** Logger. */
private final Logger logger = LoggerFactory.getLogger(this.getClass());
@@ -225,8 +246,8 @@ public class ReferrerFilter implements Filter {
if ( req instanceof HttpServletRequest && res instanceof HttpServletResponse ) {
final HttpServletRequest request = (HttpServletRequest)req;
- // is this a modification request
- if ( this.isModification(request) ) {
+ // is this a modification request from a browser
+ if ( this.isBrowserRequest(request) && this.isModification(request) ) {
if ( !this.isValidRequest(request) ) {
final HttpServletResponse response = (HttpServletResponse)res;
// we use 403
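Review bot: with this.isBrowserRequest(request) && this.isModification(request), the referrer check is skipped for every modification request whose User-Agent does not contain the expected tokens, including requests with no User-Agent header at all, and that header is supplied by the client. The comment should record why non-browser clients are exempted, and a debug log line when the check is skipped would let operators see how often modification requests take this path.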
@@ -335,6 +356,28 @@ public class ReferrerFilter implements Filter {
// nothing to do
}
+ /**
+ * Returns <code>true</code> if the given request can be assumed to be sent
+ * by a client browser such as Firefix, Internet Explorer, etc.
+ * <p>
+ * This method inspects the <code>User-Agent</code> header and returns
+ * <code>true</code> if the header contains the string <i>Mozilla</i> (known
+ * to be contained in Firefox, Internet Explorer, WebKit-based browsers
+ * User-Agent) or <i>Opera</i> (known to be contained in the Opera
+ * User-Agent).
+ *
+ * @param request The request to inspect
+ * @return <code>true</code> if the request is assumed to be sent by a
+ * browser.
+ */
+ private boolean isBrowserRequest(final HttpServletRequest request) {
+ final String userAgent = request.getHeader(USER_AGENT);
+ if (userAgent != null && (userAgent.contains(BROWSER_CLASS_MOZILLA) || userAgent.contains(BROWSER_CLASS_OPERA))) {
+ return true;
+ }
+ return false;
+ }
+
public class ConfigurationPrinter {
/**
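Review bot: the Javadoc for isBrowserRequest says "Firefix" where Firefox is meant. The body can return the boolean expression directly instead of the if / return true / return false form, and the contains() checks are case-sensitive, which is worth stating in the Javadoc since this decision gates the referrer check.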
--
[sling-org-apache-sling-security] 25/30: SLING-4019 -
ReferrerFilter should have DEFAULT_ALLOW_EMPTY set to false
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit daac5d71442e57b2b2c3659ee9635eacc06539a2
Author: Antonio Sanso <as...@apache.org>
AuthorDate: Mon Feb 23 11:56:13 2015 +0000
SLING-4019 - ReferrerFilter should have DEFAULT_ALLOW_EMPTY set to false
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1661648 13f79535-47bb-0310-9956-ffa450edef68
---
src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java b/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
index 567246e..14002bc 100644
--- a/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
+++ b/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
@@ -77,7 +77,7 @@ public class ReferrerFilterTest {
}
@Test public void testValidRequest() {
- Assert.assertEquals(true, filter.isValidRequest(getRequest(null)));
+ Assert.assertEquals(false, filter.isValidRequest(getRequest(null)));
Assert.assertEquals(true, filter.isValidRequest(getRequest("relative")));
Assert.assertEquals(true, filter.isValidRequest(getRequest("/relative/too")));
Assert.assertEquals(true, filter.isValidRequest(getRequest("/relative/but/[illegal]")));
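Review bot: the expectation for getRequest(null) flips to false, but the diffstat for this commit lists only ReferrerFilterTest.java, so the change to DEFAULT_ALLOW_EMPTY that the subject line describes is not part of this patch. Confirm it landed in a separate commit, otherwise this assertion fails against the default configuration; a matching assertion for an empty-string referrer would also be useful.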
--
[sling-org-apache-sling-security] 01/30: SLING-2664 : Use global
filter instead of Sling filter
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit 04c948ce8e761f6e509a8e124983df0632b3926e
Author: Carsten Ziegeler <cz...@apache.org>
AuthorDate: Tue Aug 9 13:15:41 2011 +0000
SLING-2664 : Use global filter instead of Sling filter
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1155355 13f79535-47bb-0310-9956-ffa450edef68
---
src/main/java/org/apache/sling/security/impl/ReferrerFilter.java | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
index 704b915..b2a784f 100644
--- a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
+++ b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
@@ -39,18 +39,19 @@ import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.PropertyUnbounded;
-import org.apache.felix.scr.annotations.sling.SlingFilter;
-import org.apache.felix.scr.annotations.sling.SlingFilterScope;
+import org.apache.felix.scr.annotations.Service;
import org.apache.sling.commons.osgi.OsgiUtil;
import org.osgi.service.component.ComponentContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-@SlingFilter(order=-1500000000,scope=SlingFilterScope.REQUEST,metatype=true,
- description="%referrer.description",
+@Component(metatype=true, description="%referrer.description",
label="%referrer.name")
+@Property(name="pattern", value="/.*", propertyPrivate=true)
+@Service(value=Filter.class)
public class ReferrerFilter implements Filter {
/** Logger. */
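Review bot: replacing @SlingFilter with @Component and @Service drops order=-1500000000 without any ranking property in its place, so the position of the referrer check relative to other filters is no longer pinned by this class. If it is meant to run ahead of other filters, declare the ordering explicitly next to the pattern property, and note in the class Javadoc that pattern /.* applies the filter to all request paths.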
--
[sling-org-apache-sling-security] 06/30: SLING-2279 :
ReferrerFilter should not reverse lookup the IPs of interfaces. Apply patch
from Tobias Bocanegra
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit 7a459109eef1570e0633e3f3bdf71463ac81d167
Author: Carsten Ziegeler <cz...@apache.org>
AuthorDate: Tue Nov 15 08:30:41 2011 +0000
SLING-2279 : ReferrerFilter should not reverse lookup the IPs of interfaces. Apply patch from Tobias Bocanegra
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1202087 13f79535-47bb-0310-9956-ffa450edef68
---
.../org/apache/sling/security/impl/ReferrerFilter.java | 16 ++--------------
1 file changed, 2 insertions(+), 14 deletions(-)
diff --git a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
index 344e9d4..da81f41 100644
--- a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
+++ b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
@@ -104,24 +104,13 @@ public class ReferrerFilter implements Filter {
while(ias.hasMoreElements()){
final InetAddress ia = ias.nextElement();
final String address = ia.getHostAddress().trim().toLowerCase();
- final String name = ia.getHostName().trim().toLowerCase();
if ( ia instanceof Inet4Address ) {
referrers.add("http://" + address + ":0");
referrers.add("https://" + address + ":0");
- referrers.add("http://" + name + ":0");
- referrers.add("https://" + name + ":0");
- if (name.indexOf('.')>-1){
- int index = name.indexOf('.');
- String host = name.substring(0, index);
- referrers.add("http://" + host.trim().toLowerCase() + ":0");
- referrers.add("https://" + host.trim().toLowerCase() + ":0");
- }
}
if ( ia instanceof Inet6Address ) {
referrers.add("http://[" + address + "]" + ":0");
referrers.add("https://[" + address + "]" + ":0");
- referrers.add("http://[" + name + "]" + ":0");
- referrers.add("https://[" + name + "]" + ":0");
}
}
}
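Review bot: removing the ia.getHostName() entries changes the default allow list: referrers that use the machine's host name or its short name are no longer accepted by these defaults unless they are configured explicitly or accepted by another rule. Avoiding the reverse lookup is reasonable, but the change deserves a line in the metatype description or release notes so that upgrades do not start rejecting requests unexpectedly.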
@@ -335,7 +324,7 @@ public class ReferrerFilter implements Filter {
/**
* @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
*/
- public void init(FilterConfig arg0) throws ServletException {
+ public void init(final FilterConfig config) throws ServletException {
// nothing to do
}
@@ -352,8 +341,7 @@ public class ReferrerFilter implements Filter {
* Print out the allowedReferrers
* @see org.apache.felix.webconsole.ConfigurationPrinter#printConfiguration(java.io.PrintWriter)
*/
- @SuppressWarnings("unused")
- public void printConfiguration(PrintWriter pw) {
+ public void printConfiguration(final PrintWriter pw) {
pw.println("Current Apache Sling Referrer Filter Allowed Referrers:");
pw.println();
for (final URL url : allowedReferrers) {
--
[sling-org-apache-sling-security] 11/30: Set svn:ignore
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit c537035b72b1a9610e73810ffe1c6f8dbdd65a46
Author: Carsten Ziegeler <cz...@apache.org>
AuthorDate: Mon Oct 1 15:15:41 2012 +0000
Set svn:ignore
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1392381 13f79535-47bb-0310-9956-ffa450edef68
--
[sling-org-apache-sling-security] 30/30: [maven-release-plugin]
copy for tag org.apache.sling.security-1.0.10
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit d954ef9afcf863d2ab52c39652caf0cfef4634ec
Author: Antonio Sanso <as...@apache.org>
AuthorDate: Thu Apr 2 10:02:52 2015 +0000
[maven-release-plugin] copy for tag org.apache.sling.security-1.0.10
git-svn-id: https://svn.apache.org/repos/asf/sling/tags/org.apache.sling.security-1.0.10@1670873 13f79535-47bb-0310-9956-ffa450edef68
--
[sling-org-apache-sling-security] 26/30: [maven-release-plugin]
prepare release org.apache.sling.security-1.0.8
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit 16d9866a76b6f035cf63b7cdb89eab2162b321c9
Author: Antonio Sanso <as...@apache.org>
AuthorDate: Mon Feb 23 11:58:24 2015 +0000
[maven-release-plugin] prepare release org.apache.sling.security-1.0.8
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1661649 13f79535-47bb-0310-9956-ffa450edef68
---
pom.xml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pom.xml b/pom.xml
index f907fbc..4ef776d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,7 @@
</parent>
<artifactId>org.apache.sling.security</artifactId>
- <version>1.0.7-SNAPSHOT</version>
+ <version>1.0.8</version>
<packaging>bundle</packaging>
<name>Apache Sling Security</name>
@@ -36,9 +36,9 @@
</description>
<scm>
- <connection>scm:svn:http://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</connection>
- <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</developerConnection>
- <url>http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security</url>
+ <connection>scm:svn:http://svn.apache.org/repos/asf/sling/tags/org.apache.sling.security-1.0.8</connection>
+ <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/tags/org.apache.sling.security-1.0.8</developerConnection>
+ <url>http://svn.apache.org/viewvc/sling/tags/org.apache.sling.security-1.0.8</url>
</scm>
<build>
--
[sling-org-apache-sling-security] 02/30: Use latest Commons OSGi
and return 403 instead of 500
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit dfbcc5735fca50821bed129b85838fbe2e1c67ad
Author: Carsten Ziegeler <cz...@apache.org>
AuthorDate: Thu Aug 11 12:27:19 2011 +0000
Use latest Commons OSGi and return 403 instead of 500
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1156594 13f79535-47bb-0310-9956-ffa450edef68
---
pom.xml | 2 +-
.../java/org/apache/sling/security/impl/ReferrerFilter.java | 12 ++++++------
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/pom.xml b/pom.xml
index 99b37e5..7098fd6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -71,7 +71,7 @@
<dependency>
<groupId>org.apache.sling</groupId>
<artifactId>org.apache.sling.commons.osgi</artifactId>
- <version>2.0.6</version>
+ <version>2.1.0</version>
<scope>provided</scope>
</dependency>
<dependency>
diff --git a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
index b2a784f..ddb4ca1 100644
--- a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
+++ b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
@@ -43,7 +43,7 @@ import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.PropertyUnbounded;
import org.apache.felix.scr.annotations.Service;
-import org.apache.sling.commons.osgi.OsgiUtil;
+import org.apache.sling.commons.osgi.PropertiesUtil;
import org.osgi.service.component.ComponentContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -162,8 +162,8 @@ public class ReferrerFilter implements Filter {
* Activate
*/
protected void activate(final ComponentContext ctx) {
- this.allowEmpty = OsgiUtil.toBoolean(ctx.getProperties().get(PROP_ALLOW_EMPTY), DEFAULT_ALLOW_EMPTY);
- String[] allowHosts = OsgiUtil.toStringArray(ctx.getProperties().get(PROP_HOSTS));
+ this.allowEmpty = PropertiesUtil.toBoolean(ctx.getProperties().get(PROP_ALLOW_EMPTY), DEFAULT_ALLOW_EMPTY);
+ String[] allowHosts = PropertiesUtil.toStringArray(ctx.getProperties().get(PROP_HOSTS));
if ( allowHosts != null ) {
if ( allowHosts.length == 0 ) {
allowHosts = null;
@@ -178,7 +178,7 @@ public class ReferrerFilter implements Filter {
}
}
this.allowedReferrers = this.createReferrerUrls(allowedReferrers);
- this.filterMethods = OsgiUtil.toStringArray(ctx.getProperties().get(PROP_METHODS));
+ this.filterMethods = PropertiesUtil.toStringArray(ctx.getProperties().get(PROP_METHODS));
if ( this.filterMethods != null && this.filterMethods.length == 1 && (this.filterMethods[0] == null || this.filterMethods[0].trim().length() == 0) ) {
this.filterMethods = null;
}
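Review bot: The blank-entry check on filterMethods only fires when the array has exactly one element, so a configured list that mixes real methods with an empty string keeps the empty entry. Since this line is being touched anyway, consider dropping blank entries for any array length and setting filterMethods to null when nothing remains.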
@@ -212,8 +212,8 @@ public class ReferrerFilter implements Filter {
if ( this.isModification(request) ) {
if ( !this.isValidRequest(request) ) {
final HttpServletResponse response = (HttpServletResponse)res;
- // we use 500
- response.sendError(500);
+ // we use 403
+ response.sendError(403);
return;
}
}
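Review bot: The status is a bare literal in response.sendError(403), and the comment "we use 403" only restates the code. Prefer HttpServletResponse.SC_FORBIDDEN and let the comment give the reason, for example that a rejected referrer is a refused client request rather than a server fault, so it should not show up in 5xx monitoring. Nothing in the visible lines logs the rejection; if isValidRequest does not already log the offending referrer, this branch is the place to do it.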
--
[sling-org-apache-sling-security] 19/30: [maven-release-plugin]
prepare for next development iteration
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit 6c3a2d529d40eedeedd800fbf389089a80222eaa
Author: Carsten Ziegeler <cz...@apache.org>
AuthorDate: Mon Apr 22 08:06:13 2013 +0000
[maven-release-plugin] prepare for next development iteration
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1470409 13f79535-47bb-0310-9956-ffa450edef68
---
pom.xml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pom.xml b/pom.xml
index 92c79f8..c1f4fb0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,7 @@
</parent>
<artifactId>org.apache.sling.security</artifactId>
- <version>1.0.4</version>
+ <version>1.0.5-SNAPSHOT</version>
<packaging>bundle</packaging>
<name>Apache Sling Security</name>
@@ -36,9 +36,9 @@
</description>
<scm>
- <connection>scm:svn:http://svn.apache.org/repos/asf/sling/tags/org.apache.sling.security-1.0.4</connection>
- <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/tags/org.apache.sling.security-1.0.4</developerConnection>
- <url>http://svn.apache.org/viewvc/sling/tags/org.apache.sling.security-1.0.4</url>
+ <connection>scm:svn:http://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</connection>
+ <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</developerConnection>
+ <url>http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security</url>
</scm>
<build>
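Review bot: In the scm block, connection and url point at plain http://svn.apache.org while developerConnection already uses https. Use https for all three so that anonymous checkouts and the viewvc link are not fetched over an unauthenticated transport.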
--
[sling-org-apache-sling-security] 04/30: SLING-2200 - adding a
configuration printer to the referrer filter
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit 23166c52b4be4085c2142f61feaad9bd7ed32a64
Author: Justin Edelson <ju...@apache.org>
AuthorDate: Wed Aug 31 16:00:52 2011 +0000
SLING-2200 - adding a configuration printer to the referrer filter
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1163675 13f79535-47bb-0310-9956-ffa450edef68
---
.../apache/sling/security/impl/ReferrerFilter.java | 45 ++++++++++++++++++++++
.../sling/security/impl/ReferrerFilterTest.java | 13 +++++--
2 files changed, 55 insertions(+), 3 deletions(-)
diff --git a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
index 0302ac7..afe33ee 100644
--- a/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
+++ b/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
@@ -17,6 +17,7 @@
package org.apache.sling.security.impl;
import java.io.IOException;
+import java.io.PrintWriter;
import java.net.Inet4Address;
import java.net.Inet6Address;
import java.net.InetAddress;
@@ -25,8 +26,10 @@ import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.URL;
import java.util.ArrayList;
+import java.util.Dictionary;
import java.util.Enumeration;
import java.util.HashSet;
+import java.util.Hashtable;
import java.util.List;
import java.util.Set;
@@ -44,6 +47,9 @@ import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.PropertyUnbounded;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.commons.osgi.PropertiesUtil;
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.Constants;
+import org.osgi.framework.ServiceRegistration;
import org.osgi.service.component.ComponentContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -81,6 +87,8 @@ public class ReferrerFilter implements Filter {
/** Methods to be filtered. */
private String[] filterMethods;
+ private ServiceRegistration configPrinterRegistration;
+
/**
* Create a default list of referrers
*/
@@ -187,8 +195,28 @@ public class ReferrerFilter implements Filter {
filterMethods[i] = filterMethods[i].toUpperCase();
}
}
+ this.configPrinterRegistration = registerConfigPrinter(ctx.getBundleContext());
+ }
+
+ protected void deactivate() {
+ this.configPrinterRegistration.unregister();
}
+ private ServiceRegistration registerConfigPrinter(BundleContext bundleContext) {
+ final ConfigurationPrinter cfgPrinter = new ConfigurationPrinter();
+ final Dictionary<String, String> serviceProps = new Hashtable<String, String>();
+ serviceProps.put(Constants.SERVICE_DESCRIPTION,
+ "Apache Sling Referrer Filter Configuration Printer");
+ serviceProps.put(Constants.SERVICE_VENDOR, "The Apache Software Foundation");
+ serviceProps.put("felix.webconsole.label", "slingreferrerfilter");
+ serviceProps.put("felix.webconsole.title", "Sling Referrer Filter");
+ serviceProps.put("felix.webconsole.configprinter.modes", "always");
+
+ return bundleContext.registerService(Object.class.getName(),
+ cfgPrinter, serviceProps);
+ }
+
+
private boolean isModification(final HttpServletRequest req) {
final String method = req.getMethod();
if ( filterMethods != null ) {
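Review bot: deactivate() calls this.configPrinterRegistration.unregister() without a null check, and the field is only assigned on the last line of activate(), so a failure earlier in activate() or a null return from registerService turns deactivation into a NullPointerException. Guard the call and clear the field afterwards, e.g. if (configPrinterRegistration != null) { configPrinterRegistration.unregister(); configPrinterRegistration = null; }. The new field and deactivate() also lack the Javadoc comments the neighbouring members have.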
@@ -317,4 +345,21 @@ public class ReferrerFilter implements Filter {
public void destroy() {
// nothing to do
}
+
+ public class ConfigurationPrinter {
+
+ /**
+ * Print out the allowedReferrers
+ * @see org.apache.felix.webconsole.ConfigurationPrinter#printConfiguration(java.io.PrintWriter)
+ */
+ @SuppressWarnings("unused")
+ public void printConfiguration(PrintWriter pw) {
+ pw.println("Current Apache Sling Referrer Filter Allowed Referrers:");
+ pw.println();
+ for (final URL url : allowedReferrers) {
+ pw.println(url.toString());
+ }
+ }
+
+ }
}
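Review bot: printConfiguration only lists allowedReferrers, but the filter's effective policy also depends on filterMethods and the allow-empty setting; printing those too would let an operator audit the whole configuration from the console. The Javadoc points at org.apache.felix.webconsole.ConfigurationPrinter, yet the class does not implement it and the method carries @SuppressWarnings("unused"), so a signature drift would not be caught at compile time. If avoiding a compile-time dependency on the web console is the intent, say so in the class comment.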
diff --git a/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java b/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
index d1a52da..136cb28 100644
--- a/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
+++ b/src/test/java/org/apache/sling/security/impl/ReferrerFilterTest.java
@@ -16,8 +16,8 @@
*/
package org.apache.sling.security.impl;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
+import static org.mockito.Mockito.*;
+import static org.mockito.Matchers.*;
import java.util.Dictionary;
import java.util.Hashtable;
@@ -27,6 +27,8 @@ import javax.servlet.http.HttpServletRequest;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.ServiceRegistration;
import org.osgi.service.component.ComponentContext;
public class ReferrerFilterTest {
@@ -36,8 +38,13 @@ public class ReferrerFilterTest {
@Before public void setup() {
filter = new ReferrerFilter();
final ComponentContext ctx = mock(ComponentContext.class);
+ final BundleContext bundleCtx = mock(BundleContext.class);
+ final ServiceRegistration reg = mock(ServiceRegistration.class);
final Dictionary<String, Object> props = new Hashtable<String, Object>();
- when(ctx.getProperties()).thenReturn(props);
+ doReturn(props).when(ctx).getProperties();
+ doReturn(bundleCtx).when(ctx).getBundleContext();
+ doReturn(reg).when(bundleCtx).registerService(any(String[].class), any(), any(Dictionary.class));
+ doNothing().when(reg).unregister();
filter.activate(ctx);
}
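Review bot: The stub doReturn(reg).when(bundleCtx).registerService(any(String[].class), any(), any(Dictionary.class)) targets the String[] overload, while ReferrerFilter calls registerService(Object.class.getName(), ...), which is the String overload. The stub therefore never matches, the mock returns null, and the filter under test holds a null configPrinterRegistration. Match the first argument with anyString() instead, and add a test that calls deactivate() and verifies unregister() on reg. The doNothing().when(reg).unregister() line is redundant for a void method on a mock.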
--
[sling-org-apache-sling-security] 29/30: [maven-release-plugin]
prepare release org.apache.sling.security-1.0.10
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit 5621fdb07ed145a6322e2d34bc3380eda3481704
Author: Antonio Sanso <as...@apache.org>
AuthorDate: Thu Apr 2 10:02:31 2015 +0000
[maven-release-plugin] prepare release org.apache.sling.security-1.0.10
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1670872 13f79535-47bb-0310-9956-ffa450edef68
---
pom.xml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pom.xml b/pom.xml
index 25f13bf..df89ee7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,7 @@
</parent>
<artifactId>org.apache.sling.security</artifactId>
- <version>1.0.9-SNAPSHOT</version>
+ <version>1.0.10</version>
<packaging>bundle</packaging>
<name>Apache Sling Security</name>
@@ -36,9 +36,9 @@
</description>
<scm>
- <connection>scm:svn:http://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</connection>
- <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</developerConnection>
- <url>http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security</url>
+ <connection>scm:svn:http://svn.apache.org/repos/asf/sling/tags/org.apache.sling.security-1.0.10</connection>
+ <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/tags/org.apache.sling.security-1.0.10</developerConnection>
+ <url>http://svn.apache.org/viewvc/sling/tags/org.apache.sling.security-1.0.10</url>
</scm>
<build>
--
[sling-org-apache-sling-security] 07/30: [maven-release-plugin]
prepare release org.apache.sling.security-1.0.0
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit ceda7a9eb4a607a6feee040f6d3d28de33949d3c
Author: Carsten Ziegeler <cz...@apache.org>
AuthorDate: Thu Jan 26 09:03:10 2012 +0000
[maven-release-plugin] prepare release org.apache.sling.security-1.0.0
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1236088 13f79535-47bb-0310-9956-ffa450edef68
---
pom.xml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pom.xml b/pom.xml
index 3dcda90..b8da4c6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,7 @@
</parent>
<artifactId>org.apache.sling.security</artifactId>
- <version>0.5.0-SNAPSHOT</version>
+ <version>1.0.0</version>
<packaging>bundle</packaging>
<name>Apache Sling Security</name>
@@ -36,9 +36,9 @@
</description>
<scm>
- <connection>scm:svn:http://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</connection>
- <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</developerConnection>
- <url>http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security</url>
+ <connection>scm:svn:http://svn.apache.org/repos/asf/sling/tags/org.apache.sling.security-1.0.0</connection>
+ <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/tags/org.apache.sling.security-1.0.0</developerConnection>
+ <url>http://svn.apache.org/viewvc/sling/tags/org.apache.sling.security-1.0.0</url>
</scm>
<build>
--