Preventing direct download of JS and CSS files from a web application
JSP Code
========
<%-- Static asset links carry the container session ID as a query parameter so
     that the security filter (Filter Body below) can compare it with the
     current session before serving the file.
     NOTE(review): a session ID in a URL is exposed through Referer headers,
     proxy/access logs and browser history; a separate random per-session
     token stored alongside the session would serve the same purpose without
     that exposure.
     NOTE(review): standard JSP EL exposes session attributes as
     ${sessionScope.CURR_SEESION_ID}; ${session.CURR_SEESION_ID} only resolves
     if an attribute named "session" exists in some scope - confirm this is
     not rendering an empty value. --%>
<link href="css/XXXX.css?currSessionId=${session.CURR_SEESION_ID}" type="text/css" rel="Stylesheet" />
<script type="text/javascript" src="js/XXX.js?currSessionId=${session.CURR_SEESION_ID}" ></script>
<%-- LANGUAGE="JavaScript" is an obsolete attribute; type="text/javascript"
     (as on the tag above) or no type attribute at all is the current form. --%>
<SCRIPT LANGUAGE="JavaScript" src="javascript/XXXX.js?currSessionId=${session.CURR_SEESION_ID}"></SCRIPT>
Filter Body
===========
// Body of the security filter's doFilter(). The enclosing method signature, the
// logger `log`, the `request`/`response`/`chain` arguments and the helper
// getCurrentAcionString() are defined outside this snippet. The request is
// either redirected to INDEX_REQUEST_PATH or passed down the chain, based on the
// path segment after XXXXXX_TOOL_PATH and on the request parameters.
log.info("XXXXXXSecurityFilter doFilter start");
HttpServletRequest req= (HttpServletRequest) request;
HttpServletResponse res= (HttpServletResponse) response;
// getRequestURL() excludes the query string, so no parameter values are logged here.
String actionUrlStr = req.getRequestURL().toString();
log.info("actionUrlStr::::::" + actionUrlStr);
boolean isInvalidRequest = false;
int parametersCount = XXXXXXConstants.ZERO;
// Raw Enumeration. Every branch below re-reads getParameterNames() before
// iterating, so this initial value is never consumed.
Enumeration reqParamNames = req.getParameterNames();
int actionStringStart = XXXXXXConstants.MINUS_ONE, actionStringEnd = XXXXXXConstants.MINUS_ONE;
String tempactionUrlStr = XXXXXXConstants.EMPTY_STRING;
actionStringEnd = actionUrlStr.length();
// Offset just past the tool path. If XXXXXX_TOOL_PATH is absent, indexOf() is -1
// and the start offset is meaningless (substring() throws when it exceeds the end).
// NOTE(review): relies on the filter mapping guaranteeing the path is present - confirm.
actionStringStart = actionUrlStr.indexOf(XXXXXXConstants.XXXXXX_TOOL_PATH) + XXXXXXConstants.XXXXXX_TOOL_PATH.length();
tempactionUrlStr = actionUrlStr.substring(actionStringStart, actionStringEnd);
// Strip a leading ROOT separator. substring() never returns null, so the null check is redundant.
if (tempactionUrlStr != null && tempactionUrlStr.indexOf(XXXXXXConstants.ROOT) == XXXXXXConstants.ZERO) {
tempactionUrlStr = tempactionUrlStr.substring(XXXXXXConstants.ONE, tempactionUrlStr.length());
}
// Classifies the relative path (helper not shown). Whether it can return null is
// not visible here; that matters for the operator-precedence issue on the
// login / new-user / forgot-password branches below.
String currentReXXXXXXctionString = getCurrentAcionString(tempactionUrlStr);
String paramName = XXXXXXConstants.FILER_SESSION_PARAM;
String paramValue = XXXXXXConstants.EMPTY_STRING;
// Container session ID; stored as a session attribute further down and embedded
// by the JSPs into the script/css URLs this filter later checks.
String currSessionId = req.getSession().getId();
log.info("currentReXXXXXXctionString::::" + currentReXXXXXXctionString);
// Allowlist of entry points that are always let through: empty path, index page,
// calendar page and the bare application roots over http/https.
if ((tempactionUrlStr != null && tempactionUrlStr.equalsIgnoreCase(XXXXXXConstants.EMPTY_STRING)) || tempactionUrlStr != null && tempactionUrlStr.equalsIgnoreCase(XXXXXXConstants.INDEX_JSP_STR) ||
tempactionUrlStr != null && tempactionUrlStr.equalsIgnoreCase(XXXXXXConstants.CALADER_HTML_STR) || XXXXXXConstants.HTTP_IAUDIT_REQUEST.equalsIgnoreCase(actionUrlStr)
|| XXXXXXConstants.HTTP_IAUDIT_REQUEST_WITH_SLASH.equalsIgnoreCase(actionUrlStr) || XXXXXXConstants.HTTPS_IAUDIT_REQUEST.equalsIgnoreCase(actionUrlStr)
|| XXXXXXConstants.HTTPS_IAUDIT_REQUEST_WITH_SLASH.equalsIgnoreCase(actionUrlStr)) {
isInvalidRequest = false;
} else {
boolean isJavascriptAndCss = false;
// JavaScript download: must carry exactly one parameter, the session parameter.
if (currentReXXXXXXctionString != null && currentReXXXXXXctionString.equalsIgnoreCase(XXXXXXConstants.JAVA_SCRIPT_STR)) {
isJavascriptAndCss = true;
reqParamNames = req.getParameterNames();
parametersCount = XXXXXXConstants.ZERO;
while(reqParamNames.hasMoreElements()) {
String requestParam = (String)reqParamNames.nextElement();
// Value of the session parameter (null when absent), re-read on every iteration.
paramValue = req.getParameter(XXXXXXConstants.FILER_SESSION_PARAM);
// NOTE(review): the first operand is false precisely when requestParam IS the
// session parameter, so its value is never compared with currSessionId. Combined
// with the count check below, a request whose single parameter is the session
// parameter is accepted whatever its value; when the single parameter has another
// name, paramValue is null and this line throws NullPointerException. Session IDs
// are case-sensitive, so equalsIgnoreCase() is also looser than needed. The
// intended rule is presumably "the session parameter is present and equals
// currSessionId" - confirm and correct.
if (!paramName.equalsIgnoreCase(requestParam) && !paramValue.equalsIgnoreCase(currSessionId)) {
// INDEX_STR is tolerated as an alternative value; its meaning is not visible here.
if (!paramValue.equalsIgnoreCase(XXXXXXConstants.INDEX_STR)) {
isInvalidRequest = true;
}
}
parametersCount ++;
}
// Equivalent to parametersCount != ONE.
if (parametersCount > XXXXXXConstants.ONE || parametersCount < XXXXXXConstants.ONE) {
isInvalidRequest = true;
}
// CSS download: a verbatim copy of the JavaScript branch above, including its
// defects. A shared helper would keep the two checks in step.
} else if (currentReXXXXXXctionString != null && currentReXXXXXXctionString.equalsIgnoreCase(XXXXXXConstants.CSS_STR)) {
isJavascriptAndCss = true;
reqParamNames = req.getParameterNames();
parametersCount = XXXXXXConstants.ZERO;
while(reqParamNames.hasMoreElements()) {
String requestParam = (String)reqParamNames.nextElement();
paramValue = req.getParameter(XXXXXXConstants.FILER_SESSION_PARAM);
// Same ineffective check / possible NullPointerException as in the JavaScript branch.
if (!paramName.equalsIgnoreCase(requestParam) && !paramValue.equalsIgnoreCase(currSessionId)) {
if (!paramValue.equalsIgnoreCase(XXXXXXConstants.INDEX_STR)) {
isInvalidRequest = true;
}
}
parametersCount ++;
}
if (parametersCount > XXXXXXConstants.ONE || parametersCount < XXXXXXConstants.ONE) {
isInvalidRequest = true;
}
// Anything that is neither images nor listed in VALID_AACTION_STRINGS is rejected;
// images and listed actions fall through to the specific checks below or are
// allowed. isJavascriptAndCss is always false here, because the only assignments
// to true sit in earlier alternatives of this same if/else-if chain. If
// VALID_AACTION_STRINGS is a String, indexOf() is a substring match rather than an
// exact one - verify against the constant's format.
} else if (currentReXXXXXXctionString != null && !currentReXXXXXXctionString.equalsIgnoreCase(XXXXXXConstants.IMAGES_STR)
&& isJavascriptAndCss == false && XXXXXXConstants.VALID_AACTION_STRINGS.indexOf(currentReXXXXXXctionString) == XXXXXXConstants.MINUS_ONE) {
isInvalidRequest = true;
// && binds tighter than ||, so when currentReXXXXXXctionString is null the
// right-hand equalsIgnoreCase() dereferences null (same on the two branches below).
// Login: only the parameter count (FOUR) is checked; values are not validated here.
} else if (currentReXXXXXXctionString != null && currentReXXXXXXctionString.equalsIgnoreCase(XXXXXXConstants.LOGIN_ACT) || currentReXXXXXXctionString.equalsIgnoreCase(XXXXXXConstants.LOGIN_ACTION)) {
reqParamNames = req.getParameterNames();
parametersCount = XXXXXXConstants.ZERO;
while(reqParamNames.hasMoreElements()) {
reqParamNames.nextElement();
parametersCount ++;
}
if (parametersCount != XXXXXXConstants.FOUR) {
isInvalidRequest = true;
}
// New user: parameter count (SEVEN) only.
} else if (currentReXXXXXXctionString != null && currentReXXXXXXctionString.equalsIgnoreCase(XXXXXXConstants.NEW_USER_ACT) || currentReXXXXXXctionString.equalsIgnoreCase(XXXXXXConstants.NEW_USER_ACTION)) {
reqParamNames = req.getParameterNames();
parametersCount = XXXXXXConstants.ZERO;
while(reqParamNames.hasMoreElements()) {
reqParamNames.nextElement();
parametersCount ++;
}
log.info(XXXXXXConstants.NEW_USER_ACT + " :" + parametersCount);
if (parametersCount != XXXXXXConstants.SEVEN) {
isInvalidRequest = true;
}
// Forgot password: parameter count (SEVEN) only.
} else if (currentReXXXXXXctionString != null && currentReXXXXXXctionString.equalsIgnoreCase(XXXXXXConstants.FORGOT_PASSWORD_ACT) || currentReXXXXXXctionString.equalsIgnoreCase(XXXXXXConstants.FORGOT_PASSWORD_ACTION)) {
reqParamNames = req.getParameterNames();
parametersCount = XXXXXXConstants.ZERO;
while(reqParamNames.hasMoreElements()) {
reqParamNames.nextElement();
parametersCount ++;
}
log.info(XXXXXXConstants.FORGOT_PASSWORD_ACT + " :" + parametersCount);
if (parametersCount != XXXXXXConstants.SEVEN) {
isInvalidRequest = true;
}
}
}
log.info("isInvalidRequest:::::::" + isInvalidRequest);
if (isInvalidRequest){
// Rejected requests are bounced to the index page and never reach the chain.
res.sendRedirect(XXXXXXConstants.INDEX_REQUEST_PATH);
} else {
// Exposes the session ID to the JSPs, which place it in script/css query strings.
// NOTE(review): a session ID in a URL leaks through Referer headers, proxy/access
// logs and browser history; a separate random per-session token would avoid that.
req.getSession().setAttribute("CURR_SEESION_ID", currSessionId);
// pass the request along the filter chain
chain.doFilter(request, response);
}
log.info("XXXXXXSecurityFilter doFilter end");
JSP Code
========
<%-- Static asset links carry the container session ID as a query parameter so
     that the security filter (Filter Body below) can compare it with the
     current session before serving the file.
     NOTE(review): a session ID in a URL is exposed through Referer headers,
     proxy/access logs and browser history; a separate random per-session
     token stored alongside the session would serve the same purpose without
     that exposure.
     NOTE(review): standard JSP EL exposes session attributes as
     ${sessionScope.CURR_SEESION_ID}; ${session.CURR_SEESION_ID} only resolves
     if an attribute named "session" exists in some scope - confirm this is
     not rendering an empty value. --%>
<link href="css/XXXX.css?currSessionId=${session.CURR_SEESION_ID}" type="text/css" rel="Stylesheet" />
<script type="text/javascript" src="js/XXX.js?currSessionId=${session.CURR_SEESION_ID}" ></script>
<%-- LANGUAGE="JavaScript" is an obsolete attribute; type="text/javascript"
     (as on the tag above) or no type attribute at all is the current form. --%>
<SCRIPT LANGUAGE="JavaScript" src="javascript/XXXX.js?currSessionId=${session.CURR_SEESION_ID}"></SCRIPT>
Filter Body
===========
// Body of the security filter's doFilter(). The enclosing method signature, the
// logger `log`, the `request`/`response`/`chain` arguments and the helper
// getCurrentAcionString() are defined outside this snippet. The request is
// either redirected to INDEX_REQUEST_PATH or passed down the chain, based on the
// path segment after XXXXXX_TOOL_PATH and on the request parameters.
log.info("XXXXXXSecurityFilter doFilter start");
HttpServletRequest req= (HttpServletRequest) request;
HttpServletResponse res= (HttpServletResponse) response;
// getRequestURL() excludes the query string, so no parameter values are logged here.
String actionUrlStr = req.getRequestURL().toString();
log.info("actionUrlStr::::::" + actionUrlStr);
boolean isInvalidRequest = false;
int parametersCount = XXXXXXConstants.ZERO;
// Raw Enumeration. Every branch below re-reads getParameterNames() before
// iterating, so this initial value is never consumed.
Enumeration reqParamNames = req.getParameterNames();
int actionStringStart = XXXXXXConstants.MINUS_ONE, actionStringEnd = XXXXXXConstants.MINUS_ONE;
String tempactionUrlStr = XXXXXXConstants.EMPTY_STRING;
actionStringEnd = actionUrlStr.length();
// Offset just past the tool path. If XXXXXX_TOOL_PATH is absent, indexOf() is -1
// and the start offset is meaningless (substring() throws when it exceeds the end).
// NOTE(review): relies on the filter mapping guaranteeing the path is present - confirm.
actionStringStart = actionUrlStr.indexOf(XXXXXXConstants.XXXXXX_TOOL_PATH) + XXXXXXConstants.XXXXXX_TOOL_PATH.length();
tempactionUrlStr = actionUrlStr.substring(actionStringStart, actionStringEnd);
// Strip a leading ROOT separator. substring() never returns null, so the null check is redundant.
if (tempactionUrlStr != null && tempactionUrlStr.indexOf(XXXXXXConstants.ROOT) == XXXXXXConstants.ZERO) {
tempactionUrlStr = tempactionUrlStr.substring(XXXXXXConstants.ONE, tempactionUrlStr.length());
}
// Classifies the relative path (helper not shown). Whether it can return null is
// not visible here; that matters for the operator-precedence issue on the
// login / new-user / forgot-password branches below.
String currentReXXXXXXctionString = getCurrentAcionString(tempactionUrlStr);
String paramName = XXXXXXConstants.FILER_SESSION_PARAM;
String paramValue = XXXXXXConstants.EMPTY_STRING;
// Container session ID; stored as a session attribute further down and embedded
// by the JSPs into the script/css URLs this filter later checks.
String currSessionId = req.getSession().getId();
log.info("currentReXXXXXXctionString::::" + currentReXXXXXXctionString);
// Allowlist of entry points that are always let through: empty path, index page,
// calendar page and the bare application roots over http/https.
if ((tempactionUrlStr != null && tempactionUrlStr.equalsIgnoreCase(XXXXXXConstants.EMPTY_STRING)) || tempactionUrlStr != null && tempactionUrlStr.equalsIgnoreCase(XXXXXXConstants.INDEX_JSP_STR) ||
tempactionUrlStr != null && tempactionUrlStr.equalsIgnoreCase(XXXXXXConstants.CALADER_HTML_STR) || XXXXXXConstants.HTTP_IAUDIT_REQUEST.equalsIgnoreCase(actionUrlStr)
|| XXXXXXConstants.HTTP_IAUDIT_REQUEST_WITH_SLASH.equalsIgnoreCase(actionUrlStr) || XXXXXXConstants.HTTPS_IAUDIT_REQUEST.equalsIgnoreCase(actionUrlStr)
|| XXXXXXConstants.HTTPS_IAUDIT_REQUEST_WITH_SLASH.equalsIgnoreCase(actionUrlStr)) {
isInvalidRequest = false;
} else {
boolean isJavascriptAndCss = false;
// JavaScript download: must carry exactly one parameter, the session parameter.
if (currentReXXXXXXctionString != null && currentReXXXXXXctionString.equalsIgnoreCase(XXXXXXConstants.JAVA_SCRIPT_STR)) {
isJavascriptAndCss = true;
reqParamNames = req.getParameterNames();
parametersCount = XXXXXXConstants.ZERO;
while(reqParamNames.hasMoreElements()) {
String requestParam = (String)reqParamNames.nextElement();
// Value of the session parameter (null when absent), re-read on every iteration.
paramValue = req.getParameter(XXXXXXConstants.FILER_SESSION_PARAM);
// NOTE(review): the first operand is false precisely when requestParam IS the
// session parameter, so its value is never compared with currSessionId. Combined
// with the count check below, a request whose single parameter is the session
// parameter is accepted whatever its value; when the single parameter has another
// name, paramValue is null and this line throws NullPointerException. Session IDs
// are case-sensitive, so equalsIgnoreCase() is also looser than needed. The
// intended rule is presumably "the session parameter is present and equals
// currSessionId" - confirm and correct.
if (!paramName.equalsIgnoreCase(requestParam) && !paramValue.equalsIgnoreCase(currSessionId)) {
// INDEX_STR is tolerated as an alternative value; its meaning is not visible here.
if (!paramValue.equalsIgnoreCase(XXXXXXConstants.INDEX_STR)) {
isInvalidRequest = true;
}
}
parametersCount ++;
}
// Equivalent to parametersCount != ONE.
if (parametersCount > XXXXXXConstants.ONE || parametersCount < XXXXXXConstants.ONE) {
isInvalidRequest = true;
}
// CSS download: a verbatim copy of the JavaScript branch above, including its
// defects. A shared helper would keep the two checks in step.
} else if (currentReXXXXXXctionString != null && currentReXXXXXXctionString.equalsIgnoreCase(XXXXXXConstants.CSS_STR)) {
isJavascriptAndCss = true;
reqParamNames = req.getParameterNames();
parametersCount = XXXXXXConstants.ZERO;
while(reqParamNames.hasMoreElements()) {
String requestParam = (String)reqParamNames.nextElement();
paramValue = req.getParameter(XXXXXXConstants.FILER_SESSION_PARAM);
// Same ineffective check / possible NullPointerException as in the JavaScript branch.
if (!paramName.equalsIgnoreCase(requestParam) && !paramValue.equalsIgnoreCase(currSessionId)) {
if (!paramValue.equalsIgnoreCase(XXXXXXConstants.INDEX_STR)) {
isInvalidRequest = true;
}
}
parametersCount ++;
}
if (parametersCount > XXXXXXConstants.ONE || parametersCount < XXXXXXConstants.ONE) {
isInvalidRequest = true;
}
// Anything that is neither images nor listed in VALID_AACTION_STRINGS is rejected;
// images and listed actions fall through to the specific checks below or are
// allowed. isJavascriptAndCss is always false here, because the only assignments
// to true sit in earlier alternatives of this same if/else-if chain. If
// VALID_AACTION_STRINGS is a String, indexOf() is a substring match rather than an
// exact one - verify against the constant's format.
} else if (currentReXXXXXXctionString != null && !currentReXXXXXXctionString.equalsIgnoreCase(XXXXXXConstants.IMAGES_STR)
&& isJavascriptAndCss == false && XXXXXXConstants.VALID_AACTION_STRINGS.indexOf(currentReXXXXXXctionString) == XXXXXXConstants.MINUS_ONE) {
isInvalidRequest = true;
// && binds tighter than ||, so when currentReXXXXXXctionString is null the
// right-hand equalsIgnoreCase() dereferences null (same on the two branches below).
// Login: only the parameter count (FOUR) is checked; values are not validated here.
} else if (currentReXXXXXXctionString != null && currentReXXXXXXctionString.equalsIgnoreCase(XXXXXXConstants.LOGIN_ACT) || currentReXXXXXXctionString.equalsIgnoreCase(XXXXXXConstants.LOGIN_ACTION)) {
reqParamNames = req.getParameterNames();
parametersCount = XXXXXXConstants.ZERO;
while(reqParamNames.hasMoreElements()) {
reqParamNames.nextElement();
parametersCount ++;
}
if (parametersCount != XXXXXXConstants.FOUR) {
isInvalidRequest = true;
}
// New user: parameter count (SEVEN) only.
} else if (currentReXXXXXXctionString != null && currentReXXXXXXctionString.equalsIgnoreCase(XXXXXXConstants.NEW_USER_ACT) || currentReXXXXXXctionString.equalsIgnoreCase(XXXXXXConstants.NEW_USER_ACTION)) {
reqParamNames = req.getParameterNames();
parametersCount = XXXXXXConstants.ZERO;
while(reqParamNames.hasMoreElements()) {
reqParamNames.nextElement();
parametersCount ++;
}
log.info(XXXXXXConstants.NEW_USER_ACT + " :" + parametersCount);
if (parametersCount != XXXXXXConstants.SEVEN) {
isInvalidRequest = true;
}
// Forgot password: parameter count (SEVEN) only.
} else if (currentReXXXXXXctionString != null && currentReXXXXXXctionString.equalsIgnoreCase(XXXXXXConstants.FORGOT_PASSWORD_ACT) || currentReXXXXXXctionString.equalsIgnoreCase(XXXXXXConstants.FORGOT_PASSWORD_ACTION)) {
reqParamNames = req.getParameterNames();
parametersCount = XXXXXXConstants.ZERO;
while(reqParamNames.hasMoreElements()) {
reqParamNames.nextElement();
parametersCount ++;
}
log.info(XXXXXXConstants.FORGOT_PASSWORD_ACT + " :" + parametersCount);
if (parametersCount != XXXXXXConstants.SEVEN) {
isInvalidRequest = true;
}
}
}
log.info("isInvalidRequest:::::::" + isInvalidRequest);
if (isInvalidRequest){
// Rejected requests are bounced to the index page and never reach the chain.
res.sendRedirect(XXXXXXConstants.INDEX_REQUEST_PATH);
} else {
// Exposes the session ID to the JSPs, which place it in script/css query strings.
// NOTE(review): a session ID in a URL leaks through Referer headers, proxy/access
// logs and browser history; a separate random per-session token would avoid that.
req.getSession().setAttribute("CURR_SEESION_ID", currSessionId);
// pass the request along the filter chain
chain.doFilter(request, response);
}
log.info("XXXXXXSecurityFilter doFilter end");