Package org.owasp.esapi.filters

Class SecurityWrapperRequest

  • All Implemented Interfaces:
    javax.servlet.http.HttpServletRequest, javax.servlet.ServletRequest
    public class SecurityWrapperRequest
extends javax.servlet.http.HttpServletRequestWrapper
implements javax.servlet.http.HttpServletRequest
    This request wrapper simply overrides unsafe methods in the HttpServletRequest API with safe versions that return canonicalized data where possible. The wrapper returns a safe value when a validation error is detected, including stripped or empty strings.

    • Field Summary

      • Fields inherited from interface javax.servlet.http.HttpServletRequest

        BASIC_AUTH, CLIENT_CERT_AUTH, DIGEST_AUTH, FORM_AUTH

    • Constructor Summary

      Constructors 
      Constructor Description
      SecurityWrapperRequest​(javax.servlet.http.HttpServletRequest request)
      Construct a safe request that overrides the default request methods with safer versions.

    • Method Summary

      All Methods Instance Methods Concrete Methods Deprecated Methods 
      Modifier and Type Method Description
      java.lang.String getAllowableContentRoot()  
      java.lang.Object getAttribute​(java.lang.String name)
      Same as HttpServletRequest, no security changes required.
      java.util.Enumeration getAttributeNames()
      Same as HttpServletRequest, no security changes required.
      java.lang.String getAuthType()
      Same as HttpServletRequest, no security changes required.
      java.lang.String getCharacterEncoding()
      Same as HttpServletRequest, no security changes required.
      int getContentLength()
      Same as HttpServletRequest, no security changes required.
      java.lang.String getContentType()
      Same as HttpServletRequest, no security changes required.
      java.lang.String getContextPath()
      Returns the context path from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
      javax.servlet.http.Cookie[] getCookies()
      Returns the array of Cookies from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
      long getDateHeader​(java.lang.String name)
      Same as HttpServletRequest, no security changes required.
      java.lang.String getHeader​(java.lang.String name)
      Returns the named header from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
      java.util.Enumeration getHeaderNames()
      Returns the enumeration of header names from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
      java.util.Enumeration getHeaders​(java.lang.String name)
      Returns the enumeration of headers from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
      javax.servlet.ServletInputStream getInputStream()
      Same as HttpServletRequest, no security changes required.
      int getIntHeader​(java.lang.String name)
      Same as HttpServletRequest, no security changes required.
      java.lang.String getLocalAddr()
      Same as HttpServletRequest, no security changes required.
      java.util.Locale getLocale()
      Same as HttpServletRequest, no security changes required.
      java.util.Enumeration getLocales()
      Same as HttpServletRequest, no security changes required.
      java.lang.String getLocalName()
      Same as HttpServletRequest, no security changes required.
      int getLocalPort()
      Same as HttpServletRequest, no security changes required.
      java.lang.String getMethod()
      Same as HttpServletRequest, no security changes required.
      java.lang.String getParameter​(java.lang.String name)
      Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
      java.lang.String getParameter​(java.lang.String name, boolean allowNull)
      Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
      java.lang.String getParameter​(java.lang.String name, boolean allowNull, int maxLength)
      Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
      java.lang.String getParameter​(java.lang.String name, boolean allowNull, int maxLength, java.lang.String regexName)
      Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
      java.util.Map getParameterMap()
      Returns the parameter map from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
      java.util.Enumeration getParameterNames()
      Returns the enumeration of parameter names from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
      java.lang.String[] getParameterValues​(java.lang.String name)
      Returns the array of matching parameter values from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
      java.lang.String getPathInfo()
      Returns the path info from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
      java.lang.String getPathTranslated()
      Same as HttpServletRequest, no security changes required.
      java.lang.String getProtocol()
      Same as HttpServletRequest, no security changes required.
      java.lang.String getQueryString()
      Returns the query string from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
      java.io.BufferedReader getReader()
      Same as HttpServletRequest, no security changes required.
      java.lang.String getRealPath​(java.lang.String path)
      Deprecated.
      in servlet spec 2.1.
      java.lang.String getRemoteAddr()
      Same as HttpServletRequest, no security changes required.
      java.lang.String getRemoteHost()
      Same as HttpServletRequest, no security changes required.
      int getRemotePort()
      Same as HttpServletRequest, no security changes required.
      java.lang.String getRemoteUser()
      Returns the name of the ESAPI user associated with this getHttpServletRequest().
      javax.servlet.RequestDispatcher getRequestDispatcher​(java.lang.String path)
      Checks to make sure the path to forward to is within the WEB-INF directory and then returns the dispatcher.
      java.lang.String getRequestedSessionId()
      Returns the URI from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
      java.lang.String getRequestURI()
      Returns the URI from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
      java.lang.StringBuffer getRequestURL()
      Returns the URL from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
      java.lang.String getScheme()
      Returns the scheme from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
      java.lang.String getServerName()
      Returns the server name (host header) from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
      int getServerPort()
      Returns the server port (after the : in the host header) from the HttpServletRequest after parsing and checking the range 0-65536.
      java.lang.String getServletPath()
      Returns the server path from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
      javax.servlet.http.HttpSession getSession()
      Returns a session, creating it if necessary, and sets the HttpOnly flag on the Session ID cookie.
      javax.servlet.http.HttpSession getSession​(boolean create)
      Returns the current session associated with this request or, if there is no current session and create is true, returns a new session and sets the HttpOnly flag on the session ID cookie.
      java.security.Principal getUserPrincipal()
      Returns the ESAPI User associated with this getHttpServletRequest().
      boolean isRequestedSessionIdFromCookie()
      Same as HttpServletRequest, no security changes required.
      boolean isRequestedSessionIdFromUrl()
      Deprecated.
      in servlet spec 2.1.
      boolean isRequestedSessionIdFromURL()
      Same as HttpServletRequest, no security changes required.
      boolean isRequestedSessionIdValid()
      Same as HttpServletRequest, no security changes required.
      boolean isSecure()
      Same as HttpServletRequest, no security changes required.
      boolean isUserInRole​(java.lang.String role)
      Returns true if the ESAPI User associated with this request has the specified role.
      void removeAttribute​(java.lang.String name)
      Same as HttpServletRequest, no security changes required.
      void setAllowableContentRoot​(java.lang.String allowableContentRoot)  
      void setAttribute​(java.lang.String name, java.lang.Object o)
      Same as HttpServletRequest, no security changes required.
      void setCharacterEncoding​(java.lang.String enc)
      Sets the character encoding scheme to the ESAPI configured encoding scheme.

      • Methods inherited from class javax.servlet.http.HttpServletRequestWrapper

        authenticate, changeSessionId, getHttpServletMapping, getPart, getParts, getTrailerFields, isTrailerFieldsReady, login, logout, newPushBuilder, upgrade

      • Methods inherited from class javax.servlet.ServletRequestWrapper

        getAsyncContext, getContentLengthLong, getDispatcherType, getRequest, getServletContext, isAsyncStarted, isAsyncSupported, isWrapperFor, isWrapperFor, setRequest, startAsync, startAsync

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

      • Methods inherited from interface javax.servlet.http.HttpServletRequest

        authenticate, changeSessionId, getHttpServletMapping, getPart, getParts, getTrailerFields, isTrailerFieldsReady, login, logout, newPushBuilder, upgrade

      • Methods inherited from interface javax.servlet.ServletRequest

        getAsyncContext, getContentLengthLong, getDispatcherType, getServletContext, isAsyncStarted, isAsyncSupported, startAsync, startAsync

    • Constructor Detail

      • SecurityWrapperRequest

        public SecurityWrapperRequest​(javax.servlet.http.HttpServletRequest request)
        Construct a safe request that overrides the default request methods with safer versions.
        Parameters:
        request - The HttpServletRequest we are wrapping.

    • Method Detail

      • getAttribute

        public java.lang.Object getAttribute​(java.lang.String name)
        Same as HttpServletRequest, no security changes required.
        Specified by:
        getAttribute in interface javax.servlet.ServletRequest
        Overrides:
        getAttribute in class javax.servlet.ServletRequestWrapper
        Parameters:
        name - The attribute name
        Returns:
        The attribute value

      • getAttributeNames

        public java.util.Enumeration getAttributeNames()
        Same as HttpServletRequest, no security changes required.
        Specified by:
        getAttributeNames in interface javax.servlet.ServletRequest
        Overrides:
        getAttributeNames in class javax.servlet.ServletRequestWrapper
        Returns:
        An Enumeration of attribute names.

      • getAuthType

        public java.lang.String getAuthType()
        Same as HttpServletRequest, no security changes required.
        Specified by:
        getAuthType in interface javax.servlet.http.HttpServletRequest
        Overrides:
        getAuthType in class javax.servlet.http.HttpServletRequestWrapper
        Returns:
        The authentication type

      • getCharacterEncoding

        public java.lang.String getCharacterEncoding()
        Same as HttpServletRequest, no security changes required.
        Specified by:
        getCharacterEncoding in interface javax.servlet.ServletRequest
        Overrides:
        getCharacterEncoding in class javax.servlet.ServletRequestWrapper
        Returns:
        The character-encoding for this HttpServletRequest

      • getContentLength

        public int getContentLength()
        Same as HttpServletRequest, no security changes required.
        Specified by:
        getContentLength in interface javax.servlet.ServletRequest
        Overrides:
        getContentLength in class javax.servlet.ServletRequestWrapper
        Returns:
        The content-length for this HttpServletRequest

      • getContentType

        public java.lang.String getContentType()
        Same as HttpServletRequest, no security changes required.
        Specified by:
        getContentType in interface javax.servlet.ServletRequest
        Overrides:
        getContentType in class javax.servlet.ServletRequestWrapper
        Returns:
        The content-type for this HttpServletRequest

      • getContextPath

        public java.lang.String getContextPath()
        Returns the context path from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
        Specified by:
        getContextPath in interface javax.servlet.http.HttpServletRequest
        Overrides:
        getContextPath in class javax.servlet.http.HttpServletRequestWrapper
        Returns:
        The context path for this HttpServletRequest

      • getCookies

        public javax.servlet.http.Cookie[] getCookies()
        Returns the array of Cookies from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
        Specified by:
        getCookies in interface javax.servlet.http.HttpServletRequest
        Overrides:
        getCookies in class javax.servlet.http.HttpServletRequestWrapper
        Returns:
        An array of Cookies for this HttpServletRequest

      • getDateHeader

        public long getDateHeader​(java.lang.String name)
        Same as HttpServletRequest, no security changes required.
        Specified by:
        getDateHeader in interface javax.servlet.http.HttpServletRequest
        Overrides:
        getDateHeader in class javax.servlet.http.HttpServletRequestWrapper
        Parameters:
        name - Specifies the name of the HTTP request header; e.g., If-Modified-Since.
        Returns:
        a long value representing the date specified in the header expressed as the number of milliseconds since January 1, 1970 GMT, or -1 if the named header was not included with the request.

      • getHeader

        public java.lang.String getHeader​(java.lang.String name)
        Returns the named header from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
        Specified by:
        getHeader in interface javax.servlet.http.HttpServletRequest
        Overrides:
        getHeader in class javax.servlet.http.HttpServletRequestWrapper
        Parameters:
        name - The name of an HTTP request header
        Returns:
        The specified header value is returned.

      • getHeaderNames

        public java.util.Enumeration getHeaderNames()
        Returns the enumeration of header names from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
        Specified by:
        getHeaderNames in interface javax.servlet.http.HttpServletRequest
        Overrides:
        getHeaderNames in class javax.servlet.http.HttpServletRequestWrapper
        Returns:
        An Enumeration of header names associated with this request.

      • getHeaders

        public java.util.Enumeration getHeaders​(java.lang.String name)
        Returns the enumeration of headers from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
        Specified by:
        getHeaders in interface javax.servlet.http.HttpServletRequest
        Overrides:
        getHeaders in class javax.servlet.http.HttpServletRequestWrapper
        Parameters:
        name - The name of an HTTP request header.
        Returns:
        An Enumeration of headers from the request after canonicalizing and filtering has been performed.

      • getInputStream

        public javax.servlet.ServletInputStream getInputStream()
                                                throws java.io.IOException
        Same as HttpServletRequest, no security changes required. Note that this input stream may contain attacks and the developer is responsible for canonicalizing, validating, and encoding any data from this stream.
        Specified by:
        getInputStream in interface javax.servlet.ServletRequest
        Overrides:
        getInputStream in class javax.servlet.ServletRequestWrapper
        Returns:
        The ServletInputStream associated with this HttpServletRequest.
        Throws:
        java.io.IOException - Thrown if an input exception is thrown, such as the remote peer closing the connection.

      • getIntHeader

        public int getIntHeader​(java.lang.String name)
        Same as HttpServletRequest, no security changes required.
        Specified by:
        getIntHeader in interface javax.servlet.http.HttpServletRequest
        Overrides:
        getIntHeader in class javax.servlet.http.HttpServletRequestWrapper
        Parameters:
        name - The name of an HTTP request header.
        Returns:
        Returns the value of the specified request header as an int.

      • getLocalAddr

        public java.lang.String getLocalAddr()
        Same as HttpServletRequest, no security changes required.
        Specified by:
        getLocalAddr in interface javax.servlet.ServletRequest
        Overrides:
        getLocalAddr in class javax.servlet.ServletRequestWrapper
        Returns:
        A String containing the IP address on which the request was received.

      • getLocale

        public java.util.Locale getLocale()
        Same as HttpServletRequest, no security changes required.
        Specified by:
        getLocale in interface javax.servlet.ServletRequest
        Overrides:
        getLocale in class javax.servlet.ServletRequestWrapper
        Returns:
        The preferred Locale for the client.

      • getLocales

        public java.util.Enumeration getLocales()
        Same as HttpServletRequest, no security changes required.
        Specified by:
        getLocales in interface javax.servlet.ServletRequest
        Overrides:
        getLocales in class javax.servlet.ServletRequestWrapper
        Returns:
        An Enumeration of preferred Locale objects for the client.

      • getLocalName

        public java.lang.String getLocalName()
        Same as HttpServletRequest, no security changes required.
        Specified by:
        getLocalName in interface javax.servlet.ServletRequest
        Overrides:
        getLocalName in class javax.servlet.ServletRequestWrapper
        Returns:
        A String containing the host name of the IP on which the request was received.

      • getLocalPort

        public int getLocalPort()
        Same as HttpServletRequest, no security changes required.
        Specified by:
        getLocalPort in interface javax.servlet.ServletRequest
        Overrides:
        getLocalPort in class javax.servlet.ServletRequestWrapper
        Returns:
        Returns the Internet Protocol (IP) port number of the interface on which the request was received.

      • getMethod

        public java.lang.String getMethod()
        Same as HttpServletRequest, no security changes required.
        Specified by:
        getMethod in interface javax.servlet.http.HttpServletRequest
        Overrides:
        getMethod in class javax.servlet.http.HttpServletRequestWrapper
        Returns:
        Returns the name of the HTTP method with which this request was made.

      • getParameter

        public java.lang.String getParameter​(java.lang.String name)
        Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
        Specified by:
        getParameter in interface javax.servlet.ServletRequest
        Overrides:
        getParameter in class javax.servlet.ServletRequestWrapper
        Parameters:
        name - The parameter name for the request
        Returns:
        The "scrubbed" parameter value.

      • getParameter

        public java.lang.String getParameter​(java.lang.String name,
                                     boolean allowNull)
        Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
        Parameters:
        name - The parameter name for the request
        allowNull - Whether null values are allowed
        Returns:
        The "scrubbed" parameter value.

      • getParameter

        public java.lang.String getParameter​(java.lang.String name,
                                     boolean allowNull,
                                     int maxLength)
        Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
        Parameters:
        name - The parameter name for the request
        allowNull - Whether null values are allowed
        maxLength - The maximum length allowed
        Returns:
        The "scrubbed" parameter value.

      • getParameter

        public java.lang.String getParameter​(java.lang.String name,
                                     boolean allowNull,
                                     int maxLength,
                                     java.lang.String regexName)
        Returns the named parameter from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
        Parameters:
        name - The parameter name for the request
        allowNull - Whether null values are allowed
        maxLength - The maximum length allowed
        regexName - The name of the regex mapped from ESAPI.properties
        Returns:
        The "scrubbed" parameter value.

      • getParameterMap

        public java.util.Map getParameterMap()
        Returns the parameter map from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
        Specified by:
        getParameterMap in interface javax.servlet.ServletRequest
        Overrides:
        getParameterMap in class javax.servlet.ServletRequestWrapper
        Returns:
        A Map containing scrubbed parameter names / value pairs.

      • getParameterNames

        public java.util.Enumeration getParameterNames()
        Returns the enumeration of parameter names from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
        Specified by:
        getParameterNames in interface javax.servlet.ServletRequest
        Overrides:
        getParameterNames in class javax.servlet.ServletRequestWrapper
        Returns:
        An Enumeration of properly "scrubbed" parameter names.

      • getParameterValues

        public java.lang.String[] getParameterValues​(java.lang.String name)
        Returns the array of matching parameter values from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
        Specified by:
        getParameterValues in interface javax.servlet.ServletRequest
        Overrides:
        getParameterValues in class javax.servlet.ServletRequestWrapper
        Parameters:
        name - The parameter name
        Returns:
        An array of matching "scrubbed" parameter values or null if the parameter does not exist.

      • getPathInfo

        public java.lang.String getPathInfo()
        Returns the path info from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
        Specified by:
        getPathInfo in interface javax.servlet.http.HttpServletRequest
        Overrides:
        getPathInfo in class javax.servlet.http.HttpServletRequestWrapper
        Returns:
        Returns any extra path information, appropriately scrubbed, associated with the URL the client sent when it made this request.

      • getPathTranslated

        public java.lang.String getPathTranslated()
        Same as HttpServletRequest, no security changes required.
        Specified by:
        getPathTranslated in interface javax.servlet.http.HttpServletRequest
        Overrides:
        getPathTranslated in class javax.servlet.http.HttpServletRequestWrapper
        Returns:
        Returns any extra path information, appropriate scrubbed, after the servlet name but before the query string, and translates it to a real path.

      • getProtocol

        public java.lang.String getProtocol()
        Same as HttpServletRequest, no security changes required.
        Specified by:
        getProtocol in interface javax.servlet.ServletRequest
        Overrides:
        getProtocol in class javax.servlet.ServletRequestWrapper
        Returns:
        Returns the name and version of the protocol the request uses in the form protocol/majorVersion.minorVersion, for example, HTTP/1.1.

      • getQueryString

        public java.lang.String getQueryString()
        Returns the query string from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
        Specified by:
        getQueryString in interface javax.servlet.http.HttpServletRequest
        Overrides:
        getQueryString in class javax.servlet.http.HttpServletRequestWrapper
        Returns:
        The scrubbed query string is returned.

      • getReader

        public java.io.BufferedReader getReader()
                                 throws java.io.IOException
        Same as HttpServletRequest, no security changes required. Note that this reader may contain attacks and the developer is responsible for canonicalizing, validating, and encoding any data from this stream.
        Specified by:
        getReader in interface javax.servlet.ServletRequest
        Overrides:
        getReader in class javax.servlet.ServletRequestWrapper
        Returns:
        aA BufferedReader containing the body of the request.
        Throws:
        java.io.IOException - If an input error occurred while reading the request body (e.g., premature EOF).

      • getRealPath

        @Deprecated
public java.lang.String getRealPath​(java.lang.String path)
        Deprecated.
        in servlet spec 2.1. Use ServletContext.getRealPath(String) instead.
        Same as HttpServletRequest, no security changes required.
        Specified by:
        getRealPath in interface javax.servlet.ServletRequest
        Overrides:
        getRealPath in class javax.servlet.ServletRequestWrapper
        Parameters:
        path - A virtual path on a web or application server; e.g., "/index.htm".
        Returns:
        Returns a String containing the real path for a given virtual path.

      • getRemoteAddr

        public java.lang.String getRemoteAddr()
        Same as HttpServletRequest, no security changes required.
        Specified by:
        getRemoteAddr in interface javax.servlet.ServletRequest
        Overrides:
        getRemoteAddr in class javax.servlet.ServletRequestWrapper
        Returns:
        Returns the IP address of the client or last proxy that sent the request.

      • getRemoteHost

        public java.lang.String getRemoteHost()
        Same as HttpServletRequest, no security changes required.
        Specified by:
        getRemoteHost in interface javax.servlet.ServletRequest
        Overrides:
        getRemoteHost in class javax.servlet.ServletRequestWrapper
        Returns:
        The remote host

      • getRemotePort

        public int getRemotePort()
        Same as HttpServletRequest, no security changes required.
        Specified by:
        getRemotePort in interface javax.servlet.ServletRequest
        Overrides:
        getRemotePort in class javax.servlet.ServletRequestWrapper
        Returns:
        The remote port

      • getRemoteUser

        public java.lang.String getRemoteUser()
        Returns the name of the ESAPI user associated with this getHttpServletRequest().
        Specified by:
        getRemoteUser in interface javax.servlet.http.HttpServletRequest
        Overrides:
        getRemoteUser in class javax.servlet.http.HttpServletRequestWrapper
        Returns:
        Returns the fully qualified name of the client or the last proxy that sent the request

      • getRequestDispatcher

        public javax.servlet.RequestDispatcher getRequestDispatcher​(java.lang.String path)
        Checks to make sure the path to forward to is within the WEB-INF directory and then returns the dispatcher. Otherwise returns null.
        Specified by:
        getRequestDispatcher in interface javax.servlet.ServletRequest
        Overrides:
        getRequestDispatcher in class javax.servlet.ServletRequestWrapper
        Parameters:
        path - The path to create a request dispatcher for
        Returns:
        A RequestDispatcher object that acts as a wrapper for the resource at the specified path, or null if the servlet container cannot return a RequestDispatcher.

      • getRequestedSessionId

        public java.lang.String getRequestedSessionId()
        Returns the URI from the HttpServletRequest after canonicalizing and filtering out any dangerous characters. Code must be very careful not to depend on the value of a requested session id reported by the user.
        Specified by:
        getRequestedSessionId in interface javax.servlet.http.HttpServletRequest
        Overrides:
        getRequestedSessionId in class javax.servlet.http.HttpServletRequestWrapper
        Returns:
        The requested Session ID

      • getRequestURI

        public java.lang.String getRequestURI()
        Returns the URI from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
        Specified by:
        getRequestURI in interface javax.servlet.http.HttpServletRequest
        Overrides:
        getRequestURI in class javax.servlet.http.HttpServletRequestWrapper
        Returns:
        The current request URI

      • getRequestURL

        public java.lang.StringBuffer getRequestURL()
        Returns the URL from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
        Specified by:
        getRequestURL in interface javax.servlet.http.HttpServletRequest
        Overrides:
        getRequestURL in class javax.servlet.http.HttpServletRequestWrapper
        Returns:
        The currect request URL

      • getScheme

        public java.lang.String getScheme()
        Returns the scheme from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
        Specified by:
        getScheme in interface javax.servlet.ServletRequest
        Overrides:
        getScheme in class javax.servlet.ServletRequestWrapper
        Returns:
        The scheme of the current request

      • getServerName

        public java.lang.String getServerName()
        Returns the server name (host header) from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
        Specified by:
        getServerName in interface javax.servlet.ServletRequest
        Overrides:
        getServerName in class javax.servlet.ServletRequestWrapper
        Returns:
        The local server name

      • getServerPort

        public int getServerPort()
        Returns the server port (after the : in the host header) from the HttpServletRequest after parsing and checking the range 0-65536.
        Specified by:
        getServerPort in interface javax.servlet.ServletRequest
        Overrides:
        getServerPort in class javax.servlet.ServletRequestWrapper
        Returns:
        The local server port

      • getServletPath

        public java.lang.String getServletPath()
        Returns the server path from the HttpServletRequest after canonicalizing and filtering out any dangerous characters.
        Specified by:
        getServletPath in interface javax.servlet.http.HttpServletRequest
        Overrides:
        getServletPath in class javax.servlet.http.HttpServletRequestWrapper
        Returns:
        The servlet path

      • getSession

        public javax.servlet.http.HttpSession getSession()
        Returns a session, creating it if necessary, and sets the HttpOnly flag on the Session ID cookie. The 'secure' flag is also set if the property HttpUtilities.ForceSecureCookies is set to true in the ESAPI.properties file.
        Specified by:
        getSession in interface javax.servlet.http.HttpServletRequest
        Overrides:
        getSession in class javax.servlet.http.HttpServletRequestWrapper
        Returns:
        The current session

      • getSession

        public javax.servlet.http.HttpSession getSession​(boolean create)
        Returns the current session associated with this request or, if there is no current session and create is true, returns a new session and sets the HttpOnly flag on the session ID cookie. The 'secure' flag is also set if the property HttpUtilities.ForceSecureCookies is set to true in the ESAPI.properties file.
        Specified by:
        getSession in interface javax.servlet.http.HttpServletRequest
        Overrides:
        getSession in class javax.servlet.http.HttpServletRequestWrapper
        Parameters:
        create - If set to true, create a new session if one doesn't exist, otherwise return null
        Returns:
        The current session

      • getUserPrincipal

        public java.security.Principal getUserPrincipal()
        Returns the ESAPI User associated with this getHttpServletRequest().
        Specified by:
        getUserPrincipal in interface javax.servlet.http.HttpServletRequest
        Overrides:
        getUserPrincipal in class javax.servlet.http.HttpServletRequestWrapper
        Returns:
        The ESAPI User

      • isRequestedSessionIdFromCookie

        public boolean isRequestedSessionIdFromCookie()
        Same as HttpServletRequest, no security changes required.
        Specified by:
        isRequestedSessionIdFromCookie in interface javax.servlet.http.HttpServletRequest
        Overrides:
        isRequestedSessionIdFromCookie in class javax.servlet.http.HttpServletRequestWrapper
        Returns:
        if requested session id is from a cookie

      • isRequestedSessionIdFromUrl

        @Deprecated
public boolean isRequestedSessionIdFromUrl()
        Deprecated.
        in servlet spec 2.1. Use isRequestedSessionIdFromURL() instead.
        Same as HttpServletRequest, no security changes required.
        Specified by:
        isRequestedSessionIdFromUrl in interface javax.servlet.http.HttpServletRequest
        Overrides:
        isRequestedSessionIdFromUrl in class javax.servlet.http.HttpServletRequestWrapper
        Returns:
        Whether the requested session id is from the URL

      • isRequestedSessionIdFromURL

        public boolean isRequestedSessionIdFromURL()
        Same as HttpServletRequest, no security changes required.
        Specified by:
        isRequestedSessionIdFromURL in interface javax.servlet.http.HttpServletRequest
        Overrides:
        isRequestedSessionIdFromURL in class javax.servlet.http.HttpServletRequestWrapper
        Returns:
        Whether the requested session id is from the URL

      • isRequestedSessionIdValid

        public boolean isRequestedSessionIdValid()
        Same as HttpServletRequest, no security changes required.
        Specified by:
        isRequestedSessionIdValid in interface javax.servlet.http.HttpServletRequest
        Overrides:
        isRequestedSessionIdValid in class javax.servlet.http.HttpServletRequestWrapper
        Returns:
        Whether the requested session id is valid

      • isSecure

        public boolean isSecure()
        Same as HttpServletRequest, no security changes required.
        Specified by:
        isSecure in interface javax.servlet.ServletRequest
        Overrides:
        isSecure in class javax.servlet.ServletRequestWrapper
        Returns:
        Whether the current request is secure

      • isUserInRole

        public boolean isUserInRole​(java.lang.String role)
        Returns true if the ESAPI User associated with this request has the specified role.
        Specified by:
        isUserInRole in interface javax.servlet.http.HttpServletRequest
        Overrides:
        isUserInRole in class javax.servlet.http.HttpServletRequestWrapper
        Parameters:
        role - The role to check
        Returns:
        Whether the current user is in the passed role

      • removeAttribute

        public void removeAttribute​(java.lang.String name)
        Same as HttpServletRequest, no security changes required.
        Specified by:
        removeAttribute in interface javax.servlet.ServletRequest
        Overrides:
        removeAttribute in class javax.servlet.ServletRequestWrapper
        Parameters:
        name - The attribute name

      • setAttribute

        public void setAttribute​(java.lang.String name,
                         java.lang.Object o)
        Same as HttpServletRequest, no security changes required.
        Specified by:
        setAttribute in interface javax.servlet.ServletRequest
        Overrides:
        setAttribute in class javax.servlet.ServletRequestWrapper
        Parameters:
        name - The attribute name
        o - The attribute value

      • setCharacterEncoding

        public void setCharacterEncoding​(java.lang.String enc)
                          throws java.io.UnsupportedEncodingException
        Sets the character encoding scheme to the ESAPI configured encoding scheme.
        Specified by:
        setCharacterEncoding in interface javax.servlet.ServletRequest
        Overrides:
        setCharacterEncoding in class javax.servlet.ServletRequestWrapper
        Parameters:
        enc - The encoding scheme
        Throws:
        java.io.UnsupportedEncodingException

      • getAllowableContentRoot

        public java.lang.String getAllowableContentRoot()

      • setAllowableContentRoot

        public void setAllowableContentRoot​(java.lang.String allowableContentRoot)