com.jalios.jcms
Class HttpUtil

java.lang.Object
  extended by com.jalios.jcms.HttpUtil
All Implemented Interfaces:
JcmsConstants, JaliosConstants

public class HttpUtil
extends Object
implements JcmsConstants

This class contains a set of static utility methods for validation, encoding and decoding of HTTP and HTML input/output.

As of the current implementation, it is mainly a facade in front of the OWASP ESAPI library.

Version:
$Revision: 63591 $

Field Summary
static String ALPHANUM_REGEX
          Regular expression suitable for use in getStringParameter(HttpServletRequest, String, String, String).
static String CLASSNAME_REGEX
          Regular expression suitable for use in getStringParameter(HttpServletRequest, String, String, String).
static String CSRF_TOKEN_HEADER_NAME
          HTTP Header name from which CSRF token to be validated can be retrieved
static String CSRF_TOKEN_MEMBER_EXTRADBDATA
          ExtraDBData attribute name used to store the current and expected value of the CSRF token.
static String CSRF_TOKEN_PARAMETER_NAME
          Parameter name from which CSRF token to be validated can be retrieved
static String CSRF_TOKEN_SESSION_ATTRIBUTE
          Session attribute name used to store the current and expected value of the CSRF token.
static String CSRF_TOKEN_TIME_MEMBER_EXTRADBDATA
          ExtraDBData attribute name used to store the time at which member csrf token was saved (epoch time).
static String DATAID_REGEX
          Regular expression suitable for use in getStringParameter(HttpServletRequest, String, String, String).
static String PROPERTYNAME_REGEX
          Regular expression suitable for use in getStringParameter(HttpServletRequest, String, String, String).
static String REVISION
           
static String TEMPLATEUSAGE_REGEX
          Regular expression suitable for use in getStringParameter(HttpServletRequest, String, String, String).
 
Fields inherited from interface com.jalios.jcms.JcmsConstants
ADATE_SEARCH, ADMIN_NOTES_PROP, ADVANCED_TAB, ARCHIVES_DIR, ASCII_WIDTH, CATEGORY_TAB, CDATE_SEARCH, COMMON_ALARM, CONTENT_TAB, COOKIE_MAX_AGE, CTRL_TOPIC_INTERNAL, CTRL_TOPIC_REF, CTRL_TOPIC_VALUE, CTRL_TOPIC_WRITE, CUSTOM_PROP, DOCCHOOSER_HEIGHT, DOCCHOOSER_WIDTH, DOCS_DIR, EDATE_SEARCH, EMAIL_REGEXP, ERROR_MSG, FORBIDDEN_FILE_ACCESS, FORBIDDEN_REDIRECT, FORCE_REDIRECT, ICON_ARCHIVE, ICON_LOCK, ICON_LOCK_STRONG, ICON_WARN, ICON_WH_BOOK_CLOSED, ICON_WH_BOOK_OPEN, INFORMATION_MSG, JALIOS_JUNIT_PROP, JCMS_CADDY, JCMS_MSG_LIST, JSYNC_DOWNLOAD_DIR, JSYNC_SYNC_ALARM, LOG_FILE, LOG_TOPIC_SECURITY, LOGGER_PROP, LOGGER_XMLPROP, MBR_PHOTO_DIR, MDATE_SEARCH, MONITOR_XML, OP_CREATE, OP_DEEP_COPY, OP_DEEP_DELETE, OP_DELETE, OP_MERGE, OP_UPDATE, PDATE_SEARCH, PHOTO_DIR, PHOTO_ICON, PHOTO_ICON_HEIGHT, PHOTO_ICON_WIDTH, PHOTO_LARGE, PHOTO_LARGE_HEIGHT, PHOTO_LARGE_WIDTH, PHOTO_NORMAL, PHOTO_NORMAL_HEIGHT, PHOTO_NORMAL_WIDTH, PHOTO_SMALL, PHOTO_SMALL_HEIGHT, PHOTO_SMALL_WIDTH, PHOTO_TINY, PHOTO_TINY_HEIGHT, PHOTO_TINY_WIDTH, PREVIOUS_TAB, PRINT_VIEW, PRIVATE_FILE_ACCESS, PUBLIC_FILE_ACCESS, READ_RIGHT_TAB, SDATE_SEARCH, SEARCHENGINE_ALARM, SESSION_AUTHORIZED_FILENAMES_SET, STATS_REPORT_DIR, STATUS_PROP, STORE_XML, TEMPLATE_TAB, THUMBNAIL_LARGE_HEIGHT, THUMBNAIL_LARGE_WIDTH, THUMBNAIL_SMALL_HEIGHT, THUMBNAIL_SMALL_WIDTH, UDATE_SEARCH, UPDATE_RIGHT_TAB, UPLOAD_DIR, URL_REGEXP, WARNING_MSG, WEBAPP_PROP, WFEXPRESS_ALARM, WFREMINDER_ALARM, WORKFLOW_TAB, WORKFLOW_XML
 
Fields inherited from interface com.jalios.util.JaliosConstants
CRLF, MILLIS_IN_ONE_DAY, MILLIS_IN_ONE_HOUR, MILLIS_IN_ONE_MINUTE, MILLIS_IN_ONE_MONTH, MILLIS_IN_ONE_SECOND, MILLIS_IN_ONE_WEEK, MILLIS_IN_ONE_YEAR
 
Constructor Summary
HttpUtil()
           
 
Method Summary
static void addCookie(javax.servlet.http.HttpServletResponse response, javax.servlet.http.Cookie cookie)
          Add a cookie to the response.
static boolean checkCSRF(javax.servlet.http.HttpServletRequest request)
          Check if the specified request is valid against CSRF attack.
static void clearMemberCSRFToken(Member member)
          Remove CSRF token of the specified member
static String encodeForHTML(String input)
          Encode data for use in HTML using HTML entity encoding
static String encodeForHTMLAttribute(String input)
          Encode data for use in HTML attributes.
static String encodeForJavaScript(String input)
          Encode data for insertion inside a data value or function argument in JavaScript.
static String encodeForURL(String input)
          Encode for use in a URL.
static String encodeForXML(String input)
          Encode data for use in an XML element.
static String encodeForXMLAttribute(String input)
          Encode data for use in an XML attribute.
static String getAlphaNumParameter(javax.servlet.http.HttpServletRequest request, String parameterName, String defaultValue)
          Retrieve a String value from specified HTTP request parameter.
static boolean getBooleanParameter(javax.servlet.http.HttpServletRequest request, String parameterName, boolean defaultValue)
          Retrieve a boolean value from specified HTTP request parameter.
static Category getCategoryParameter(javax.servlet.http.HttpServletRequest request, String parameterName)
          Retrieve a Category from its id received in parameter.
static String getChooserParameter(javax.servlet.http.HttpServletRequest request, String parameterName)
          Retrieve a verified targetInput, targetLabel or other target value used by JCMS Choosers inside javascript code.
static long getCSRFMemberTokenMaxAge()
          Retrieve the duration in milliseconds above which a member token is considered invalid.
static String getCSRFToken(javax.servlet.http.HttpServletRequest request)
          Retrieve the value of CSRF token (both session & member) for the current request.
static String getCurrentCSRFToken(javax.servlet.http.HttpServletRequest request)
          Retrieve the current valid CSRF Token expected on critical requests of the current session.
static String getCurrentCSRFToken(javax.servlet.http.HttpSession session)
          Retrieve the current valid CSRF Token expected on critical requests of the current session.
static String getCurrentMemberCSRFToken(Member member)
          Retrieve the current valid CSRF Token expected on critical requests of the specified member.
static String getDataIdParameter(javax.servlet.http.HttpServletRequest request, String parameterName)
          Retrieve a Data id from parameter.
static <T extends Data> List<T> getDataListParameter(javax.servlet.http.HttpServletRequest request, String parameterName, Class<T> clazz)
          Retrieve a list of Data from ids received in a single value of the parameter (separated with spaces or commas).
static Data getDataParameter(javax.servlet.http.HttpServletRequest request, String parameterName)
          Retrieve a Data from its id received in parameter.
static <T> T getDataParameter(javax.servlet.http.HttpServletRequest request, String parameterName, Class<T> clazz)
          Retrieve a typed Data from its id received in parameter.
static Date getDateParameter(javax.servlet.http.HttpServletRequest request, String parameterName, DateFormat dateFormat, Date defaultValue)
          Retrieve a Date value from specified HTTP request parameter.
static Date getDateParameter(javax.servlet.http.HttpServletRequest request, String parameterName, String dateLanguage, Date defaultValue)
          Retrieve a Date (date only) value from specified HTTP request parameter.
static Date getDateTimeParameter(javax.servlet.http.HttpServletRequest request, String parameterName, String dateLanguage, Date defaultValue)
          Retrieve a Date (date and time) value from specified HTTP request parameter.
static double getDoubleParameter(javax.servlet.http.HttpServletRequest request, String parameterName, double defaultValue)
          Retrieve a double value from specified HTTP request parameter.
static Group getGroupParameter(javax.servlet.http.HttpServletRequest request, String parameterName)
          Retrieve a Group from its id received in parameter.
static int getIntParameter(javax.servlet.http.HttpServletRequest request, String parameterName, int defaultValue)
          Retrieve an integer value from specified HTTP request parameter.
static long getLongParameter(javax.servlet.http.HttpServletRequest request, String parameterName, long defaultValue)
          Retrieve a long value from specified HTTP request parameter.
static Member getMemberParameter(javax.servlet.http.HttpServletRequest request, String parameterName)
          Retrieve a Member from its id received in parameter.
static Publication getPublicationParameter(javax.servlet.http.HttpServletRequest request, String parameterName)
          Retrieve a Publication from its id received in parameter.
static String getStringEnumParameter(javax.servlet.http.HttpServletRequest request, String parameterName, String defaultValue, String... possibleValues)
          Retrieve a String value from specified HTTP request parameter.
static String getStringParameter(javax.servlet.http.HttpServletRequest request, String parameterName, String defaultValue, String regex)
          Retrieve a String value from specified HTTP request parameter.
static String[] getStringParameterValues(javax.servlet.http.HttpServletRequest request, String parameterName, String regex)
          Retrieve array of String values from specified HTTP request parameter.
static String getUntrustedStringParameter(javax.servlet.http.HttpServletRequest request, String parameterName, String defaultValue)
          Retrieve any String value from the specified HTTP request parameter.
static String getUrlWithCSRFToken(String url, javax.servlet.http.HttpServletRequest request, boolean escapeAmpersand)
          Adds the current CSRF token to the specified URL and returns it.
static String getValidHttpUrl(javax.servlet.http.HttpServletRequest request, String parameterName)
          Retrieve a verified URL parameter value.
static Workspace getWorkspaceParameter(javax.servlet.http.HttpServletRequest request, String parameterName)
          Retrieve a Workspace from its id received in parameter.
static boolean hasParameter(javax.servlet.http.HttpServletRequest request, String parameterName)
          Check if a parameter was received in the specified request.
static void initializeCSRFToken(javax.servlet.http.HttpSession session)
          Initialize a new CSRF Token for the current session (if any)
static void initializeMemberCSRFToken(Member member, javax.servlet.http.HttpServletRequest request)
          Initialize the CSRF Token for the specified member from the current CSRF token of the request (if any)
static boolean isCSRFEnabled()
          Check if CSRF attack prevention is enabled for site.
static boolean isCSRFMemberTokenAllowed()
          Check if the CSRF token should be accepted across different sessions, in order to allow a submission after session expiration.
static boolean isValidDisplayServletPath(String displayServletPath)
          Check if the specified path is valid for use by the display servlet
static boolean isValidHttpUrl(String url)
          Check that the specified URL (absolute or relative) is a valid URL authorized for use in redirection.
static String validateHttpUrl(String url)
          Validate an URL and returns it.
static String validateString(String value, String regex)
          Validate a String value against specified regular expression.
static String[] validateStringValues(String[] values, String regex)
          Validate each value in the specified array of String values against specified regular expression.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

REVISION

public static final String REVISION
See Also:
Constant Field Values

DATAID_REGEX

public static final String DATAID_REGEX
Regular expression suitable for use in getStringParameter(HttpServletRequest, String, String, String).

Matches all characters which could be used as a JCMS data id (JStore/JcmsDB); this includes virtual ids such as "$channel.root-cat" : . Beware that this regex does not validate that the id matches an existing Data.

See Also:
Constant Field Values

ALPHANUM_REGEX

public static final String ALPHANUM_REGEX
Regular expression suitable for use in getStringParameter(HttpServletRequest, String, String, String).

Matches all alphanumeric characters, the underscore (_, as in Perl regex) and the dash (-): .

See Also:
Constant Field Values

CLASSNAME_REGEX

public static final String CLASSNAME_REGEX
Regular expression suitable for use in getStringParameter(HttpServletRequest, String, String, String).

Match Java class names, such as com.jalios.jcms.Content.

See Also:
Constant Field Values

PROPERTYNAME_REGEX

public static final String PROPERTYNAME_REGEX
Regular expression suitable for use in getStringParameter(HttpServletRequest, String, String, String).

Match JCMS property names, such as $channel.root-category, some.important-property.foo_bar22/zig.

See Also:
Constant Field Values

TEMPLATEUSAGE_REGEX

public static final String TEMPLATEUSAGE_REGEX
Regular expression suitable for use in getStringParameter(HttpServletRequest, String, String, String).

Match JCMS template usage name, such as box, full, front, query, ...

See Also:
Constant Field Values

CSRF_TOKEN_SESSION_ATTRIBUTE

public static final String CSRF_TOKEN_SESSION_ATTRIBUTE
Session attribute name used to store the current and expected value of the CSRF token.

Do not use directly, instead use initializeCSRFToken(HttpSession).

See Also:
Constant Field Values

CSRF_TOKEN_MEMBER_EXTRADBDATA

public static final String CSRF_TOKEN_MEMBER_EXTRADBDATA
ExtraDBData attribute name used to store the current and expected value of the CSRF token.

Do not use directly, instead use initializeMemberCSRFToken(Member, HttpServletRequest).

See Also:
Constant Field Values

CSRF_TOKEN_TIME_MEMBER_EXTRADBDATA

public static final String CSRF_TOKEN_TIME_MEMBER_EXTRADBDATA
ExtraDBData attribute name used to store the time at which the member CSRF token was saved (epoch time). Used to control the token's expiration.

Do not use directly, instead use initializeMemberCSRFToken(Member, HttpServletRequest).

See Also:
Constant Field Values

CSRF_TOKEN_PARAMETER_NAME

public static final String CSRF_TOKEN_PARAMETER_NAME
Parameter name from which CSRF token to be validated can be retrieved

See Also:
Constant Field Values

CSRF_TOKEN_HEADER_NAME

public static final String CSRF_TOKEN_HEADER_NAME
HTTP Header name from which CSRF token to be validated can be retrieved

See Also:
Constant Field Values
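
An added example, not part of JCMS, of how the CSRF fields and methods listed above fit together in a servlet: the token is rendered into the form under CSRF_TOKEN_PARAMETER_NAME and every state-changing request is checked with checkCSRF before any work is done. The servlet class, the next-page URL and the 403 response are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.jalios.jcms.HttpUtil;

/**
 * Hypothetical servlet (not JCMS code). The session/ExtraDBData attributes named
 * by CSRF_TOKEN_* are never touched directly; everything goes through HttpUtil.
 */
public class CsrfProtectedActionServlet extends HttpServlet {

  // Placeholder follow-up page; a real deployment would use one of the site's own URLs.
  private static final String NEXT_PAGE = "example/ActionDone.jsp";

  @Override
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws IOException {
    response.setContentType("text/html;charset=UTF-8");
    PrintWriter out = response.getWriter();
    // The hidden field is named CSRF_TOKEN_PARAMETER_NAME so checkCSRF() finds the
    // token again on submission; AJAX callers send the same value in the
    // CSRF_TOKEN_HEADER_NAME request header instead.
    out.print("<form method=\"post\" action=\""
        + HttpUtil.encodeForHTMLAttribute(request.getRequestURI()) + "\">");
    out.print("<input type=\"hidden\" name=\"" + HttpUtil.CSRF_TOKEN_PARAMETER_NAME
        + "\" value=\"" + HttpUtil.encodeForHTMLAttribute(HttpUtil.getCSRFToken(request))
        + "\">");
    out.print("<button type=\"submit\">Delete</button></form>");
  }

  @Override
  protected void doPost(HttpServletRequest request, HttpServletResponse response)
      throws IOException {
    // Reject before any state is modified. isCSRFEnabled() reflects the site setting;
    // checkCSRF() validates the received token (see isCSRFMemberTokenAllowed() and
    // getCSRFMemberTokenMaxAge() for the cross-session, member-token case).
    if (HttpUtil.isCSRFEnabled() && !HttpUtil.checkCSRF(request)) {
      response.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token missing or invalid");
      return;
    }

    // ... application logic performing the state change (omitted in this example) ...

    // A follow-up link that itself triggers an action must carry the token as well;
    // escapeAmpersand is false because the URL goes into a Location header, not into HTML.
    response.sendRedirect(HttpUtil.getUrlWithCSRFToken(NEXT_PAGE, request, false));
  }
}
```
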
Constructor Detail

HttpUtil

public HttpUtil()
Method Detail

encodeForXML

public static String encodeForXML(String input)
Encode data for use in an XML element. The implementation should follow the XML Encoding Standard from the W3C.

The use of a real XML parser is strongly encouraged. However, in the hopefully rare case that you need to make sure that data is safe for inclusion in an XML document and cannot use a parser, this method provides a safe mechanism to do so.

Parameters:
input - the text to encode for XML
Returns:
input encoded for XML, return empty string if null was specified as input parameter
See Also:
XML Encoding Standard

encodeForXMLAttribute

public static String encodeForXMLAttribute(String input)
Encode data for use in an XML attribute. The implementation should follow the XML Encoding Standard from the W3C.

The use of a real XML parser is highly encouraged. However, in the hopefully rare case that you need to make sure that data is safe for inclusion in an XML document and cannot use a parser, this method provides a safe mechanism to do so.

Parameters:
input - the text to encode for use as an XML attribute
Returns:
input encoded for XML attribute, return empty string if null was specified as input parameter
See Also:
XML Encoding Standard

encodeForHTML

public static String encodeForHTML(String input)
Encode data for use in HTML using HTML entity encoding

Note that the following characters cannot be used in HTML: 00-08, 0B-0C, 0E-1F, and 7F-9F.

Parameters:
input - the text to encode for HTML
Returns:
input encoded for HTML, return empty string if null was specified as input parameter
See Also:
HTML Encodings [wikipedia.org], SGML Specification [w3.org], XML Specification [w3.org]

encodeForHTMLAttribute

public static String encodeForHTMLAttribute(String input)
Encode data for use in HTML attributes.

Parameters:
input - the text to encode for an HTML attribute
Returns:
input encoded for use as an HTML attribute, return empty string if null was specified as input parameter

encodeForJavaScript

public static String encodeForJavaScript(String input)
Encode data for insertion inside a data value or function argument in JavaScript. Including user data directly inside a script is quite dangerous. Great care must be taken to prevent including user data directly into script code itself, as no amount of encoding will prevent attacks there. Please note there are some JavaScript functions that can never safely receive untrusted data as input – even if the user input is encoded. For example:

Parameters:
input - the text to encode for JavaScript
Returns:
input encoded for use in JavaScript, return empty string if null was specified as input parameter

encodeForURL

public static String encodeForURL(String input)
Encode for use in a URL. This method performs URL encoding on the entire string.

Parameters:
input - the text to encode for use in a URL
Returns:
input encoded for use in a URL, return empty string if null was specified as input parameter
See Also:
URL encoding
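
An added example, not JCMS code, of choosing the encoder by output context, which is the distinction the encodeFor* methods above exist for: the same untrusted value is placed in an element body, an attribute, a JavaScript string literal and a URL query, each with the matching encoder. The helper class and the page name search.jsp are assumptions.

```java
import com.jalios.jcms.HttpUtil;

/**
 * Hypothetical helper (not JCMS code) rendering one untrusted search term into
 * four different HTML contexts. The rule is: encode for the context the data is
 * going into, and nest encoders when a value crosses two contexts.
 */
public final class SearchFragmentRenderer {

  private SearchFragmentRenderer() {
  }

  public static String render(String query) {
    StringBuilder html = new StringBuilder();

    // 1. HTML element body: entity encoding, so <, >, & and quotes cannot start markup.
    html.append("<h1>Results for ")
        .append(HttpUtil.encodeForHTML(query))
        .append("</h1>\n");

    // 2. HTML attribute value: attribute encoding, and the attribute is always quoted.
    html.append("<input type=\"text\" name=\"q\" value=\"")
        .append(HttpUtil.encodeForHTMLAttribute(query))
        .append("\">\n");

    // 3. JavaScript: the data is a *string literal value* inside quotes. Putting it
    //    into script code itself (as an identifier, a function name, an eval() argument)
    //    cannot be made safe by any encoder, as the encodeForJavaScript description says.
    html.append("<script>var lastQuery = '")
        .append(HttpUtil.encodeForJavaScript(query))
        .append("';</script>\n");

    // 4. URL query component: percent-encode before concatenation, then attribute-encode
    //    the whole href because it lives inside an HTML attribute (two contexts, two encoders).
    String href = "search.jsp?q=" + HttpUtil.encodeForURL(query);
    html.append("<a href=\"")
        .append(HttpUtil.encodeForHTMLAttribute(href))
        .append("\">search again</a>\n");

    return html.toString();
  }
}
```

All four encoders return an empty string for a null input, so a missing parameter renders as empty rather than as the literal text "null".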

getValidHttpUrl

public static String getValidHttpUrl(javax.servlet.http.HttpServletRequest request,
                                     String parameterName)
Retrieve a verified URL parameter value.

Example :

  String redirect = getValidHttpUrl(request, "redirect");
 

Parameters:
request - the request from which the parameter will be read
parameterName - the name of the HTTP parameter to be retrieved
Returns:
the URL or null if parameter was missing or received URL was invalid

validateHttpUrl

public static String validateHttpUrl(String url)
Validate a URL and return it.

Example :

  String redirect = validateHttpUrl("http://www.example.com/");
 

Parameters:
url - the value to be verified
Returns:
the URL or null if URL was invalid

isValidHttpUrl

public static boolean isValidHttpUrl(String url)
Check that the specified URL (absolute or relative) is a valid URL authorized for use in redirection.

As of the current implementation, the following behavior applies : all URLs are accepted (NO verification performed) when the JCMS property channel.security.validate-redirect is set to false (default is true).

Otherwise, the following rules are required :

And the following validation is performed :

You can enable TRACE logging on this class for detailed information of validation being performed.

 <logger name="com.jalios.jcms.HttpUtil"> <level value="TRACE" /> </logger>
 

Parameters:
url - the URL to check
Returns:
true if a redirect can be performed with this URL, false otherwise
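
An added example, not from JCMS, of the usual open-redirect guard built on getValidHttpUrl and isValidHttpUrl: the "redirect" parameter is honoured only when validation passes, otherwise a fixed in-site page is used and the rejected value is never echoed back. The helper class and the fallback page name are assumptions.

```java
import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.jalios.jcms.HttpUtil;

/**
 * Hypothetical helper (not JCMS code). Note the caveat from isValidHttpUrl: when
 * channel.security.validate-redirect is false every URL is accepted, so this guard
 * is only as strong as that property.
 */
public final class SafeRedirect {

  // Placeholder fallback; a relative, in-site page so it always passes validation itself.
  private static final String DEFAULT_TARGET = "index.jsp";

  private SafeRedirect() {
  }

  /** Redirect to the URL carried by the "redirect" parameter, or to the default page. */
  public static void fromParameter(HttpServletRequest request, HttpServletResponse response)
      throws IOException {
    // null when the parameter is absent or when isValidHttpUrl() rejected it.
    String target = HttpUtil.getValidHttpUrl(request, "redirect");
    if (target == null) {
      // Do not reuse the rejected value anywhere (not even in an error message).
      target = DEFAULT_TARGET;
    }
    response.sendRedirect(target);
  }

  /** Same decision for a URL that was obtained elsewhere (stored preference, referer, ...). */
  public static String chooseTarget(String candidate) {
    // validateHttpUrl(candidate) would return the same thing as the ternary below.
    return HttpUtil.isValidHttpUrl(candidate) ? candidate : DEFAULT_TARGET;
  }
}
```
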

isValidDisplayServletPath

public static boolean isValidDisplayServletPath(String displayServletPath)
Check if the specified path is valid for use by the display servlet

Parameters:
displayServletPath - a servlet path such as "/jcms/c_42/foo-bar"
Returns:
true if the path is valid, false otherwise

getChooserParameter

public static String getChooserParameter(javax.servlet.http.HttpServletRequest request,
                                         String parameterName)
Retrieve a verified targetInput, targetLabel or other target value used by JCMS Choosers inside JavaScript code.

Example :

  String targetInput = getChooserParameter(request, "targetInput");
  String targetLabel = getChooserParameter(request, "targetLabel");
 

Parameters:
request - HttpServletRequest from which parameter must be read
parameterName - the name of the HTTP parameter to be retrieved
Returns:
a valid and sanitized target (input, label, ...) or null if parameter was missing or invalid

getDataParameter

public static <T> T getDataParameter(javax.servlet.http.HttpServletRequest request,
                                     String parameterName,
                                     Class<T> clazz)
Retrieve a typed Data from its id received in parameter.

Examples :

  Portal portal = getDataParameter(request, "portal", Portal.class);
  SmallNews sm = getDataParameter(request, "id", SmallNews.class);
 

Parameters:
request - HttpServletRequest from which parameter must be read, must not be null
parameterName - the name of the HTTP parameter from which data id will be retrieved, must not be null
clazz - the expected class of Data
Returns:
the Data corresponding to the id received in parameter or null if parameter was missing, empty, invalid, or for a Data of another class

getDataListParameter

public static <T extends Data> List<T> getDataListParameter(javax.servlet.http.HttpServletRequest request,
                                                            String parameterName,
                                                            Class<T> clazz)
Retrieve a list of Data from ids received in a single value of the parameter (separated with spaces or commas).

Examples :

  List<Group> groupList = getDataListParameter(request, "groups", Group.class);
  List<SmallNews> newsList = getDataListParameter(request, "ids", SmallNews.class);
 

Parameters:
request - HttpServletRequest from which parameter must be read, must not be null
parameterName - the name of the HTTP parameter from which data ids will be retrieved, must not be null
clazz - the expected class of Data
Returns:
the List of Data, corresponding to the ids received in parameter or empty list if parameter was missing, empty or invalid

getDataParameter

public static Data getDataParameter(javax.servlet.http.HttpServletRequest request,
                                    String parameterName)
Retrieve a Data from its id received in parameter.

Example :

  Data data = getDataParameter(request, "id");
 

Parameters:
request - HttpServletRequest from which parameter must be read, must not be null
parameterName - the name of the HTTP parameter from which data id will be retrieved, must not be null
Returns:
the Data corresponding to the id received in parameter or null if parameter was missing, empty, invalid, or for a Data of another class

getWorkspaceParameter

public static Workspace getWorkspaceParameter(javax.servlet.http.HttpServletRequest request,
                                              String parameterName)
Retrieve a Workspace from its id received in parameter.

Example :

  Workspace ws = getWorkspaceParameter(request, "ws");
 

Parameters:
request - HttpServletRequest from which parameter must be read, must not be null
parameterName - the name of the HTTP parameter from which data id will be retrieved, must not be null
Returns:
the Workspace corresponding to the id received in parameter or null if parameter was missing, empty, invalid, or for a Data of another class

getCategoryParameter

public static Category getCategoryParameter(javax.servlet.http.HttpServletRequest request,
                                            String parameterName)
Retrieve a Category from its id received in parameter.

Example :

  Category cat = getCategoryParameter(request, "cid");
 

Parameters:
request - HttpServletRequest from which parameter must be read, must not be null
parameterName - the name of the HTTP parameter from which data id will be retrieved, must not be null
Returns:
the Category corresponding to the id received in parameter or null if parameter was missing, empty, invalid, or for a Data of another class

getPublicationParameter

public static Publication getPublicationParameter(javax.servlet.http.HttpServletRequest request,
                                                  String parameterName)
Retrieve a Publication from its id received in parameter.

Example :

  Publication pub = getPublicationParameter(request, "id");
 

Parameters:
request - HttpServletRequest from which parameter must be read, must not be null
parameterName - the name of the HTTP parameter from which data id will be retrieved, must not be null
Returns:
the Publication corresponding to the id received in parameter or null if parameter was missing, empty, invalid, or for a Data of another class

getMemberParameter

public static Member getMemberParameter(javax.servlet.http.HttpServletRequest request,
                                        String parameterName)
Retrieve a Member from its id received in parameter.

Example :

  Member mbr = getMemberParameter(request, "mbrId");
 

Parameters:
request - HttpServletRequest from which parameter must be read, must not be null
parameterName - the name of the HTTP parameter from which data id will be retrieved, must not be null
Returns:
the Member corresponding to the id received in parameter or null if parameter was missing, empty, invalid, or for a Data of another class

getGroupParameter

public static Group getGroupParameter(javax.servlet.http.HttpServletRequest request,
                                      String parameterName)
Retrieve a Group from its id received in parameter.

Example :

  Group grp = getGroupParameter(request, "grpId");
 

Parameters:
request - HttpServletRequest from which parameter must be read, must not be null
parameterName - the name of the HTTP parameter from which data id will be retrieved, must not be null
Returns:
the Group corresponding to the id received in parameter or null if parameter was missing, empty, invalid, or for a Data of another class

hasParameter

public static boolean hasParameter(javax.servlet.http.HttpServletRequest request,
                                   String parameterName)
Check if a parameter was received in the specified request.

Example :

 if (hasParameter(request, "opRefresh")) {
   //...
 }
 
This method is the same as doing :
  String value = getUntrustedStringParameter(request, parameterName); // request.getParameter(parameterName);
  return value != null;
 

Parameters:
request - HttpServletRequest from which parameter must be read, must not be null
parameterName - name of the HTTP parameter from which value will be read, must not be null
Returns:
false if the parameter was not in the request (null value), true in any other case

getBooleanParameter

public static boolean getBooleanParameter(javax.servlet.http.HttpServletRequest request,
                                          String parameterName,
                                          boolean defaultValue)
Retrieve a boolean value from specified HTTP request parameter.

Important remark regarding behavior on missing/invalid parameter :


getIntParameter

public static int getIntParameter(javax.servlet.http.HttpServletRequest request,
                                  String parameterName,
                                  int defaultValue)
Retrieve an integer value from specified HTTP request parameter.

Parameters:
request - HttpServletRequest from which parameter must be read, must not be null
parameterName - name of the HTTP parameter from which value will be read, must not be null
defaultValue - the default value to use if parameter is missing or invalid
Returns:
an integer value extracted from the value of the HTTP parameter if any, or the default value if parameter was missing or invalid

getLongParameter

public static long getLongParameter(javax.servlet.http.HttpServletRequest request,
                                    String parameterName,
                                    long defaultValue)
Retrieve a long value from specified HTTP request parameter.

Parameters:
request - HttpServletRequest from which parameter must be read, must not be null
parameterName - name of the HTTP parameter from which value will be read, must not be null
defaultValue - the default value to use if parameter is missing, empty or invalid
Returns:
a long value extracted from the value of the HTTP parameter if any, or the default value if parameter was missing, empty or invalid

getDoubleParameter

public static double getDoubleParameter(javax.servlet.http.HttpServletRequest request,
                                        String parameterName,
                                        double defaultValue)
Retrieve a double value from specified HTTP request parameter.

Parameters:
request - HttpServletRequest from which parameter must be read, must not be null
parameterName - name of the HTTP parameter from which value will be read, must not be null
defaultValue - the default value to use if parameter is missing, empty or invalid
Returns:
a double value extracted from the value of the HTTP parameter if any, or the default value if parameter was missing, empty or invalid

getDateTimeParameter

public static Date getDateTimeParameter(javax.servlet.http.HttpServletRequest request,
                                        String parameterName,
                                        String dateLanguage,
                                        Date defaultValue)
Retrieve a Date (date and time) value from specified HTTP request parameter.

The parameter will be parsed using date format specified in property date-time-format of the specified language.

Parameters:
request - HttpServletRequest from which parameter must be read, must not be null
parameterName - name of the HTTP parameter from which value will be parsed, must not be null
dateLanguage - the language in which the received parameter will be parsed
defaultValue - the default value to use if parameter is missing, empty or invalid
Returns:
a Date value extracted from the value of the HTTP parameter if any, or the default value if parameter was missing, empty or invalid
See Also:
Channel.getDateTimeFormat(String)

getDateParameter

public static Date getDateParameter(javax.servlet.http.HttpServletRequest request,
                                    String parameterName,
                                    String dateLanguage,
                                    Date defaultValue)
Retrieve a Date (date only) value from specified HTTP request parameter.

The parameter will be parsed using date format specified in property date-format of the specified language.

Parameters:
request - HttpServletRequest from which parameter must be read, must not be null
parameterName - name of the HTTP parameter from which value will be parsed, must not be null
dateLanguage - the language in which the received parameter will be parsed
defaultValue - the default value to use if parameter is missing, empty or invalid
Returns:
a Date value extracted from the value of the HTTP parameter if any, or the default value if parameter was missing, empty or invalid
See Also:
Channel.getDateFormat(String)

getDateParameter

public static Date getDateParameter(javax.servlet.http.HttpServletRequest request,
                                    String parameterName,
                                    DateFormat dateFormat,
                                    Date defaultValue)
Retrieve a Date value from specified HTTP request parameter.

The parameter will be parsed using the specified date format

Parameters:
request - HttpServletRequest from which parameter must be read, must not be null
parameterName - name of the HTTP parameter from which value will be parsed, must not be null
dateFormat - the DateFormat to use to parse the date parameter, must not be null
defaultValue - the default value to use if parameter is missing, empty or invalid
Returns:
a Date value extracted from the value of the HTTP parameter if any, or the default value if parameter was missing, empty or invalid
See Also:
Channel.getDateFormat(String)

getStringEnumParameter

public static String getStringEnumParameter(javax.servlet.http.HttpServletRequest request,
                                            String parameterName,
                                            String defaultValue,
                                            String... possibleValues)
Retrieve a String value from the specified HTTP request parameter.

The parameter value must match one of the possible values specified, otherwise the default value is used.

Example, read the "align" parameter, accepting only the values authorized for the HTML table align attribute:

  getStringEnumParameter(request, "align", "left", new String[] { "left", "center", "right" });

The comparison is case sensitive.

Parameters:
request - HttpServletRequest from which parameter must be read, must not be null
parameterName - name of the HTTP parameter from which value will be read, must not be null
defaultValue - the default value to use if parameter is missing or invalid
possibleValues - the values authorized, must not be null
Returns:
a String value, or the default value if parameter was missing or invalid (did not match any possible value)

getAlphaNumParameter

public static String getAlphaNumParameter(javax.servlet.http.HttpServletRequest request,
                                          String parameterName,
                                          String defaultValue)
Retrieve a String value from the specified HTTP request parameter.

The parameter value must match the alphanumeric regular expression ALPHANUM_REGEX.

Parameters:
request - HttpServletRequest from which parameter must be read, must not be null
parameterName - name of the HTTP parameter from which value will be read, must not be null
defaultValue - the default value to use if parameter is missing or invalid
Returns:
a String value, or the default value if parameter was missing or invalid (did not match regex)

getDataIdParameter

public static String getDataIdParameter(javax.servlet.http.HttpServletRequest request,
                                        String parameterName)
Retrieve a Data id from the specified HTTP request parameter.

Contrary to most get*Parameter methods in HttpUtil, this method returns an empty string if the parameter value was missing, empty or invalid.

Beware that this method does NOT check that the id matches an existing or valid Data.

Example:

  In Java: String id = HttpUtil.getDataIdParameter(request, "id");
  In JSP: <input name="id" value="<%= getDataIdParameter("id") %>"/>

This method is equivalent to:

  String id = HttpUtil.getStringParameter(request, parameterName, "", HttpUtil.DATAID_REGEX);

Parameters:
request - HttpServletRequest from which parameter must be read, must not be null
parameterName - the name of the HTTP parameter from which data id will be retrieved, must not be null
Returns:
an id, or an empty string if parameter was missing, empty or invalid (never returns null)

getStringParameter

public static String getStringParameter(javax.servlet.http.HttpServletRequest request,
                                        String parameterName,
                                        String defaultValue,
                                        String regex)
Retrieve a String value from the specified HTTP request parameter.

The parameter value must match the specified regular expression.

You are encouraged to use the predefined regular expression constants of this class.

Parameters:
request - HttpServletRequest from which parameter must be read, must not be null
parameterName - name of the HTTP parameter from which value will be read, must not be null
defaultValue - the default value to use if parameter is missing or invalid
regex - the regular expression the string is expected to match, must not be null
Returns:
a String value, or the default value if parameter was missing or invalid (did not match regex)

validateString

public static String validateString(String value,
                                    String regex)
Validate a String value against specified regular expression.

You are encouraged to use the predefined regular expression constants of this class.

Parameters:
value - value to validate
regex - the regular expression the string is expected to match, must not be null
Returns:
a String value, or null if specified value was null or invalid (did not match regex)

getStringParameterValues

public static String[] getStringParameterValues(javax.servlet.http.HttpServletRequest request,
                                                String parameterName,
                                                String regex)
Retrieve an array of String values from the specified HTTP request parameter.

Each parameter value must match the specified regular expression.

You are encouraged to use the predefined regular expression constants of this class.

Parameters:
request - HttpServletRequest from which parameter must be read, must not be null
parameterName - name of the HTTP parameter from which value will be read, must not be null
regex - the regular expression strings are expected to match, must not be null
Returns:
an array of String values; null if the parameter was missing; an empty or partial array when all or some of the values were invalid (did not match the regex)

validateStringValues

public static String[] validateStringValues(String[] values,
                                            String regex)
Validate each value in the specified array of String values against specified regular expression.

You are encouraged to use the predefined regular expression constants of this class.

Parameters:
values - the values to validate
regex - the regular expression strings are expected to match, must not be null
Returns:
an array of String values; null if the specified values array was null; an empty or partial array when all or some of the values were invalid (did not match the regex)

getUntrustedStringParameter

public static String getUntrustedStringParameter(javax.servlet.http.HttpServletRequest request,
                                                 String parameterName,
                                                 String defaultValue)
Retrieve any String value from the specified HTTP request parameter, without validation.

This method should be AVOIDED AT ALL COST and used only as a last resort; make sure you PROPERLY ENCODE the returned value in the output.

Parameters:
request - HttpServletRequest from which parameter must be read, must not be null
parameterName - name of the HTTP parameter from which value will be read, must not be null
defaultValue - the default value to use if parameter is missing
Returns:
the parameter value, or the default value if the parameter was missing or was an empty string

addCookie

public static void addCookie(javax.servlet.http.HttpServletResponse response,
                             javax.servlet.http.Cookie cookie)
Add a cookie to the response.

If the JCMS property channel.security.check-cookie.enabled is set to false, this method simply uses the underlying JavaEE implementation of HttpServletResponse.addCookie(Cookie).

If the property is set to true (the default behavior), this method performs additional security checks on the cookie before adding it.

Parameters:
response - the HttpServletResponse in which to send the cookie
cookie - the cookie to send in the response

isCSRFEnabled

public static boolean isCSRFEnabled()
Check if CSRF attack prevention is enabled for the site.

Returns:
true if CSRF prevention is enabled, false otherwise

getCSRFToken

public static String getCSRFToken(javax.servlet.http.HttpServletRequest request)
Retrieve the value of CSRF token (both session & member) for the current request.

Parameters:
request - the current HttpServletRequest
Returns:
the token value or an empty string, never return null
Since:
jcms-7.0.4 jcms-7.1.1

initializeCSRFToken

public static void initializeCSRFToken(javax.servlet.http.HttpSession session)
Initialize a new CSRF Token for the current session (if any)

Parameters:
session - the HttpSession in which CSRF token is added

getCurrentCSRFToken

public static String getCurrentCSRFToken(javax.servlet.http.HttpSession session)
Retrieve the current valid CSRF Token expected on critical requests of the current session.

Parameters:
session - the current HttpSession
Returns:
the expected CSRF token value

getCurrentCSRFToken

public static String getCurrentCSRFToken(javax.servlet.http.HttpServletRequest request)
Retrieve the current valid CSRF Token expected on critical requests of the current session.

Parameters:
request - the current HttpServletRequest
Returns:
the expected CSRF token value

isCSRFMemberTokenAllowed

public static boolean isCSRFMemberTokenAllowed()
Check if a CSRF token may be accepted across different sessions, in order to allow a submission after session expiration.

Initialized from property channel.security.csrf.allow-token-through-session

If enabled, security is decreased because an attacker has more time to retrieve the token, but usability increases because the end user is allowed to submit a form after session expiration.

Returns:
true if the member CSRF token may be accepted across sessions, false otherwise

getCSRFMemberTokenMaxAge

public static long getCSRFMemberTokenMaxAge()
Retrieve the duration in milliseconds above which a member token is considered invalid.

Initialized from property channel.security.csrf.member-token-max-age

Returns:
a duration in milliseconds

initializeMemberCSRFToken

public static void initializeMemberCSRFToken(Member member,
                                             javax.servlet.http.HttpServletRequest request)
Initialize the CSRF Token for the specified member from the current CSRF token of the request (if any)

Parameters:
member - the logged Member
request - the current HttpServletRequest

clearMemberCSRFToken

public static void clearMemberCSRFToken(Member member)
Remove CSRF token of the specified member

Parameters:
member - the member for which CSRF token should be removed

getCurrentMemberCSRFToken

public static String getCurrentMemberCSRFToken(Member member)
Retrieve the current valid CSRF Token expected on critical requests of the specified member.

This method must be used only if "token through session" option has been enabled.

Parameters:
member - the current Member
Returns:
the expected CSRF token value, or null if none could be found

checkCSRF

public static boolean checkCSRF(javax.servlet.http.HttpServletRequest request)
Check if the specified request is valid against CSRF attack.

Parameters:
request - the HttpServletRequest to validate
Returns:
true if the request is safe (or if the request is null), false if the safety of the request cannot be guaranteed

getUrlWithCSRFToken

public static String getUrlWithCSRFToken(String url,
                                         javax.servlet.http.HttpServletRequest request,
                                         boolean escapeAmpersand)
Adds the current CSRF token to the specified URL and returns it.

If CSRF prevention is disabled, the URL is returned as is.

Parameters:
url - the URL to complete
request - the current request used to find the current CSRF token
escapeAmpersand - will use "&amp;" if true, "&" if false
Returns:
a modified URL with the added CSRF token, or the unchanged specified URL if CSRF is disabled
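As an added example (not part of the Jalios documentation or code), the following servlet shows how the validating get*Parameter methods and the CSRF methods described above fit together in one request handler: the CSRF check gates the request, every parameter goes through a whitelist or regex getter, and links to further state-changing actions are built with getUrlWithCSRFToken. The servlet class, the parameter names, the "en" channel language, the error handling and the view names are assumptions.

```java
import java.io.IOException;
import java.util.Date;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.jalios.jcms.HttpUtil;

/** Hypothetical state-changing servlet; every name except HttpUtil's API is an assumption. */
public class PublishServlet extends HttpServlet {

  @Override
  protected void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    // 1. CSRF gate first: reject before any parameter is read or any state is touched.
    //    checkCSRF() compares the token received (parameter or header) with the one
    //    expected for the session (or for the member, if "token through session" is enabled).
    if (!HttpUtil.checkCSRF(request)) {
      response.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid CSRF token");
      return;
    }

    // 2. Read input only through the validating getters: each value is either whitelisted /
    //    regex-checked or replaced by the default, so raw input never reaches the code below.
    String id = HttpUtil.getDataIdParameter(request, "id");  // "" if missing or not a data id
    if (id.isEmpty()) {
      response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing or malformed id");
      return;
    }
    // case-sensitive enumeration: any other value falls back to "left"
    String align = HttpUtil.getStringEnumParameter(request, "align", "left",
                                                    "left", "center", "right");
    String slug = HttpUtil.getAlphaNumParameter(request, "slug", "untitled");
    // multi-valued parameter: null if absent, invalid entries dropped from the array
    String[] tags = HttpUtil.getStringParameterValues(request, "tag", HttpUtil.ALPHANUM_REGEX);
    if (tags == null) tags = new String[0];
    // parsed with the date-format property of the "en" language (assumed channel language)
    Date pdate = HttpUtil.getDateParameter(request, "pdate", "en", new Date());

    // ... persist (id, align, slug, tags, pdate) here ...

    // 3. Links to further state-changing actions carry the token; escapeAmpersand=true
    //    because the view renders this URL inside an HTML attribute.
    request.setAttribute("deleteUrl",
        HttpUtil.getUrlWithCSRFToken("delete.jsp?id=" + id, request, true));
    request.getRequestDispatcher("/edit.jsp").forward(request, response);
  }
}
```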


Copyright © 2001-2010 Jalios SA. All Rights Reserved.