[jboss-cvs] JBossAS SVN: r112732 - branches/JBPAPP_5_1/tomcat/src/main/org/jboss/web/tomcat/security.

Wed Mar 7 10:09:43 EST 2012


Author: tfonteyn
Date: 2012-03-07 10:09:43 -0500 (Wed, 07 Mar 2012)
New Revision: 112732

Modified:
   branches/JBPAPP_5_1/tomcat/src/main/org/jboss/web/tomcat/security/WebUtil.java
Log:
[JBPAPP-8369] parameters are now named, j_password is skipped, audit is configurable as per the documentation instead of dumping everything

Modified: branches/JBPAPP_5_1/tomcat/src/main/org/jboss/web/tomcat/security/WebUtil.java
===================================================================
--- branches/JBPAPP_5_1/tomcat/src/main/org/jboss/web/tomcat/security/WebUtil.java	2012-03-07 11:40:07 UTC (rev 112731)
+++ branches/JBPAPP_5_1/tomcat/src/main/org/jboss/web/tomcat/security/WebUtil.java	2012-03-07 15:09:43 UTC (rev 112732)
@@ -21,8 +21,8 @@
  */
 package org.jboss.web.tomcat.security;
 
+import java.util.Arrays;
 import java.util.Enumeration;
-
 import javax.servlet.http.HttpServletRequest;
 
 /**
@@ -30,9 +30,32 @@
  *  @author <a href="mailto:Anil.Saldhana at jboss.org">Anil Saldhana</a>
  *  @version $Revision$
  *  @since  Aug 22, 2006
+ *
+ *  Code in here should be kept in sync with
+ *     jbosssx/src/main/java/org/jboss/security/authorization/resources/WebResource.java 
  */
 public class WebUtil
 {
+   /** System Property setting to configure the web audit 
+    *  off = turn it off
+    *  headers = audit the headers
+    *  cookies = audit the cookie
+    *  parameters = audit the parameters
+    *  attributes = audit the attributes
+    *  headers,cookies,parameters = audit the headers,cookie and parameters
+    *  headers,cookies = audit the headers and cookies
+    *  and so on 
+    *  
+    *  Note: If this flag is not set in the system property, then we get no
+    *  audit data for the web request
+    * */
+   public static final String WEB_AUDIT_FLAG = "org.jboss.security.web.audit";
+   private static String auditFlag = " ";
+   static
+   {
+      auditFlag =  System.getProperty(WEB_AUDIT_FLAG, " ").toLowerCase();
+   }
+
    /**
     * Obtain debug information from the servlet request object
     * @param httpRequest
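Review bot: The static initializer lower-cases the property with the default-locale `toLowerCase()`, so a JVM running under a locale with special casing rules (Turkish dotted/dotless i, for instance) can turn a configured value such as `ATTRIBUTES` into something that never matches `contains("attributes")`, silently disabling that part of the audit; `auditFlag = System.getProperty(WEB_AUDIT_FLAG, " ").toLowerCase(Locale.ROOT);` (with `java.util.Locale` imported) is locale-independent. Since the value is only ever assigned once, the non-final `auditFlag` plus the static block could collapse into a single `private static final String AUDIT_FLAG = ...;`, which also makes the "read once at class load" behaviour explicit to readers. The Javadoc lists `off` as a value, but the code below only tests for the four keywords with `contains`, so `off` is just one of many strings that disable everything and a value like `noheaders` would enable the headers audit; a sentence such as `Matching is by substring; any value not containing one of the keywords disables the audit.` would spare the next maintainer a surprise.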
@@ -42,38 +65,60 @@
    {
       StringBuilder sb = new StringBuilder();
       sb.append("[").append(httpRequest.getContextPath());
-      sb.append(":cookies=").append(httpRequest.getCookies()).append(":headers=");
+       //Append cookies
+       if(auditFlag.contains("cookies"))
+       {
+           sb.append(":cookies=").append(Arrays.toString(httpRequest.getCookies()));
+       }
       //Append Header information
-      Enumeration<?> en = httpRequest.getHeaderNames();
-      for(;en.hasMoreElements();)
+      if(auditFlag.contains("headers"))
       {
-         String headerName = (String)en.nextElement();
-         sb.append(headerName).append("=");
-          //Ensure HTTP Basic Password is not logged
-         if(headerName.contains("authorization") == false)
-            sb.append(httpRequest.getHeader(headerName)).append(","); 
+         sb.append(":headers=");
+         Enumeration<?> en = httpRequest.getHeaderNames();
+         for(;en.hasMoreElements();)
+         {
+            String headerName = (String)en.nextElement();
+            sb.append(headerName).append("=");
+            //Ensure HTTP Basic Password is not logged
+            if(headerName.contains("authorization") == false)
+               sb.append(httpRequest.getHeader(headerName)).append(",");
+         }
+         sb.append("]");
       }
-      sb.append("]");
       //Append Request parameter information
-      sb.append("[parameters=");
-      Enumeration<?> enparam = httpRequest.getParameterNames();
-      for(;enparam.hasMoreElements();)
+     if(auditFlag.contains("parameters"))
       {
-         String paramName = (String)enparam.nextElement();
-         String[] paramValues = httpRequest.getParameterValues(paramName);
-         int len = paramValues != null ? paramValues.length : 0;
-         for(int i = 0 ; i < len ; i++)
-            sb.append(paramValues[i]).append("::"); 
-         sb.append(",");
-      } 
-      sb.append("][attributes=");
-      //Append Request attribute information
-      Enumeration<?> enu = httpRequest.getAttributeNames();
-      for(;enu.hasMoreElements();)
+         sb.append("[parameters=");
+         Enumeration<?> enparam = httpRequest.getParameterNames();
+         for(;enparam.hasMoreElements();)
+         {
+            String paramName = (String)enparam.nextElement();
+            sb.append(paramName).append("=");
+            if (paramName.equalsIgnoreCase("j_password"))
+            {
+               sb.append("***");
+            }
+            else
+            {
+               String[] paramValues = httpRequest.getParameterValues(paramName);
+               int len = paramValues != null ? paramValues.length : 0;
+               for(int i = 0 ; i < len ; i++)
+                  sb.append(paramValues[i]).append("::");
+            }
+            sb.append(",");
+         }
+      }
+      //Append Request attribute information      
+      if(auditFlag.contains("attributes"))
       {
-         String attrName = (String)enu.nextElement();
-         sb.append(attrName).append("=");
-         sb.append(httpRequest.getAttribute(attrName)).append(",");
+         sb.append("][attributes=");
+         Enumeration<?> enu = httpRequest.getAttributeNames();
+         for(;enu.hasMoreElements();)
+         {
+            String attrName = (String)enu.nextElement();
+            sb.append(attrName).append("=");
+            sb.append(httpRequest.getAttribute(attrName)).append(",");
+         }
       }
       sb.append("]");
       return sb.toString();
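Review bot: The password-protection check in the headers branch, `headerName.contains("authorization") == false`, is case-sensitive, so if the container hands back the header name as the client sent it (typically `Authorization`) the credential is still written to the audit line in full; `if (!headerName.toLowerCase(Locale.ROOT).contains("authorization"))` (with `java.util.Locale` imported) closes that gap. In the same branch the `Cookie` header is copied verbatim whenever `headers` is enabled, which means session identifiers reach the log even when the separate `cookies` flag is off; the note on that line should say so, or the loop should skip `cookie` the same way it skips `authorization`. The bracket output is now flag-dependent: `headers` alone yields `...]]`, while `parameters` without `attributes` leaves `[parameters=` unclosed, because the closing `]` for headers is appended inside its block but the one for parameters only comes from the `][attributes=` prefix or the final `sb.append("]")`. The enclosing method's signature starts above this hunk.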


