[jboss-cvs] JBossAS SVN: r112732 - branches/JBPAPP_5_1/tomcat/src/main/org/jboss/web/tomcat/security.
Wed Mar 7 10:09:43 EST 2012
Author: tfonteyn
Date: 2012-03-07 10:09:43 -0500 (Wed, 07 Mar 2012)
New Revision: 112732
Modified:
branches/JBPAPP_5_1/tomcat/src/main/org/jboss/web/tomcat/security/WebUtil.java
Log:
[JBPAPP-8369] parameters are now named, j_password is skipped, audit configurable as per documentation instead of dumping all
Modified: branches/JBPAPP_5_1/tomcat/src/main/org/jboss/web/tomcat/security/WebUtil.java
===================================================================
--- branches/JBPAPP_5_1/tomcat/src/main/org/jboss/web/tomcat/security/WebUtil.java 2012-03-07 11:40:07 UTC (rev 112731)
+++ branches/JBPAPP_5_1/tomcat/src/main/org/jboss/web/tomcat/security/WebUtil.java 2012-03-07 15:09:43 UTC (rev 112732)
@@ -21,8 +21,8 @@
*/
package org.jboss.web.tomcat.security;
+import java.util.Arrays;
import java.util.Enumeration;
-
import javax.servlet.http.HttpServletRequest;
/**
@@ -30,9 +30,32 @@
* @author <a href="mailto:Anil.Saldhana at jboss.org">Anil Saldhana</a>
* @version $Revision$
* @since Aug 22, 2006
+ *
+ * Code in here should be kept in sync with
+ * jbosssx/src/main/java/org/jboss/security/authorization/resources/WebResource.java
*/
public class WebUtil
{
+ /** System Property setting to configure the web audit
+ * off = turn it off
+ * headers = audit the headers
+ * cookies = audit the cookie
+ * parameters = audit the parameters
+ * attributes = audit the attributes
+ * headers,cookies,parameters = audit the headers,cookie and parameters
+ * headers,cookies = audit the headers and cookies
+ * and so on
+ *
+ * Note: If this flag is not set in the system property, then we get no
+ * audit data for the web request
+ * */
+ public static final String WEB_AUDIT_FLAG = "org.jboss.security.web.audit";
+ private static String auditFlag = " ";
+ static
+ {
+ auditFlag = System.getProperty(WEB_AUDIT_FLAG, " ").toLowerCase();
+ }
+
/**
* Obtain debug information from the servlet request object
* @param httpRequest
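Review bot: `auditFlag` at `private static String auditFlag = " ";` is assigned twice — in the declaration and again in the static initializer — and is left non-final although nothing else in the hunk writes it; a single `private static final String auditFlag = System.getProperty(WEB_AUDIT_FLAG, " ").toLowerCase(Locale.ROOT);` (plus `import java.util.Locale;`) replaces both and the static block. Calling `toLowerCase()` without a locale is also locale-dependent: under a Turkish default locale an upper-case `I` in the property value becomes dotless ı, so a value like `COOKIES` or `ATTRIBUTES` would never match the `contains("cookies")` checks below. Since the checks are substring matches, a value such as `noheaders` enables the headers section too; if exact tokens are intended, splitting on `,` and trimming would make the documented comma-separated form the only accepted one. The Javadoc could add that the property is read once at class load, so changing it at runtime has no effect.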
@@ -42,38 +65,60 @@
{
StringBuilder sb = new StringBuilder();
sb.append("[").append(httpRequest.getContextPath());
- sb.append(":cookies=").append(httpRequest.getCookies()).append(":headers=");
+ //Append cookies
+ if(auditFlag.contains("cookies"))
+ {
+ sb.append(":cookies=").append(Arrays.toString(httpRequest.getCookies()));
+ }
//Append Header information
- Enumeration<?> en = httpRequest.getHeaderNames();
- for(;en.hasMoreElements();)
+ if(auditFlag.contains("headers"))
{
- String headerName = (String)en.nextElement();
- sb.append(headerName).append("=");
- //Ensure HTTP Basic Password is not logged
- if(headerName.contains("authorization") == false)
- sb.append(httpRequest.getHeader(headerName)).append(",");
+ sb.append(":headers=");
+ Enumeration<?> en = httpRequest.getHeaderNames();
+ for(;en.hasMoreElements();)
+ {
+ String headerName = (String)en.nextElement();
+ sb.append(headerName).append("=");
+ //Ensure HTTP Basic Password is not logged
+ if(headerName.contains("authorization") == false)
+ sb.append(httpRequest.getHeader(headerName)).append(",");
+ }
+ sb.append("]");
}
- sb.append("]");
//Append Request parameter information
- sb.append("[parameters=");
- Enumeration<?> enparam = httpRequest.getParameterNames();
- for(;enparam.hasMoreElements();)
+ if(auditFlag.contains("parameters"))
{
- String paramName = (String)enparam.nextElement();
- String[] paramValues = httpRequest.getParameterValues(paramName);
- int len = paramValues != null ? paramValues.length : 0;
- for(int i = 0 ; i < len ; i++)
- sb.append(paramValues[i]).append("::");
- sb.append(",");
- }
- sb.append("][attributes=");
- //Append Request attribute information
- Enumeration<?> enu = httpRequest.getAttributeNames();
- for(;enu.hasMoreElements();)
+ sb.append("[parameters=");
+ Enumeration<?> enparam = httpRequest.getParameterNames();
+ for(;enparam.hasMoreElements();)
+ {
+ String paramName = (String)enparam.nextElement();
+ sb.append(paramName).append("=");
+ if (paramName.equalsIgnoreCase("j_password"))
+ {
+ sb.append("***");
+ }
+ else
+ {
+ String[] paramValues = httpRequest.getParameterValues(paramName);
+ int len = paramValues != null ? paramValues.length : 0;
+ for(int i = 0 ; i < len ; i++)
+ sb.append(paramValues[i]).append("::");
+ }
+ sb.append(",");
+ }
+ }
+ //Append Request attribute information
+ if(auditFlag.contains("attributes"))
{
- String attrName = (String)enu.nextElement();
- sb.append(attrName).append("=");
- sb.append(httpRequest.getAttribute(attrName)).append(",");
+ sb.append("][attributes=");
+ Enumeration<?> enu = httpRequest.getAttributeNames();
+ for(;enu.hasMoreElements();)
+ {
+ String attrName = (String)enu.nextElement();
+ sb.append(attrName).append("=");
+ sb.append(httpRequest.getAttribute(attrName)).append(",");
+ }
}
sb.append("]");
return sb.toString();
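Review bot: The skip at `if(headerName.contains("authorization") == false)` is case-sensitive, while HTTP header names are case-insensitive and clients normally send `Authorization`; unless the container lower-cases names in `getHeaderNames()` (not something the servlet API guarantees), the Basic credentials this line is meant to hide are written into the audit string, so compare case-insensitively, e.g. `if (!headerName.toLowerCase(Locale.ROOT).contains("authorization"))` (needs `java.util.Locale`). The bracket layout is now inconsistent across flag combinations: the headers block closes with `]`, the parameters block opens `[parameters=` without closing it, the attributes block opens with `][attributes=`, and one `]` is appended unconditionally at the end, so `headers,attributes` produces `]][attributes=` and `parameters` alone never closes the opening `[`. Making each section self-delimiting, as sketched below, restores the previous `[ctx...][parameters=...][attributes=...]` shape for every combination. Note also that `Arrays.toString(httpRequest.getCookies())` only prints what `Cookie.toString()` yields, which the servlet API's `Cookie` class does not override, so the cookies entry is likely object identities rather than cookie names. The enclosing method's signature and closing brace are outside the hunk.
```java
// … unchanged: context path, cookies and headers sections, minus the "]" inside the headers block …
sb.append("]");
if(auditFlag.contains("parameters"))
{
    sb.append("[parameters=");
    // … unchanged: parameter loop with j_password masking …
    sb.append("]");
}
if(auditFlag.contains("attributes"))
{
    sb.append("[attributes=");
    // … unchanged: attribute loop …
    sb.append("]");
}
return sb.toString();
```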