001/**
002 * Copyright 2005-2016 The Kuali Foundation
003 *
004 * Licensed under the Educational Community License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 * http://www.opensource.org/licenses/ecl2.php
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 */
016package org.kuali.rice.krad.web.filter;
017
import java.io.IOException;
import java.net.URLDecoder;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
029
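/**
 * A simple filter that answers 404 for any URL that points into an embedded module's
 * WEB-INF directory.
 * Another solution would be for the container to disable directory browsing, however
 * files may still be accessed directly.  This filter pre-emptively catches the URL,
 * which means that application code cannot actually handle those URLs (for instance,
 * to do its own error handling).
 *
 * <p>The check is applied to the request URI as it was sent and to its percent-decoded
 * form, ignoring case. {@link HttpServletRequest#getRequestURI()} returns the undecoded
 * string, so a comparison against the literal text alone would not recognise an escaped
 * or differently-cased spelling of the directory name.
 *
 * <p>There is probably a better way to do this, e.g. a filter to bean proxy in some spring context,
 * but the sample app doesn't really have a web context of its own to put this in.
 *
 * @author Kuali Rice Team (rice.collab@kuali.org)
 *
 */
public class HideWebInfFilter implements Filter {

    /**
     * Matches the directory name anywhere in a path. Used with {@code find()}, and
     * case-insensitive so that spellings such as {@code web-inf} are caught as well.
     */
    private static final Pattern WEB_INF_PATTERN = Pattern.compile("WEB-INF", Pattern.CASE_INSENSITIVE);

    /**
     * Nothing to release; the filter holds no resources.
     *
     * @see javax.servlet.Filter#destroy()
     */
    public void destroy() {
        // nothing
    }

    /**
     * Sends {@code 404 Not Found} for HTTP requests whose URI refers to a WEB-INF
     * directory and passes every other request down the chain unchanged.
     *
     * @param req the incoming request; only {@link HttpServletRequest}s are inspected
     * @param res the response; cast to {@link HttpServletResponse} when a request is rejected
     * @param fc the remaining filter chain
     * @throws IOException if sending the error or the downstream chain fails
     * @throws ServletException if the downstream chain fails
     * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
     */
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain fc) throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest hsr = (HttpServletRequest) req;

            if (targetsWebInf(hsr.getRequestURI())) {
                HttpServletResponse hsresp = (HttpServletResponse) res;
                hsresp.sendError(HttpServletResponse.SC_NOT_FOUND);
                // Stop here: the request must not reach the rest of the chain.
                return;
            }
        }

        fc.doFilter(req, res);
    }

    /**
     * No configuration is read.
     *
     * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
     */
    public void init(FilterConfig arg0) throws ServletException {
        // nada
    }

    /**
     * Decides whether a request URI refers to a WEB-INF directory.
     *
     * @param requestUri the raw request URI, may be {@code null}
     * @return {@code true} if the raw or the percent-decoded URI contains the directory
     *         name in any letter case, or if the URI cannot be decoded
     */
    private static boolean targetsWebInf(String requestUri) {
        if (requestUri == null) {
            return false;
        }
        if (WEB_INF_PATTERN.matcher(requestUri).find()) {
            return true;
        }

        final String decoded;
        try {
            decoded = URLDecoder.decode(requestUri, "UTF-8");
        } catch (IllegalArgumentException e) {
            // Malformed escape sequence: fail closed rather than forward a URI
            // this filter could not inspect.
            return true;
        } catch (IOException e) {
            // UnsupportedEncodingException; UTF-8 is a required charset, so this is not expected.
            throw new IllegalStateException("UTF-8 is not available", e);
        }
        return WEB_INF_PATTERN.matcher(decoded).find();
    }
}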