* Update ExternalURIVerifier

* Neuer MOASPSSEntityResolver (inkl. Backlist-Check) für DataObjectFactory git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1239 d688527b-c9ab-4aba-bd8d-4036d912da1d
author: kstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d> 2012-02-13 21:26:40 +0000
committer: kstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d> 2012-02-13 21:26:40 +0000
commit: 94eeead3b212889231ef633c4a721bba6993d8af (patch)
tree: 16ceb673f8bb9a7f94e0c1280fa241e3420dd9f1
parent: 583d95af8f722f60cf848e603f12f6c0be0e9a59 (diff)
download: moa-id-spss-94eeead3b212889231ef633c4a721bba6993d8af.tar.gz
moa-id-spss-94eeead3b212889231ef633c4a721bba6993d8af.tar.bz2
moa-id-spss-94eeead3b212889231ef633c4a721bba6993d8af.zip
5 files changed, 179 insertions, 26 deletions
diff --git a/common/src/main/java/at/gv/egovernment/moa/util/MOAEntityResolver.java b/common/src/main/java/at/gv/egovernment/moa/util/MOAEntityResolver.java
index 0401108d5..8f3ffd4c6 100644
--- a/common/src/main/java/at/gv/egovernment/moa/util/MOAEntityResolver.java
+++ b/common/src/main/java/at/gv/egovernment/moa/util/MOAEntityResolver.java
@@ -91,13 +91,11 @@ public class MOAEntityResolver implements EntityResolver {
       try {
         URI uri = new URI(systemId);
         systemId = uri.getPath();
-        System.out.println("MOAEntityResover: " + uri);
+       
         if (!"file".equals(uri.getScheme()) || "".equals(systemId.trim())) {
           return null;
         }
         
-        //ExternalURIVerifier.verify(uri.getHost(), uri.getPort());
-        
       } catch (MalformedURIException e) {
         return null;
       }
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/DataObjectFactory.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/DataObjectFactory.java
index 1a8216a35..0d100676b 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/DataObjectFactory.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/DataObjectFactory.java
@@ -67,6 +67,7 @@ import at.gv.egovernment.moa.spss.server.iaik.xml.XMLDataObjectImpl;
 import at.gv.egovernment.moa.spss.server.iaik.xml.XMLNodeListDataObjectImpl;
 import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;
 import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager;
+import at.gv.egovernment.moa.spss.util.MOASPSSEntityResolver;
 import at.gv.egovernment.moa.spss.util.MessageProvider;
 import at.gv.egovernment.moa.util.Constants;
 import at.gv.egovernment.moa.util.DOMUtils;
@@ -150,12 +151,12 @@ public class DataObjectFactory {
 
     // build the EntityResolver for validating parsing
     if ((supplements == null) || supplements.isEmpty()) {
-      entityResolver = new MOAEntityResolver();
+      entityResolver = new MOASPSSEntityResolver();
     } else {
       EntityResolverChain chain = new EntityResolverChain();
 
       chain.addEntityResolver(buildSupplementEntityResolver(supplements));
-      chain.addEntityResolver(new MOAEntityResolver());
+      chain.addEntityResolver(new MOASPSSEntityResolver());
       entityResolver = chain;
     }
 
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
index 9901212db..1f1282e66 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
@@ -1,5 +1,7 @@
 package at.gv.egovernment.moa.spss.util;
 
+import java.net.InetAddress;
+import java.net.UnknownHostException;
 import java.util.Iterator;
 import java.util.List;
 
@@ -10,50 +12,59 @@ import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;
 public class ExternalURIVerifier {
 	
 	public static void verify(String host, int port) throws MOAApplicationException {
+		
+		System.out.println("ExternalURIVerifier: " + host + ":" + port);
+		
+		if (host == null)
+			return;
+		if (host.equalsIgnoreCase(""))
+			return;
+		
 			try {
-				ConfigurationProvider config = ConfigurationProvider.reload();
-//				
+				ConfigurationProvider config = ConfigurationProvider.getInstance();
+				
 				boolean allowExternalUris = config.getAllowExternalUris();
 				List blacklist = config.getBlackListedUris();
 				
-			  	  
+				InetAddress hostInetAddress = InetAddress.getByName(host);
+				String ip = hostInetAddress.getHostAddress();
+				
+				
 				if (allowExternalUris) {
 					Iterator it = blacklist.iterator();
 					while (it.hasNext()) {
 						String[] array = (String[])it.next();
 						String bhost = array[0];
 						String bport = array[1];
-						if (bport == null) {
+						if (bport == null || port == -1) {
 							// check only host
-							if (bhost.equalsIgnoreCase(host)) {
-								System.out.println("Blacklist check: " + host + " blacklisted");
-								throw new MOAApplicationException("4002", new Object[]{host});
+							if (ip.startsWith(bhost)) {
+								System.out.println("Blacklist check: " + host + " (" + ip + ") blacklisted");
+								throw new MOAApplicationException("4002", new Object[]{host + "(" + ip + ")"});
 							}
 						}
 						else {
 							// check host and port
 							int iport = new Integer(bport).intValue();
-							if (bhost.equalsIgnoreCase(host) && (iport == port)) {
-								System.out.println("Blacklist check: " + host + ":" + port + " blacklisted");
-								throw new MOAApplicationException("4002", new Object[]{host + ":" + port});							
+							if (ip.startsWith(bhost) && (iport == port)) {								
+								System.out.println("Blacklist check: " + host + ":" + port + " (" + ip + ":" + port + " blacklisted");
+								throw new MOAApplicationException("4002", new Object[]{host + ":" + port + " (" + ip + ":" + port + ")"});							
 							}
 								
 						}
 					}
 				}
-				else {
-					if (port == -1) {
-						System.out.println("No external URI allowed (" + host + ")");
-						throw new MOAApplicationException("4001", new Object[]{host});
-					}
-					else {
-						System.out.println("No external URI allowed (" + host + ":" + port +  ")");
-						throw new MOAApplicationException("4001", new Object[]{host + ":" + port});
-					}
+				else {					
+					System.out.println("No external URIs allowed (" + host + ")");
+					throw new MOAApplicationException("4001", new Object[]{host});					
 				}
+				
+				System.out.println("URI allowed: " + ip + ":" + port);
 			  	  
 			} catch (ConfigurationException e) {
 				throw new MOAApplicationException("config.10", null);
+			} catch (UnknownHostException e) {
+				throw new MOAApplicationException("4003", new Object[]{host});
 			}
 			
 			
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/MOASPSSEntityResolver.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/MOASPSSEntityResolver.java
new file mode 100644
index 000000000..1f12fb869
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/MOASPSSEntityResolver.java
@@ -0,0 +1,142 @@
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+package at.gv.egovernment.moa.spss.util;
+
+import java.io.InputStream;
+
+import org.apache.xerces.util.URI;
+import org.apache.xerces.util.URI.MalformedURIException;
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
+
+import at.gv.egovernment.moa.logging.LogMsg;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.spss.MOAApplicationException;
+import at.gv.egovernment.moa.util.Constants;
+
+
+/**
+ * An <code>EntityResolver</code> that looks up entities stored as
+ * local resources.
+ * 
+ * <p>The following DTDs are mapped to local resources: 
+ * <ul>
+ * <li>The XMLSchema.dtd</li>
+ * <li>The datatypes.dtd</li>
+ * </ul>
+ * </p>
+ * <p>For all other resources, an attempt is made to resolve them as resources,
+ * either absolute or relative to <code>Constants.SCHEMA_ROOT</code>.
+ * 
+ * @author Patrick Peck
+ * @author Sven Aigner
+ */
+public class MOASPSSEntityResolver implements EntityResolver {
+
+  /**
+   * Resolve an entity.
+   * 
+   * The <code>systemId</code> parameter is used to perform the lookup of the
+   * entity as a resource, either by interpreting the <code>systemId</code> as
+   * an absolute resource path, or by appending the last path component of
+   * <code>systemId</code> to <code>Constants.SCHEMA_ROOT</code>.
+   * 
+   * @param publicId The public ID of the resource.
+   * @param systemId The system ID of the resource.
+   * @return An <code>InputSource</code> from which the entity can be read, or
+   * <code>null</code>, if the entity could not be found.
+   * @see org.xml.sax.EntityResolver#resolveEntity(java.lang.String, java.lang.String)
+   */
+  public InputSource resolveEntity(String publicId, String systemId) {
+    InputStream stream;
+    int slashPos;
+    
+    System.out.println("MOASPSSEntityResover: " + publicId + " - " + systemId);
+
+    if (Logger.isDebugEnabled()) {
+      Logger.debug(
+        new LogMsg("resolveEntity: p=" + publicId + " s=" + systemId));
+    }
+
+    if (publicId != null) {
+      // check if we can resolve some standard dtd's
+      if (publicId.equalsIgnoreCase("-//W3C//DTD XMLSchema 200102//EN")) {
+        return new InputSource(
+          getClass().getResourceAsStream(
+            Constants.SCHEMA_ROOT + "XMLSchema.dtd"));
+      } else if (publicId.equalsIgnoreCase("datatypes")) {
+        return new InputSource(
+          getClass().getResourceAsStream(
+            Constants.SCHEMA_ROOT + "datatypes.dtd"));
+      }
+    } else if (systemId != null) {
+      // get the URI path
+      try {
+        URI uri = new URI(systemId);
+        systemId = uri.getPath();
+        System.out.println("MOASPSSEntityResover: " + uri);
+        
+        if (!"file".equals(uri.getScheme()) || "".equals(systemId.trim())) {
+          return null;
+        }
+        	
+        
+        ExternalURIVerifier.verify(uri.getHost(), uri.getPort());
+        
+      } catch (MalformedURIException e) {
+        return null;
+      } 
+      catch (MOAApplicationException e) {
+    	  e.printStackTrace();
+    	  return null;
+      }
+      
+      // try to get the resource from the full path
+      stream = getClass().getResourceAsStream(systemId);
+      if (stream != null) {
+        InputSource source = new InputSource(stream);
+
+        source.setSystemId(systemId);
+        return source;
+      }
+
+      // try to get the resource from the last path component
+      slashPos = systemId.lastIndexOf('/');
+      if (slashPos >= 0 && systemId.length() > slashPos) {
+        systemId = systemId.substring(slashPos + 1, systemId.length());
+        stream =
+          getClass().getResourceAsStream(Constants.SCHEMA_ROOT + systemId);
+        if (stream != null) {
+          InputSource source = new InputSource(stream);
+
+          source.setSystemId(systemId);
+          return source;
+        }
+      }
+    }
+
+    return null; // nothing found - let the parser handle the entity
+  }
+
+}
diff --git a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
index 61ad9444e..debb70b31 100644
--- a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
+++ b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
@@ -88,8 +88,9 @@
 3202=Supplement f�r Signaturumgebung kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}")
 3203=Signaturumgebung kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}")
 
-4001=Externe URI ({0}) darf nicht geladen werden (externe URIs generell verboten)
-4002=Externe URI ({0}) befindet sich auf der Blackliste und darf nicht geladen werden
+4001=Externe URI {0} darf nicht geladen werden (externe URIs generell verboten)
+4002=Externe URI {0} befindet sich auf der Blackliste und darf nicht geladen werden
+4003=IP-Adresse f�r {0} konnte nicht ermitteln werden 
  
 
 9900=Nicht klassifizierter Fehler in Subsystem
author	kstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d>	2012-02-13 21:26:40 +0000
committer	kstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d>	2012-02-13 21:26:40 +0000
commit	94eeead3b212889231ef633c4a721bba6993d8af (patch)
tree	16ceb673f8bb9a7f94e0c1280fa241e3420dd9f1
parent	583d95af8f722f60cf848e603f12f6c0be0e9a59 (diff)
download	moa-id-spss-94eeead3b212889231ef633c4a721bba6993d8af.tar.gz moa-id-spss-94eeead3b212889231ef633c4a721bba6993d8af.tar.bz2 moa-id-spss-94eeead3b212889231ef633c4a721bba6993d8af.zip