diff options
Diffstat (limited to 'spss/server')
4 files changed, 178 insertions, 23 deletions
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/DataObjectFactory.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/DataObjectFactory.java index 1a8216a35..0d100676b 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/DataObjectFactory.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/DataObjectFactory.java @@ -67,6 +67,7 @@ import at.gv.egovernment.moa.spss.server.iaik.xml.XMLDataObjectImpl; import at.gv.egovernment.moa.spss.server.iaik.xml.XMLNodeListDataObjectImpl; import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; +import at.gv.egovernment.moa.spss.util.MOASPSSEntityResolver; import at.gv.egovernment.moa.spss.util.MessageProvider; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; @@ -150,12 +151,12 @@ public class DataObjectFactory { // build the EntityResolver for validating parsing if ((supplements == null) || supplements.isEmpty()) { - entityResolver = new MOAEntityResolver(); + entityResolver = new MOASPSSEntityResolver(); } else { EntityResolverChain chain = new EntityResolverChain(); chain.addEntityResolver(buildSupplementEntityResolver(supplements)); - chain.addEntityResolver(new MOAEntityResolver()); + chain.addEntityResolver(new MOASPSSEntityResolver()); entityResolver = chain; } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java index 9901212db..1f1282e66 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java @@ -1,5 +1,7 @@ package at.gv.egovernment.moa.spss.util;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
import java.util.Iterator;
import java.util.List;
@@ -10,50 +12,59 @@ import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; public class ExternalURIVerifier {
public static void verify(String host, int port) throws MOAApplicationException {
+
+ System.out.println("ExternalURIVerifier: " + host + ":" + port);
+
+ if (host == null)
+ return;
+ if (host.equalsIgnoreCase(""))
+ return;
+
try {
- ConfigurationProvider config = ConfigurationProvider.reload();
-//
+ ConfigurationProvider config = ConfigurationProvider.getInstance();
+
boolean allowExternalUris = config.getAllowExternalUris();
List blacklist = config.getBlackListedUris();
-
+ InetAddress hostInetAddress = InetAddress.getByName(host);
+ String ip = hostInetAddress.getHostAddress();
+
+
if (allowExternalUris) {
Iterator it = blacklist.iterator();
while (it.hasNext()) {
String[] array = (String[])it.next();
String bhost = array[0];
String bport = array[1];
- if (bport == null) {
+ if (bport == null || port == -1) {
// check only host
- if (bhost.equalsIgnoreCase(host)) {
- System.out.println("Blacklist check: " + host + " blacklisted");
- throw new MOAApplicationException("4002", new Object[]{host});
+ if (ip.startsWith(bhost)) {
+ System.out.println("Blacklist check: " + host + " (" + ip + ") blacklisted");
+ throw new MOAApplicationException("4002", new Object[]{host + "(" + ip + ")"});
}
}
else {
// check host and port
int iport = new Integer(bport).intValue();
- if (bhost.equalsIgnoreCase(host) && (iport == port)) {
- System.out.println("Blacklist check: " + host + ":" + port + " blacklisted");
- throw new MOAApplicationException("4002", new Object[]{host + ":" + port});
+ if (ip.startsWith(bhost) && (iport == port)) {
+ System.out.println("Blacklist check: " + host + ":" + port + " (" + ip + ":" + port + " blacklisted");
+ throw new MOAApplicationException("4002", new Object[]{host + ":" + port + " (" + ip + ":" + port + ")"});
}
}
}
}
- else {
- if (port == -1) {
- System.out.println("No external URI allowed (" + host + ")");
- throw new MOAApplicationException("4001", new Object[]{host});
- }
- else {
- System.out.println("No external URI allowed (" + host + ":" + port + ")");
- throw new MOAApplicationException("4001", new Object[]{host + ":" + port});
- }
+ else {
+ System.out.println("No external URIs allowed (" + host + ")");
+ throw new MOAApplicationException("4001", new Object[]{host});
}
+
+ System.out.println("URI allowed: " + ip + ":" + port);
} catch (ConfigurationException e) {
throw new MOAApplicationException("config.10", null);
+ } catch (UnknownHostException e) {
+ throw new MOAApplicationException("4003", new Object[]{host});
}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/MOASPSSEntityResolver.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/MOASPSSEntityResolver.java new file mode 100644 index 000000000..1f12fb869 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/MOASPSSEntityResolver.java @@ -0,0 +1,142 @@ +/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+package at.gv.egovernment.moa.spss.util;
+
+import java.io.InputStream;
+
+import org.apache.xerces.util.URI;
+import org.apache.xerces.util.URI.MalformedURIException;
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
+
+import at.gv.egovernment.moa.logging.LogMsg;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.spss.MOAApplicationException;
+import at.gv.egovernment.moa.util.Constants;
+
+
+/**
+ * An <code>EntityResolver</code> that looks up entities stored as
+ * local resources.
+ *
+ * <p>The following DTDs are mapped to local resources:
+ * <ul>
+ * <li>The XMLSchema.dtd</li>
+ * <li>The datatypes.dtd</li>
+ * </ul>
+ * </p>
+ * <p>For all other resources, an attempt is made to resolve them as resources,
+ * either absolute or relative to <code>Constants.SCHEMA_ROOT</code>.
+ *
+ * @author Patrick Peck
+ * @author Sven Aigner
+ */
+public class MOASPSSEntityResolver implements EntityResolver {
+
+ /**
+ * Resolve an entity.
+ *
+ * The <code>systemId</code> parameter is used to perform the lookup of the
+ * entity as a resource, either by interpreting the <code>systemId</code> as
+ * an absolute resource path, or by appending the last path component of
+ * <code>systemId</code> to <code>Constants.SCHEMA_ROOT</code>.
+ *
+ * @param publicId The public ID of the resource.
+ * @param systemId The system ID of the resource.
+ * @return An <code>InputSource</code> from which the entity can be read, or
+ * <code>null</code>, if the entity could not be found.
+ * @see org.xml.sax.EntityResolver#resolveEntity(java.lang.String, java.lang.String)
+ */
+ public InputSource resolveEntity(String publicId, String systemId) {
+ InputStream stream;
+ int slashPos;
+
+ System.out.println("MOASPSSEntityResover: " + publicId + " - " + systemId);
+
+ if (Logger.isDebugEnabled()) {
+ Logger.debug(
+ new LogMsg("resolveEntity: p=" + publicId + " s=" + systemId));
+ }
+
+ if (publicId != null) {
+ // check if we can resolve some standard dtd's
+ if (publicId.equalsIgnoreCase("-//W3C//DTD XMLSchema 200102//EN")) {
+ return new InputSource(
+ getClass().getResourceAsStream(
+ Constants.SCHEMA_ROOT + "XMLSchema.dtd"));
+ } else if (publicId.equalsIgnoreCase("datatypes")) {
+ return new InputSource(
+ getClass().getResourceAsStream(
+ Constants.SCHEMA_ROOT + "datatypes.dtd"));
+ }
+ } else if (systemId != null) {
+ // get the URI path
+ try {
+ URI uri = new URI(systemId);
+ systemId = uri.getPath();
+ System.out.println("MOASPSSEntityResover: " + uri);
+
+ if (!"file".equals(uri.getScheme()) || "".equals(systemId.trim())) {
+ return null;
+ }
+
+
+ ExternalURIVerifier.verify(uri.getHost(), uri.getPort());
+
+ } catch (MalformedURIException e) {
+ return null;
+ }
+ catch (MOAApplicationException e) {
+ e.printStackTrace();
+ return null;
+ }
+
+ // try to get the resource from the full path
+ stream = getClass().getResourceAsStream(systemId);
+ if (stream != null) {
+ InputSource source = new InputSource(stream);
+
+ source.setSystemId(systemId);
+ return source;
+ }
+
+ // try to get the resource from the last path component
+ slashPos = systemId.lastIndexOf('/');
+ if (slashPos >= 0 && systemId.length() > slashPos) {
+ systemId = systemId.substring(slashPos + 1, systemId.length());
+ stream =
+ getClass().getResourceAsStream(Constants.SCHEMA_ROOT + systemId);
+ if (stream != null) {
+ InputSource source = new InputSource(stream);
+
+ source.setSystemId(systemId);
+ return source;
+ }
+ }
+ }
+
+ return null; // nothing found - let the parser handle the entity
+ }
+
+}
diff --git a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties index 61ad9444e..debb70b31 100644 --- a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties +++ b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties @@ -88,8 +88,9 @@ 3202=Supplement für Signaturumgebung kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}")
3203=Signaturumgebung kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}")
-4001=Externe URI ({0}) darf nicht geladen werden (externe URIs generell verboten)
-4002=Externe URI ({0}) befindet sich auf der Blackliste und darf nicht geladen werden
+4001=Externe URI {0} darf nicht geladen werden (externe URIs generell verboten)
+4002=Externe URI {0} befindet sich auf der Blackliste und darf nicht geladen werden
+4003=IP-Adresse für {0} konnte nicht ermitteln werden
9900=Nicht klassifizierter Fehler in Subsystem
|