From 94eeead3b212889231ef633c4a721bba6993d8af Mon Sep 17 00:00:00 2001
From: kstranacher
Date: Mon, 13 Feb 2012 21:26:40 +0000
Subject: =?UTF-8?q?*=20Update=20ExternalURIVerifier=20*=20Neuer=20MOASPSSE?=
=?UTF-8?q?ntityResolver=20(inkl.=20Backlist-Check)=20f=C3=BCr=20DataObjec?=
=?UTF-8?q?tFactory?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1239 d688527b-c9ab-4aba-bd8d-4036d912da1d
---
.../gv/egovernment/moa/util/MOAEntityResolver.java | 4 +-
.../moa/spss/server/invoke/DataObjectFactory.java | 5 +-
.../moa/spss/util/ExternalURIVerifier.java | 49 ++++---
.../moa/spss/util/MOASPSSEntityResolver.java | 142 +++++++++++++++++++++
.../properties/spss_messages_de.properties | 5 +-
5 files changed, 179 insertions(+), 26 deletions(-)
create mode 100644 spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/MOASPSSEntityResolver.java
diff --git a/common/src/main/java/at/gv/egovernment/moa/util/MOAEntityResolver.java b/common/src/main/java/at/gv/egovernment/moa/util/MOAEntityResolver.java
index 0401108d5..8f3ffd4c6 100644
--- a/common/src/main/java/at/gv/egovernment/moa/util/MOAEntityResolver.java
+++ b/common/src/main/java/at/gv/egovernment/moa/util/MOAEntityResolver.java
@@ -91,13 +91,11 @@ public class MOAEntityResolver implements EntityResolver {
try {
URI uri = new URI(systemId);
systemId = uri.getPath();
- System.out.println("MOAEntityResover: " + uri);
+
if (!"file".equals(uri.getScheme()) || "".equals(systemId.trim())) {
return null;
}
- //ExternalURIVerifier.verify(uri.getHost(), uri.getPort());
-
} catch (MalformedURIException e) {
return null;
}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/DataObjectFactory.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/DataObjectFactory.java
index 1a8216a35..0d100676b 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/DataObjectFactory.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/DataObjectFactory.java
@@ -67,6 +67,7 @@ import at.gv.egovernment.moa.spss.server.iaik.xml.XMLDataObjectImpl;
import at.gv.egovernment.moa.spss.server.iaik.xml.XMLNodeListDataObjectImpl;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager;
+import at.gv.egovernment.moa.spss.util.MOASPSSEntityResolver;
import at.gv.egovernment.moa.spss.util.MessageProvider;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DOMUtils;
@@ -150,12 +151,12 @@ public class DataObjectFactory {
// build the EntityResolver for validating parsing
if ((supplements == null) || supplements.isEmpty()) {
- entityResolver = new MOAEntityResolver();
+ entityResolver = new MOASPSSEntityResolver();
} else {
EntityResolverChain chain = new EntityResolverChain();
chain.addEntityResolver(buildSupplementEntityResolver(supplements));
- chain.addEntityResolver(new MOAEntityResolver());
+ chain.addEntityResolver(new MOASPSSEntityResolver());
entityResolver = chain;
}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
index 9901212db..1f1282e66 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
@@ -1,5 +1,7 @@
package at.gv.egovernment.moa.spss.util;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
import java.util.Iterator;
import java.util.List;
@@ -10,50 +12,59 @@ import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;
public class ExternalURIVerifier {
public static void verify(String host, int port) throws MOAApplicationException {
+
+ System.out.println("ExternalURIVerifier: " + host + ":" + port);
+
+ if (host == null)
+ return;
+ if (host.equalsIgnoreCase(""))
+ return;
+
try {
- ConfigurationProvider config = ConfigurationProvider.reload();
-//
+ ConfigurationProvider config = ConfigurationProvider.getInstance();
+
boolean allowExternalUris = config.getAllowExternalUris();
List blacklist = config.getBlackListedUris();
-
+ InetAddress hostInetAddress = InetAddress.getByName(host);
+ String ip = hostInetAddress.getHostAddress();
+
+
if (allowExternalUris) {
Iterator it = blacklist.iterator();
while (it.hasNext()) {
String[] array = (String[])it.next();
String bhost = array[0];
String bport = array[1];
- if (bport == null) {
+ if (bport == null || port == -1) {
// check only host
- if (bhost.equalsIgnoreCase(host)) {
- System.out.println("Blacklist check: " + host + " blacklisted");
- throw new MOAApplicationException("4002", new Object[]{host});
+ if (ip.startsWith(bhost)) {
+ System.out.println("Blacklist check: " + host + " (" + ip + ") blacklisted");
+ throw new MOAApplicationException("4002", new Object[]{host + "(" + ip + ")"});
}
}
else {
// check host and port
int iport = new Integer(bport).intValue();
- if (bhost.equalsIgnoreCase(host) && (iport == port)) {
- System.out.println("Blacklist check: " + host + ":" + port + " blacklisted");
- throw new MOAApplicationException("4002", new Object[]{host + ":" + port});
+ if (ip.startsWith(bhost) && (iport == port)) {
+ System.out.println("Blacklist check: " + host + ":" + port + " (" + ip + ":" + port + " blacklisted");
+ throw new MOAApplicationException("4002", new Object[]{host + ":" + port + " (" + ip + ":" + port + ")"});
}
}
}
}
- else {
- if (port == -1) {
- System.out.println("No external URI allowed (" + host + ")");
- throw new MOAApplicationException("4001", new Object[]{host});
- }
- else {
- System.out.println("No external URI allowed (" + host + ":" + port + ")");
- throw new MOAApplicationException("4001", new Object[]{host + ":" + port});
- }
+ else {
+ System.out.println("No external URIs allowed (" + host + ")");
+ throw new MOAApplicationException("4001", new Object[]{host});
}
+
+ System.out.println("URI allowed: " + ip + ":" + port);
} catch (ConfigurationException e) {
throw new MOAApplicationException("config.10", null);
+ } catch (UnknownHostException e) {
+ throw new MOAApplicationException("4003", new Object[]{host});
}
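Review bot: The new blacklist comparison `ip.startsWith(bhost)` is a plain string prefix test, so an entry such as `10.1` also matches `10.10.0.5`, and only the single address returned by `InetAddress.getByName(host)` is compared even when the name resolves to several. The lookup also runs before the `allowExternalUris` test, so a host name taken from the document triggers a DNS query (and can end in 4003 rather than 4001) even when external URIs are switched off. I would reject first, then compare every resolved address against the entry on an octet boundary, as sketched below; the format of the blacklist entries is not visible here, so the boundary rule needs checking against the configuration. The added `System.out.println` calls should go through the project logger, since `host` comes from the input document. The method's closing brace lies outside the hunk.

```java
boolean allowExternalUris = config.getAllowExternalUris();
List blacklist = config.getBlackListedUris();

if (!allowExternalUris) {
  // refuse before any DNS lookup is made for a name taken from the document
  throw new MOAApplicationException("4001", new Object[]{host});
}

InetAddress[] addresses = InetAddress.getAllByName(host);
for (int i = 0; i < addresses.length; i++) {
  String ip = addresses[i].getHostAddress();
  Iterator it = blacklist.iterator();
  while (it.hasNext()) {
    String[] array = (String[]) it.next();
    String bhost = array[0];
    // full address, or a prefix ending on an octet boundary (IPv4 dotted form only)
    String prefix = bhost.endsWith(".") ? bhost : bhost + ".";
    boolean hostMatches = ip.equals(bhost) || ip.startsWith(prefix);
    // … unchanged: port handling and the 4002 throw, testing hostMatches …
  }
}
```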
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/MOASPSSEntityResolver.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/MOASPSSEntityResolver.java
new file mode 100644
index 000000000..1f12fb869
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/MOASPSSEntityResolver.java
@@ -0,0 +1,142 @@
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+package at.gv.egovernment.moa.spss.util;
+
+import java.io.InputStream;
+
+import org.apache.xerces.util.URI;
+import org.apache.xerces.util.URI.MalformedURIException;
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
+
+import at.gv.egovernment.moa.logging.LogMsg;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.spss.MOAApplicationException;
+import at.gv.egovernment.moa.util.Constants;
+
+
+/**
+ * An EntityResolver
that looks up entities stored as
+ * local resources.
+ *
+ * The following DTDs are mapped to local resources:
+ *
+ * - The XMLSchema.dtd
+ * - The datatypes.dtd
+ *
+ *
+ * For all other resources, an attempt is made to resolve them as resources,
+ * either absolute or relative to Constants.SCHEMA_ROOT
.
+ *
+ * @author Patrick Peck
+ * @author Sven Aigner
+ */
+public class MOASPSSEntityResolver implements EntityResolver {
+
+ /**
+ * Resolve an entity.
+ *
+ * The systemId
parameter is used to perform the lookup of the
+ * entity as a resource, either by interpreting the systemId
as
+ * an absolute resource path, or by appending the last path component of
+ * systemId
to Constants.SCHEMA_ROOT
.
+ *
+ * @param publicId The public ID of the resource.
+ * @param systemId The system ID of the resource.
+ * @return An InputSource
from which the entity can be read, or
+ * null
, if the entity could not be found.
+ * @see org.xml.sax.EntityResolver#resolveEntity(java.lang.String, java.lang.String)
+ */
+ public InputSource resolveEntity(String publicId, String systemId) {
+ InputStream stream;
+ int slashPos;
+
+ System.out.println("MOASPSSEntityResover: " + publicId + " - " + systemId);
+
+ if (Logger.isDebugEnabled()) {
+ Logger.debug(
+ new LogMsg("resolveEntity: p=" + publicId + " s=" + systemId));
+ }
+
+ if (publicId != null) {
+ // check if we can resolve some standard dtd's
+ if (publicId.equalsIgnoreCase("-//W3C//DTD XMLSchema 200102//EN")) {
+ return new InputSource(
+ getClass().getResourceAsStream(
+ Constants.SCHEMA_ROOT + "XMLSchema.dtd"));
+ } else if (publicId.equalsIgnoreCase("datatypes")) {
+ return new InputSource(
+ getClass().getResourceAsStream(
+ Constants.SCHEMA_ROOT + "datatypes.dtd"));
+ }
+ } else if (systemId != null) {
+ // get the URI path
+ try {
+ URI uri = new URI(systemId);
+ systemId = uri.getPath();
+ System.out.println("MOASPSSEntityResover: " + uri);
+
+ if (!"file".equals(uri.getScheme()) || "".equals(systemId.trim())) {
+ return null;
+ }
+
+
+ ExternalURIVerifier.verify(uri.getHost(), uri.getPort());
+
+ } catch (MalformedURIException e) {
+ return null;
+ }
+ catch (MOAApplicationException e) {
+ e.printStackTrace();
+ return null;
+ }
+
+ // try to get the resource from the full path
+ stream = getClass().getResourceAsStream(systemId);
+ if (stream != null) {
+ InputSource source = new InputSource(stream);
+
+ source.setSystemId(systemId);
+ return source;
+ }
+
+ // try to get the resource from the last path component
+ slashPos = systemId.lastIndexOf('/');
+ if (slashPos >= 0 && systemId.length() > slashPos) {
+ systemId = systemId.substring(slashPos + 1, systemId.length());
+ stream =
+ getClass().getResourceAsStream(Constants.SCHEMA_ROOT + systemId);
+ if (stream != null) {
+ InputSource source = new InputSource(stream);
+
+ source.setSystemId(systemId);
+ return source;
+ }
+ }
+ }
+
+ return null; // nothing found - let the parser handle the entity
+ }
+
+}
diff --git a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
index 61ad9444e..debb70b31 100644
--- a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
+++ b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
@@ -88,8 +88,9 @@
3202=Supplement für Signaturumgebung kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}")
3203=Signaturumgebung kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}")
-4001=Externe URI ({0}) darf nicht geladen werden (externe URIs generell verboten)
-4002=Externe URI ({0}) befindet sich auf der Blackliste und darf nicht geladen werden
+4001=Externe URI {0} darf nicht geladen werden (externe URIs generell verboten)
+4002=Externe URI {0} befindet sich auf der Blackliste und darf nicht geladen werden
+4003=IP-Adresse für {0} konnte nicht ermitteln werden
9900=Nicht klassifizierter Fehler in Subsystem
--
cgit v1.2.3