From 94eeead3b212889231ef633c4a721bba6993d8af Mon Sep 17 00:00:00 2001 From: kstranacher Date: Mon, 13 Feb 2012 21:26:40 +0000 Subject: =?UTF-8?q?*=20Update=20ExternalURIVerifier=20*=20Neuer=20MOASPSSE?= =?UTF-8?q?ntityResolver=20(inkl.=20Backlist-Check)=20f=C3=BCr=20DataObjec?= =?UTF-8?q?tFactory?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1239 d688527b-c9ab-4aba-bd8d-4036d912da1d --- .../gv/egovernment/moa/util/MOAEntityResolver.java | 4 +- .../moa/spss/server/invoke/DataObjectFactory.java | 5 +- .../moa/spss/util/ExternalURIVerifier.java | 49 ++++--- .../moa/spss/util/MOASPSSEntityResolver.java | 142 +++++++++++++++++++++ .../properties/spss_messages_de.properties | 5 +- 5 files changed, 179 insertions(+), 26 deletions(-) create mode 100644 spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/MOASPSSEntityResolver.java diff --git a/common/src/main/java/at/gv/egovernment/moa/util/MOAEntityResolver.java b/common/src/main/java/at/gv/egovernment/moa/util/MOAEntityResolver.java index 0401108d5..8f3ffd4c6 100644 --- a/common/src/main/java/at/gv/egovernment/moa/util/MOAEntityResolver.java +++ b/common/src/main/java/at/gv/egovernment/moa/util/MOAEntityResolver.java @@ -91,13 +91,11 @@ public class MOAEntityResolver implements EntityResolver { try { URI uri = new URI(systemId); systemId = uri.getPath(); - System.out.println("MOAEntityResover: " + uri); + if (!"file".equals(uri.getScheme()) || "".equals(systemId.trim())) { return null; } - //ExternalURIVerifier.verify(uri.getHost(), uri.getPort()); - } catch (MalformedURIException e) { return null; } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/DataObjectFactory.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/DataObjectFactory.java index 1a8216a35..0d100676b 100644 
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/DataObjectFactory.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/DataObjectFactory.java @@ -67,6 +67,7 @@ import at.gv.egovernment.moa.spss.server.iaik.xml.XMLDataObjectImpl; import at.gv.egovernment.moa.spss.server.iaik.xml.XMLNodeListDataObjectImpl; import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; +import at.gv.egovernment.moa.spss.util.MOASPSSEntityResolver; import at.gv.egovernment.moa.spss.util.MessageProvider; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; @@ -150,12 +151,12 @@ public class DataObjectFactory { // build the EntityResolver for validating parsing if ((supplements == null) || supplements.isEmpty()) { - entityResolver = new MOAEntityResolver(); + entityResolver = new MOASPSSEntityResolver(); } else { EntityResolverChain chain = new EntityResolverChain(); chain.addEntityResolver(buildSupplementEntityResolver(supplements)); - chain.addEntityResolver(new MOAEntityResolver()); + chain.addEntityResolver(new MOASPSSEntityResolver()); entityResolver = chain; } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java index 9901212db..1f1282e66 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java @@ -1,5 +1,7 @@ package at.gv.egovernment.moa.spss.util; +import java.net.InetAddress; +import java.net.UnknownHostException; import java.util.Iterator; import java.util.List; 
@@ -10,50 +12,59 @@ import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; public class ExternalURIVerifier { public static void verify(String host, int port) throws MOAApplicationException { + + System.out.println("ExternalURIVerifier: " + host + ":" + port); + + if (host == null) + return; + if (host.equalsIgnoreCase("")) + return; + try { - ConfigurationProvider config = ConfigurationProvider.reload(); -// + ConfigurationProvider config = ConfigurationProvider.getInstance(); + boolean allowExternalUris = config.getAllowExternalUris(); List blacklist = config.getBlackListedUris(); - + InetAddress hostInetAddress = InetAddress.getByName(host); + String ip = hostInetAddress.getHostAddress(); + + if (allowExternalUris) { Iterator it = blacklist.iterator(); while (it.hasNext()) { String[] array = (String[])it.next(); String bhost = array[0]; String bport = array[1]; - if (bport == null) { + if (bport == null || port == -1) { // check only host - if (bhost.equalsIgnoreCase(host)) { - System.out.println("Blacklist check: " + host + " blacklisted"); - throw new MOAApplicationException("4002", new Object[]{host}); + if (ip.startsWith(bhost)) { + System.out.println("Blacklist check: " + host + " (" + ip + ") blacklisted"); + throw new MOAApplicationException("4002", new Object[]{host + "(" + ip + ")"}); } } else { // check host and port int iport = new Integer(bport).intValue(); - if (bhost.equalsIgnoreCase(host) && (iport == port)) { - System.out.println("Blacklist check: " + host + ":" + port + " blacklisted"); - throw new MOAApplicationException("4002", new Object[]{host + ":" + port}); + if (ip.startsWith(bhost) && (iport == port)) { + System.out.println("Blacklist check: " + host + ":" + port + " (" + ip + ":" + port + " blacklisted"); + throw new MOAApplicationException("4002", new Object[]{host + ":" + port + " (" + ip + ":" + port + ")"}); } } } } - else { - if (port == -1) { - System.out.println("No external URI allowed (" + host + ")"); - throw 
new MOAApplicationException("4001", new Object[]{host}); - } - else { - System.out.println("No external URI allowed (" + host + ":" + port + ")"); - throw new MOAApplicationException("4001", new Object[]{host + ":" + port}); - } + else { + System.out.println("No external URIs allowed (" + host + ")"); + throw new MOAApplicationException("4001", new Object[]{host}); } + + System.out.println("URI allowed: " + ip + ":" + port); } catch (ConfigurationException e) { throw new MOAApplicationException("config.10", null); + } catch (UnknownHostException e) { + throw new MOAApplicationException("4003", new Object[]{host}); } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/MOASPSSEntityResolver.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/MOASPSSEntityResolver.java new file mode 100644 index 000000000..1f12fb869 --- /dev/null +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/MOASPSSEntityResolver.java 
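Review bot: The blacklist comparison `ip.startsWith(bhost)` matches on a string prefix rather than on address boundaries, so an entry `10.0.0.1` also rejects `10.0.0.10`–`10.0.0.19` and `10.0.0.100`, and an entry `10` rejects all of `100.0.0.0/8`; compare on octet boundaries in both branches, e.g. `if (ip.equals(bhost) || ip.startsWith(bhost.endsWith(".") ? bhost : bhost + "."))`, or parse the entry as a CIDR range. The check also uses only the single address returned by `InetAddress.getByName(host)`; a name with several A/AAAA records is admitted or rejected depending on which one the resolver returns first, and the address later connected to may differ (round-robin, rebinding), so iterate `InetAddress.getAllByName(host)` and reject if any address is blacklisted. Because entries are now compared against the resolved IP, existing blacklist entries written as hostnames silently stop matching, which the configuration documentation should state. The `System.out.println` calls and `new Integer(bport).intValue()` should become `Logger.debug` and `Integer.parseInt(bport)` with a `NumberFormatException` reported as a configuration error.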
@@ -0,0 +1,142 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.gv.egovernment.moa.spss.util; + +import java.io.InputStream; + +import org.apache.xerces.util.URI; +import org.apache.xerces.util.URI.MalformedURIException; +import org.xml.sax.EntityResolver; +import org.xml.sax.InputSource; + +import at.gv.egovernment.moa.logging.LogMsg; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.spss.MOAApplicationException; +import at.gv.egovernment.moa.util.Constants; + + +/** + * An EntityResolver that looks up entities stored as + * local resources. + * + *

The following DTDs are mapped to local resources: + *

+ *

+ *

For all other resources, an attempt is made to resolve them as resources, + * either absolute or relative to Constants.SCHEMA_ROOT. + * + * @author Patrick Peck + * @author Sven Aigner + */ +public class MOASPSSEntityResolver implements EntityResolver { + + /** + * Resolve an entity. + * + * The systemId parameter is used to perform the lookup of the + * entity as a resource, either by interpreting the systemId as + * an absolute resource path, or by appending the last path component of + * systemId to Constants.SCHEMA_ROOT. + * + * @param publicId The public ID of the resource. + * @param systemId The system ID of the resource. + * @return An InputSource from which the entity can be read, or + * null, if the entity could not be found. + * @see org.xml.sax.EntityResolver#resolveEntity(java.lang.String, java.lang.String) + */ + public InputSource resolveEntity(String publicId, String systemId) { + InputStream stream; + int slashPos; + + System.out.println("MOASPSSEntityResover: " + publicId + " - " + systemId); + + if (Logger.isDebugEnabled()) { + Logger.debug( + new LogMsg("resolveEntity: p=" + publicId + " s=" + systemId)); + } + + if (publicId != null) { + // check if we can resolve some standard dtd's + if (publicId.equalsIgnoreCase("-//W3C//DTD XMLSchema 200102//EN")) { + return new InputSource( + getClass().getResourceAsStream( + Constants.SCHEMA_ROOT + "XMLSchema.dtd")); + } else if (publicId.equalsIgnoreCase("datatypes")) { + return new InputSource( + getClass().getResourceAsStream( + Constants.SCHEMA_ROOT + "datatypes.dtd")); + } + } else if (systemId != null) { + // get the URI path + try { + URI uri = new URI(systemId); + systemId = uri.getPath(); + System.out.println("MOASPSSEntityResover: " + uri); + + if (!"file".equals(uri.getScheme()) || "".equals(systemId.trim())) { + return null; + } + + + ExternalURIVerifier.verify(uri.getHost(), uri.getPort()); + + } catch (MalformedURIException e) { + return null; + } + catch (MOAApplicationException e) { + 
e.printStackTrace(); + return null; + } + + // try to get the resource from the full path + stream = getClass().getResourceAsStream(systemId); + if (stream != null) { + InputSource source = new InputSource(stream); + + source.setSystemId(systemId); + return source; + } + + // try to get the resource from the last path component + slashPos = systemId.lastIndexOf('/'); + if (slashPos >= 0 && systemId.length() > slashPos) { + systemId = systemId.substring(slashPos + 1, systemId.length()); + stream = + getClass().getResourceAsStream(Constants.SCHEMA_ROOT + systemId); + if (stream != null) { + InputSource source = new InputSource(stream); + + source.setSystemId(systemId); + return source; + } + } + } + + return null; // nothing found - let the parser handle the entity + } + +} diff --git a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties index 61ad9444e..debb70b31 100644 --- a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties +++ b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties @@ -88,8 +88,9 @@ 3202=Supplement für Signaturumgebung kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}") 3203=Signaturumgebung kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}") -4001=Externe URI ({0}) darf nicht geladen werden (externe URIs generell verboten) -4002=Externe URI ({0}) befindet sich auf der Blackliste und darf nicht geladen werden +4001=Externe URI {0} darf nicht geladen werden (externe URIs generell verboten) +4002=Externe URI {0} befindet sich auf der Blackliste und darf nicht geladen werden +4003=IP-Adresse für {0} konnte nicht ermitteln werden 9900=Nicht klassifizierter Fehler in Subsystem -- cgit v1.2.3
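Review bot: The new `ExternalURIVerifier.verify(uri.getHost(), uri.getPort())` call is unreachable for the URIs it is meant to guard: the preceding `if (!"file".equals(uri.getScheme()) || "".equals(systemId.trim())) return null;` already returns for every non-`file` system ID, and a `file:` URI normally carries no host, so `verify` is only ever reached with a null or empty host, which it accepts immediately. Returning `null` for an `http:`/`https:` system ID hands the entity to the parser's default resolution (the closing comment "let the parser handle the entity" says as much), so whether the blacklist has any effect then depends entirely on the external-entity features configured on the parser, which are not visible here. Move the `verify` call before the scheme check and make a rejection a hard failure instead of `e.printStackTrace(); return null;` — the `EntityResolver` interface permits `throws SAXException`, so the method can declare it and wrap the `MOAApplicationException` (this needs `org.xml.sax.SAXException` imported). The `System.out.println` debug lines, including the one printing every public/system ID, should go or become `Logger.debug`.
```java
public InputSource resolveEntity(String publicId, String systemId) throws SAXException {
    // … unchanged: debug logging and publicId handling …
    } else if (systemId != null) {
        try {
            URI uri = new URI(systemId);
            // Enforce the external-URI policy before the scheme filter, otherwise
            // http(s): system IDs fall through to the parser's own resolution unchecked.
            ExternalURIVerifier.verify(uri.getHost(), uri.getPort());
            systemId = uri.getPath();
            if (!"file".equals(uri.getScheme()) || "".equals(systemId.trim())) {
                return null;
            }
        } catch (MalformedURIException e) {
            return null;
        } catch (MOAApplicationException e) {
            // A blacklisted or forbidden external URI must abort parsing, not be silently retried by the parser.
            Logger.debug(new LogMsg("resolveEntity: rejected " + systemId + " (" + e.getMessage() + ")"));
            throw new SAXException(e);
        }
        // … unchanged: classpath lookup by full path and by last path component …
```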