Changeset 2483

Timestamp:

10/01/08 09:31:49 (3 months ago)

Author:

dsanders

Message:

Modified so that when logging request body we do not log usernames and passwords for authentication requests - or other authentication material values.

Files:

• trunk/otis/src/org/bandit/otis/server/OtisServlet.java (modified) (9 diffs)

trunk/otis/src/org/bandit/otis/server/OtisServlet.java

@@ -55 +55 @@
 
 import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
 
 import org.eclipse.higgins.idas.registry.IdASRegistry;
@@ -60 +63 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+
+import javax.xml.transform.dom.DOMSource;
+import java.io.StringWriter;
+import javax.xml.transform.stream.StreamResult;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.OutputKeys;
 
 import java.io.ByteArrayOutputStream;
@@ -133 +143 @@
         private Map                                                             m_acceptMediaMap = null;
         private boolean                                         m_bAllowInsecureChannel = false;
-        protected static boolean                                m_bSanitizeStrings = false;
+        protected static boolean                        m_bSanitizeStrings = false;
         public static Map                                               m_attrs = new HashMap();
         public static List                                      m_readByDefaultAttrList = null;
+        private Transformer                                     m_serializer = null;
 
         public OtisServlet()
@@ -155 +166 @@
                 {
                 }
+                try
+                {
+                        m_serializer = TransformerFactory.newInstance().newTransformer();
+                        m_serializer.setOutputProperty( OutputKeys.ENCODING, "ISO-8859-1");
+                        m_serializer.setOutputProperty( OutputKeys.METHOD, "xml");
+                        m_serializer.setOutputProperty( OutputKeys.INDENT, "yes");
+                        m_serializer.setOutputProperty( OutputKeys.OMIT_XML_DECLARATION, "yes");
+                }
+                catch (Exception e)
+                {
+                        m_log.debug( "Exception " + e.getClass().getName() + " initializing XML serializer: " + e.getMessage());
+                }
         }
         
@@ -170 +193 @@
                         responseMap.put( Constants.TEMPLATE_HTTP_RESPONSE_CODE,  Integer.valueOf( iHttpResponseCode)); 
                         responseMap.put( Constants.TEMPLATE_HTTP_RESPONSE_STATUS, errMsg);
-                }
-                if (e != null)
-                {
-                        responseMap.put( Constants.TEMPLATE_EXCEPTION, e);
-                        otisException.setStackTrace(e.getStackTrace());
+                        if (e != null)
+                        {
+                                responseMap.put( Constants.TEMPLATE_EXCEPTION, e);
+                        }
                 }
                 return( otisException);
@@ -186 +208 @@
                 Map                     responseMap) throws OtisException
         {
-                ByteArrayOutputStream bs = new ByteArrayOutputStream();
-                PrintStream ps = new PrintStream(bs);
-                e.printStackTrace(ps);
-                log.debug("Originating exception's stack:\n" + bs.toString());
+                if (e != null)
+                {
+                        ByteArrayOutputStream bs = new ByteArrayOutputStream();
+                        PrintStream ps = new PrintStream(bs);
+                        e.printStackTrace(ps);
+                        log.debug("Originating exception's stack:\n" + bs.toString());
+                }
                 throw OtisServlet.getOtisException( log, errMsg, e, iHttpResponseCode, responseMap);
         }
@@ -1189 +1214 @@
         }
         
+        private String xmlToString(
+                Element domElement) throws OtisException
+        {
+                try
+                {
+                        if (m_serializer != null)
+                        {
+                                StringWriter    strOut = new StringWriter( 1024);
+                                m_serializer.transform( new DOMSource( domElement), new StreamResult( strOut));
+                                return( strOut.toString());
+                        }
+                }
+                catch (Throwable e)
+                {
+                }
+                return( null);
+        }       
+                
+        private void logSanitizedRequestDoc(
+                Document                requestDoc)
+        {
+                if (m_log.isDebugEnabled())
+                {
+                        try
+                        {
+                                DocumentBuilderFactory  documentBuilderFactory = DocumentBuilderFactory.newInstance();
+                                documentBuilderFactory.setNamespaceAware( true);
+                                DocumentBuilder                 documentBuilder = documentBuilderFactory.newDocumentBuilder();
+                                Document                                                newDoc = documentBuilder.newDocument();
+                                Node                                                    newNode = newDoc.importNode( requestDoc.getDocumentElement(), true);
+                                
+                                newDoc.appendChild( newNode);
+                                
+                                // Find all AuthMaterialValue elements.
+                                
+                                NodeList        nodes = newDoc.getElementsByTagNameNS( Constants.OTIS_NAMESPACE, Constants.OTIS_AUTH_MATERIAL_VALUE_ELEMENT);
+                                
+                                if (nodes != null && nodes.getLength() > 0)
+                                {
+                                        for (int iLoop = 0; iLoop < nodes.getLength(); iLoop++)
+                                        {
+                                                Node    nd = nodes.item( iLoop);
+                                                Node    childNode = nd.getFirstChild();
+                                                
+                                                // Remove all child elements
+                                                
+                                                while (childNode != null)
+                                                {
+                                                        nd.removeChild( childNode);
+                                                        childNode = nd.getFirstChild();
+                                                }
+                                                
+                                                // Add a text element that blanks out the value
+                                                
+                                                nd.appendChild( newDoc.createTextNode( "*****"));
+                                        }
+                                }
+                                
+                                // Serialize the document and log it.
+                                
+                                String  strNewContent = xmlToString( newDoc.getDocumentElement());
+                                
+                                if (strNewContent != null)
+                                {
+                                        m_log.debug( "REQUEST BODY:");
+                                        m_log.debug( strNewContent);
+                                }
+                        }
+                        catch (Throwable e)
+                        {
+                        }
+                }
+        }
+        
         public void doRequest(
                 HttpServletRequest      request,
@@ -1215 +1314 @@
                 m_log.debug( strHttpOperation);
         
-                m_log.trace("BEGIN REQUEST");
-                m_log.trace( request.getMethod() + " " + strRequestURI);
-                while (enumHeaderNames.hasMoreElements())
-                {
-                        String  szHeaderName = (String)enumHeaderNames.nextElement();
-                        String  szHeader = (String)request.getHeader( szHeaderName);
-                        m_log.trace( szHeaderName + ": " + szHeader);
-                }
-                m_log.trace("END REQUEST");
+                if (m_log.isTraceEnabled())
+                {
+                        m_log.trace("BEGIN REQUEST");
+                        m_log.trace( request.getMethod() + " " + strRequestURI);
+                        while (enumHeaderNames.hasMoreElements())
+                        {
+                                String  szHeaderName = (String)enumHeaderNames.nextElement();
+                                String  szHeader = (String)request.getHeader( szHeaderName);
+                                m_log.trace( szHeaderName + ": " + szHeader);
+                        }
+                        m_log.trace("END REQUEST");
+                }
 
                 // Validate accept header
@@ -1293 +1395 @@
                                         if (buf2 != null)
                                         {
-                                                m_log.debug( "REQUEST BODY: " + (new String( buf2)));
                                                 bufStream = new ByteArrayInputStream( buf2); 
                                                 requestDoc = documentBuilder.parse( bufStream);
+                                                logSanitizedRequestDoc( requestDoc);
                                         }
                                 }