Package org.owasp.esapi.waf
Class ESAPIWebApplicationFirewallFilter

- java.lang.Object
  - org.owasp.esapi.waf.ESAPIWebApplicationFirewallFilter

- All Implemented Interfaces:
  javax.servlet.Filter

public class ESAPIWebApplicationFirewallFilter extends java.lang.Object implements javax.servlet.Filter
This is the main class for the ESAPI Web Application Firewall (WAF). It is a standard J2EE servlet filter that, in different methods, invokes the reading of the configuration file and handles the runtime processing and enforcing of the developer-specified rules. Ideally the filter should be configured to catch all requests (/*) in web.xml. If there are URL segments that need to be extremely fast and don't require any protection, the pattern may be modified with extreme caution.

- Author:
  Arshan Dabirsiaghi
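The class description above recommends registering the filter in web.xml with a catch-all /* mapping. The following web.xml fragment is an added example, not part of the ESAPI Javadoc or the ESAPI distribution; the filter class name comes from this page, while the init-param name and the policy file location are assumptions that must be checked against the ESAPI WAF documentation for the version in use.

```xml
<!-- Added example (not from the ESAPI Javadoc): registering the ESAPI WAF filter. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <filter>
    <filter-name>ESAPIWebApplicationFirewallFilter</filter-name>
    <filter-class>org.owasp.esapi.waf.ESAPIWebApplicationFirewallFilter</filter-class>
    <!-- ASSUMPTION: the init-param name "configuration" and the path
         /WEB-INF/waf-policy.xml are not stated on this Javadoc page.
         Substitute the parameter name and policy file your ESAPI version expects. -->
    <init-param>
      <param-name>configuration</param-name>
      <param-value>/WEB-INF/waf-policy.xml</param-value>
    </init-param>
  </filter>

  <!-- Catch-all mapping, as the class description recommends. Filter-mapping
       order in web.xml is the order filters run, so list the WAF before any
       application filters that should only see already-checked requests. -->
  <filter-mapping>
    <filter-name>ESAPIWebApplicationFirewallFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

</web-app>
```

Any URL pattern narrower than /* leaves the excluded paths without rule enforcement, which is why the class description calls for extreme caution when changing it; if a path is excluded for performance, record the exclusion so it is reviewed whenever new endpoints are added under it.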
Constructor Summary

- ESAPIWebApplicationFirewallFilter()

Method Summary

All Methods, Instance Methods, Concrete Methods

- void destroy()
- void doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain chain)
  This is where the main interception and rule-checking logic of the WAF resides.
- AppGuardianConfiguration getConfiguration()
- void init(javax.servlet.FilterConfig fc)
  This function is invoked at application startup and when the configuration file polling period has elapsed and a change in the configuration file has been detected.
- void setConfiguration(java.lang.String policyFilePath, java.lang.String webRootDir)
  This function is used in testing to dynamically alter the configuration.
Method Detail

setConfiguration

public void setConfiguration(java.lang.String policyFilePath, java.lang.String webRootDir) throws java.io.FileNotFoundException

This function is used in testing to dynamically alter the configuration.

- Parameters:
  policyFilePath - The path to the policy file
  webRootDir - The root directory of the web application.
- Throws:
  java.io.FileNotFoundException - if the policy file cannot be located

getConfiguration

public AppGuardianConfiguration getConfiguration()

init

public void init(javax.servlet.FilterConfig fc) throws javax.servlet.ServletException

This function is invoked at application startup and when the configuration file polling period has elapsed and a change in the configuration file has been detected. Its main purpose is to read the configuration file and establish the configuration object model for use at runtime during the doFilter() method.

- Specified by:
  init in interface javax.servlet.Filter
- Throws:
  javax.servlet.ServletException

doFilter

public void doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain chain) throws java.io.IOException, javax.servlet.ServletException

This is where the main interception and rule-checking logic of the WAF resides.

- Specified by:
  doFilter in interface javax.servlet.Filter
- Throws:
  java.io.IOException
  javax.servlet.ServletException

destroy

public void destroy()

- Specified by:
  destroy in interface javax.servlet.Filter