| author | Robert Godfrey <rgodfrey@apache.org> | 2014-11-06 22:23:39 +0000 |
|---|---|---|
| committer | Robert Godfrey <rgodfrey@apache.org> | 2014-11-06 22:23:39 +0000 |
| commit | 4996cabc614b2c8d63fb024c923823ebb6da1ca4 (patch) | |
| tree | ce6c33b731dc683226968286dda967cec97fda2e /qpid/java/broker-plugins | |
| parent | 01092981d8c8acb2c67b5379b8626777577bc383 (diff) | |
| download | qpid-python-4996cabc614b2c8d63fb024c923823ebb6da1ca4.tar.gz | |
QPID-6217 : [Java Broker] disable HTTP TRACE requests, also hide server implementation details and stack traces from output
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1637246 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/java/broker-plugins')
2 files changed, 90 insertions, 0 deletions
diff --git a/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java
index c0152d9ca4..7b3e06f7fe 100644
--- a/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java
+++ b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java
@@ -20,6 +20,8 @@
 */
 package org.apache.qpid.server.management.plugin;
+import java.io.IOException;
+import java.io.Writer;
 import java.net.SocketAddress;
 import java.security.GeneralSecurityException;
 import java.util.ArrayList;
@@ -35,11 +37,13 @@ import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
 import javax.servlet.DispatcherType;
 import javax.servlet.MultipartConfigElement;
+import javax.servlet.http.HttpServletRequest;
 import org.apache.log4j.Logger;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.SessionManager;
+import org.eclipse.jetty.server.handler.ErrorHandler;
 import org.eclipse.jetty.server.nio.SelectChannelConnector;
 import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
 import org.eclipse.jetty.server.ssl.SslSocketConnector;
@@ -53,6 +57,7 @@ import org.apache.qpid.server.configuration.IllegalConfigurationException;
 import org.apache.qpid.server.logging.messages.ManagementConsoleMessages;
 import org.apache.qpid.server.management.plugin.connector.TcpAndSslSelectChannelConnector;
 import org.apache.qpid.server.management.plugin.filter.ForbiddingAuthorisationFilter;
+import org.apache.qpid.server.management.plugin.filter.ForbiddingTraceFilter;
 import org.apache.qpid.server.management.plugin.filter.RedirectingAuthorisationFilter;
 import org.apache.qpid.server.management.plugin.servlet.DefinedFileServlet;
 import org.apache.qpid.server.management.plugin.servlet.FileServlet;
@@ -242,11 +247,28 @@ public class HttpManagement extends AbstractPluginAdapter<HttpManagement> implem
 ServletContextHandler root = new ServletContextHandler(ServletContextHandler.SESSIONS);
 root.setContextPath("/");
 server.setHandler(root);
+ server.setSendServerVersion(false);
+ final ErrorHandler errorHandler = new ErrorHandler()
+ {
+ @Override
+ protected void writeErrorPageBody(HttpServletRequest request, Writer writer, int code, String message, boolean showStacks)
+ throws IOException
+ {
+ String uri= request.getRequestURI();
+
+ writeErrorPageMessage(request,writer,code,message,uri);
+
+ for (int i= 0; i < 20; i++)
+ writer.write("<br/> \n");
+ }
+ };
+ root.setErrorHandler(errorHandler);
 // set servlet context attributes for broker and configuration
 root.getServletContext().setAttribute(HttpManagementUtil.ATTR_BROKER, getBroker());
 root.getServletContext().setAttribute(HttpManagementUtil.ATTR_MANAGEMENT_CONFIGURATION, this);
+ root.addFilter(new FilterHolder(new ForbiddingTraceFilter()), "/*", EnumSet.of(DispatcherType.REQUEST));
 FilterHolder restAuthorizationFilter = new FilterHolder(new ForbiddingAuthorisationFilter());
 restAuthorizationFilter.setInitParameter(ForbiddingAuthorisationFilter.INIT_PARAM_ALLOWED, "/service/sasl");
 root.addFilter(restAuthorizationFilter, "/api/*", EnumSet.of(DispatcherType.REQUEST));
diff --git a/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/ForbiddingTraceFilter.java b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/ForbiddingTraceFilter.java
new file mode 100644
index 0000000000..c35b0df1a3
--- /dev/null
+++ b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/ForbiddingTraceFilter.java
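Review bot: The anonymous ErrorHandler ignores its `showStacks` argument and writes twenty `<br/>` lines with nothing saying why, so a later maintainer cannot tell whether dropping the stack trace and adding the padding are deliberate; add above `final ErrorHandler errorHandler = new ErrorHandler()` a comment such as `// Replace Jetty's default error body: no exception stack trace and no server-identifying footer; the trailing <br/> lines are padding (presumably to keep the page above the size at which some browsers substitute their own error page -- confirm).` The handler is attached only to the root context via `root.setErrorHandler(errorHandler)`; if any request can be answered by the Server's own error handler rather than the context's, that path would presumably still render Jetty's default page, so registering the same handler on the Server as well is worth checking. The enclosing method starts and ends outside the hunk.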
@@ -0,0 +1,68 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.management.plugin.filter;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ *
+ * This {@link Filter} blocks HTTP TRACE commands from being
+ * processed. All TRACE requests are sent a 403 error.
+ *
+ */
+public class ForbiddingTraceFilter implements Filter
+{
+ private static final String METHOD_TRACE = "TRACE";
+
+ @Override
+ public void destroy()
+ {
+ }
+
+ @Override
+ public void init(FilterConfig config) throws ServletException
+ {
+ }
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
+ ServletException
+ {
+ HttpServletRequest httpRequest = (HttpServletRequest) request;
+ HttpServletResponse httpResponse = (HttpServletResponse) response;
+ if (httpRequest.getMethod().equals(METHOD_TRACE))
+ {
+ httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
+ chain.doFilter(request, response);
+ }
+
+}
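Review bot: The class Javadoc on ForbiddingTraceFilter says what it rejects but not the two conditions its effect depends on: it must be mapped ahead of every other filter on `/*` (the HttpManagement hunk does add it before the authorisation filters) and only for `DispatcherType.REQUEST`, since a forwarded or included dispatch originates from a request that already passed through it. Add to the Javadoc `Must be mapped first in the filter chain and for DispatcherType.REQUEST only; the method name is compared case-sensitively, as HTTP method names are.` The exact-case `equals(METHOD_TRACE)` in doFilter is correct for HTTP and needs no change. Answering with 403 rather than 405 is a policy choice that deserves one sentence in the same Javadoc.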
