Version 4.10.0
Class ApplicationFirewallImpl

  extended by
All Implemented Interfaces:

public class ApplicationFirewallImpl
extends Object
implements ApplicationFirewall

Default implementation of ApplicationFirewall.

Upon startup, this class will inspect all Actions in the application. All public static final RequestParameter fields accessible to each Action will be collected, and treated here as the set of acceptable RequestParameters for each Action class. Thus, when this class is used to implement ApplicationFirewall, each Action must declare all expected request parameters as a public static final RequestParameter field, in order to pass hard validation.

File Upload Forms

If a POSTed request includes one or more file upload controls, then the underlying HTTP request has a completely different structure from a regular request having no file upload controls. Unfortunately, the Servlet API has very poor support for forms that include a file upload control: only the raw underlying request is available, in an unparsed form. For such forms, POSTed data is not available in the usual way, and by default request.getParameter(String) will return null - not only for the file upload control, but for all controls in the form.

An elegant way around this problem involves wrapping the request, using HttpServletRequestWrapper, such that POSTed data is parsed and made available through the usual request methods. If such a wrapper is used, then file upload forms can be handled in much the same way as any other form.

To indicate to this class if such a wrapper is being used for file upload requests, use the FullyValidateFileUploads setting in web.xml.

Settings in web.xml affecting this class :

The above settings control the validations performed by this class :

Check Regular File Upload (Wrapped) File Upload
Overall request size <= MaxHttpRequestSize Y N N
Overall request size <= MaxFileUploadRequestSize N Y Y
Every param name is among the RequestParameters for that Action Y Y* N
Every param value satifies RequestParameter.isValidParamValue(String) Y Y** N
If created with RequestParameter.withLengthCheck(String), then param value size <= MaxRequestParamValueSize Y Y** N
If SpamDetectionInFirewall is on, then each param value is checked using the configured SpamDetector Y Y** N
If a request param named Operation exists and it returns true for Operation.hasSideEffects(), then the underlying request must be a POST Y Y N
CSRF Defenses Y Y N
* For file upload controls, the param name is checked only if the return value of getParameterNames() (for the wrapper) includes it.
**Except for file upload controls. For file upload controls, no checks on the param value are made by this class.

Defending Against CSRF Attacks

If the usual WEB4J defenses against CSRF attacks are active (see package-level comments), then for every POST request executed within a session the following will also be performed as a defense against CSRF attacks : See CsrfFilter for more information.

Constructor Summary
Method Summary
 void doHardValidation(Action aAction, RequestParser aRequestParser)
          Perform checks on the incoming request.
static void init()
          Map actions to expected params.
Methods inherited from class Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail


public ApplicationFirewallImpl()
Method Detail


public static void init()
Map actions to expected params.


public void doHardValidation(Action aAction,
                             RequestParser aRequestParser)
                      throws BadRequestException
Perform checks on the incoming request.

See class description for more information.

Subclasses may extend this implementation, following the form :

  public void doHardValidation(Action aAction, RequestParser aRequestParser) throws BadRequestException {
    super(aAction, aRequestParser);
    //place additional validations here
    //for example, one might check that a Content-Length header is present,
    //or that all header values are within some size range

Specified by:
doHardValidation in interface ApplicationFirewall
aAction - corresponding to this request. If the underlying request is unknown to RequestParser.getWebAction(), then that method will throw a BadRequestException, and this method will not be called.
aRequestParser - provides the raw underlying request, through RequestParser.getRequest();

Version 4.10.0

Copyright Hirondelle Systems. Published October 19, 2013 - User Guide - All Docs.