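/**
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements. See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.activemq.web.handler;

import java.security.MessageDigest;
import java.util.Arrays;
import java.util.UUID;

import javax.servlet.http.HttpServletRequest;

import org.apache.activemq.web.DestinationFacade;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.web.bind.ServletRequestDataBinder;
import org.springframework.web.servlet.HandlerExecutionChain;
import org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping;

/**
 * Handler mapping that resolves the mapped handler bean, gates
 * {@link DestinationFacade} handlers behind an HTTP-method check and an
 * anti-CSRF "secret" check, and then binds the request parameters onto the
 * handler bean before returning it.
 *
 * Only {@link DestinationFacade} handlers receive the method and secret
 * checks; any other handler resolved here is bound and returned without them.
 *
 * @version $Revision: 915387 $
 */
public class BindingBeanNameUrlHandlerMapping extends BeanNameUrlHandlerMapping {
    private static final transient Log LOG = LogFactory.getLog(BindingBeanNameUrlHandlerMapping.class);

    /** Name of both the session attribute and the request parameter carrying the anti-CSRF token. */
    private static final String SECRET = "secret";

    /**
     * Resolves the handler for {@code request}, enforces the CSRF guards for
     * {@link DestinationFacade} handlers and binds request parameters onto the
     * resolved handler.
     *
     * @param request the current request; its parameters are untrusted input
     * @return the resolved (and bound) handler, or {@code null} if the parent
     *         mapping found none
     * @throws UnsupportedOperationException if a {@link DestinationFacade}
     *         handler is reached with an HTTP method it does not support, or
     *         the request's "secret" parameter is missing or does not match
     *         the session's "secret" attribute
     * @throws Exception if the parent lookup or the data binding fails
     */
    @Override
    protected Object getHandlerInternal(HttpServletRequest request) throws Exception {
        Object handler = super.getHandlerInternal(request);

        // The parent may hand back a bean name or a chain; unwrap to the bean itself.
        if (handler instanceof String) {
            handler = getApplicationContext().getBean((String) handler);
        }
        if (handler instanceof HandlerExecutionChain) {
            handler = ((HandlerExecutionChain) handler).getHandler();
        }

        if (handler == null) {
            return null;
        }

        // prevent CSRF attacks
        if (handler instanceof DestinationFacade) {
            // check supported methods
            String method = request.getMethod();
            String[] supported = ((DestinationFacade) handler).getSupportedHttpMethods();
            if (!Arrays.asList(supported).contains(method)) {
                throw new UnsupportedOperationException("Unsupported method " + method + " for path " + request.getRequestURI());
            }

            // check the 'secret': a session without a secret (fresh session, or one
            // that never visited the page that sets it) must be rejected, not NPE.
            Object expected = request.getSession().getAttribute(SECRET);
            String supplied = request.getParameter(SECRET);
            if (!(expected instanceof String) || supplied == null) {
                throw new UnsupportedOperationException("Possible CSRF attack");
            }
            // Constant-time comparison so the token cannot be guessed byte by byte
            // through response timing.
            byte[] expectedBytes = ((String) expected).getBytes("UTF-8");
            byte[] suppliedBytes = supplied.getBytes("UTF-8");
            if (!MessageDigest.isEqual(expectedBytes, suppliedBytes)) {
                throw new UnsupportedOperationException("Possible CSRF attack");
            }
        }

        // NOTE(review): every request parameter is bound onto the handler bean
        // (mass assignment). Narrowing this with setAllowedFields(...) requires
        // knowing each handler's writable properties, so it is left as-is here.
        ServletRequestDataBinder binder = new ServletRequestDataBinder(handler, "request");
        // Must be configured before bind(); setting it afterwards cannot affect the bind.
        binder.setIgnoreUnknownFields(true);
        try {
            binder.bind(request);
            if (LOG.isDebugEnabled()) {
                LOG.debug("Bound POJO is now: " + handler);
            }
        }
        catch (Exception e) {
            LOG.warn("Caught: " + e, e);
            throw e;
        }

        return handler;
    }
}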