List of usage examples for org.apache.commons.httpclient URI getPath
public String getPath() throws URIException
From source file:org.apache.servicemix.http.processors.ProviderProcessor.java
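/**
 * Builds the request-line form of {@code locationUri}: its path (always with a
 * leading slash), followed by the query and the fragment when they are present.
 *
 * @param locationUri absolute URI string, parsed with {@link java.net.URI#create}
 * @return the path prefixed with "/" if needed, plus "?query" and "#fragment" when set
 * @throws IllegalArgumentException if {@code locationUri} is not a syntactically valid URI
 */
private static String getRelUri(String locationUri) {
    java.net.URI uri = java.net.URI.create(locationUri);
    // getPath() is null for opaque URIs such as "mailto:..."; treat that as an empty
    // path so the leading-slash check below cannot throw NullPointerException.
    String path = uri.getPath();
    StringBuilder relUri = new StringBuilder(path == null ? "" : path);
    if (relUri.length() == 0 || relUri.charAt(0) != '/') {
        relUri.insert(0, '/');
    }
    // As in the original, the *decoded* query and fragment are appended, so any
    // percent-encoding in those components is not preserved.
    if (uri.getQuery() != null) {
        relUri.append('?').append(uri.getQuery());
    }
    if (uri.getFragment() != null) {
        relUri.append('#').append(uri.getFragment());
    }
    return relUri.toString();
}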
From source file:org.glite.slcs.shibclient.ShibbolethClient.java
/**
 * Parses the IdP login page and submits the matching login form (Pubcookie, CAS or
 * plain FORM authentication), returning the URI the client has to follow next.
 *
 * The form is selected by comparing its NAME attribute (falling back to ID, then to
 * the empty string) with {@code idp.getAuthFormName()}. Every HIDDEN control of that
 * form is copied into the POST, then the username and password fields named in the
 * IdP metadata are added. The POST response is interpreted per auth type:
 * <ul>
 *   <li>CAS or FORM, status 302: the Location path must equal the IdP SSO path or end
 *       with {@code /Authn/RemoteUser}; the Location URI is returned.</li>
 *   <li>FORM, status 200: the body must contain a form with a hidden
 *       {@code SAMLResponse}; the IdP URL with {@code ssoQuery} re-applied is returned.</li>
 *   <li>Pubcookie, status 200: the relay form found in the body is POSTed and the
 *       Location header of that second response is returned (no path check here).</li>
 * </ul>
 *
 * @param idp identity provider metadata (auth type, form name, field names, SSO URL)
 * @param ssoLoginURI URI of the login page; used as default form action and as base for
 *        relative form actions
 * @param ssoQuery original SSO query string, re-applied in the FORM/200 case
 * @param htmlForm HTML of the login page
 * @return the next URI to request, or {@code null} when the matched form has an empty
 *         action or is not a POST form
 * @throws IOException on transport errors
 * @throws RemoteException if a Pubcookie relay form carries no ACTION attribute
 * @throws ServiceException if no form named {@code idp.getAuthFormName()} is present
 * @throws AuthException if the IdP response does not indicate a successful login
 */
private URI processIdPLoginForm(IdentityProvider idp, URI ssoLoginURI, String ssoQuery, InputStream htmlForm)
        throws IOException, RemoteException, ServiceException, AuthException {
    LOG.info("Parse and process " + idp.getAuthTypeName() + " login form: " + ssoLoginURI);
    boolean formFound = false;
    URI idpLoginFormResponseURI = null;
    // Parse the FORM with Jericho HTML Parser
    Source source = new Source(htmlForm);
    List<Element> forms = source.findAllElements(Tag.FORM);
    for (Element form : forms) {
        String formName = form.getAttributeValue("NAME");
        // BUG FIX: UniL use a CAS login form with NO NAME defined.
        // first try with the form ID as NAME, otherwise use an empty name.
        // the metadata should also define an empty name for this particular form.
        LOG.debug("form name= " + formName);
        if (formName == null) {
            LOG.warn("form have no NAME, try form ID...");
            String formId = form.getAttributeValue("ID");
            if (formId == null) {
                LOG.warn("form have no NAME and no ID, using empty name...");
                formName = "";
            } else {
                formName = formId;
            }
        }
        if (formName.equals(idp.getAuthFormName())) {
            formFound = true;
            String formAction = form.getAttributeValue("ACTION");
            LOG.debug("form action=" + formAction);
            if (formAction == null || formAction.equals("")) {
                // no form action to POST, use default from metadata
                formAction = ssoLoginURI.getEscapedURI();
                LOG.info("default form action=" + formAction);
            } else {
                URI formActionURI = new URI(formAction, false);
                if (formActionURI.isRelativeURI()) {
                    // action URL is not absolute (like http://localhost/cas/login?...):
                    // resolve its path+query against the login page URI
                    formActionURI = new URI(ssoLoginURI, formActionURI.getPathQuery(), true);
                }
                formAction = formActionURI.getEscapedURI();
                LOG.info("corrected form action=" + formAction);
            }
            String formMethod = form.getAttributeValue("METHOD");
            LOG.debug("form name=" + formName + " action=" + formAction + " method=" + formMethod);
            // NOTE(review): getAttributeValue returns null for a missing attribute (see the
            // NAME handling above), so a form without METHOD throws NullPointerException here.
            if (!formAction.equals("") && formMethod.equalsIgnoreCase("POST")) {
                PostMethod postLoginFormMethod = new PostMethod(formAction);
                // add all HIDDEN fields to POST
                List<FormControl> formControls = form.findFormControls();
                for (FormControl control : formControls) {
                    FormControlType type = control.getFormControlType();
                    if (type.equals(FormControlType.HIDDEN)) {
                        String name = control.getName();
                        Collection<String> values = control.getValues();
                        for (String value : values) {
                            // NOTE(review): hidden field values (login tickets, nonces, ...)
                            // are written to the debug log here.
                            LOG.debug("add hidden: " + name + "=" + value);
                            // add all hidden fields
                            postLoginFormMethod.addParameter(name, value);
                        }
                    }
                }
                // add username field
                postLoginFormMethod.addParameter(idp.getAuthFormUsername(), this.credentials_.getUserName());
                // add the PASSWORD field
                postLoginFormMethod.addParameter(idp.getAuthFormPassword(), this.credentials_.getPassword());
                // execute the login POST
                LOG.info("POST LoginFormMethod: " + postLoginFormMethod.getURI());
                int formLoginResponseStatus = executeMethod(postLoginFormMethod);
                LOG.debug(postLoginFormMethod.getStatusLine());
                // XXX dumpHttpClientCookies();
                // NOTE(review): postLoginFormMethod.releaseConnection() is only reached at the end of
                // this block; every throw below leaves the connection unreleased (no finally).
                // CAS, or FORM can, send a 302 + Location header back
                if (formLoginResponseStatus == 302
                        && (idp.getAuthType() == IdentityProvider.SSO_AUTHTYPE_CAS
                                || idp.getAuthType() == IdentityProvider.SSO_AUTHTYPE_FORM)) {
                    LOG.debug("Process " + idp.getAuthTypeName() + " redirect response (302 + Location header)...");
                    Header location = postLoginFormMethod.getResponseHeader("Location");
                    if (location != null) {
                        String locationURL = location.getValue();
                        LOG.debug("302 Location: " + locationURL);
                        // CAS: if location path (/cas/login) is not the IdP 1.3 SSO path
                        // (/shibboleth-idp/SSO) or the IdP 2.X /Authn/RemoteUser handler,
                        // then it's a wrong login URI.
                        // locationURI is not declared in this method: it is a field, so the
                        // last redirect target stays visible to the rest of the class.
                        locationURI = new URI(locationURL, false);
                        String locationPath = locationURI.getPath();
                        String idpSSOURL = idp.getUrl();
                        URI idpSSOURI = new URI(idpSSOURL, false);
                        String idpSSOPath = idpSSOURI.getPath();
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("location path: " + locationPath);
                            LOG.debug("location is the /Authn/RemoteUser hanlder? " + locationPath.endsWith("/Authn/RemoteUser"));
                            LOG.debug("IdP SSO path: " + idpSSOPath);
                        }
                        // NOTE(review): only the path component is compared; the host of the
                        // redirect is not checked against the IdP host.
                        if (!locationPath.equals(idpSSOPath) && !locationPath.endsWith("/Authn/RemoteUser")) {
                            LOG.error("Redirect response is not the SSO (" + idpSSOURL + ") or the /Authn/RemoteUser handler: " + locationURL);
                            // NOTE(review): credentials_ is concatenated into the exception message;
                            // confirm its toString() does not include the password.
                            throw new AuthException(idp.getAuthTypeName() + " Authentication failed: " + this.credentials_);
                        }
                        idpLoginFormResponseURI = new URI(locationURL, false);
                        LOG.debug("(" + idp.getAuthTypeName() + ": 302 + Location) idpLoginFormReponseURI= " + idpLoginFormResponseURI);
                    } else {
                        LOG.error(idp.getAuthTypeName() + ": Status 302 but no redirect Location header");
                        throw new AuthException(idp.getAuthTypeName() + " Authentication failed: " + this.credentials_);
                    }
                }
                // IdP 2.1 FORM authN sends 200 and directly the SAMLResponse form
                else if (formLoginResponseStatus == 200 && idp.getAuthType() == IdentityProvider.SSO_AUTHTYPE_FORM) {
                    // BUG FIX: check for Browser/POST hidden form element
                    // SAMLResponse for valid authentication
                    LOG.debug("check for SAMLResponse hidden element");
                    boolean samlResponseFound = false;
                    InputStream authnLoginResponse = postLoginFormMethod.getResponseBodyAsStream();
                    Source authnSource = new Source(authnLoginResponse);
                    List<Element> browserPOSTForms = authnSource.findAllElements(Tag.FORM);
                    for (Element browserPOSTForm : browserPOSTForms) {
                        List<FormControl> browserPOSTFormControls = browserPOSTForm.findFormControls();
                        for (FormControl control : browserPOSTFormControls) {
                            FormControlType type = control.getFormControlType();
                            if (type.equals(FormControlType.HIDDEN)) {
                                String name = control.getName();
                                if (name.equals("SAMLResponse")) {
                                    LOG.debug("Hidden element found: " + control.getName());
                                    samlResponseFound = true;
                                }
                            }
                        }
                    }
                    if (!samlResponseFound) {
                        LOG.error(idp.getAuthTypeName() + ": no Browser/POST SAMLResponse hidden element found");
                        throw new AuthException(idp.getAuthTypeName() + " Authentication failed: " + this.credentials_);
                    }
                    LOG.debug("Process FORM (200 + full Browser/POST profile) response...");
                    idpLoginFormResponseURI = new URI(idp.getUrl(), false);
                    // re-set the original SSO query params
                    idpLoginFormResponseURI.setQuery(ssoQuery);
                    LOG.debug("(FORM: 200 + Browser/POST) idpLoginFormReponseURI= " + idpLoginFormResponseURI);
                }
                // Pubcookie sends 200 + an HTML relay form with hidden fields, e.g.
                //   <form method=post action="https://aai-login.ethz.ch/PubCookie.reply" name=relay>
                // and then answers the relay POST with a redirect 302 + Location header
                else if (formLoginResponseStatus == 200 && idp.getAuthType() == IdentityProvider.SSO_AUTHTYPE_PUBCOOKIE) {
                    LOG.debug("Process Pubcookie (200 + relay FORM) response...");
                    InputStream pubcookieLoginResponse = postLoginFormMethod.getResponseBodyAsStream();
                    Source pubcookieSource = new Source(pubcookieLoginResponse);
                    PostMethod postPubcookieRelayMethod = null;
                    List<Element> relayForms = pubcookieSource.findAllElements(Tag.FORM);
                    // if the page holds several forms, only the last one is POSTed below
                    for (Element relayForm : relayForms) {
                        String relayFormAction = relayForm.getAttributeValue("ACTION");
                        LOG.debug("Pubcookie relay form action= " + relayFormAction);
                        if (relayFormAction == null) {
                            LOG.error("Pubcookie relay form action not found.");
                            throw new RemoteException("Pubcookie relay form action not found");
                        }
                        // create PubCookie relay POST
                        postPubcookieRelayMethod = new PostMethod(relayFormAction);
                        // add all HIDDEN fields to POST
                        List<FormControl> relayFormControls = relayForm.findFormControls();
                        for (FormControl control : relayFormControls) {
                            FormControlType type = control.getFormControlType();
                            if (type.equals(FormControlType.HIDDEN)) {
                                String name = control.getName();
                                Collection<String> values = control.getValues();
                                for (String value : values) {
                                    LOG.debug("add hidden: " + name + "=" + value);
                                    // add all hidden fields
                                    postPubcookieRelayMethod.addParameter(name, value);
                                }
                            }
                        } // add hidden fields
                    } // for all relay forms
                    if (postPubcookieRelayMethod != null) {
                        LOG.debug("POST postPubcookieRelayMethod: " + postPubcookieRelayMethod.getURI());
                        // the relay status code is not inspected; only the Location header decides
                        int pubcookieRelayStatus = executeMethod(postPubcookieRelayMethod);
                        LOG.debug(postPubcookieRelayMethod.getStatusLine());
                        Header location = postPubcookieRelayMethod.getResponseHeader("Location");
                        LOG.debug("postPubcookieRelayMethod.releaseConnection()");
                        postPubcookieRelayMethod.releaseConnection();
                        if (location != null) {
                            String locationURL = location.getValue();
                            LOG.debug("302 Location: " + locationURL);
                            // parse Location (unlike the CAS/FORM branch, no path check is applied)
                            idpLoginFormResponseURI = new URI(locationURL, false);
                            LOG.debug("(PubCookie: 302 + Location header) idpLoginFormReponseURI= " + idpLoginFormResponseURI);
                        } else {
                            LOG.error("Pubcookie relay response 302 + Location header not found");
                            throw new AuthException(idp.getAuthTypeName() + " Authentication failed: " + this.credentials_);
                        }
                    } else {
                        LOG.error("Pubcookie relay form not found");
                        throw new AuthException(idp.getAuthTypeName() + " Authentication failed: " + this.credentials_);
                    }
                    // XXX dumpHttpClientCookies();
                } else {
                    LOG.error("Unexpected response status: " + formLoginResponseStatus + " AuthType:" + idp.getAuthTypeName());
                    throw new AuthException(idp.getAuthTypeName() + " Authentication failed: " + this.credentials_);
                }
                LOG.debug("POSTLoginFormMethod.releaseConnection()");
                postLoginFormMethod.releaseConnection();
            } // end if form action is set and method is POST
        } // end if form name match metadata
    } // end for all forms
    if (!formFound) {
        LOG.error("FORM name=" + idp.getAuthFormName() + " not found");
        throw new ServiceException("FORM name=" + idp.getAuthFormName() + " not found");
    }
    return idpLoginFormResponseURI;
}
From source file:org.opens.tanaguru.ruleimplementation.link.AbstractDownloadableLinkRuleImplementation.java
/**
 * Tells whether {@code uri} looks like a downloadable file: it carries no query
 * string and its last path segment contains a dot (for example {@code link.html}).
 *
 * @param uri the link to inspect
 * @return {@code true} when the final path segment appears to have an extension
 * @throws URIException if the path cannot be extracted from {@code uri}
 */
private boolean isLinkWithProperExtension(URI uri) throws URIException {
    if (uri.hasQuery()) {
        return false;
    }
    String path = uri.getPath();
    boolean emptyOrRoot = StringUtils.isBlank(path) || StringUtils.equals(path, SLASH_CHAR);
    if (emptyOrRoot) {
        return false;
    }
    // Only the final segment decides; directories earlier in the path may contain dots.
    int lastSlash = StringUtils.lastIndexOf(path, SLASH_CHAR);
    String lastSegment = StringUtils.substring(path, lastSlash);
    return lastSegment.contains(POINT_CHAR);
}
From source file:org.parosproxy.paros.core.scanner.Analyser.java
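/**
 * Builds a random path relative to the current entity. Whenever possible the
 * suffix is one that already exists among the children, chosen according to the
 * priority of {@code staticSuffixList} (via {@code getChildSuffix}).
 *
 * @param node the current entity
 * @param uri the URI of the current entity
 * @return a random path (eg /folder1/folder2/1234567.chm) relative to the entity
 * @throws URIException if the path of {@code uri} cannot be read
 */
private String getRandomPathSuffix(StructuralNode node, URI uri) throws URIException {
    String resultSuffix = getChildSuffix(node, true);
    String basePath = uri.getPath();
    String path = (basePath == null) ? "" : basePath;
    // Math.abs(Long.MIN_VALUE) is still negative and would put a '-' into the path;
    // masking the sign bit yields a non-negative number for every generator output.
    long randomSegment = staticRandomGenerator.nextLong() & Long.MAX_VALUE;
    if (!path.endsWith("/")) {
        path = path + "/";
    }
    return path + Long.toString(randomSegment) + resultSuffix;
}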
From source file:org.parosproxy.paros.core.scanner.Analyser.java
/**
 * Decides whether the resource requested by {@code msg} actually exists, by comparing
 * the response with the analysed sample stored in {@code mapVisited} for the same
 * folder (or, failing that, for the host only).
 *
 * Decision order as coded below: empty response header → false; 404 → false; no
 * analysed sample → true only for 200; redirect → false only when the sample
 * redirected to the same Location, otherwise true; non-200 → false; body matching
 * {@code patternNotFound} → false; otherwise the body is compared with the sample
 * according to its error-page type.
 *
 * @param msg request/response pair to evaluate
 * @return {@code true} if the file is considered to exist
 */
public boolean isFileExist(HttpMessage msg) {
    if (msg.getResponseHeader().isEmpty()) {
        return false;
    }
    // RFC
    if (msg.getResponseHeader().getStatusCode() == HttpStatusCode.NOT_FOUND) {
        return false;
    }
    // ZAP: catch CloneNotSupportedException as introduced with version 3.1 of HttpClient
    URI uri = null;
    String sUri = null;
    try {
        uri = (URI) msg.getRequestHeader().getURI().clone();
        // strip off last part of path - use folder only
        uri.setQuery(null);
        String path = uri.getPath();
        // NOTE(review): a null path raises NullPointerException here, which the catch
        // below swallows; uri then keeps its original path.
        path = path.replaceAll("/[^/]*$", "");
        uri.setPath(path);
    } catch (Exception e) {
        // deliberately ignored: the lookup key falls back to whatever uri holds now
    } finally {
        if (uri != null) {
            sUri = uri.toString();
        }
    }
    // get sample with same relative path position when possible.
    // if not exist, use the host only
    // ZAP: Removed unnecessary cast.
    SampleResponse sample = mapVisited.get(sUri);
    if (sample == null) {
        try {
            // NOTE(review): uri is still null if clone() failed above, which would throw
            // NullPointerException here (not caught by the URIException handler).
            uri.setPath(null);
        } catch (URIException e2) {
            // deliberately ignored: keep the current path in the host-only key
        }
        String sHostOnly = uri.toString();
        // ZAP: Removed unnecessary cast.
        sample = mapVisited.get(sHostOnly);
    }
    // check if any analysed result.
    if (sample == null) {
        if (msg.getResponseHeader().getStatusCode() == HttpStatusCode.OK) {
            // no analysed result to confirm, assume file exist and return
            return true;
        } else {
            return false;
        }
    }
    // check for redirect response. If redirect to same location, then file does not exist
    if (HttpStatusCode.isRedirection(msg.getResponseHeader().getStatusCode())) {
        try {
            if (sample.getMessage().getResponseHeader().getStatusCode() == msg.getResponseHeader()
                    .getStatusCode()) {
                String location = msg.getResponseHeader().getHeader(HttpHeader.LOCATION);
                if (location != null && location
                        .equals(sample.getMessage().getResponseHeader().getHeader(HttpHeader.LOCATION))) {
                    return false;
                }
            }
        } catch (Exception e) {
            logger.error(e.getMessage(), e);
        }
        return true;
    }
    // Not success code
    if (msg.getResponseHeader().getStatusCode() != HttpStatusCode.OK) {
        return false;
    }
    // remain only OK response here
    // nothing more to determine. Check for possible not found page pattern.
    Matcher matcher = patternNotFound.matcher(msg.getResponseBody().toString());
    if (matcher.find()) {
        return false;
    }
    // static response: strip the header region (p_REMOVE_HEADER) before comparing bodies
    String body = msg.getResponseBody().toString().replaceAll(p_REMOVE_HEADER, "");
    if (sample.getErrorPageType() == SampleResponse.ERROR_PAGE_STATIC) {
        try {
            if (sample.getMessage().getResponseBody().toString().equals(body)) {
                return false;
            }
        } catch (HttpMalformedHeaderException | DatabaseException e) {
            logger.error("Failed to read the message: " + e.getMessage(), e);
        }
        return true;
    }
    uri = msg.getRequestHeader().getURI();
    try {
        if (sample.getErrorPageType() == SampleResponse.ERROR_PAGE_DYNAMIC_BUT_DETERMINISTIC) {
            // normalise the body: drop the request path and hh:mm:ss timestamps so a
            // deterministic error page compares equal to the sample
            body = msg.getResponseBody().toString().replaceAll(getPathRegex(uri), "")
                    .replaceAll("\\s[012]\\d:[0-5]\\d:[0-5]\\d\\s", "");
            // ZAP: FindBugs fix - added call to HttpBody.toString()
            if (sample.getMessage().getResponseBody().toString().equals(body)) {
                return false;
            }
            return true;
        }
    } catch (Exception e) {
        logger.error(e.getMessage(), e);
    }
    return true;
}
From source file:org.parosproxy.paros.core.scanner.plugin.TestInfoGatheringObsoleteFile.java
/**
 * Probes for an obsolete copy of the current resource by requesting the same path
 * with {@code suffix}, and raises a low-risk alert when that file exists.
 *
 * @param suffix suffix to run the scan with
 * @param replaceSuffix {@code true} to replace the current extension with
 *        {@code suffix}; {@code false} to append it
 * @throws IOException if the probe request fails
 */
private void testSuffix(String suffix, boolean replaceSuffix) throws IOException {
    HttpMessage msg = getNewMsg();
    URI uri = msg.getRequestHeader().getURI();
    String basePath = uri.getPath();
    if (basePath == null || basePath.isEmpty()) {
        return;
    }
    String probePath = basePath;
    if (replaceSuffix) {
        int dot = probePath.lastIndexOf('.');
        if (dot >= 0) {
            probePath = probePath.substring(0, dot);
        }
    }
    uri.setPath(probePath + suffix);
    msg.getRequestHeader().setURI(uri);
    sendAndReceive(msg);
    if (isFileExist(msg)) {
        bingo(Alert.RISK_LOW, Alert.WARNING, uri.toString(), "", "", msg);
    }
}
From source file:org.parosproxy.paros.core.scanner.plugin.TestInformationDisclosurePhpInfo.java
/**
 * Probes for {@code fileName} inside the current folder and raises a medium-risk
 * alert when the response is 200 and its body matches {@code patternPhpInfo}.
 *
 * @param fileName file name to run the scan with
 * @throws IOException declared for callers; transport failures during the probe
 *         itself are treated as "not found"
 */
private void testFile(String fileName) throws IOException {
    HttpMessage msg = getNewMsg();
    boolean found = false;
    try {
        URI uri = msg.getRequestHeader().getURI();
        String path = uri.getPath();
        if (path == null || path.isEmpty()) {
            return;
        }
        String folder = path.endsWith("/") ? path : path + "/";
        uri.setPath(folder + fileName);
        msg.getRequestHeader().setURI(uri);
        sendAndReceive(msg);
        boolean ok = msg.getResponseHeader().getStatusCode() == HttpStatusCode.OK;
        if (ok && matchBodyPattern(msg, patternPhpInfo, null)) {
            found = true;
        }
    } catch (IOException ignored) {
        // best-effort probe, as in the original: a failed request simply yields no alert
    }
    if (found) {
        bingo(Alert.RISK_MEDIUM, Alert.WARNING, msg.getRequestHeader().getURI().toString(), "", "", msg);
    }
}
From source file:org.parosproxy.paros.core.scanner.VariantODataIdQuery.java
/**
 * Extracts the OData resource identifier from the path of {@code uri} into the
 * fields of this variant. Exactly one of two shapes is recognised: a single
 * unnamed id ({@code resourceParameter}) or a composite id such as
 * {@code /Resource(field1=a,field2=3)} ({@code beforeMultipleIDs},
 * {@code afterMultipleIDs}, {@code listParams}). All four fields are reset first.
 *
 * @param uri request URI to analyse
 */
private void parse(URI uri) {
    resourceParameter = null;
    beforeMultipleIDs = null;
    afterMultipleIDs = null;
    listParams = null;
    String path;
    try {
        path = uri.getPath();
    } catch (URIException e) {
        log.error(e.getMessage() + uri, e);
        return;
    }
    if (path == null) {
        return;
    }
    // check for single ID (unnamed)
    Matcher single = patternResourceIdentifierUnquoted.matcher(path);
    if (single.find()) {
        String resourceName = single.group(1);
        String resourceID = single.group(2);
        // locate the "name(id)" span by text search, as the original did
        String idSection = resourceName + "(" + resourceID + ")";
        int start = path.indexOf(idSection);
        int stop = start + idSection.length();
        resourceParameter = new ResourceParameter(resourceName, resourceID,
                path.substring(0, start), path.substring(stop));
        return;
    }
    Matcher composite = patternResourceMultipleIdentifier.matcher(path);
    if (!composite.find()) {
        return;
    }
    // composite identifier, i.e. /Resource(field1=a,field2=3)
    String idSection = composite.group(1);
    int start = path.indexOf(idSection);
    int stop = start + idSection.length();
    beforeMultipleIDs = path.substring(0, start);
    afterMultipleIDs = path.substring(stop);
    listParams = new ArrayList<>();
    Matcher detail = patternResourceMultipleIdentifierDetail.matcher(idSection);
    int position = 1;
    while (detail.find()) {
        listParams.add(new NameValuePair(NameValuePair.TYPE_QUERY_STRING,
                detail.group(1), detail.group(2), position++));
    }
}
From source file:org.parosproxy.paros.core.spider.SpiderThread.java
/**
 * Tells whether the spider should skip the request in {@code msg}: either the
 * configured skip list matches its URI, or the (lower-cased) path ends with one
 * of {@code NEGLECT_SUFFIXES}.
 *
 * @param msg the request to check
 * @return {@code true} to skip crawling this URI; {@code false} otherwise, including
 *         when inspecting the URI throws
 */
private boolean isNeglectCrawl(HttpMessage msg) {
    URI uri = msg.getRequestHeader().getURI();
    try {
        // check if need to skip this URL from config
        if (parent.getSpiderParam().isSkipURL(uri)) {
            return true;
        }
        // check if suffix relevant
        String rawPath = uri.getPath();
        if (rawPath == null) {
            return false;
        }
        String path = rawPath.toLowerCase();
        for (String neglected : NEGLECT_SUFFIXES) {
            if (path.endsWith("." + neglected)) {
                return true;
            }
        }
    } catch (Exception ignored) {
        // as in the original: any failure while inspecting the URI means "do crawl"
    }
    return false;
}
From source file:org.parosproxy.paros.network.HttpMessage.java
/**
 * Two messages are of equal type when their method, host, port and path match
 * (case-insensitively) and their query parameter names agree (see
 * {@code queryEquals}); query values may differ.
 *
 * @param msg the message to compare with this one
 * @return {@code true} if both messages are of the same type; {@code false} otherwise,
 *         including when a URI component cannot be read
 */
public boolean equalType(HttpMessage msg) {
    // compare method
    String method1 = this.getRequestHeader().getMethod();
    String method2 = msg.getRequestHeader().getMethod();
    if (!method1.equalsIgnoreCase(method2)) {
        return false;
    }
    // compare host, port and URI
    URI mine = this.getRequestHeader().getURI();
    URI theirs = msg.getRequestHeader().getURI();
    try {
        String host1 = mine.getHost();
        String host2 = theirs.getHost();
        if (host1 == null || host2 == null || !host1.equalsIgnoreCase(host2)) {
            return false;
        }
        if (mine.getPort() != theirs.getPort()) {
            return false;
        }
        String path1 = mine.getPath();
        String path2 = theirs.getPath();
        if (path1 == null && path2 == null) {
            // both paths absent: considered equal without looking at the query (original behaviour)
            return true;
        }
        if (path1 == null || path2 == null) {
            return false;
        }
        if (!path1.equalsIgnoreCase(path2)) {
            return false;
        }
        return queryEquals(msg);
    } catch (URIException e) {
        // ZAP: log error
        log.error(e.getMessage(), e);
        return false;
    }
}