Expresso 5-6

com.jcorporate.expresso.core.security.filters
Class FilterManager

java.lang.Object
  extended by com.jcorporate.expresso.core.security.filters.FilterManager

public class FilterManager
extends Object

The primary purpose of this class is to filter out particular characters from an HTTP response. The reason for this is that codes can be inserted into a string that gets returned to a web browser, and these codes can cause the web browser to act on them in a way that the site author did not intend, which may be a breach of security. For more on these see: Understanding Malicious Content Mitigation for Web Developers

The FilterManager implements filtering based upon a particular character set. It maintains a list of all filters that have been used since the initialization of the class. When a particular filter is requested, the manager checks to see if that particular filter has been loaded. If not, it loads it and stores a reference to it in filterList. Since the number of different character sets is probably fairly small for most applications, this list is never cleaned out until the class is gc'ed. If this becomes a problem, we can implement a caching system that clears out the least frequently used character set filters.

Since:
Expresso 3
Author:
Michael Rimov

Field Summary
static String RAW_FILTER
          Don't do anything
static String STANDARD_FILTER
          Replace control characters with appropriate values, protect against XSS attacks
static String STRIP_FILTER
          Strip out any unwanted characters, but do not replace them with anything
 
Constructor Summary
FilterManager()
          Manager for filters.
 
Method Summary
 String filterString(String data, Class filterClass, String filterMethod)
          The method that does the actual string filtering.
static FilterManager getInstance()
          The singleton implementation.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

STANDARD_FILTER

public static final String STANDARD_FILTER
Replace control characters with appropriate values, protect against XSS attacks

See Also:
Constant Field Values

STRIP_FILTER

public static final String STRIP_FILTER
Strip out any unwanted characters, but do not replace them with anything

See Also:
Constant Field Values

RAW_FILTER

public static final String RAW_FILTER
Don't do anything

See Also:
Constant Field Values
Constructor Detail

FilterManager

public FilterManager()
Manager for filters. Filters are named for their character sets, generally speaking. Note that "standardFilter" is not a filter, but rather a command to a filter (called a "filterType"). A common filter is ISO_8859_1.

See Also:
Filter
Method Detail

getInstance

public static FilterManager getInstance()
The singleton implementation. Use getInstance to get an instance of the one and only FilterManager instance. If one does not yet exist, then it is automatically instantiated.

Returns:
A handle to the one and only FilterManager instance.

filterString

public String filterString(String data,
                           Class filterClass,
                           String filterMethod)
                    throws IllegalArgumentException,
                           Exception
The method that does the actual string filtering.

Parameters:
data - The string to filter.
filterClass - the class implementing Filter; class name will be used to hash an instance of this filter within FilterManager; use NULL to get default filtering
filterMethod - one of three filter methods, supported by all filters:
(1) "standardFilter" - Replace control characters with appropriate values.
(2) "rawFilter" - Don't strip out any control characters
(3) "stripFilter" - Strip out all control characters
(these strings are defined as static final constants on this object)
Returns:
The string after it has been filtered
Throws:
IllegalArgumentException - if there is a problem with the Method's parameters
Exception - for any other exception related to loading the specific filter class
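
The three filterMethod values and the load-on-first-use filterList described above, modelled in a self-contained sketch. This is an added example, not Expresso source: the CharFilter interface, the HtmlFilter class and its entity table are assumptions; only the method-name strings and the null filterClass default come from this page.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration, not Expresso source. CharFilter, HtmlFilter and the
// entity table are assumptions made for this sketch.
public class FilterModesDemo {
    interface CharFilter { String replacementFor(char c); } // null = keep character

    // Hypothetical default filter: maps markup-significant characters to entities.
    static class HtmlFilter implements CharFilter {
        public String replacementFor(char c) {
            switch (c) {
                case '<':  return "&lt;";
                case '>':  return "&gt;";
                case '&':  return "&amp;";
                case '"':  return "&quot;";
                case '\'': return "&#39;";
                default:   return null;
            }
        }
    }

    // Filters are instantiated on first use and kept, keyed by class name.
    private static final Map<String, CharFilter> filterList = new ConcurrentHashMap<>();

    static String filterString(String data, Class<? extends CharFilter> filterClass, String filterMethod) throws Exception {
        if (data == null) throw new IllegalArgumentException("data is null");
        if (filterClass == null) filterClass = HtmlFilter.class; // default filtering
        CharFilter f = filterList.get(filterClass.getName());
        if (f == null) {
            f = filterClass.getDeclaredConstructor().newInstance();
            filterList.put(filterClass.getName(), f);
        }
        if ("rawFilter".equals(filterMethod)) return data; // no protection at all
        boolean strip = "stripFilter".equals(filterMethod);
        if (!strip && !"standardFilter".equals(filterMethod))
            throw new IllegalArgumentException("unknown filterMethod: " + filterMethod);
        StringBuilder out = new StringBuilder(data.length() + 16);
        for (char c : data.toCharArray()) {
            String r = f.replacementFor(c);
            if (r == null) out.append(c);      // safe character, copy through
            else if (!strip) out.append(r);    // standardFilter: replace; stripFilter: drop
        }
        return out.toString();
    }
    public static void main(String[] args) throws Exception {
        String input = "<i>Tom & \"Jerry\"</i>"; // constructed sample input
        for (String m : new String[] {"standardFilter", "stripFilter", "rawFilter"})
            System.out.println(m + " -> " + filterString(input, null, m));
    }
}
```

The entity table in this sketch is suited to HTML body text and quoted attribute values; data written into script blocks or URLs needs encoding for that context instead.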

Please see www.jcorporate.com for information about new Expresso releases.