예제 #1
  /**
   * Called by the server (via the <code>service</code> method) to allow a servlet to handle a TRACE
   * request.
   *
   * <p>A TRACE returns the headers sent with the TRACE request to the client, so that they can be
   * used in debugging. There's no need to override this method.
   *
   * @param req the {@link HttpServletRequest} object that contains the request the client made of
   *     the servlet
   * @param resp the {@link HttpServletResponse} object that contains the response the servlet
   *     returns to the client
   * @exception IOException if an input or output error occurs while the servlet is handling the
   *     TRACE request
   * @exception ServletException if the request for the TRACE cannot be handled
   */
  protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
      throws ServletException, IOException {
    final String lineBreak = "\r\n";

    // First line of the echoed message: method, request URI and protocol as received.
    StringBuilder echo = new StringBuilder("TRACE ");
    echo.append(req.getRequestURI());
    echo.append(" ");
    echo.append(req.getProtocol());

    // NOTE(review): every request header is reflected into the response body unfiltered, which
    // includes credential-bearing headers such as Cookie and Authorization. A script running in
    // the user's browser can read the echoed body, so HttpOnly cookies stop being script-proof
    // while TRACE is enabled. Deployments normally disable TRACE at the container, or override
    // this method to answer 405.
    for (Enumeration<String> names = req.getHeaderNames(); names.hasMoreElements(); ) {
      String name = names.nextElement();
      echo.append(lineBreak).append(name).append(": ").append(req.getHeader(name));
    }
    echo.append(lineBreak);

    // The length is the character count of the buffer; print(String) below writes the same text.
    resp.setContentType("message/http");
    resp.setContentLength(echo.length());

    ServletOutputStream body = resp.getOutputStream();
    body.print(echo.toString());
    body.close();
  }
예제 #2
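 /**
  * Sets the response Content-Length, including values that do not fit in an {@code int}.
  *
  * <p>Lengths up to {@link Integer#MAX_VALUE} go through {@code setContentLength(int)}; larger
  * ones are written as a literal {@code Content-Length} header.
  *
  * @param sres the response to set the length on
  * @param length the body length in bytes
  */
 public static void setContentLength(HttpServletResponse sres, long length) {
   if (length <= Integer.MAX_VALUE) {
     sres.setContentLength((int) length);
   } else {
     // setHeader replaces any earlier value; addHeader would append a second Content-Length if
     // one had already been set, and a response with two differing lengths is framed
     // ambiguously by proxies and clients.
     sres.setHeader("Content-Length", Long.toString(length));
   }
 }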
  /**
   * This method will open the sample report pdf.
   *
   * @param reportFilePath - full path of the sample report to be shown.
   * @param request - instance of HttpServletRequest
   * @param response - instance of HttpServletResponse
   * @throws ServletException - error
   * @throws IOException - error
   */
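  private static void showSampleReport(
      String reportFilePath, HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    // Only sessions carrying VIEW_SAMPLE_REPORT = "Y" (case-insensitive) are served the file.
    Object viewFlag = request.getSession().getAttribute(ReportServiceConstant.VIEW_SAMPLE_REPORT);
    if (null == viewFlag || !viewFlag.toString().equalsIgnoreCase("Y")) {
      return;
    }

    ServletOutputStream output = null;
    FileInputStream fis = null;
    try {
      // Read the whole file first so that a read failure is detected before any response bytes
      // are written. A failure now reaches the catch below instead of producing a truncated PDF.
      fis = new FileInputStream(reportFilePath);
      ByteArrayOutputStream baos = new ByteArrayOutputStream();
      byte[] buf = new byte[256];
      for (int readNum; (readNum = fis.read(buf)) != -1; ) {
        baos.write(buf, 0, readNum);
      }

      // Send only the file's base name to the client. The previous header value was the full
      // server-side path (disclosing directory layout) and lacked the closing quote.
      String fileName = new java.io.File(reportFilePath).getName();

      // Init servlet response.
      response.reset();
      response.setContentType("application/pdf");
      response.setContentLength(baos.size());
      response.setHeader("Content-disposition", "inline; filename=\"" + fileName + "\"");
      response.setHeader("Expires", "0");
      response.setHeader("Cache-Control", "must-revalidate, post-check=0, pre-check=0");
      output = response.getOutputStream();

      output.write(baos.toByteArray(), 0, baos.size());

      // Finalize task.
      output.flush();
    } catch (Exception exception) {
      // Failures are logged and not rethrown; the client then receives whatever the container
      // sends for an untouched response.
      OPPE_LOG.error("ERROR.SHOW_PDF.ERROR", exception);
    } finally {
      // Gently close streams; the file stream was previously never closed.
      close((Closeable) output);
      close((Closeable) fis);
    }
  }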
예제 #4
  /**
   * Returns the JasperReport object on the response output stream. For security reasons this page
   * should only be viewable from localhost. Parameters can be (id), or (table and type).
   *
   * @param id - report id, or
   * @param table - table name
   * @param type - reporttype "s","l","o", case insensitive
   * @param client(*) - client domain
   * @param version - version number, default to -1
   */
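  public void process(HttpServletRequest request, HttpServletResponse response) throws Exception {
    // NOTE(review): the Javadoc describes this page as localhost-only, but no check on the
    // caller's address is visible in this method. Confirm the restriction is enforced by a
    // filter or container configuration, since the method streams report templates to any caller
    // that reaches it.
    // NOTE(review): "client" comes straight from the request and is handed to
    // ReportTools.getReportFile to locate a file. Presumably that helper constrains it to the
    // report directory; verify, because nothing here validates it.
    String clientName = request.getParameter("client");
    int objectId = ParamUtils.getIntAttributeOrParameter(request, "id", -1);
    if (objectId == -1) {
      // try using table and type
      objectId =
          getReportId(clientName, request.getParameter("table"), request.getParameter("type"));
    }
    if (objectId == -1) {
      // NOTE(review): this logs a rendering of the whole request; confirm Tools.toString does
      // not include cookies or other secrets.
      logger.error("report not found, request is:" + Tools.toString(request));
      throw new NDSException("report not found");
    }
    // Read for parity with the documented parameters; the value is not used below.
    int version = ParamUtils.getIntAttributeOrParameter(request, "version", -1);

    File reportXMLFile = new File(ReportTools.getReportFile(objectId, clientName));
    if (!reportXMLFile.exists()) {
      throw new NDSException("Not found report template");
    }

    // Derive the compiled file name from the template name. A template without an extension
    // used to fail in substring(0, -1); it now keeps its full name.
    String xmlName = reportXMLFile.getName();
    int dot = xmlName.lastIndexOf(".");
    String reportName = dot < 0 ? xmlName : xmlName.substring(0, dot);
    File reportJasperFile = new File(reportXMLFile.getParent(), reportName + ".jasper");

    // generate jasperreport if file not exists or not newer
    if (!reportJasperFile.exists()
        || reportJasperFile.lastModified() < reportXMLFile.lastModified()) {
      JasperCompileManager.compileReportToFile(
          reportXMLFile.getAbsolutePath(), reportJasperFile.getAbsolutePath());
    }

    InputStream is = new FileInputStream(reportJasperFile);
    try {
      response.setContentType("application/octetstream;");
      // The int cast is only exact for files below 2 GiB.
      response.setContentLength((int) reportJasperFile.length());

      ServletOutputStream os = response.getOutputStream();

      byte[] b = new byte[8192];
      int bInt;
      while ((bInt = is.read(b, 0, b.length)) != -1) {
        os.write(b, 0, bInt);
      }
      os.flush();
      os.close();
    } finally {
      // Close the file handle even when the client disconnects mid-transfer.
      is.close();
    }
  }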
예제 #5
파일: down.java 프로젝트: RainerJava/erp-6
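  /**
   * Streams the file at {@code filename} to the client as an attachment.
   *
   * <p>NOTE(review): {@code filename} is used as a filesystem path and nothing here restricts it
   * to a download directory. If callers pass a request-derived value, any file readable by the
   * server process can be returned; callers should resolve the name against a fixed base
   * directory and reject anything that escapes it.
   *
   * @param response the response the file is written to
   * @param filename backslash-separated path of the file to send
   * @throws IOException if the file cannot be opened
   */
  public void download(HttpServletResponse response, String filename) throws IOException {
    // Re-join the backslash-separated components. Empty components (doubled, leading or trailing
    // separators) are dropped by the tokenizer. The previous fixed 10-slot array overflowed on
    // deeper paths and indexed -1 on an empty name.
    StringTokenizer tokenTO = new StringTokenizer(filename, "\\");
    StringBuilder joined = new StringBuilder();
    while (tokenTO.hasMoreTokens()) {
      if (joined.length() > 0) {
        joined.append("\\");
      }
      joined.append(tokenTO.nextToken());
    }
    String filepath = joined.toString();

    File down_file = new java.io.File(filepath);
    long l = down_file.length(); // file length
    // A single stream is opened; a missing file still surfaces as FileNotFoundException to the
    // caller. Previously two streams were opened on the same file and one was never closed.
    InputStream in = new FileInputStream(down_file);
    try {
      String fs = down_file.getName();
      response.reset();
      // NOTE(review): no content type is set; an explicit type would be more predictable.
      response.setContentType(null);
      // NOTE(review): the name is written unquoted, so names containing spaces or separators
      // will not survive header parsing.
      String s = "attachment; filename=" + fs;
      response.setHeader("Content-Disposition", s); // the lines above emit the file metadata

      OutputStream output = response.getOutputStream();
      response.setContentLength((int) l); // exact only for files below 2 GiB
      byte[] b = new byte[2048];
      int i;
      while ((i = in.read(b)) > 0) {
        output.write(b, 0, i);
      }
      output.flush();
    } catch (Exception e) {
      // Best-effort transfer, as before: a failure mid-stream is reported, not rethrown.
      e.printStackTrace();
    } finally {
      try {
        in.close();
      } catch (IOException ignored) {
        // Nothing useful can be done if closing the source file fails.
      }
    }
  }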
  /**
   * This method handles response of showing pdf servlet.
   *
   * @param request - instance of HttpServletRequest
   * @param response - instance of HttpServletResponse
   * @throws ServletException - error
   * @throws IOException - error
   */
  public void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    String preview = request.getParameter(PREVIEW_REPORT_PARAMETER);
    String sampleReportParam = request.getParameter(SAMPLE_REPORT_PARAM);

    if (null != sampleReportParam) {
      // The request parameter only selects one of three fixed sample files; its value is never
      // used as part of the path. Unrecognised values produce no output.
      String sampleReportPath = null;
      if (sampleReportParam.equalsIgnoreCase(ReportServiceConstant.PROVIDER_SUMMARY)) {
        sampleReportPath =
            WL_HOME_PATH + RESOURCES_PATH + ReportServiceConstant.PROVIDER_SUMMARY_SAMPLE_FILE;
      } else if (sampleReportParam.equalsIgnoreCase(ReportServiceConstant.COMPARATIVE_SUMMARY)) {
        sampleReportPath =
            WL_HOME_PATH + RESOURCES_PATH + ReportServiceConstant.COMPARITIVE_SUMMARY_SAMPLE_FILE;
      } else if (sampleReportParam.equalsIgnoreCase(ReportServiceConstant.EXECUTIVE_SUMMARY)) {
        sampleReportPath =
            WL_HOME_PATH + RESOURCES_PATH + ReportServiceConstant.EXECUTIVE_SUMMARY_SAMPLE_FILE;
      }
      if (null != sampleReportPath) {
        showSampleReport(sampleReportPath, request, response);
      }
      return;
    }

    if (null == preview || !STR_TRUE.equals(preview)) {
      return;
    }

    // report generation using OracleBI
    ServletOutputStream output = null;
    try {
      // The report parameters come from the session, not from this request.
      Map<String, String> parameterMap =
          (Map<String, String>) request.getSession().getAttribute(REPORTS_PARAMETERS_MAP);

      FileStream fileStream = null;
      byte[] rawBinaryFile = null;
      if (null != parameterMap && parameterMap.containsKey("REPORT_PATH")) {
        PublicReportServicePortClient client = new PublicReportServicePortClient();
        fileStream = client.generateReport(parameterMap);
        rawBinaryFile = fileStream.getFileContent();
      }

      if (null != rawBinaryFile) {
        // Init servlet response.
        response.reset();
        response.setContentType("application/pdf");
        response.setContentLength(rawBinaryFile.length);
        // NOTE(review): the file name returned by the report service is placed in the header
        // as-is. Confirm it cannot contain quotes or line breaks.
        response.setHeader(
            "Content-disposition", "inline; filename=\"" + fileStream.getFileName() + ".pdf\"");
        response.setHeader("Expires", "0");
        response.setHeader("Cache-Control", "must-revalidate, post-check=0, pre-check=0");
        output = response.getOutputStream();

        output.write(rawBinaryFile, 0, rawBinaryFile.length);

        // Finalize task.
        output.flush();
      }
    } catch (Exception exception) {
      // Any failure is logged and swallowed, so the client gets no error status from here.
      OPPE_LOG.error("ERROR.SHOW_PDF.ERROR", exception);
    } finally {
      // Gently close streams.
      close((Closeable) output);
    }
  }
  /**
   * Perform form authentication. Called from SecurityHandler.
   *
   * @return UserPrincipal if authenticated else null.
   */
  public Principal authenticate(
      UserRealm realm, String pathInContext, HttpRequest httpRequest, HttpResponse httpResponse)
      throws IOException {
    // Unwrap the servlet views of the request/response. When httpResponse is null, none of the
    // redirects or errors below are written.
    HttpServletRequest request = (ServletHttpRequest) httpRequest.getWrapper();
    HttpServletResponse response =
        httpResponse == null ? null : (HttpServletResponse) httpResponse.getWrapper();

    // Handle paths
    String uri = pathInContext;

    // Setup session
    // A session is created only when a response is available; without one an existing session is
    // required, otherwise the caller is treated as unauthenticated.
    HttpSession session = request.getSession(response != null);
    if (session == null) return null;

    // Handle a request for authentication.
    // NOTE(review): this is a prefix match on the last path segment, so any segment that merely
    // starts with the security-check name is treated as a login submission.
    if (uri.substring(uri.lastIndexOf("/") + 1).startsWith(__J_SECURITY_CHECK)) {
      // Check the session object for login info.
      FormCredential form_cred = new FormCredential();
      form_cred.authenticate(
          realm,
          request.getParameter(__J_USERNAME),
          request.getParameter(__J_PASSWORD),
          httpRequest);

      // Destination after login: the URI saved in the session before the login redirect, else
      // the context root.
      String nuri = (String) session.getAttribute(__J_URI);
      if (nuri == null || nuri.length() == 0) {
        nuri = request.getContextPath();
        if (nuri.length() == 0) nuri = "/";
      }

      if (form_cred._userPrincipal != null) {
        // Authenticated OK
        if (log.isDebugEnabled()) log.debug("Form authentication OK for " + form_cred._jUserName);
        session.removeAttribute(__J_URI); // Remove popped return URI.
        httpRequest.setAuthType(SecurityConstraint.__FORM_AUTH);
        httpRequest.setAuthUser(form_cred._jUserName);
        httpRequest.setUserPrincipal(form_cred._userPrincipal);
        // NOTE(review): the credential is stored in the session that existed before login; no
        // session invalidation or id change is visible in this method, so a session id known
        // before authentication stays valid afterwards. Confirm renewal happens elsewhere.
        // NOTE(review): the stored credential carries _jPassword (read below for SSO), so the
        // password appears to live in the session for its lifetime. Confirm how FormCredential
        // populates and serializes it.
        session.setAttribute(__J_AUTHENTICATED, form_cred);

        // Sign-on to SSO mechanism
        if (realm instanceof SSORealm) {
          ((SSORealm) realm)
              .setSingleSignOn(
                  httpRequest,
                  httpResponse,
                  form_cred._userPrincipal,
                  new Password(form_cred._jPassword));
        }

        // Redirect to original request
        if (response != null) {
          response.setContentLength(0);
          response.sendRedirect(response.encodeRedirectURL(nuri));
        }
      } else if (response != null) {
        // Failed login: redirect to the configured error page, or answer 403 when none is set.
        if (log.isDebugEnabled())
          log.debug("Form authentication FAILED for " + form_cred._jUserName);
        if (_formErrorPage != null) {
          response.setContentLength(0);
          response.sendRedirect(
              response.encodeRedirectURL(URI.addPaths(request.getContextPath(), _formErrorPage)));
        } else {
          response.sendError(HttpResponse.__403_Forbidden);
        }
      }

      // Security check is always false, only true after final redirection.
      return null;
    }

    // Check if the session is already authenticated.
    FormCredential form_cred = (FormCredential) session.getAttribute(__J_AUTHENTICATED);

    if (form_cred != null) {
      // We have a form credential. Has it been distributed?
      if (form_cred._userPrincipal == null) {
        // This form_cred appears to have been distributed.  Need to reauth
        form_cred.authenticate(realm, httpRequest);

        // Sign-on to SSO mechanism
        if (form_cred._userPrincipal != null && realm instanceof SSORealm) {
          ((SSORealm) realm)
              .setSingleSignOn(
                  httpRequest,
                  httpResponse,
                  form_cred._userPrincipal,
                  new Password(form_cred._jPassword));
        }
      } else if (!realm.reauthenticate(form_cred._userPrincipal))
        // Else check that it is still authenticated.
        form_cred._userPrincipal = null;

      // If this credential is still authenticated
      if (form_cred._userPrincipal != null) {
        if (log.isDebugEnabled())
          log.debug("FORM Authenticated for " + form_cred._userPrincipal.getName());
        httpRequest.setAuthType(SecurityConstraint.__FORM_AUTH);
        httpRequest.setAuthUser(form_cred._userPrincipal.getName());
        httpRequest.setUserPrincipal(form_cred._userPrincipal);
        return form_cred._userPrincipal;
      } else session.setAttribute(__J_AUTHENTICATED, null); // drop the stale credential
    } else if (realm instanceof SSORealm) {
      // Try a single sign on.
      Credential cred = ((SSORealm) realm).getSingleSignOn(httpRequest, httpResponse);

      // The SSO call is expected to have set the principal on the request when it succeeds; the
      // credential is then rebuilt from it and cached in the session.
      if (httpRequest.hasUserPrincipal()) {
        form_cred = new FormCredential();
        form_cred._userPrincipal = request.getUserPrincipal();
        form_cred._jUserName = form_cred._userPrincipal.getName();
        if (cred != null) form_cred._jPassword = cred.toString();
        if (log.isDebugEnabled()) log.debug("SSO for " + form_cred._userPrincipal);

        httpRequest.setAuthType(SecurityConstraint.__FORM_AUTH);
        session.setAttribute(__J_AUTHENTICATED, form_cred);
        return form_cred._userPrincipal;
      }
    }

    // Don't authenticate authform or errorpage
    if (isLoginOrErrorPage(pathInContext)) return SecurityConstraint.__NOBODY;

    // redirect to login page
    if (response != null) {
      if (httpRequest.getQuery() != null) uri += "?" + httpRequest.getQuery();
      // Remember where the user was going so the post-login redirect can return there.
      // NOTE(review): the saved URL is absolute and built from the request's scheme, server name
      // and port. The server name presumably reflects the client's Host header, in which case
      // the post-login redirect target is client-influenced — confirm the container pins or
      // validates the host.
      session.setAttribute(
          __J_URI,
          request.getScheme()
              + "://"
              + request.getServerName()
              + ":"
              + request.getServerPort()
              + URI.addPaths(request.getContextPath(), uri));
      response.setContentLength(0);
      response.sendRedirect(
          response.encodeRedirectURL(URI.addPaths(request.getContextPath(), _formLoginPage)));
    }

    // Not authenticated (a redirect to the login page was sent if a response was available).
    return null;
  }
예제 #8
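  /**
   * Writes an HTML page whose script builds a POST form aimed at the landing page and submits it
   * immediately, attaching the CSRF token as a hidden field when the landing page is protected.
   *
   * <p>The landing page defaults to the current context path plus servlet path when none is
   * configured. Every value placed inside a script string literal is escaped first, because the
   * default landing page is derived from the request.
   *
   * @param request the current request
   * @param response the response the page is written to
   * @throws IOException if the page cannot be written
   */
  public void writeLandingPage(HttpServletRequest request, HttpServletResponse response)
      throws IOException {
    String landingPage = getNewTokenLandingPage();

    /** default to current page * */
    if (landingPage == null) {
      landingPage = request.getContextPath() + request.getServletPath();
    }

    /** create auto posting form * */
    StringBuilder sb = new StringBuilder();

    sb.append("<html>\r\n");
    sb.append("<head>\r\n");
    sb.append("<title>OWASP CSRFGuard Project - New Token Landing Page</title>\r\n");
    sb.append("</head>\r\n");
    sb.append("<body>\r\n");
    sb.append("<script type=\"text/javascript\">\r\n");
    sb.append("var form = document.createElement(\"form\");\r\n");
    sb.append("form.setAttribute(\"method\", \"post\");\r\n");
    sb.append("form.setAttribute(\"action\", \"");
    sb.append(escapeForScriptString(landingPage));
    sb.append("\");\r\n");

    /** only include token if needed * */
    if (isProtectedPage(landingPage)) {
      sb.append("var hiddenField = document.createElement(\"input\");\r\n");
      sb.append("hiddenField.setAttribute(\"type\", \"hidden\");\r\n");
      sb.append("hiddenField.setAttribute(\"name\", \"");
      sb.append(escapeForScriptString(String.valueOf(getTokenName())));
      sb.append("\");\r\n");
      sb.append("hiddenField.setAttribute(\"value\", \"");
      sb.append(escapeForScriptString(String.valueOf(getTokenValue(request, landingPage))));
      sb.append("\");\r\n");
      sb.append("form.appendChild(hiddenField);\r\n");
    }

    sb.append("document.body.appendChild(form);\r\n");
    sb.append("form.submit();\r\n");
    sb.append("</script>\r\n");
    sb.append("</body>\r\n");
    sb.append("</html>\r\n");

    // Encode once with a fixed charset and take the length from the bytes actually sent. The
    // character count only equals the byte count for pure ASCII, and a PrintWriter over the raw
    // stream would encode with the platform default charset.
    byte[] page = sb.toString().getBytes("UTF-8");

    /** setup headers * */
    response.setContentType("text/html");
    response.setCharacterEncoding("UTF-8");
    response.setContentLength(page.length);

    /** write auto posting form * */
    OutputStream output = null;

    try {
      output = response.getOutputStream();
      output.write(page);
      output.flush();
    } finally {
      Streams.close(output);
    }
  }

  /** Escapes a value for use inside a double-quoted script string literal in an HTML page. */
  private static String escapeForScriptString(String value) {
    StringBuilder escaped = new StringBuilder(value.length() + 16);
    for (int i = 0; i < value.length(); i++) {
      char c = value.charAt(i);
      // Quotes and backslashes would end or alter the literal, angle brackets and ampersands
      // matter to the surrounding HTML parser, and control/line-separator characters would
      // break the statement.
      boolean needsEscape =
          c < 0x20
              || c == '"'
              || c == '\''
              || c == '\\'
              || c == '<'
              || c == '>'
              || c == '&'
              || c == 0x2028
              || c == 0x2029;
      if (needsEscape) {
        escaped.append(String.format("\\u%04x", (int) c));
      } else {
        escaped.append(c);
      }
    }
    return escaped.toString();
  }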
예제 #9
package com.jspsmart.upload;
예제 #10
  /**
   * Write a file to the response stream. Handles Range requests.
   *
   * @param req request
   * @param res response
   * @param file must exists and not be a directory
   * @param contentType must not be null
   * @throws IOException or error
   */
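  public static void returnFile(
      HttpServletRequest req, HttpServletResponse res, File file, String contentType)
      throws IOException {
    res.setContentType(contentType);

    // see if its a Range Request
    // The Range header is client-supplied, so it is parsed defensively: a header that is
    // malformed, uses an unsupported form (suffix or multi-range), or has last < first is ignored
    // and the whole file is served, instead of failing with an unchecked exception.
    boolean isRangeRequest = false;
    long startPos = 0, endPos = Long.MAX_VALUE;
    String rangeRequest = req.getHeader("Range");
    if (rangeRequest != null) { // bytes=12-34 or bytes=12-
      int pos = rangeRequest.indexOf("=");
      int pos2 = rangeRequest.indexOf("-");
      if (pos > 0 && pos2 > pos) {
        try {
          long first = Long.parseLong(rangeRequest.substring(pos + 1, pos2));
          String endString = rangeRequest.substring(pos2 + 1);
          long last = endString.length() > 0 ? Long.parseLong(endString) : Long.MAX_VALUE;
          if (first >= 0 && last >= first) {
            startPos = first;
            // endPos is exclusive; avoid overflowing when the client sends Long.MAX_VALUE
            endPos = (last == Long.MAX_VALUE) ? Long.MAX_VALUE : last + 1;
            isRangeRequest = true;
          }
        } catch (NumberFormatException e) {
          // Not a range this method understands: fall through and serve the full file.
        }
      }
    }

    // set content length
    long fileSize = file.length();
    long contentLength = fileSize;
    if (isRangeRequest) {
      if (startPos >= fileSize) {
        // The requested start lies beyond the file. Answer 416 rather than computing a negative
        // length and passing it to the copy routine.
        res.setHeader("Content-Range", "bytes */" + fileSize);
        log.info(
            "returnFile(): "
                + UsageLog.closingMessageForRequestContext(
                    HttpServletResponse.SC_REQUESTED_RANGE_NOT_SATISFIABLE, 0));
        res.sendError(HttpServletResponse.SC_REQUESTED_RANGE_NOT_SATISFIABLE);
        return;
      }
      endPos = Math.min(endPos, fileSize);
      contentLength = endPos - startPos;
    }

    if (contentLength > Integer.MAX_VALUE)
      // allow content length > MAX_INT; setHeader so that only one Content-Length value is sent
      res.setHeader("Content-Length", Long.toString(contentLength));
    else res.setContentLength((int) contentLength); // note HEAD only allows this

    String filename = file.getPath();
    boolean debugRequest = Debug.isSet("returnFile");
    if (debugRequest)
      log.debug(
          "returnFile(): filename = "
              + filename
              + " contentType = "
              + contentType
              + " contentLength = "
              + contentLength);

    // indicate we allow Range Requests
    res.addHeader("Accept-Ranges", "bytes");

    // HEAD gets the headers computed above and no body.
    if (req.getMethod().equals("HEAD")) {
      log.info(
          "returnFile(): "
              + UsageLog.closingMessageForRequestContext(HttpServletResponse.SC_OK, 0));
      return;
    }

    try {

      if (isRangeRequest) {
        // set before content is sent
        res.addHeader("Content-Range", "bytes " + startPos + "-" + (endPos - 1) + "/" + fileSize);
        res.setStatus(HttpServletResponse.SC_PARTIAL_CONTENT);

        FileCacheRaf.Raf craf = null;
        try {
          craf = fileCacheRaf.acquire(filename);
          IO.copyRafB(
              craf.getRaf(), startPos, contentLength, res.getOutputStream(), new byte[60000]);
          log.info(
              "returnFile(): "
                  + UsageLog.closingMessageForRequestContext(
                      HttpServletResponse.SC_PARTIAL_CONTENT, contentLength));
          return;
        } finally {
          // Always hand the cached file handle back, including when the copy fails.
          if (craf != null) fileCacheRaf.release(craf);
        }
      }

      // Return the file
      ServletOutputStream out = res.getOutputStream();
      IO.copyFileB(file, out, 60000);
      res.flushBuffer();
      out.close();
      if (debugRequest) log.debug("returnFile(): returnFile ok = " + filename);
      log.info(
          "returnFile(): "
              + UsageLog.closingMessageForRequestContext(HttpServletResponse.SC_OK, contentLength));
    }

    // @todo Split up this exception handling: those from file access vs those from dealing with
    // response
    //       File access: catch and res.sendError()
    //       response: don't catch (let bubble up out of doGet() etc)
    catch (FileNotFoundException e) {
      log.error("returnFile(): FileNotFoundException= " + filename);
      log.info(
          "returnFile(): "
              + UsageLog.closingMessageForRequestContext(HttpServletResponse.SC_NOT_FOUND, 0));
      if (!res.isCommitted()) res.sendError(HttpServletResponse.SC_NOT_FOUND);
    } catch (java.net.SocketException e) {
      // Client went away mid-transfer: logged at info level, nothing is sent back.
      log.info("returnFile(): SocketException sending file: " + filename + " " + e.getMessage());
      log.info("returnFile(): " + UsageLog.closingMessageForRequestContext(STATUS_CLIENT_ABORT, 0));
    } catch (IOException e) {
      String eName =
          e.getClass().getName(); // dont want compile time dependency on ClientAbortException
      if (eName.equals("org.apache.catalina.connector.ClientAbortException")) {
        log.info(
            "returnFile(): ClientAbortException while sending file: "
                + filename
                + " "
                + e.getMessage());
        log.info(
            "returnFile(): " + UsageLog.closingMessageForRequestContext(STATUS_CLIENT_ABORT, 0));
        return;
      }

      log.error("returnFile(): IOException (" + e.getClass().getName() + ") sending file ", e);
      log.error(
          "returnFile(): "
              + UsageLog.closingMessageForRequestContext(HttpServletResponse.SC_NOT_FOUND, 0));
      // NOTE(review): the exception message is returned to the client in the error body; the
      // full detail is already in the log, so consider sending a fixed message instead.
      if (!res.isCommitted())
        res.sendError(HttpServletResponse.SC_NOT_FOUND, "Problem sending file: " + e.getMessage());
    }
  }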