/** * Writes the HTTP response to the output stream. * * @param http The HttpExchange object that allows access to the request and response. * @param isGet Flag indicating whether or not the request was a GET request or POST request. * @param pretty Flag indicating whether or not the output, if JSON, should be pretty printed or * not. * @param response The DMR response from the operation. * @param status The HTTP status code to be included in the response. * @param encode Flag indicating whether or not to Base64 encode the response payload. * @throws IOException if an error occurs while attempting to generate the HTTP response. */ private void writeResponse( final HttpExchange http, boolean isGet, boolean pretty, ModelNode response, int status, boolean encode, String contentType) throws IOException { final Headers responseHeaders = http.getResponseHeaders(); responseHeaders.add(CONTENT_TYPE, contentType); http.sendResponseHeaders(status, 0); final OutputStream out = http.getResponseBody(); final PrintWriter print = new PrintWriter(out); // GET (read) operations will never have a compensating update, and the status is already // available via the http response status code, so unwrap them. if (isGet && status == OK) response = response.get("result"); try { if (encode) { response.writeBase64(out); } else { response.writeJSONString(print, !pretty); } } finally { print.flush(); out.flush(); safeClose(print); safeClose(out); } }
/** * Handles a operation request via HTTP. * * @param http The HttpExchange object that allows access to the request and response. * @throws IOException if an error occurs while attempting to process the request. */ private void processRequest(final HttpExchange http) throws IOException { final URI request = http.getRequestURI(); final String requestMethod = http.getRequestMethod(); boolean isGet = GET.equals(requestMethod); if (!isGet && !POST.equals(requestMethod)) { http.sendResponseHeaders(METHOD_NOT_ALLOWED, -1); return; } ModelNode dmr; ModelNode response; int status = OK; Headers requestHeaders = http.getRequestHeaders(); boolean encode = APPLICATION_DMR_ENCODED.equals(requestHeaders.getFirst(ACCEPT)) || APPLICATION_DMR_ENCODED.equals(requestHeaders.getFirst(CONTENT_TYPE)); try { dmr = isGet ? convertGetRequest(request) : convertPostRequest(http.getRequestBody(), encode); } catch (IllegalArgumentException iae) { ROOT_LOGGER.debugf("Unable to construct ModelNode '%s'", iae.getMessage()); http.sendResponseHeaders(INTERNAL_SERVER_ERROR, -1); return; } try { response = modelController.execute(new OperationBuilder(dmr).build()); } catch (Throwable t) { ROOT_LOGGER.modelRequestError(t); http.sendResponseHeaders(INTERNAL_SERVER_ERROR, -1); return; } if (response.hasDefined(OUTCOME) && FAILED.equals(response.get(OUTCOME).asString())) { status = INTERNAL_SERVER_ERROR; } boolean pretty = dmr.hasDefined("json.pretty") && dmr.get("json.pretty").asBoolean(); writeResponse(http, isGet, pretty, response, status, encode); }
/** * Extracts the body content contained in a POST request. * * @param http The <code>HttpExchange</code> object containing POST request data. * @return a result containing the stream and the file name reported by the client * @throws IOException if an error occurs while attempting to extract the POST request data. */ private SeekResult seekToDeployment(final HttpExchange http) throws IOException { final String type = http.getRequestHeaders().getFirst(CONTENT_TYPE); if (type == null) throw MESSAGES.invalidContentType(); Matcher matcher = MULTIPART_FD_BOUNDARY.matcher(type); if (!matcher.matches()) throw MESSAGES.invalidContentType(type); final String boundary = "--" + matcher.group(1); final BoundaryDelimitedInputStream stream = new BoundaryDelimitedInputStream(http.getRequestBody(), boundary.getBytes("US-ASCII")); // Eat preamble byte[] ignore = new byte[1024]; while (stream.read(ignore) != -1) {} // From here on out a boundary is prefixed with a CRLF that should be skipped stream.setBoundary(("\r\n" + boundary).getBytes(US_ASCII)); while (!stream.isOuterStreamClosed()) { // purposefully send the trailing CRLF to headers so that a headerless body can be detected MimeHeaderParser.ParseResult result = MimeHeaderParser.parseHeaders(stream); if (result.eof()) continue; // Skip content-less part Headers partHeaders = result.headers(); String disposition = partHeaders.getFirst(CONTENT_DISPOSITION); if (disposition != null) { matcher = DISPOSITION_FILE.matcher(disposition); if (matcher.matches()) { SeekResult seek = new SeekResult(); seek.fileName = matcher.group(1); seek.stream = stream; return seek; } } while (stream.read(ignore) != -1) {} } throw MESSAGES.invalidDeployment(); }
public void handle(HttpExchange http) throws IOException { /** * Request Verification - before the request is handled a set of checks are performed for CSRF * and XSS */ /* * Completely disallow OPTIONS - if the browser suspects this is a cross site request just reject it. */ final String requestMethod = http.getRequestMethod(); if (OPTIONS.equals(requestMethod)) { drain(http); http.sendResponseHeaders(METHOD_NOT_ALLOWED, -1); return; } /* * Origin check, if it is set the Origin header should match the Host otherwise reject the request. * * This check is for cross site scripted GET and POST requests. */ final Headers headers = http.getRequestHeaders(); final URI request = http.getRequestURI(); if (headers.containsKey(ORIGIN)) { String origin = headers.getFirst(ORIGIN); String host = headers.getFirst(HOST); String protocol = http.getHttpContext().getServer() instanceof HttpServer ? HTTP : HTTPS; String allowedOrigin = protocol + "://" + host; // This will reject multi-origin Origin headers due to the exact match. if (origin.equals(allowedOrigin) == false) { drain(http); http.sendResponseHeaders(FORBIDDEN, -1); return; } } /* * Cross Site Request Forgery makes use of a specially constructed form to pass in what appears to be * a valid operation request - except for upload requests any inbound requests where the Content-Type * is not application/json or application/dmr-encoded will be rejected. */ final boolean uploadRequest = UPLOAD_REQUEST.equals(request.getPath()); if (POST.equals(requestMethod)) { if (uploadRequest) { // This type of request doesn't need the content type check. processUploadRequest(http); return; } String contentType = extractContentType(headers.getFirst(CONTENT_TYPE)); if (!(APPLICATION_JSON.equals(contentType) || APPLICATION_DMR_ENCODED.equals(contentType))) { drain(http); http.sendResponseHeaders(FORBIDDEN, -1); return; } } processRequest(http); }