Interface ClassNameRequestParamValidationService

All Known Implementing Classes:
ClassNameRequestParamValidationServiceImpl

public interface ClassNameRequestParamValidationService
Validation service for reviewing any fully qualified classname data that is part of an Http request. If such data is detected, it is validated against a whitelist of qualified classes. This is a security measure to protect against any subsequent class initialization of unexpected classes via Class.forName(..).
Author:
Jeff Fischer
  • Method Summary

    Modifier and Type
    Method
    Description
    String
    getClassNameForSection(String sectionKey)
    Retrieve a fully qualified classname using a sectionKey.
    List<SectionCrumb>
    getSectionCrumbs(String crumbList)
    Retrieve a list of section crumbs given a delimited string (usually harvested from the "sectionCrumbs" param on an Http request).
    boolean
    validateClassNameParams(Map<String,String> requestParamToClassName, String persistenceUnitName)
    Compare a map of request params to fully qualified classname values against the whitelist.
  • Method Details

    • validateClassNameParams

      boolean validateClassNameParams(Map<String,String> requestParamToClassName, String persistenceUnitName)
      Compare a map of request params to fully qualified classname values against the whitelist.
      Parameters:
      requestParamToClassName - a map of request params and associated fully qualified classnames to confirm against the whitelist
      persistenceUnitName - the persistence unit the white list is generated from
      Returns:
      whether or not the map of values is valid
    • getClassNameForSection

      String getClassNameForSection(String sectionKey)
      Retrieve a fully qualified classname using a sectionKey. Will return the passed-in sectionKey if no classname is registered for it in the datastore. Since it is possible for no classname to be registered and for the key to be a fully qualified classname itself, any unmatched sectionKey is confirmed against the whitelist. If it is found not to be valid, a SectionKeyValidationException instance is thrown. If thrown from within a Spring MVC controller, this exception will result in an Http 404 status code back to the requester.
      Parameters:
      sectionKey - the sectionKey used to retrieve the fully qualified classname
      Returns:
      the fully qualified classname associated with the sectionKey, or the sectionKey itself if no match is found
    • getSectionCrumbs

      List<SectionCrumb> getSectionCrumbs(String crumbList)
      Retrieve a list of section crumbs given a delimited string (usually harvested from the "sectionCrumbs" param on an Http request). The SectionCrumb instances contain sectionKey information, and are therefore subject to the same validation requirements as getClassNameForSection(String). If a sectionKey is found not to be valid, a SectionKeyValidationException instance is thrown. If thrown from within a Spring MVC controller, this exception will result in an Http 404 status code back to the requester.
      Parameters:
      crumbList - the delimited string (related to the "sectionCrumbs" param in an Http request)
      Returns:
      the list of section crumbs representing the currently active admin sections for a given request
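The following is an added example, not code from this page or from the project's own ClassNameRequestParamValidationServiceImpl. It shows the contract above as a hypothetical in-memory implementation: every classname taken from a request is compared against a per-persistence-unit whitelist, an unmatched sectionKey is only returned if it is itself whitelisted, and Class.forName(..) is reached only after the check has passed. The whitelist contents, the persistence unit name "demoPU", the request param name "entityClass", the sectionKey registrations and the "key--id,key--id" crumb wire format are all constructed for the example; the real delimiters and whitelist source are not stated on this page.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class ClassNameWhitelistDemo {

    // Thrown when a sectionKey is neither registered nor whitelisted; the page says a
    // Spring MVC controller turns this into an Http 404 (the controller is not shown here).
    static final class SectionKeyValidationException extends RuntimeException {
        SectionKeyValidationException(String message) { super(message); }
    }

    // Minimal stand-in for the SectionCrumb type referenced by the interface.
    static final class SectionCrumb {
        final String sectionKey;
        final String sectionId;
        SectionCrumb(String sectionKey, String sectionId) { this.sectionKey = sectionKey; this.sectionId = sectionId; }
        @Override public String toString() { return sectionKey + "(" + sectionId + ")"; }
    }

    // Same three operations as the documented interface.
    interface ClassNameRequestParamValidationService {
        boolean validateClassNameParams(Map<String, String> requestParamToClassName, String persistenceUnitName);
        String getClassNameForSection(String sectionKey);
        List<SectionCrumb> getSectionCrumbs(String crumbList);
    }

    // Hypothetical in-memory implementation (assumption: one whitelist per persistence unit,
    // and a sectionKey -> classname registry standing in for the datastore).
    static final class InMemoryValidationService implements ClassNameRequestParamValidationService {
        private final Map<String, Set<String>> whitelistByPersistenceUnit;
        private final Map<String, String> sectionRegistry;
        private final String persistenceUnitName;

        InMemoryValidationService(Map<String, Set<String>> whitelists, Map<String, String> registry, String unit) {
            this.whitelistByPersistenceUnit = whitelists;
            this.sectionRegistry = registry;
            this.persistenceUnitName = unit;
        }

        @Override
        public boolean validateClassNameParams(Map<String, String> requestParamToClassName, String persistenceUnitName) {
            Set<String> whitelist = whitelistByPersistenceUnit.getOrDefault(persistenceUnitName, Set.of());
            // Exact string match only; a single unexpected classname rejects the whole map.
            for (String className : requestParamToClassName.values()) {
                if (className == null || !whitelist.contains(className)) {
                    return false;
                }
            }
            return true;
        }

        @Override
        public String getClassNameForSection(String sectionKey) {
            String registered = sectionRegistry.get(sectionKey);
            if (registered != null) {
                return registered;
            }
            // An unmatched key may itself be a classname: confirm it against the whitelist before returning it.
            if (!validateClassNameParams(Map.of("sectionKey", sectionKey), persistenceUnitName)) {
                throw new SectionKeyValidationException("sectionKey is neither registered nor whitelisted: " + sectionKey);
            }
            return sectionKey;
        }

        @Override
        public List<SectionCrumb> getSectionCrumbs(String crumbList) {
            List<SectionCrumb> crumbs = new ArrayList<>();
            if (crumbList == null || crumbList.trim().isEmpty()) {
                return crumbs;
            }
            // Assumed wire format "key--id,key--id"; each key goes through the same validation as above.
            for (String token : crumbList.split(",")) {
                String[] parts = token.split("--", 2);
                String key = parts[0].trim();
                getClassNameForSection(key); // throws SectionKeyValidationException on a bad key
                crumbs.add(new SectionCrumb(key, parts.length > 1 ? parts[1].trim() : ""));
            }
            return crumbs;
        }
    }

    // The operation the whitelist protects: reflective loading happens only after validation passed.
    static Class<?> loadValidatedClass(ClassNameRequestParamValidationService service, String unit,
                                       String paramName, String className) throws ClassNotFoundException {
        if (!service.validateClassNameParams(Map.of(paramName, className), unit)) {
            throw new SectionKeyValidationException("rejected classname in request param " + paramName);
        }
        return Class.forName(className);
    }

    public static void main(String[] args) throws Exception {
        // Constructed whitelist: JDK classes stand in for the entity classes a real persistence unit contributes.
        Map<String, Set<String>> whitelists = Map.of("demoPU", Set.of("java.util.ArrayList", "java.util.HashMap"));
        Map<String, String> registry = Map.of("list-section", "java.util.ArrayList");
        InMemoryValidationService service = new InMemoryValidationService(whitelists, registry, "demoPU");

        System.out.println(service.validateClassNameParams(Map.of("entityClass", "java.util.HashMap"), "demoPU"));
        System.out.println(service.validateClassNameParams(Map.of("entityClass", "com.example.NotWhitelisted"), "demoPU"));
        System.out.println(service.getClassNameForSection("list-section"));     // registered key resolves to its classname
        System.out.println(service.getClassNameForSection("java.util.HashMap")); // unregistered key that is itself whitelisted
        System.out.println(service.getSectionCrumbs("list-section--1,java.util.HashMap--2"));
        System.out.println(loadValidatedClass(service, "demoPU", "entityClass", "java.util.ArrayList").getSimpleName());
        try {
            service.getClassNameForSection("com.example.NotWhitelisted");
        } catch (SectionKeyValidationException e) {
            System.out.println("rejected: " + e.getMessage()); // a controller would answer 404 here
        }
    }
}
```

Compile and run with `javac ClassNameWhitelistDemo.java && java ClassNameWhitelistDemo`. The design point is that the whitelist is consulted on every path that can yield a classname (the explicit param map, an unmatched sectionKey, and each crumb), so a request cannot reach Class.forName(..) with a value the persistence unit did not contribute.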