I have a legacy code base that assigns urls in the constructor of some object called UiModule. My goal is to turn on the CSRF prevention measures available in TomCat (Enabling the CSRF prevention filter as described here; http://ift.tt/1PGWkKv). The problem is urls contained in this class do not have encodeURL applied to them which means they do not get a nonce and the requests are broken (TomCat returns a 403, I tested by just turning on CSRF prevention and crossing my fingers).
In this file, which has no access to instances of HttpServletResponse (that is in some other class called BaseServlet) I need to call encodeURL. HttpServletResponse is an interface so of course you can't instantiate it, the next best thing is HttpServletResponseWrapper but that requires you pass it a non-null HttpServletResponse!
Is there another way I can call HttpServletResponse's encodeURL method in this scope? Seems like I'll have to create a code path from the request handler to this class because there is no way to instantiate an object from which I can call encodeURL, is that true? When submitting an answer keep in mind I want to make the least change possible. Ideally, I would just add a reference to HttpServletResponseWrapper in UiModule.java and do something like the following;
import javax.servlet.http.HttpServletResponseWrapper;
private UIModule(String moduleId,
// a lot of arguments like the one below
String helpBaseUrl, String helpContext)
{
// a bunch of proprietary set up
// what I would like to do but it throws IllegalArgumentException
HttpServletResponseWrapper encoder = new HttpServletResponseWrapper(null);
this.helpContext = helpContext;
// need to do the encoding like this to limit the scope of change
// if it doesn't happen in this constructor I go from 1 file changed to several hundred
this.helpBaseUrl = encoder.encodeURL(helpBaseUrl);
}
Are there any known work arounds or options which are similar to the sample above?
Aucun commentaire:
Enregistrer un commentaire