001    /**
002     * Licensed to the Apache Software Foundation (ASF) under one or more
003     * contributor license agreements.  See the NOTICE file distributed with
004     * this work for additional information regarding copyright ownership.
005     * The ASF licenses this file to You under the Apache License, Version 2.0
006     * (the "License"); you may not use this file except in compliance with
007     * the License.  You may obtain a copy of the License at
008     *
009     *      http://www.apache.org/licenses/LICENSE-2.0
010     *
011     * Unless required by applicable law or agreed to in writing, software
012     * distributed under the License is distributed on an "AS IS" BASIS,
013     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014     * See the License for the specific language governing permissions and
015     * limitations under the License.
016     */
017    package org.apache.activemq.web.handler;
018    
019    import java.util.Arrays;
020    
021    import javax.servlet.http.HttpServletRequest;
022    
023    import org.apache.activemq.web.DestinationFacade;
024    import org.slf4j.Logger;
025    import org.slf4j.LoggerFactory;
026    import org.springframework.web.bind.ServletRequestDataBinder;
027    import org.springframework.web.servlet.HandlerExecutionChain;
028    import org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping;
029    
030    /**
031     *
032     */
033    public class BindingBeanNameUrlHandlerMapping extends BeanNameUrlHandlerMapping {
034        private static final transient Logger LOG = LoggerFactory.getLogger(BindingBeanNameUrlHandlerMapping.class);
035    
036        @Override
037        protected Object getHandlerInternal(HttpServletRequest request) throws Exception {
038            Object object = super.getHandlerInternal(request);
039    
040            if (object instanceof String) {
041                String handlerName = (String) object;
042                object = getApplicationContext().getBean(handlerName);
043            }
044            if (object instanceof HandlerExecutionChain) {
045                HandlerExecutionChain handlerExecutionChain = (HandlerExecutionChain) object;
046                object = handlerExecutionChain.getHandler();
047            }
048    
049            if (object != null) {
050                // prevent CSRF attacks
051                if (object instanceof DestinationFacade) {
052                    // check supported methods
053                    if (!Arrays.asList(((DestinationFacade)object).getSupportedHttpMethods()).contains(request.getMethod())) {
054                        throw new UnsupportedOperationException("Unsupported method " + request.getMethod() + " for path " + request.getRequestURI());
055                    }
056                    // check the 'secret'
057                    if (request.getSession().getAttribute("secret") == null ||
058                        !request.getSession().getAttribute("secret").equals(request.getParameter("secret"))) {
059                        throw new UnsupportedOperationException("Possible CSRF attack");
060                    }
061                }
062    
063                ServletRequestDataBinder binder = new ServletRequestDataBinder(object, "request");
064                try {
065                    binder.bind(request);
066                    binder.setIgnoreUnknownFields(true);
067                    if (LOG.isDebugEnabled()) {
068                        LOG.debug("Bound POJO is now: " + object);
069                    }
070                }
071                catch (Exception e) {
072                    LOG.warn("Caught: " + e, e);
073                    throw e;
074                }
075            }
076    
077            return object;
078        }
079    }