002 <%@ page import="java.util.Enumeration,
003 java.io.PrintWriter"%>
004
005 <%!
006 /**
007 * <p>This helper method can be used to help prevent Cross Site Scripting
008 * vulnerabilities. Any Servlet or JSP which sends user input (eg.
009 * query parameters in HTTP requests) to be rendered into a user's browser
010 * needs to use this method to encode the user input. This ensures that any
011 * HTML in their input (either malicious or otherwise) is not executed by
012 * the browser. This is achieved by converting characters to their HTML
013 * escaped form. For example, '&' is converted to '&amp;'.
014 * <p>
015 * A full description of Cross Site Scripting (XSS) vulnerabilities can
016 * be found at
017 * <a href="http://www.cert.org/tech_tips/malicious_code_mitigation.html">
018 * http://www.cert.org/tech_tips/malicious_code_mitigation.html</a>.
019 *
020 * @param str
021 */
022 public String encodeXSS(String str) {
023 return weblogic.servlet.security.Utils.encodeXSS(str);
024 }
025 %>
026
027 <%
028 try {
029 %>
030 <p>
031 This servlet returns information about the HTTP request
032 itself. You can modify this servlet to take this information
033 and store it elsewhere for your HTTP server records. This
034 servlet is also useful for debugging.
035 </p>
036 <h3>
037 Servlet Spec Version Implemented
038 </h3>
039 <pre>
040 <%= getServletConfig().getServletContext().getMajorVersion() + "." + getServletConfig().getServletContext().getMinorVersion() %>
041 </pre>
042 <h3>
043 Requested URL
044 </h3>
045 <pre>
046 <%= request.getRequestURL().toString() %>
047 </pre>
048 <h3>
049 Request parameters
050 </h3>
051 <pre>
052 <%
053
054 Enumeration enum_ = request.getParameterNames();
055 while(enum_.hasMoreElements()){
056 String key = (String)enum_.nextElement();
057 String[] paramValues = request.getParameterValues(key);
058 for(int i=0;i < paramValues.length;i++){
059 out.println(key + " : " + encodeXSS(paramValues[i]));
060 }
061 }
062
063 %>
064 </pre>
065 <h3>
066 Request information
067 </h3>
068 <pre>
069 Request Method: <%= request.getMethod() %>
070 Request URI: <%= request.getRequestURI() %>
071 Request Protocol: <%= request.getProtocol() %>
072 Servlet Path: <%= request.getServletPath() %>
073 Path Info: <%= request.getPathInfo() %>
074 Path Translated: <%= request.getPathTranslated() %>
075 Query String: <%= encodeXSS(request.getQueryString()) %>
076 Content Length: <%= request.getContentLength() %>
077 Content Type: <%= request.getContentType() %>
078 Server Name: <%= request.getServerName() %>
079 Server Port: <%= request.getServerPort() %>
080 Remote User: <%= request.getRemoteUser() %>
081 Remote Address: <%= request.getRemoteAddr() %>
082 Remote Host: <%= request.getRemoteHost() %>
083 Authorization Scheme: <%= request.getAuthType() %>
084 </pre>
085 <h3>Certificate Information</h3>
086 <pre>
087 <%
088 java.security.cert.X509Certificate certs [];
089 certs = (java.security.cert.X509Certificate [])
090 request.getAttribute("javax.servlet.request.X509Certificate");
091 if ((certs != null) && (certs.length > 0)) {
092 %>
093 Subject Name : <%= certs[0].getSubjectDN().getName() %> <br>
094 Issuer Name :<%= certs[0].getIssuerDN().getName() %> <br>
095 Certificate Chain Length : <%= certs.length %> <br>
096 <%
097
098 // List the Certificate chain
099 for (int i=0; i<certs.length;i++) {
100 %> Certificate[<%= i %>] : <%= certs[i].toString() %>
101
102 <%
103 } // end of for loop
104
105 }
106 else // certs==null
107 {
108 %>
109 Not using SSL or client certificate not required.
110 <%
111 } // end of else
112 %>
113 </pre>
114 <h3>
115 Request headers
116 </h3>
117 <pre>
118 <%
119 enum_ = request.getHeaderNames();
120 while (enum_.hasMoreElements()) {
121 String name = (String)enum_.nextElement();
122 out.println(name + ": " +encodeXSS(request.getHeader(name)));
123 }
124 %>
125 </pre>
126 </td>
127 </tr>
128 <%
129 }
130 catch (Exception ex) {
131 ex.printStackTrace(new PrintWriter(out));
132 }
133 %>
|