01: /*
02:
03: Licensed to the Apache Software Foundation (ASF) under one or more
04: contributor license agreements. See the NOTICE file distributed with
05: this work for additional information regarding copyright ownership.
06: The ASF licenses this file to You under the Apache License, Version 2.0
07: (the "License"); you may not use this file except in compliance with
08: the License. You may obtain a copy of the License at
09:
10: http://www.apache.org/licenses/LICENSE-2.0
11:
12: Unless required by applicable law or agreed to in writing, software
13: distributed under the License is distributed on an "AS IS" BASIS,
14: WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15: See the License for the specific language governing permissions and
16: limitations under the License.
17:
18: */
19: package org.apache.batik.bridge;
20:
21: import org.apache.batik.util.ParsedURL;
22:
23: /**
24: * Default implementation for the <tt>ExternalResourceSecurity</tt> interface.
25: * It allows all types of external resources to be loaded, but only if they
26: * come from the same server as the document they are referenced from.
27: *
28: * @author <a href="mailto:vhardy@apache.org">Vincent Hardy</a>
29: * @version $Id: DefaultExternalResourceSecurity.java 475477 2006-11-15 22:44:28Z cam $
30: */
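public class DefaultExternalResourceSecurity implements
        ExternalResourceSecurity {

    /**
     * Protocol name of inline <tt>data:</tt> URLs. Resources using this
     * protocol are exempt from the same-host check performed by the
     * constructor.
     */
    public static final String DATA_PROTOCOL = "data";

    /**
     * Message when trying to load an external resource file and the Document
     * does not have a URL
     */
    public static final String ERROR_CANNOT_ACCESS_DOCUMENT_URL = "DefaultExternalResourceSecurity.error.cannot.access.document.url";

    /**
     * Message when trying to load an external resource file from a server
     * different than the one of the document.
     */
    public static final String ERROR_EXTERNAL_RESOURCE_FROM_DIFFERENT_URL = "DefaultExternalResourceSecurity.error.external.resource.from.different.url";

    /**
     * The exception is built in the constructor and thrown if
     * not null and the checkLoadExternalResource method is called.
     */
    protected SecurityException se;

    /**
     * Controls whether the externalResource should be loaded or not.
     *
     * @throws SecurityException if the externalResource should not be loaded.
     */
    public void checkLoadExternalResource() {
        if (se != null) {
            // The exception was created in the constructor; refresh its
            // stack trace so that it points at this call instead.
            se.fillInStackTrace();
            throw se;
        }
    }

    /**
     * Decides, once and up front, whether the external resource may be
     * loaded. The decision is stored in {@link #se} and enforced by
     * {@link #checkLoadExternalResource()}.
     *
     * <p>The load is refused when the document has no URL, or when the host
     * of the resource differs from the host of the document and the resource
     * is not a <tt>data:</tt> URL.</p>
     *
     * <p>Limits of this check that callers should be aware of:</p>
     * <ul>
     * <li>Only the host is compared; protocol and port are not.</li>
     * <li>Two URLs whose host is <tt>null</tt> are treated as the same
     *     host.</li>
     * <li>Hosts are compared with <tt>String.equals</tt>, so the comparison
     *     is case-sensitive unless <tt>ParsedURL</tt> normalizes the host
     *     (not visible from this class).</li>
     * </ul>
     *
     * @param externalResourceURL url for the externalResource, as defined in
     *                            the externalResource's xlink:href attribute.
     *                            If that attribute was empty, then this
     *                            parameter should be null
     * @param docURL              url for the document into which the
     *                            externalResource was found.
     */
    public DefaultExternalResourceSecurity(
            ParsedURL externalResourceURL, ParsedURL docURL) {
        // Without a document URL there is nothing to compare against:
        // refuse the load.
        if (docURL == null) {
            se = new SecurityException(Messages.formatMessage(
                    ERROR_CANNOT_ACCESS_DOCUMENT_URL,
                    new Object[] { externalResourceURL }));
            return;
        }

        // Make sure that the resource comes from the same host
        // as the document itself.
        String docHost = docURL.getHost();

        // A null resource URL is documented as a legal argument, so it must
        // not be dereferenced; it is handled as a URL without a host.
        String externalResourceHost = (externalResourceURL == null)
                ? null
                : externalResourceURL.getHost();

        boolean sameHost = (docHost == null)
                ? externalResourceHost == null
                : docHost.equals(externalResourceHost);
        if (sameHost) {
            return;
        }

        // Different host: only data: URLs are let through, since their
        // content is carried in the URL itself rather than fetched from
        // another host.
        boolean inlineData = externalResourceURL != null
                && DATA_PROTOCOL.equals(externalResourceURL.getProtocol());
        if (!inlineData) {
            se = new SecurityException(Messages.formatMessage(
                    ERROR_EXTERNAL_RESOURCE_FROM_DIFFERENT_URL,
                    new Object[] { externalResourceURL }));
        }
    }
}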