documentation additions

This commit is contained in:
Mihai Pitu
2013-08-15 21:18:36 +03:00
committed by Felipe Zimmerle
parent 3ad9f3b767
commit 79aa6950d0
9 changed files with 107 additions and 21 deletions

Binary file not shown.


@@ -10,7 +10,6 @@ public class ModSecurityLoader {
File modSecDir = new File(MODSECURITYLIBSDIR_PATH); File modSecDir = new File(MODSECURITYLIBSDIR_PATH);
File[] flibs = modSecDir.listFiles(); File[] flibs = modSecDir.listFiles();
System.out.println("len" + flibs.length);
loadLib(flibs, "zlib1"); loadLib(flibs, "zlib1");
loadLib(flibs, "libxml2"); loadLib(flibs, "libxml2");
@@ -19,6 +18,16 @@ public class ModSecurityLoader {
loadLib(flibs, "libapriconv-1"); loadLib(flibs, "libapriconv-1");
loadLib(flibs, "libaprutil-1"); loadLib(flibs, "libaprutil-1");
loadLib(flibs, "ModSecurityJNI"); loadLib(flibs, "ModSecurityJNI");
//alternative load, this requires native libraries to be in java.library.path, you can set it
//by specifying server VM start-up option: -Djava.library.path=path/to/libs/
// System.loadLibrary("zlib1");
// System.loadLibrary("libxml2");
// System.loadLibrary("pcre");
// System.loadLibrary("libapr-1");
// System.loadLibrary("libapriconv-1");
// System.loadLibrary("libaprutil-1");
// System.loadLibrary("ModSecurityJNI");
} }
private static void loadLib(File[] files, String lib) { private static void loadLib(File[] files, String lib) {
@@ -29,4 +38,8 @@ public class ModSecurityLoader {
} }
} }
} }
public void main(String[] args) {
}
} }
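Review bot: The `public void main(String[] args) {}` added in the last hunk is an instance method with an empty body, so it is not a JVM entry point (that needs `public static void main`) and nothing visible calls it; either drop it or, if the jar is meant to be runnable, make it `public static void main(String[] args)` and say in a comment what running the loader standalone is for. In the first hunk, `modSecDir.listFiles()` returns null when MODSECURITYLIBSDIR_PATH does not exist or is not a directory; the removed println dereferenced it without guarding it, and whether loadLib (body outside the hunk) tolerates a null array is not visible, so a check such as `if (flibs == null) throw new IllegalStateException("ModSecurity native library directory not found: " + MODSECURITYLIBSDIR_PATH);` would turn a NullPointerException inside a static initializer into a usable error. Since every file in that directory matching a library name is handed to System.load, the directory must be writable only by the account that installs the server; that is worth a comment above the loadLib calls. The static initializer containing these calls begins above the first hunk.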


@@ -22,14 +22,24 @@ public final class ModSecurity {
private long confTime; private long confTime;
static { static {
//ModSecurityLoader calls System.load() for every native library needed by ModSecurity.
try { try {
//ModSecurityLoader calls System.load() for every native library needed by ModSecurity
Class.forName("org.modsecurity.loader.ModSecurityLoader"); Class.forName("org.modsecurity.loader.ModSecurityLoader");
System.out.println("ModSecurity libraries loaded."); System.out.println("ModSecurity libraries loaded.");
} catch (ClassNotFoundException ex) { } catch (ClassNotFoundException ex) {
java.util.logging.Logger.getLogger(ModSecurity.class.getName()).log(java.util.logging.Level.SEVERE, java.util.logging.Logger.getLogger(ModSecurity.class.getName()).log(java.util.logging.Level.SEVERE,
"ModSecurityLoader was not found, please make sure that you have \"ModSecurityLoader.jar\" in your server lib folder.", ex); "ModSecurityLoader was not found, please make sure that you have \"ModSecurityLoader.jar\" in your server lib folder.", ex);
} }
//If the ModSecurityLoader is not used, native libraries can be loaded here, however this is bad practice since this will raise UnsatisfiedLinkError if
//ModSecurity is used in multiple webapps. This will also will raise problems when the web-app is redeployed and the server is running.
// System.load("c:\\work\\mod_security\\java\\libs\\zlib1.dll");
// System.load("c:\\work\\mod_security\\java\\libs\\libxml2.dll");
// System.load("c:\\work\\mod_security\\java\\libs\\pcre.dll");
// System.load("c:\\work\\mod_security\\java\\libs\\libapr-1.dll");
// System.load("c:\\work\\mod_security\\java\\libs\\libapriconv-1.dll");
// System.load("c:\\work\\mod_security\\java\\libs\\libaprutil-1.dll");
// System.load("c:\\work\\mod_security\\java\\Debug\\ModSecurityJNI.dll");
} }
public ModSecurity(FilterConfig fc, String confFile) throws ServletException { public ModSecurity(FilterConfig fc, String confFile) throws ServletException {
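Review bot: The catch for ClassNotFoundException only logs and lets the static initializer finish, so a server without ModSecurityLoader.jar still constructs the filter and the first native call fails later with an UnsatisfiedLinkError instead of the WAF refusing to start; a security filter should fail closed here, e.g. `throw new ExceptionInInitializerError("ModSecurityLoader not found: " + ex);` after the log call. The success path uses System.out.println while the failure path uses java.util.logging; use the same Logger at INFO for both so deployments see one log stream. The commented-out System.load lines with absolute `c:\work\...` and `Debug` paths are dead code in a static initializer, and the new comment above them already explains the alternative, so the paths themselves can go. Whether the filter's doFilter catches UnsatisfiedLinkError is outside this hunk.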


@@ -1,6 +1,7 @@
package org.modsecurity; package org.modsecurity;
import java.io.IOException; import java.io.IOException;
import java.net.URLDecoder;
import javax.servlet.Filter; import javax.servlet.Filter;
import javax.servlet.FilterChain; import javax.servlet.FilterChain;
import javax.servlet.FilterConfig; import javax.servlet.FilterConfig;
@@ -25,7 +26,6 @@ public class ModSecurityFilter implements Filter {
throw new ServletException("ModSecurity: parameter 'conf' not available in web.xml"); throw new ServletException("ModSecurity: parameter 'conf' not available in web.xml");
} }
modsecurity = new ModSecurity(fc, confFilename); modsecurity = new ModSecurity(fc, confFilename);
} }
@@ -35,14 +35,14 @@ public class ModSecurityFilter implements Filter {
HttpServletResponse httpResp = (HttpServletResponse) response; HttpServletResponse httpResp = (HttpServletResponse) response;
MsHttpTransaction httpTran = new MsHttpTransaction(httpReq, httpResp); //transaction object used by native code MsHttpTransaction httpTran = new MsHttpTransaction(httpReq, httpResp); //transaction object used by native code
try { try {
int status = modsecurity.onRequest(modsecurity.getConfFilename(), httpTran, modsecurity.checkModifiedConfig()); //modsecurity reloads only if primary config file is modified int status = modsecurity.onRequest(modsecurity.getConfFilename(), httpTran, modsecurity.checkModifiedConfig()); //modsecurity reloads only if primary config file is modified
if (status != ModSecurity.DECLINED) { if (status != ModSecurity.DECLINED) {
httpTran.getHttpResponse().sendError(403); httpTran.getHttpResponse().sendError(403);
return; return;
} }
//process request //process request
fc.doFilter(httpTran.getMsHttpRequest(), httpTran.getMsHttpResponse()); fc.doFilter(httpTran.getMsHttpRequest(), httpTran.getMsHttpResponse());
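Review bot: The new `import java.net.URLDecoder;` in the first hunk is not used by any line visible in this file's hunks, so it should be dropped or the decoding it was meant for completed; an unused import in a filter that fronts every request suggests a parameter-decoding step was planned and not finished. If the later hunk changed only whitespace around the `sendError(403)` branch, that branch would still benefit from one log line naming the status onRequest returned and the request URI, so blocked requests can be traced. The try block around onRequest continues past the hunk, so what happens when the native call throws is not visible here.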


@@ -132,17 +132,18 @@ public class MsHttpServletRequest extends HttpServletRequestWrapper {
String contentType = req.getContentType(); String contentType = req.getContentType();
bodyBytes = new byte[bytes.length]; bodyBytes = new byte[bytes.length];
System.arraycopy(bytes, 0, bodyBytes, 0, bytes.length); System.arraycopy(bytes, 0, bodyBytes, 0, bytes.length);
body = new String(bodyBytes, encoding); body = new String(bodyBytes, encoding);
if ((contentType != null) && ((contentType.compareTo("application/x-www-form-urlencoded") == 0) || (contentType.compareTo("application/x-form-urlencoded") == 0))) { if ((contentType != null) && ((contentType.compareTo("application/x-www-form-urlencoded") == 0) || (contentType.compareTo("application/x-form-urlencoded") == 0))) {
addUrlEncoded(body); addUrlEncoded(body);
} }
} }
@Override @Override
public int getContentLength() { public int getContentLength() {
if (bodyBytes == null) if (bodyBytes == null) {
return req.getContentLength(); return req.getContentLength();
}
return bodyBytes.length; return bodyBytes.length;
} }
@@ -275,7 +276,7 @@ public class MsHttpServletRequest extends HttpServletRequestWrapper {
} }
} }
} }
//test with <£2.00 price
if (flag == 1) { if (flag == 1) {
value = ""; value = "";
if (startPos != -1) { if (startPos != -1) {
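Review bot: In the first hunk the form-body check uses `contentType.compareTo("application/x-www-form-urlencoded") == 0`, an exact match, so a client that appends a parameter (`application/x-www-form-urlencoded; charset=UTF-8`) skips addUrlEncoded; this wrapper has already copied the body into bodyBytes, so the wrapped application would presumably see no form parameters, and whether the native side still inspects that body is not visible here. Compare the media type without its parameters, e.g. `String mediaType = contentType.split(";", 2)[0].trim();` and then `mediaType.equalsIgnoreCase("application/x-www-form-urlencoded") || mediaType.equalsIgnoreCase("application/x-form-urlencoded")`. The second hunk's added `//test with <£2.00 price` reads as a leftover test note rather than documentation; if it records an input the loop below must handle, reword it to say what the case exercises, otherwise remove it. The method containing the first hunk starts above it.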


@@ -10,8 +10,11 @@
<filter-class>org.modsecurity.ModSecurityFilter</filter-class> <filter-class>org.modsecurity.ModSecurityFilter</filter-class>
<init-param> <init-param>
<param-name>conf</param-name> <param-name>conf</param-name>
<param-value>c:\inetpub\wwwroot\owasp-crs\modsecurity.conf</param-value> <param-value>c:\inetpub\wwwroot\owasp-crs\modsecurity.conf</param-value>
<!--<param-value>/etc/modsecurity/modsecurity.conf</param-value>--> <!-- Path to the main configuration file of ModSecurity. You can activate the core rules by including in modsecurity.conf file:
Include modsecurity_crs_10_setup.conf
Include activated_rules\*.conf
-->
</init-param> </init-param>
</filter> </filter>
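Review bot: The example `c:\inetpub\wwwroot\owasp-crs\modsecurity.conf` places the WAF configuration and rule set under what is normally an IIS document root; if that tree is served by a web server, the rules and any settings in the configuration can be fetched by the same clients the filter is meant to protect. Point the example at a path outside any document root and add to the new comment a line such as `Keep modsecurity.conf and the rule files outside any web server document root.` The new comment's `Include activated_rules\*.conf` is Windows-style while the replaced alternative was a Unix path; keeping one example per platform would spare Unix users the backslash.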


@@ -8,8 +8,12 @@
font-family: Courier; font-family: Courier;
font-size: 14px; font-size: 14px;
} }
.codecanvas {
background: #DDDDDD;
}
</style> </style>
</head> </head>
<body style="background: #333333;"> <body style="background: #333333;">
<div align="center" style="width:930px; margin:0 auto; box-shadow: 5px 5px 6px #000; background: #FFFFFF;"> <div align="center" style="width:930px; margin:0 auto; box-shadow: 5px 5px 6px #000; background: #FFFFFF;">
<div style="width: 930px;"> <div style="width: 930px;">
@@ -30,18 +34,18 @@
the web server, acting as a powerful umbrella, shielding applications from attacks. the web server, acting as a powerful umbrella, shielding applications from attacks.
</p> </p>
<p> <p>
ModSecurity for Java is designed as a <b>Java Servlet Filter</b> which makes use of ModSecurity's ModSecurity for Java is designed as a <a href="http://www.oracle.com/technetwork/java/filters-137243.html">Java Filter</a> which makes use of ModSecurity's
<a href="https://github.com/SpiderLabs/ModSecurity">native code</a> using the <b>JNI technology</b>. <a href="https://github.com/SpiderLabs/ModSecurity">native code</a> using the <b>JNI technology</b>.
</p> </p>
<br /> <br />
<h3>Installation</h3> <h3>Installation</h3>
<p> <p>
First you need to choose whether to install the latest version of ModSecurity directly from First you need to choose whether to download and compile ModSecurity from the project's version control web-site:
<a href="https://github.com/SpiderLabs/ModSecurity">github.com/SpiderLabs/ModSecurity</a> or using pre-compiled binaries from <a href="https://github.com/SpiderLabs/ModSecurity">github.com/SpiderLabs/ModSecurity</a> or using pre-compiled binaries from
<a href="https://www.modsecurity.org/">modsecurity.org</a>. We will not discuss how to compile <a href="https://www.modsecurity.org/">modsecurity.org</a>. We will not discuss how to compile
the native libraries needed since these steps are described in the README files from ModSecurity's repository. the dependent native libraries needed since these steps are described in the README files from ModSecurity's repository.
The native libraries (.so, .dll, etc.) needed for <b>ModSecurity for Java</b> are: The native libraries (.so, .dll, etc.) needed for <b>ModSecurity for Java</b> are:
</p> </p>
<ol> <ol>
<li> <li>
@@ -66,13 +70,58 @@
ModSecurityJNI ModSecurityJNI
</li> </li>
</ol> </ol>
<p> <p>
These libraries are loaded by the <span class="code">ModSecurityLoader.jar</span>, which should be placed in your Java server library loader These native libraries are loaded by the <span class="code">ModSecurityLoader.jar</span>, which should be placed in your Java server library loader
(for example, in Tomcat 7: <span class="code">$CATALINA_HOME/lib</span>). You can build or modify the load directory of <span class="code">ModSecurityLoader</span> from (for example, in Tomcat 7: <span class="code">$CATALINA_HOME/lib</span>). You can build or modify the load directory of <span class="code">ModSecurityLoader</span> from
<span class="code">/mod_security/java/ModSecurityLoader/src/</span>. The libraries have to be copied in a directory (for example, <span class="code">c:\work\mod_security\java\libs\</span>), <span class="code">/mod_security/java/ModSecurityLoader/src/</span>. The libraries have to be copied in a directory (for example, <span class="code">c:\work\mod_security\java\libs\</span>),
which should be accessible to <span class="code">ModSecurityLoader.jar</span>. which should be accessible to <span class="code">ModSecurityLoader.jar</span>.
</p> </p>
<br />
<h4>Java Web Applications with ModSecurity Filter</h4>
<p>
ModSecurity for Java uses <a href="http://www.oracle.com/technetwork/java/filters-137243.html">Java Filters</a> in order to
intercept Http requests and responses. <b>ModsecurityTestApp</b> is an example of Java EE Web application using the ModSecurity
Filter. To use ModSecurity Filter in your Web application, copy the source files from
<span class="code">mod_security/java/ModSecurityTestApp/src/</span>
in your application and add the following entry for the filter tag in your <b>web.xml</b> file:
</p>
<pre class="codecanvas"><code >
&lt;filter&gt;
&lt;filter-name&gt;ModSecurityFilter&lt;/filter-name&gt;
&lt;filter-class>org.modsecurity.ModSecurityFilter&lt;/filter-class&gt;
&lt;init-param&gt;
&lt;param-name&gt;conf&lt;/param-name&gt;
&lt;param-value&gt;c:\inetpub\wwwroot\owasp-crs\modsecurity.conf&lt;/param-value&gt;
&lt;!-- Path to the main configuration file of ModSecurity. You can activate the core
rules by including in modsecurity.conf file:
Include modsecurity_crs_10_setup.conf
Include activated_rules\*.conf
--&gt;
&lt;/init-param&gt;
&lt;/filter&gt;
&lt;filter-mapping&gt;
&lt;filter-name&gt;ModSecurityFilter&lt;/filter-name&gt;
&lt;url-pattern&gt;/*&lt;/url-pattern&gt;
&lt;/filter-mapping&gt;
&lt;/filter&gt;
</code>
</pre>
<p>
The ModSecurity Filter makes use of the native libraries written in C/C++ using the JNI technology.
As stated earlier, the native libraries are loaded by the <span class="code">ModSecurityLoader.jar</span>
which should be loaded by the server at start-up. If you are unable to configure the server to load the
ModSecurity libraries at startup, you may load them in your web application although this is not
recommended because this will raise <span class="code">UnsatisfiedLinkError</span> if the ModSecurity
Filter is used in multiple applications within the same server.
</p>
<br/>
<br/>
<br/>
</td> </td>
</tr> </tr>
</table> </table>


@@ -1,3 +1,4 @@
<%@page import="java.net.URLDecoder"%>
<%@page contentType="text/html" pageEncoding="UTF-8"%> <%@page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE html> <!DOCTYPE html>
<html> <html>
@@ -34,7 +35,7 @@
</tr> </tr>
<tr> <tr>
<td> <td>
<form id="demoForm" method="post" action="index.jsp"> <form id="demoForm" method="get" action="index.jsp">
<b>Payload:</b> <b>Payload:</b>
<fieldset> <fieldset>
<textarea name="test" rows="6" cols="90" style="max-width:800px;"></textarea> <!--Foo' or '2' < '1' ;--example payload--> <textarea name="test" rows="6" cols="90" style="max-width:800px;"></textarea> <!--Foo' or '2' < '1' ;--example payload-->
@@ -88,10 +89,10 @@
</tr> </tr>
<tr> <tr>
<td> <td>
<% if (request.getParameter("test") != null) {%> <% if (request.getParameter("test") != null) {%>
<h3>Last submitted payload:</h3> <h3>Last submitted payload:</h3>
<p><%= request.getParameter("test")%></p> <p><%= request.getParameter("test") %></p>
<br /> <br />
<% }%> <% }%>
</td> </td>
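Review bot: `<%= request.getParameter("test") %>` writes the submitted payload into the page unescaped, so the demo is a reflected XSS sink that relies entirely on the filter blocking the payload; if that is deliberate for a WAF test page, say so next to it with `<%-- intentionally unescaped: this page exists to exercise the ModSecurity filter --%>`, otherwise escape the value before output. Switching the form to `method="get"` moves the payload into the query string, where it lands in access logs and Referer headers; a comment stating why GET was chosen would help the next reader. The new `<%@page import="java.net.URLDecoder"%>` is not used by any visible line and can go.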

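--- a/java/Readme.html
+++ b/java/Readme.html
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>ModSecurity WAF: Help page</title>
+</head>
+<body onload=window.location="./ModSecurityTestApp/web/help.html">
+Please read the instructions from <a href="./ModSecurityTestApp/web/help.html">./ModSecurityTestApp/web/help.html</a>
+</body>
+</html>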