github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-11-21 03:26:42 +03:00
Code Issues Packages Projects Releases Wiki Activity

configs

Browse Source
This commit is contained in:
Mihai Pitu
2013-08-22 14:44:02 +03:00
committed by Felipe Zimmerle
parent 656f7c513c
commit e1cd024c26
17 changed files with 1306 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
java/ModSecurityTestApp/src/java/org/modsecurity/ModSecurity.java
View File

@@ -7,10 +7,7 @@ import java.net.UnknownHostException;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
/**
*
* @author Mihai Pitu
*/
public final class ModSecurity {
//From build/classes: >"c:\Program Files\Java\jdk1.7.0_05\bin\javah.exe" -classpath c:\work\apache-tomcat-7.0.39\lib\servlet-api.jar;. org.modsecurity.ModSecurity
@@ -23,14 +20,14 @@ public final class ModSecurity {
static {
//ModSecurityLoader calls System.load() for every native library needed by ModSecurity.
try {
Class.forName("org.modsecurity.loader.ModSecurityLoader");
System.out.println("ModSecurity libraries loaded.");
} catch (ClassNotFoundException ex) {
java.util.logging.Logger.getLogger(ModSecurity.class.getName()).log(java.util.logging.Level.SEVERE,
"ModSecurityLoader was not found, please make sure that you have \"ModSecurityLoader.jar\" in your server lib folder.", ex);
}
// try {
// Class.forName("org.modsecurity.loader.ModSecurityLoader");
// System.out.println("ModSecurity libraries loaded.");
// } catch (ClassNotFoundException ex) {
// java.util.logging.Logger.getLogger(ModSecurity.class.getName()).log(java.util.logging.Level.SEVERE,
// "ModSecurityLoader was not found, please make sure that you have \"ModSecurityLoader.jar\" in your server lib folder.", ex);
// }
//If the ModSecurityLoader is not used, native libraries can be loaded here, however this is bad practice since this will raise UnsatisfiedLinkError if
//ModSecurity is used in multiple webapps. This will also will raise problems when the web-app is redeployed and the server is running.
// System.load("c:\\work\\mod_security\\java\\libs\\zlib1.dll");
@@ -40,6 +37,19 @@ public final class ModSecurity {
// System.load("c:\\work\\mod_security\\java\\libs\\libapriconv-1.dll");
// System.load("c:\\work\\mod_security\\java\\libs\\libaprutil-1.dll");
// System.load("c:\\work\\mod_security\\java\\Debug\\ModSecurityJNI.dll");
try {
System.loadLibrary("zlib1"); //needed for libxml2 in Windows
} catch(UnsatisfiedLinkError ex) {
}
System.loadLibrary("libxml2");
System.loadLibrary("pcre");
System.loadLibrary("libapr-1");
try {
System.loadLibrary("libapriconv-1");
} catch(UnsatisfiedLinkError ex) { //needed for libaprutil-1 in Windows
}
System.loadLibrary("libaprutil-1");
System.loadLibrary("ModSecurityJNI");
}
public ModSecurity(FilterConfig fc, String confFile) throws ServletException {

1
java/ModSecurityTestApp/src/java/org/modsecurity/ModSecurityFilter.java
View File

@@ -1,7 +1,6 @@
package org.modsecurity;
import java.io.IOException;
import java.net.URLDecoder;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;

2
java/ModSecurityTestApp/src/java/org/modsecurity/MsHttpServletRequest.java
View File

@@ -491,7 +491,7 @@ public class MsHttpServletRequest extends HttpServletRequestWrapper {
*/
@Override
public Enumeration getParameterNames() {
Hashtable parameterNames = new Hashtable();
Hashtable<Object, Object> parameterNames = new Hashtable<Object, Object>();
for (int i = 0, n = parameters.size(); i < n; i++) {
Parameter p = (Parameter) parameters.get(i);
parameterNames.put(p.name, p.value);

10
java/ModSecurityTestApp/src/java/org/modsecurity/MsHttpServletResponse.java
View File

@@ -25,8 +25,8 @@ public class MsHttpServletResponse extends HttpServletResponseWrapper {
private static final int INTERCEPT_OBSERVE_ONLY = 2;
public static final String DEFAULT_CHARACTER_ENCODING = "ISO-8859-1";
private int interceptMode = INTERCEPT_ON;
private ArrayList headers = new ArrayList();
private ArrayList cookies = new ArrayList();
private ArrayList<Object> headers = new ArrayList<Object>();
private ArrayList<Object> cookies = new ArrayList<Object>();
private int status = -1;
private boolean committed = false;
private boolean suspended = false;
@@ -593,11 +593,11 @@ final class FastHttpDateFormat {
/**
* Formatter cache.
*/
protected static final HashMap formatCache = new HashMap();
protected static final HashMap<Object, Object> formatCache = new HashMap<Object, Object>();
/**
* Parser cache.
*/
protected static final HashMap parseCache = new HashMap();
protected static final HashMap<Object, Object> parseCache = new HashMap<Object, Object>();
// --------------------------------------------------------- Public Methods
/**
@@ -705,7 +705,7 @@ final class FastHttpDateFormat {
/**
* Update cache.
*/
private static void updateCache(HashMap cache, Object key,
private static void updateCache(HashMap<Object, Object> cache, Object key,
Object value) {
if (value == null) {
return;

91
java/ModSecurityTestApp/web/help.html
View File

@@ -13,7 +13,7 @@
}
</style>
</head>
<body style="background: #333333;">
<div align="center" style="width:930px; margin:0 auto; box-shadow: 5px 5px 6px #000; background: #FFFFFF;">
<div style="width: 930px;">
@@ -39,17 +39,16 @@
</p>
<br />
<h3>Installation</h3>
<h2>Installation</h2>
<p>
First you need to choose whether to download and compile ModSecurity from the project's version control web-site:
<a href="https://github.com/SpiderLabs/ModSecurity">github.com/SpiderLabs/ModSecurity</a> or using pre-compiled binaries from
<a href="https://www.modsecurity.org/">modsecurity.org</a>. We will not discuss how to compile
the dependent native libraries needed since these steps are described in the README files from ModSecurity's repository.
<a href="https://www.modsecurity.org/">modsecurity.org</a>.
The native libraries (.so, .dll, etc.) needed for <b>ModSecurity for Java</b> are:
</p>
<ol>
<li>
zlib1
zlib1 (Windows only)
</li>
<li>
libxml2
@@ -61,25 +60,53 @@
libapr-1
</li>
<li>
libapriconv-1
libapriconv-1 (Windows only)
</li>
<li>
libaprutil-1
</li>
<li>
ModSecurityJNI
ModSecurityJNI (JNI wrapper for mod_security code)
</li>
</ol>
<p>
These native libraries are loaded by the <span class="code">ModSecurityLoader.jar</span>, which should be placed in your Java server library loader
(for example, in Tomcat 7: <span class="code">$CATALINA_HOME/lib</span>). You can build or modify the load directory of <span class="code">ModSecurityLoader</span> from
<span class="code">/mod_security/java/ModSecurityLoader/src/</span>. The libraries have to be copied in a directory (for example, <span class="code">c:\work\mod_security\java\libs\</span>),
which should be accessible to <span class="code">ModSecurityLoader.jar</span>.
These native libraries are used by the <a class="code" href="../src/java/org/modsecurity/ModSecurityFilter.java">ModSecurityFilter</a>.
</p>
<br />
<h4>Java Web Applications with ModSecurity Filter</h4>
<h3>Compile ModSecurity native library</h3>
<p>
Install required packages for compilation. For example, on Debian/Ubuntu like systems (Windows users have a Visual Studio solution):
</p>
<pre class="codecanvas">
sudo apt-get install g++ make automake autoconf libtool
</pre>
<p>
Install required dependent packages:
</p>
<pre class="codecanvas">
sudo apt-get install libxml2 libxml2-dev libxml2-utils libaprutil1 libaprutil1-dev apache2-prefork-dev
</pre>
<p>
Download mod_security source code from <a href="https://github.com/mihaipitu/ModSecurity">GitHub</a>, compile and install:
</p>
<pre class="codecanvas">
cd mod_security/
./autogen.sh
./configure --enable-java-module
make
</pre>
<p>
Copy compiled library in a convenient folder:
</p>
<pre class="codecanvas">
sudo cp ./java/.libs/libModSecurityJNI.so /usr/lib/
</pre>
<br />
<h3>Java Web Applications with ModSecurity Filter</h3>
<p>
ModSecurity for Java uses <a href="http://www.oracle.com/technetwork/java/filters-137243.html">Java Filters</a> in order to
intercept Http requests and responses. <b>ModsecurityTestApp</b> is an example of Java EE Web application using the ModSecurity
@@ -110,15 +137,41 @@
&lt;/filter&gt;
</code>
</pre>
<p>
The ModSecurity Filter makes use of the native libraries written in C/C++ using the JNI technology.
As stated earlier, the native libraries are loaded by the <span class="code">ModSecurityLoader.jar</span>
which should be loaded by the server at start-up. If you are unable to configure the server to load the
ModSecurity libraries at startup, you may load them in your web application although this is not
recommended because this will raise <span class="code">UnsatisfiedLinkError</span> if the ModSecurity
Filter is used in multiple applications within the same server.
</p>
There are two ways of loading native libraries by Java Web Applications:
<ol>
<li>
<h4>Loading native libraries directly in the ModSecurityFilter</h4>
<p>
Although this is the easier, this is not recommended because the JVM will raise
<span class="code">UnsatisfiedLinkError</span> if the ModSecurity Filter is used in
multiple applications within the same server.
The libraries are loaded in the <a class="code" href="../src/java/org/modsecurity/ModSecurity.java">ModSecurity</a> class using
<span class="code">System.loadLibrary()</span>. In this case the server has to be started with
the following VM options:
</p>
<pre class="codecanvas">
-Djava.library.path=/path/to/libraries/folder/
</pre>
<p>
You can specify multiple folders for the <span class="code">java.library.path</span> variable by using
: (colon) or ; (semi-colon), depending on your environment.
</p>
</li>
<li>
<h4>Loading native libraries when the Web Server starts</h4>
<p>
<a class="code" href="../../ModSecurityLoader/dist/ModSecurityLoader.jar">ModSecurityLoader.jar</a> should be placed
in the Java server library loader folder (for example, in Tomcat 7: <span class="code">$CATALINA_HOME/lib</span>).
You can build or modify the load directory of <span class="code">ModSecurityLoader</span> from
<span class="code">/mod_security/java/ModSecurityLoader/src/</span>.
</p>
</li>
</ol>
<br/>
<br/>
<br/>