mv com/google/domain/registry google/registry

This change renames directories in preparation for the great package
rename. The repository is now in a broken state because the code
itself hasn't been updated. However this should ensure that git
correctly preserves history for each file.

java/google/registry/security/JsonTransportServlet.java

@@ -0,0 +1,76 @@
+// Copyright 2016 The Domain Registry Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.domain.registry.security;
+
+import static com.google.common.base.Preconditions.checkNotNull;
+import static javax.servlet.http.HttpServletResponse.SC_BAD_REQUEST;
+import static javax.servlet.http.HttpServletResponse.SC_OK;
+
+import com.google.domain.registry.request.HttpException;
+
+import java.io.IOException;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Secure servlet that speaks JSON for both input and output.
+ *
+ * <p>This servlet accepts only JSON inputs (using the payload) and returns only JSON
+ * responses, using and various security best practices such as a parser breaker,
+ * {@code Content-Disposition: attachment}, etc.
+ *
+ * @see JsonHttp
+ */
+public abstract class JsonTransportServlet extends XsrfProtectedServlet {
+
+  protected JsonTransportServlet(String xsrfScope, boolean requireAdmin) {
+    super(xsrfScope, requireAdmin);
+  }
+
+  /**
+   * Verify that this is a well-formed request and then execute it. A well-formed request will have
+   * either a JSON string in the "json" param that evaluates to a map, or nothing in "json".
+   */
+  @Override
+  protected final void doPost(HttpServletRequest req, HttpServletResponse rsp) throws IOException {
+    Map<String, ?> input = JsonHttp.read(req);
+    if (input == null) {
+      rsp.sendError(SC_BAD_REQUEST, "Malformed JSON");
+      return;
+    }
+    Map<String, ?> output;
+    try {
+      output = doJsonPost(req, input);
+    } catch (HttpException e) {
+      e.send(rsp);
+      return;
+    }
+    checkNotNull(output, "doJsonPost() returned null");
+    rsp.setStatus(SC_OK);
+    JsonHttp.write(rsp, output);
+  }
+
+  /**
+   * Handler for HTTP POST requests.
+   *
+   * @param req Servlet request object.
+   * @param input JSON request object or empty if none was provided.
+   * @return an arbitrary JSON object. Must not be {@code null}.
+   * @throws HttpException in order to send a non-200 status code / message to the client.
+   */
+  public abstract Map<String, Object> doJsonPost(HttpServletRequest req, Map<String, ?> input);
+}