mirror of
https://github.com/google/nomulus.git
synced 2025-05-01 20:47:52 +02:00
c458c05801
The dark lord Gosling designed the Java package naming system so that ownership flows from the DNS system. Since we own the domain name registry.google, it seems only appropriate that we should use google.registry as our package name.
76 lines
2.6 KiB
Java
76 lines
2.6 KiB
Java
// Copyright 2016 The Domain Registry Authors. All Rights Reserved.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package google.registry.security;
|
|
|
|
import static com.google.common.base.Preconditions.checkNotNull;
|
|
import static javax.servlet.http.HttpServletResponse.SC_BAD_REQUEST;
|
|
import static javax.servlet.http.HttpServletResponse.SC_OK;
|
|
|
|
import google.registry.request.HttpException;
|
|
|
|
import java.io.IOException;
|
|
import java.util.Map;
|
|
|
|
import javax.servlet.http.HttpServletRequest;
|
|
import javax.servlet.http.HttpServletResponse;
|
|
|
|
/**
|
|
* Secure servlet that speaks JSON for both input and output.
|
|
*
|
|
* <p>This servlet accepts only JSON inputs (using the payload) and returns only JSON
|
|
* responses, using and various security best practices such as a parser breaker,
|
|
* {@code Content-Disposition: attachment}, etc.
|
|
*
|
|
* @see JsonHttp
|
|
*/
|
|
public abstract class JsonTransportServlet extends XsrfProtectedServlet {
|
|
|
|
protected JsonTransportServlet(String xsrfScope, boolean requireAdmin) {
|
|
super(xsrfScope, requireAdmin);
|
|
}
|
|
|
|
/**
|
|
* Verify that this is a well-formed request and then execute it. A well-formed request will have
|
|
* either a JSON string in the "json" param that evaluates to a map, or nothing in "json".
|
|
*/
|
|
@Override
|
|
protected final void doPost(HttpServletRequest req, HttpServletResponse rsp) throws IOException {
|
|
Map<String, ?> input = JsonHttp.read(req);
|
|
if (input == null) {
|
|
rsp.sendError(SC_BAD_REQUEST, "Malformed JSON");
|
|
return;
|
|
}
|
|
Map<String, ?> output;
|
|
try {
|
|
output = doJsonPost(req, input);
|
|
} catch (HttpException e) {
|
|
e.send(rsp);
|
|
return;
|
|
}
|
|
checkNotNull(output, "doJsonPost() returned null");
|
|
rsp.setStatus(SC_OK);
|
|
JsonHttp.write(rsp, output);
|
|
}
|
|
|
|
/**
|
|
* Handler for HTTP POST requests.
|
|
*
|
|
* @param req Servlet request object.
|
|
* @param input JSON request object or empty if none was provided.
|
|
* @return an arbitrary JSON object. Must not be {@code null}.
|
|
* @throws HttpException in order to send a non-200 status code / message to the client.
|
|
*/
|
|
public abstract Map<String, Object> doJsonPost(HttpServletRequest req, Map<String, ?> input);
|
|
}
|