001    /**
002     * Licensed to the Apache Software Foundation (ASF) under one or more
003     * contributor license agreements.  See the NOTICE file distributed with
004     * this work for additional information regarding copyright ownership.
005     * The ASF licenses this file to You under the Apache License, Version 2.0
006     * (the "License"); you may not use this file except in compliance with
007     * the License.  You may obtain a copy of the License at
008     *
009     *      http://www.apache.org/licenses/LICENSE-2.0
010     *
011     * Unless required by applicable law or agreed to in writing, software
012     * distributed under the License is distributed on an "AS IS" BASIS,
013     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014     * See the License for the specific language governing permissions and
015     * limitations under the License.
016     */
017    package org.apache.activemq.web.handler;
018    
019    import java.util.Arrays;
020    import java.util.UUID;
021    
022    import javax.servlet.http.HttpServletRequest;
023    
024    import org.apache.activemq.web.DestinationFacade;
025    import org.apache.commons.logging.Log;
026    import org.apache.commons.logging.LogFactory;
027    import org.springframework.web.bind.ServletRequestDataBinder;
028    import org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping;
029    import org.springframework.web.servlet.HandlerExecutionChain;
030    
031    /**
032     * @version $Revision: 915387 $
033     */
034    public class BindingBeanNameUrlHandlerMapping extends BeanNameUrlHandlerMapping {
035        private static final transient Log LOG = LogFactory.getLog(BindingBeanNameUrlHandlerMapping.class);
036    
037        protected Object getHandlerInternal(HttpServletRequest request) throws Exception {
038            Object object = super.getHandlerInternal(request);
039    
040            if (object instanceof String) {
041                String handlerName = (String) object;
042                object = getApplicationContext().getBean(handlerName);
043            }
044            if (object instanceof HandlerExecutionChain) {
045                HandlerExecutionChain handlerExecutionChain = (HandlerExecutionChain) object;
046                object = handlerExecutionChain.getHandler();
047            }
048            
049            if (object != null) {
050                    // prevent CSRF attacks
051                    if (object instanceof DestinationFacade) {
052                            // check supported methods
053                            if (!Arrays.asList(((DestinationFacade)object).getSupportedHttpMethods()).contains(request.getMethod())) {
054                                    throw new UnsupportedOperationException("Unsupported method " + request.getMethod() + " for path " + request.getRequestURI());
055                            }
056                            // check the 'secret'
057                            if (!request.getSession().getAttribute("secret").equals(request.getParameter("secret"))) {
058                                    throw new UnsupportedOperationException("Possible CSRF attack");
059                            }
060                    }
061                    
062                    
063                ServletRequestDataBinder binder = new ServletRequestDataBinder(object, "request");
064                try {
065                    binder.bind(request);
066                    binder.setIgnoreUnknownFields(true);
067                    if (LOG.isDebugEnabled()) {
068                        LOG.debug("Bound POJO is now: " + object);
069                    }
070                }
071                catch (Exception e) {
072                    LOG.warn("Caught: " + e, e);
073                    throw e;
074                }
075            }
076            
077            return object;
078        }
079    }