/// <summary>
/// Registers the mockable <c>IHttp*</c> wrapper interfaces with the container.
/// Every registration is a factory lambda, so <c>HttpContext.Current</c> is read
/// at resolution time (per request), not when the container is configured.
/// </summary>
/// <param name="x">The container configuration to add the registrations to.</param>
/// <remarks>
/// Background: http://haacked.com/archive/2007/09/09/ihttpcontext-and-other-interfaces-for-your-duck-typing-benefit.aspx
/// The third-party library from that post misbehaved in production when several
/// requests arrived during bootstrapping, so these are hand-rolled proxies:
/// http://github.com/jonkruger/httpinterfaces
/// NOTE(review): resolving any of these outside a request (where HttpContext.Current
/// is null) presumably throws from inside the lambda — confirm callers never do that.
/// NOTE(review): HttpContext.Current.Session is only populated once session state has
/// been acquired, so IHttpSession resolved early in the pipeline may wrap null — confirm.
/// </remarks>
private void ConfigureHttpInterfaces(ConfigurationExpression x)
{
    // Application-level objects.
    x.For<IHttpApplication>().Use(ctx => WebContext.Cast(HttpContext.Current.ApplicationInstance));
    x.For<IHttpApplicationState>().Use(ctx => WebContext.Cast(HttpContext.Current.Application));
    x.For<IHttpModuleCollection>().Use(ctx => WebContext.Cast(HttpContext.Current.ApplicationInstance.Modules));

    // Per-request context, request and response.
    x.For<IHttpContext>().Use(ctx => WebContext.Cast(HttpContext.Current));
    x.For<IHttpRequest>().Use(ctx => WebContext.Cast(HttpContext.Current.Request));
    x.For<IHttpResponse>().Use(ctx => WebContext.Cast(HttpContext.Current.Response));
    x.For<IHttpCachePolicy>().Use(ctx => WebContext.Cast(HttpContext.Current.Response.Cache));

    // Request sub-objects.
    x.For<IHttpClientCertificate>().Use(ctx => WebContext.Cast(HttpContext.Current.Request.ClientCertificate));
    x.For<IHttpFileCollection>().Use(ctx => WebContext.Cast(HttpContext.Current.Request.Files));

    // Server utilities, session and tracing.
    x.For<IHttpServerUtility>().Use(ctx => WebContext.Cast(HttpContext.Current.Server));
    x.For<IHttpSession>().Use(ctx => WebContext.Cast(HttpContext.Current.Session));
    x.For<ITraceContext>().Use(ctx => WebContext.Cast(HttpContext.Current.Trace));
}
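/// <summary>
/// ESAPI request filter: identifies the caller, logs the request, checks URL
/// authorization and baseline input validation, then sets no-cache headers
/// before the request reaches the application.
/// </summary>
/// <param name="source">The application raising the event (unused).</param>
/// <param name="e">Event data (unused).</param>
/// <remarks>
/// Each security failure is routed through <c>Server.Transfer("login.aspx")</c>.
/// NOTE(review): that relies on Transfer ending the request; if it returns or fails
/// in the pipeline stage this handler runs in, the remaining checks still execute and
/// the request proceeds (fail-open) — confirm before relying on it.
/// </remarks>
private void Application_BeginRequest(Object source, EventArgs e)
{
    HttpContext context = HttpContext.Current;
    // context.Request / context.Response are already HttpRequest / HttpResponse; no cast needed.
    HttpRequest request = context.Request;
    HttpResponse response = context.Response;
    try
    {
        // Figure out who the current user is. A failed login only logs the user
        // out; the request continues unauthenticated and relies on the
        // access-control check below to stop it.
        try
        {
            ((Authenticator)Esapi.Authenticator()).Context = WebContext.Cast(HttpContext.Current);
            Esapi.Authenticator().Login();
        }
        catch (AuthenticationException)
        {
            ((Authenticator)Esapi.Authenticator()).Logout();
            // FIXME: use safeforward!
            // FIXME: make configurable with config
            // int position = request.Url.ToString().LastIndexOf('/') + 1;
            // string page = request.Url.ToString().Substring(position, request.Url.ToString().Length - position);
            // if (!page.ToLower().Equals("default.aspx"))
            // {
            //     response.Redirect("default.aspx");
            // }
            // return;
        }

        // Log this request; the 'ignore' field presumably lists the parameter
        // names to obfuscate (the original comment names "password") — confirm.
        logger.LogHttpRequest(new ArrayList(ignore));

        // Check access to this URL (RawUrl is already a string).
        if (!Esapi.AccessController().IsAuthorizedForUrl(request.RawUrl))
        {
            context.Items["message"] = "Unauthorized";
            context.Server.Transfer("login.aspx");
        }

        // Verify that this request meets the baseline input requirements.
        if (!Esapi.Validator().IsValidHttpRequest(WebContext.Cast(request)))
        {
            context.Items["message"] = "Validation error";
            context.Server.Transfer("login.aspx");
        }

        // Set caching headers. NOTE(review): the CSRF token check is disabled
        // below, so this filter provides no CSRF protection for state-changing
        // requests.
        IHttpUtilities utils = Esapi.HttpUtilities();
        // utils.checkCSRFToken();
        utils.SetNoCacheHeaders();
        //utils.SafeSetContentType();

        // Forward this request on to the web application.
    }
    catch (Exception ex)
    {
        // NOTE(review): if Server.Transfer ends the response by throwing
        // ThreadAbortException, this catch-all logs every transfer as a
        // security error before the abort is re-raised — confirm; a
        // `catch (ThreadAbortException) { throw; }` ahead of this would avoid that.
        // Nothing here ends the response, so after logging the request
        // presumably continues down the pipeline.
        logger.LogSpecial("Security error in ESAPI Filter", ex);
        response.Output.WriteLine("<H1>Security Error</H1>");
    }
}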
/// <summary>
/// Gets the user from the current session.
/// </summary>
/// <param name="request">The current HTTP request.</param>
/// <returns>The current user.</returns>
/// <seealso cref="Owasp.Esapi.Interfaces.IAuthenticator.GetUserFromSession(IHttpRequest)">
/// </seealso>
public IUser GetUserFromSession(HttpRequest request)
{
    // Wrap the concrete request in its interface proxy and defer to the
    // interface-based overload so both entry points share one implementation.
    var wrappedRequest = WebContext.Cast(request);
    return GetUserFromSession(wrappedRequest);
}