Methods Summary |
---|
private IConnection | getConnectionWithRedirectedURL(IConnection connection, java.net.URL redirect)
// Builds the connection used after a redirect. Only the port and the
// transport-security flag are taken from the redirect URL; host, path and
// credentials all come from the original connection.
final ServletConnection original = (ServletConnection) connection;

// 1. Host from the original connection, port from the redirect.
// NOTE(review): java.net.URL.getPort() returns -1 when the redirect URL
// carries no explicit port -- confirm HttpConnectorAddress copes with that.
final String host = original.getURL().getHost();
final int port = redirect.getPort();
final HttpConnectorAddress target = new HttpConnectorAddress(host, port);

// 2. Path from the original connection.
target.setPath(original.getURL().getPath());

// 3. Credentials from the original connection. They will be presented to
// whatever listens on the redirected port, so the redirect must already
// have been validated by the caller (processRedirect does this through
// isRedirectionInvalid) before this method runs.
target.setAuthenticationInfo(
        original.getHttpConnectorAddress().getAuthenticationInfo());

// 4. Secure flag from the redirect's scheme.
// NOTE(review): any scheme other than https/http leaves the flag at the
// HttpConnectorAddress default -- confirm what that default is.
final String scheme = redirect.getProtocol();
if (scheme.equalsIgnoreCase(HttpConnectorAddress.HTTPS_CONNECTOR)) {
    target.setSecure(true);
} else if (scheme.equalsIgnoreCase(HttpConnectorAddress.HTTP_CONNECTOR)) {
    target.setSecure(false);
}

return ConnectionFactory.createConnection(target);
|
public javax.management.remote.message.MBeanServerResponseMessage | invoke(int methodId, java.lang.Object[] params)
// Sends one MBean server request and returns its response, following at
// most one redirect when autoRedirect is enabled.
// TODO: delegationSubject is still to be considered (passed as null here).
final StreamMBeanServerRequestMessage request =
        new StreamMBeanServerRequestMessage(methodId, params, null);
connection.send(request);
try {
    return (MBeanServerResponseMessage) connection.receive();
} catch (RedirectException redirectEx) {
    // With auto redirect disabled the exception goes to the caller as is.
    if (!autoRedirect) {
        throw redirectEx;
    }
    // processRedirect validates the redirect and swaps the current
    // connection for one that reflects the received redirect URL.
    processRedirect(redirectEx);
    // The request is replayed through invoke(request), which does not
    // catch RedirectException, so a second redirect is not followed.
    return invoke(request);
}
|
public javax.management.remote.message.MBeanServerResponseMessage | invoke(com.sun.enterprise.admin.jmx.remote.streams.StreamMBeanServerRequestMessage request)
This method is a second chance to invoke the operation again with the right redirected URL.
// Replays an already-built request on the current connection. No
// RedirectException handling here: a further redirect reaches the caller.
connection.send(request);
final Object reply = connection.receive();
return (MBeanServerResponseMessage) reply;
|
private boolean | isRedirectionInvalid(java.net.URL redirect, IConnection origConn)
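// Decides whether a redirect must be refused. Returns true (invalid) when
// the redirect URL is missing, names a different host than the original
// connection, or would move an HTTPS connection to anything other than
// HTTPS; returns false when none of these checks fails.
final ServletConnection sc = (ServletConnection) origConn;

// A malformed redirect translates to null; see
// RedirectException.getRedirectURL().
if (redirect == null) {
    return true;
}

// The redirect must stay on the original host; a different host means the
// URL was altered somewhere between server and client.
final String redirectedHost = redirect.getHost();
final String origHost = sc.getURL().getHost();
if (redirectedHost == null || !redirectedHost.equalsIgnoreCase(origHost)) {
    return true;
}

// Refuse a security downgrade, e.g. the CLI specified --secure=true and
// the redirect is not HTTPS. The check is "HTTPS must stay HTTPS" rather
// than "HTTPS must not become HTTP": getConnectionWithRedirectedURL only
// sets the secure flag for the http and https schemes, so any other
// scheme would otherwise pass validation and leave the flag at its
// default while the original credentials are reused.
final String newProtocol = redirect.getProtocol();
final String origProtocol = sc.getURL().getProtocol();
final boolean origSecure =
        origProtocol.equalsIgnoreCase(HttpConnectorAddress.HTTPS_CONNECTOR);
final boolean newSecure =
        newProtocol.equalsIgnoreCase(HttpConnectorAddress.HTTPS_CONNECTOR);
if (origSecure && !newSecure) {
    return true;
}

// Every check passed: the redirect may be followed.
return false;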
|
private void | processRedirect(com.sun.appserv.management.client.RedirectException ex)
// Validates the redirect carried by the exception and, when it is
// acceptable, replaces the current connection with one built for the
// redirected URL.
final URL target = ex.getRedirectURL();

// The redirect is checked for
//   1. validity of the new redirect URL itself
//   2. not downgrading security unintentionally
// An invalid redirect is rethrown as a RedirectException so the CLI can do
// the logging and user communication.
// NOTE(review): the same message is used for every rejection reason,
// including a host mismatch, where advising --secure=false is misleading.
final boolean rejected = isRedirectionInvalid(target, connection);
if (rejected) {
    throw new RedirectException(ex.getRedirectURLStr(),
            "Invalid Redirect. " +
            "Security cannot be downgraded. Please try with --secure=false");
}

connection = getConnectionWithRedirectedURL(connection, target);
|