fix for: https://issues.apache.org/jira/browse/AMQ-2740

Fix for NPE indicate possible CSRF attack instead. git-svn-id: https://svn.apache.org/repos/asf/activemq/trunk@1418061 13f79535-47bb-0310-9956-ffa450edef68
2012-12-06 20:37:04 +00:00 · 2012-12-06 20:37:04 +00:00 · 67252fe60d
parent 4321ae065d
commit 67252fe60d
1 changed files with 18 additions and 18 deletions
--- a/activemq-web-console/src/main/java/org/apache/activemq/web/handler/BindingBeanNameUrlHandlerMapping.java
+++ b/activemq-web-console/src/main/java/org/apache/activemq/web/handler/BindingBeanNameUrlHandlerMapping.java
@ -17,7 +17,6 @@
 package org.apache.activemq.web.handler;

 import java.util.Arrays;
-import java.util.UUID;

 import javax.servlet.http.HttpServletRequest;

@ -25,15 +24,16 @@ import org.apache.activemq.web.DestinationFacade;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.ServletRequestDataBinder;
-import org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping;
 import org.springframework.web.servlet.HandlerExecutionChain;
+import org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping;

 /**
- * 
+ *
 */
 public class BindingBeanNameUrlHandlerMapping extends BeanNameUrlHandlerMapping {
    private static final transient Logger LOG = LoggerFactory.getLogger(BindingBeanNameUrlHandlerMapping.class);

+    @Override
    protected Object getHandlerInternal(HttpServletRequest request) throws Exception {
        Object object = super.getHandlerInternal(request);

@ -45,21 +45,21 @@ public class BindingBeanNameUrlHandlerMapping extends BeanNameUrlHandlerMapping
            HandlerExecutionChain handlerExecutionChain = (HandlerExecutionChain) object;
            object = handlerExecutionChain.getHandler();
        }
-        
+
        if (object != null) {
-        	// prevent CSRF attacks
-        	if (object instanceof DestinationFacade) {
-        		// check supported methods
-        		if (!Arrays.asList(((DestinationFacade)object).getSupportedHttpMethods()).contains(request.getMethod())) {
-        			throw new UnsupportedOperationException("Unsupported method " + request.getMethod() + " for path " + request.getRequestURI());
-        		}
-        		// check the 'secret'
-        		if (!request.getSession().getAttribute("secret").equals(request.getParameter("secret"))) {
-        			throw new UnsupportedOperationException("Possible CSRF attack");
-        		}
-        	}
-        	
-        	
+            // prevent CSRF attacks
+            if (object instanceof DestinationFacade) {
+                // check supported methods
+                if (!Arrays.asList(((DestinationFacade)object).getSupportedHttpMethods()).contains(request.getMethod())) {
+                    throw new UnsupportedOperationException("Unsupported method " + request.getMethod() + " for path " + request.getRequestURI());
+                }
+                // check the 'secret'
+                if (request.getSession().getAttribute("secret") == null ||
+                    !request.getSession().getAttribute("secret").equals(request.getParameter("secret"))) {
+                    throw new UnsupportedOperationException("Possible CSRF attack");
+                }
+            }
+
            ServletRequestDataBinder binder = new ServletRequestDataBinder(object, "request");
            try {
                binder.bind(request);
@ -73,7 +73,7 @@ public class BindingBeanNameUrlHandlerMapping extends BeanNameUrlHandlerMapping
                throw e;
            }
        }
-        
+
        return object;
    }
 }