Class AbstractValidationPipeline

java.lang.Object
de.cuioss.http.security.pipeline.AbstractValidationPipeline
All Implemented Interfaces:
HttpSecurityValidator
Direct Known Subclasses:
HTTPHeaderValidationPipeline, URLParameterValidationPipeline, URLPathValidationPipeline

public abstract class AbstractValidationPipeline extends Object implements HttpSecurityValidator
Abstract base class for validation pipelines that provides common validation logic.

This class implements the standard pipeline validation pattern where multiple validation stages are executed sequentially with early termination on security violations.

Key Features

  • Sequential Processing - Each stage processes the output of the previous stage
  • Early Termination - Pipeline stops on first security violation
  • Event Tracking - Security violations are tracked via SecurityEventCounter
  • Exception Enhancement - Exceptions are re-thrown with correct validation type
Since:
1.0
  • Method Details

    • getValidationType

      public abstract ValidationType getValidationType()
      Returns the validation type handled by this pipeline.
      Returns:
      The validation type for this pipeline
    • validate

      public Optional<String> validate(@Nullable String value) throws UrlSecurityException
      Description copied from interface: HttpSecurityValidator
      Validates the input string and returns the sanitized/normalized version.

      This method should examine the input for security violations and either:

      • Return the input unchanged if it's safe
      • Return a sanitized/normalized version if safe transformations are possible
      • Return Optional.empty() if the input was null
      • Throw UrlSecurityException if the input represents a security threat

      The decision between sanitization and rejection depends on the specific validator and security requirements. Critical security validators should prefer rejection over sanitization to avoid bypasses.

      Specified by:
      validate in interface HttpSecurityValidator
      Parameters:
      value - The input to validate. May be null.
      Returns:
      The validated, potentially sanitized or normalized value wrapped in Optional. Returns Optional.empty() if the input was null.
      Throws:
      UrlSecurityException - If the input represents a security violation that cannot be safely sanitized. The exception should include detailed context about the failure for logging and debugging purposes.
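
The pipeline pattern and the `validate` contract described above, sketched as an added example (not the library's own code). `Kind`, `Violation`, `Stage` and `COUNTER` are hypothetical stand-ins for `ValidationType`, `UrlSecurityException`, the validation stages and `SecurityEventCounter`; the stages and inputs are constructed.

```java
import java.util.*;

public class PipelineSketch {
    // Hypothetical stand-ins, not the cuioss API.
    enum Kind { URL_PATH, PARAMETER_VALUE }

    static class Violation extends RuntimeException {
        final Kind kind; final String failure; final String input;
        Violation(Kind kind, String failure, String input) {
            super(failure + " in " + kind + ": " + input);
            this.kind = kind; this.failure = failure; this.input = input;
        }
    }

    interface Stage { Optional<String> validate(String value); }

    // Plays the role of SecurityEventCounter: failure name -> occurrences.
    static final Map<String, Integer> COUNTER = new HashMap<>();

    static Optional<String> run(Kind pipelineKind, List<Stage> stages, String value) {
        if (value == null) return Optional.empty();            // null in, empty out
        String current = value;
        for (Stage stage : stages) {
            try {
                // Sequential processing: each stage receives the previous stage's output.
                current = stage.validate(current).orElse(current);
            } catch (Violation v) {
                COUNTER.merge(v.failure, 1, Integer::sum);     // event tracking
                // Early termination: later stages never run. The exception is
                // re-thrown carrying the pipeline's own validation type.
                throw new Violation(pipelineKind, v.failure, v.input);
            }
        }
        return Optional.of(current);
    }

    public static void main(String[] args) {
        // Stages do not know which pipeline they run in, so they pass no kind.
        Stage length = v -> { if (v.length() > 64) throw new Violation(null, "TOO_LONG", v); return Optional.of(v); };
        Stage normalize = v -> Optional.of(v.replaceAll("/{2,}", "/")); // safe transformation
        Stage traversal = v -> { if (v.contains("..")) throw new Violation(null, "PATH_TRAVERSAL", v); return Optional.of(v); };
        List<Stage> path = List.of(length, normalize, traversal);

        System.out.println(run(Kind.URL_PATH, path, "/api//users"));  // safe input, normalized form returned
        System.out.println(run(Kind.URL_PATH, path, null));           // null input
        try {
            run(Kind.URL_PATH, path, "/api/../etc/passwd");           // rejected, not sanitized
        } catch (Violation v) {
            System.out.println(v.kind + " " + v.failure + " " + COUNTER);
        }
    }
}
```

The traversal stage rejects rather than stripping the `..` segment, matching the guidance that critical validators should prefer rejection over sanitization.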