Package org.springframework.extensions.webscripts.servlet

Class CSRFFilter

  • All Implemented Interfaces:
    javax.servlet.Filter
    public class CSRFFilter
extends java.lang.Object
implements javax.servlet.Filter
    A CSRF Filter class for the web-tier checking that certain requests supply a secret token that is compared to the token existing in the user's session to mitigate CSRF attacks. It is also possible to check the referer or origin headers.

    The logic is configurable making it possible to: disable the filter, use 1 and same token per session, refresh the token when certain urls are requested (i.e. on a new page visit, which is recommended) OR refresh the token on every request made to the server (which is not recommended since multiple requests might span over each other making some tokens stale and therefor get treated as a CSRF attack).

    It is recommended to run the filter with a filter-mapping that NOT includes client side resources since that is pointless and unnecessarily would decrease the performance of the webapp (even though the filter still would work).

    Since:
    6.11 NOTE: Copied from Slingshot project to WebScripts 6.11 on 5/11/2016
    Author:
    Erik Winlof

    • Constructor Summary

      Constructors 
      Constructor Description
      CSRFFilter()  

    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      protected org.springframework.extensions.webscripts.servlet.CSRFFilter.Action createAction​(java.lang.String name)
      Creates a rule action based on a name
      protected org.springframework.extensions.webscripts.servlet.CSRFFilter.Rule createRule​(org.springframework.extensions.config.ConfigElement ruleConfig)
      Creates a rule object based on the config.
      void destroy()  
      void doFilter​(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain filterChain)
      Will check the requests method, path, request headers & the session's attributes against the rule config to see which rule actions that should be used, will either generate a new token, assert that the request's token equals the session's token, remove the token fmor the cookie and session OR simply do nothing.
      protected java.lang.String getPath​(javax.servlet.http.HttpServletRequest request)
      Returns the path for a request where a path is the request uri with the request context stripped out.
      void init​(javax.servlet.FilterConfig config)
      Parses the filter rule config.
      protected boolean matchRequest​(org.springframework.extensions.webscripts.servlet.CSRFFilter.Rule rule, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpSession session)
      Compare the request against the configured rules.
      protected boolean matchString​(java.lang.String str, java.lang.String regexp)
      Checks if str matches the regular expression defined in regexp.

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Constructor Detail

      • CSRFFilter

        public CSRFFilter()

    • Method Detail

      • init

        public void init​(javax.servlet.FilterConfig config)
          throws javax.servlet.ServletException
        Parses the filter rule config.
        Specified by:
        init in interface javax.servlet.Filter
        Parameters:
        config - The filter config
        Throws:
        javax.servlet.ServletException - if the rule filter config is invalid

      • createRule

        protected org.springframework.extensions.webscripts.servlet.CSRFFilter.Rule createRule​(org.springframework.extensions.config.ConfigElement ruleConfig)
                                                                                throws javax.servlet.ServletException
        Creates a rule object based on the config.
        Parameters:
        ruleConfig - The rule config element
        Returns:
        A rul eobject created form the config
        Throws:
        javax.servlet.ServletException - if the config is invalid

      • createAction

        protected org.springframework.extensions.webscripts.servlet.CSRFFilter.Action createAction​(java.lang.String name)
                                                                                    throws javax.servlet.ServletException
        Creates a rule action based on a name
        Parameters:
        name - The name of the action, can be "generateToken", "assertToken" and "clearToken"
        Returns:
        An action object
        Throws:
        javax.servlet.ServletException - if there is no action for name

      • doFilter

        public void doFilter​(javax.servlet.ServletRequest servletRequest,
                     javax.servlet.ServletResponse servletResponse,
                     javax.servlet.FilterChain filterChain)
              throws java.io.IOException,
                     javax.servlet.ServletException
        Will check the requests method, path, request headers & the session's attributes against the rule config to see which rule actions that should be used, will either generate a new token, assert that the request's token equals the session's token, remove the token fmor the cookie and session OR simply do nothing.
        Specified by:
        doFilter in interface javax.servlet.Filter
        Parameters:
        servletRequest - The servlet request
        servletResponse - The servlet response
        filterChain - The filter chain
        Throws:
        java.io.IOException
        javax.servlet.ServletException - if the request requires a CSRF token but there is no such token in the request matching the token in the user's session.

      • destroy

        public void destroy()
        Specified by:
        destroy in interface javax.servlet.Filter

      • getPath

        protected java.lang.String getPath​(javax.servlet.http.HttpServletRequest request)
        Returns the path for a request where a path is the request uri with the request context stripped out.
        Parameters:
        request - The http request
        Returns:
        The path for a request where a path is the request uri with the request context stripped out.

      • matchRequest

        protected boolean matchRequest​(org.springframework.extensions.webscripts.servlet.CSRFFilter.Rule rule,
                               javax.servlet.http.HttpServletRequest request,
                               javax.servlet.http.HttpSession session)
                        throws javax.servlet.ServletException
        Compare the request against the configured rules.
        Parameters:
        rule - The rule to match against the request and session
        request - The http request
        session - The user's session
        Returns:
        The first rule that matches the request and sessions or null if there is no such rule.
        Throws:
        javax.servlet.ServletException

      • matchString

        protected boolean matchString​(java.lang.String str,
                              java.lang.String regexp)
        Checks if str matches the regular expression defined in regexp.
        Parameters:
        str - The value to match
        regexp - The regular expression to match against str
        Returns:
        true if str matches regexp