Class CSRFFilter

  • All Implemented Interfaces:
    javax.servlet.Filter

    public class CSRFFilter
    extends java.lang.Object
    implements javax.servlet.Filter
    A CSRF filter for the web tier. It checks that certain requests supply a secret token matching the token stored in the user's session, to mitigate CSRF attacks. It can also check the Referer or Origin headers.

    The logic is configurable, making it possible to: disable the filter; use one and the same token for the whole session; refresh the token when certain URLs are requested (i.e. on a new page visit, which is recommended); OR refresh the token on every request made to the server (which is not recommended, since concurrent requests may overlap so that some of them carry a token that has already been replaced, and those requests are then rejected as a CSRF attack).

    It is recommended to run the filter with a filter-mapping that does NOT include client-side resources (static scripts, stylesheets, images): filtering them is pointless and would needlessly reduce the webapp's performance, even though the filter would still work.

    Since:
    6.11 NOTE: Copied from Slingshot project to WebScripts 6.11 on 5/11/2016
    Author:
    Erik Winlof
    • Constructor Summary

      Constructors 
      Constructor Description
      CSRFFilter()  
    • Method Summary

      Modifier and Type Method Description
      protected org.springframework.extensions.webscripts.servlet.CSRFFilter.Action createAction​(java.lang.String name)
      Creates a rule action based on a name
      protected org.springframework.extensions.webscripts.servlet.CSRFFilter.Rule createRule​(org.springframework.extensions.config.ConfigElement ruleConfig)
      Creates a rule object based on the config.
      void destroy()  
      void doFilter​(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain filterChain)
      Checks the request's method, path and headers and the session's attributes against the rule config to determine which rule actions apply, and then either generates a new token, asserts that the request's token equals the session's token, removes the token from the cookie and session, OR does nothing.
      protected java.lang.String getPath​(javax.servlet.http.HttpServletRequest request)
      Returns the path for a request, where the path is the request URI with the context path stripped.
      void init​(javax.servlet.FilterConfig config)
      Parses the filter rule config.
      protected boolean matchRequest​(org.springframework.extensions.webscripts.servlet.CSRFFilter.Rule rule, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpSession session)
      Compares the request and session against a single configured rule.
      protected boolean matchString​(java.lang.String str, java.lang.String regexp)
      Checks if str matches the regular expression defined in regexp.
      protected void postprocessOnHttpBasicAuth​(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpSession session)
      If the request uses HTTP Basic Authentication, removes the session attributes set in preprocessOnHttpBasicAuth.
      protected void preprocessOnHttpBasicAuth​(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpSession session)
      If the request uses HTTP Basic Authentication, sets the _alf_USER_ID and Alfresco-CSRFToken attributes in the session so that the CSRF rules (which match on session attributes) are applied to the request.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • CSRFFilter

        public CSRFFilter()
    • Method Detail

      • init

        public void init​(javax.servlet.FilterConfig config)
                  throws javax.servlet.ServletException
        Parses the filter rule config.
        Specified by:
        init in interface javax.servlet.Filter
        Parameters:
        config - The filter config
        Throws:
        javax.servlet.ServletException - if the rule filter config is invalid
      • createRule

        protected org.springframework.extensions.webscripts.servlet.CSRFFilter.Rule createRule​(org.springframework.extensions.config.ConfigElement ruleConfig)
                                                                                        throws javax.servlet.ServletException
        Creates a rule object based on the config.
        Parameters:
        ruleConfig - The rule config element
        Returns:
        A rule object created from the config
        Throws:
        javax.servlet.ServletException - if the config is invalid
      • createAction

        protected org.springframework.extensions.webscripts.servlet.CSRFFilter.Action createAction​(java.lang.String name)
                                                                                            throws javax.servlet.ServletException
        Creates a rule action based on a name
        Parameters:
        name - The name of the action, one of "generateToken", "assertToken" or "clearToken"
        Returns:
        An action object
        Throws:
        javax.servlet.ServletException - if there is no action for name
      • doFilter

        public void doFilter​(javax.servlet.ServletRequest servletRequest,
                             javax.servlet.ServletResponse servletResponse,
                             javax.servlet.FilterChain filterChain)
                      throws java.io.IOException,
                             javax.servlet.ServletException
        Checks the request's method, path and headers and the session's attributes against the rule config to determine which rule actions apply, and then either generates a new token, asserts that the request's token equals the session's token, removes the token from the cookie and session, OR does nothing.
        Specified by:
        doFilter in interface javax.servlet.Filter
        Parameters:
        servletRequest - The servlet request
        servletResponse - The servlet response
        filterChain - The filter chain
        Throws:
        java.io.IOException
        javax.servlet.ServletException - if the request requires a CSRF token but there is no such token in the request matching the token in the user's session.
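
        The following is an added example, not the project's CSRFFilter and not its rule config: a hard-coded servlet filter that shows the scheme the class description and doFilter describe (one token per logged-in session, refreshed on a page visit rather than on every request, asserted on state-changing requests, with an Origin/Referer check alongside). The session-attribute, cookie and header names follow the Javadoc (Alfresco-CSRFToken, _alf_USER_ID); the path patterns, the "safe method" set and the decision to tolerate a missing Origin/Referer header are assumptions made for this example.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: a fixed-rule sketch of the CSRFFilter approach, not the project's code.
public class MinimalCsrfFilter implements Filter {
    static final String TOKEN_NAME = "Alfresco-CSRFToken"; // session attribute, cookie and header name
    static final String USER_ID_ATTR = "_alf_USER_ID";     // present once the user has logged in
    // Assumed rule patterns: page visits mint a token, non-safe calls to the API must echo it.
    static final Pattern PAGE_PATH = Pattern.compile("/page/.*");
    static final Pattern PROTECTED_PATH = Pattern.compile("/(proxy|service)/.*");
    static final Pattern SAFE_METHOD = Pattern.compile("GET|HEAD|OPTIONS");
    private final SecureRandom random = new SecureRandom();

    @Override public void init(FilterConfig config) throws ServletException { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);

        // Rules only apply to logged-in sessions; anything else passes straight through.
        if (session == null || session.getAttribute(USER_ID_ATTR) == null) {
            chain.doFilter(req, res);
            return;
        }
        String path = getPath(request);
        boolean safe = SAFE_METHOD.matcher(request.getMethod()).matches();

        if (safe && PAGE_PATH.matcher(path).matches()) {
            // generateToken: a new page visit gets a fresh token, kept in the session and
            // handed to the page's own scripts via a cookie (readable by JS, so not HttpOnly).
            String token = newToken();
            session.setAttribute(TOKEN_NAME, token);
            Cookie cookie = new Cookie(TOKEN_NAME, token);
            cookie.setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
            cookie.setSecure(request.isSecure());
            response.addCookie(cookie);
        } else if (!safe && PROTECTED_PATH.matcher(path).matches()) {
            // assertToken: the request must echo the session's token in a header. A cross-site
            // form or XHR cannot read the cookie, so it cannot supply the header.
            String expected = (String) session.getAttribute(TOKEN_NAME);
            String supplied = request.getHeader(TOKEN_NAME);
            if (expected == null || supplied == null || !sameToken(expected, supplied)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token missing or mismatched");
                return;
            }
            // Origin/Referer check: the browser-supplied source must be this server.
            if (!originAllowed(request)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Origin/Referer mismatch");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    // Request URI with the context path stripped, as the Javadoc's getPath describes.
    static String getPath(HttpServletRequest request) {
        String uri = request.getRequestURI();
        String ctx = request.getContextPath();
        return (ctx != null && !ctx.isEmpty() && uri.startsWith(ctx)) ? uri.substring(ctx.length()) : uri;
    }

    // 256 bits from SecureRandom; URL-safe Base64 keeps the value cookie- and header-friendly.
    private String newToken() {
        byte[] bytes = new byte[32];
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    // Constant-time comparison so the token cannot be recovered byte by byte through timing.
    static boolean sameToken(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    // Accept only when Origin (or, failing that, Referer) names this server's scheme, host and
    // port. A missing header is tolerated here because the token check has already passed;
    // that is this example's choice, not necessarily the project's.
    static boolean originAllowed(HttpServletRequest request) {
        String source = request.getHeader("Origin");
        if (source == null) source = request.getHeader("Referer");
        if (source == null) return true;
        try {
            URI uri = new URI(source);
            if (uri.getScheme() == null || uri.getHost() == null) return false;
            int port = uri.getPort() != -1 ? uri.getPort()
                     : ("https".equalsIgnoreCase(uri.getScheme()) ? 443 : 80);
            return uri.getScheme().equalsIgnoreCase(request.getScheme())
                && uri.getHost().equalsIgnoreCase(request.getServerName())
                && port == request.getServerPort();
        } catch (URISyntaxException e) {
            return false;
        }
    }
}
```

        Two points worth checking when deploying something like this. First, map the filter only to page and API paths, not to static resources, as the class description recommends. Second, the Origin/Referer comparison uses request.getScheme(), getServerName() and getServerPort(), which behind a reverse proxy describe the proxy-to-container hop unless the container is configured to honour forwarded headers; otherwise every cross-check fails (or, worse, is skipped if the header is absent). Refreshing the token only on page visits, as here, avoids the stale-token race that the class description warns about for the refresh-on-every-request mode.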
      • preprocessOnHttpBasicAuth

        protected void preprocessOnHttpBasicAuth​(javax.servlet.http.HttpServletRequest request,
                                                 javax.servlet.http.HttpSession session)
        If the request uses HTTP Basic Authentication, sets the _alf_USER_ID and Alfresco-CSRFToken attributes in the session so that the CSRF rules (which match on session attributes) are applied to the request.
        Parameters:
        request - The servlet request
        session - The session
      • postprocessOnHttpBasicAuth

        protected void postprocessOnHttpBasicAuth​(javax.servlet.http.HttpServletRequest request,
                                                  javax.servlet.http.HttpSession session)
        If the request uses HTTP Basic Authentication, removes the session attributes set in preprocessOnHttpBasicAuth.
        Parameters:
        request - The servlet request
        session - The session
      • destroy

        public void destroy()
        Specified by:
        destroy in interface javax.servlet.Filter
      • getPath

        protected java.lang.String getPath​(javax.servlet.http.HttpServletRequest request)
        Returns the path for a request, where the path is the request URI with the context path stripped.
        Parameters:
        request - The http request
        Returns:
        The request URI with the context path stripped.
      • matchRequest

        protected boolean matchRequest​(org.springframework.extensions.webscripts.servlet.CSRFFilter.Rule rule,
                                       javax.servlet.http.HttpServletRequest request,
                                       javax.servlet.http.HttpSession session)
                                throws javax.servlet.ServletException
        Compares the request and session against a single configured rule.
        Parameters:
        rule - The rule to match against the request and session
        request - The http request
        session - The user's session
        Returns:
        true if the rule matches the request and session, false otherwise.
        Throws:
        javax.servlet.ServletException
      • matchString

        protected boolean matchString​(java.lang.String str,
                                      java.lang.String regexp)
        Checks if str matches the regular expression defined in regexp.
        Parameters:
        str - The value to match
        regexp - The regular expression to match against str
        Returns:
        true if str matches regexp