public class CSRFFilter
extends java.lang.Object
implements javax.servlet.Filter
The logic is configurable, making it possible to: disable the filter; use one and the same token for the whole session; refresh the token when certain URLs are requested (i.e. on a new page visit, which is recommended); OR refresh the token on every request made to the server (which is not recommended, since multiple concurrent requests may overlap, leaving some tokens stale and therefore treated as a CSRF attack).
It is recommended to run the filter with a filter-mapping that does NOT include client-side resources, since filtering those is pointless and would unnecessarily decrease the performance of the webapp (even though the filter would still work).
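To make the rule/action flow concrete, here is an added plain-Java model (Java 17, not Alfresco's code and not a real Servlet Filter) of how a request's method, path and headers are matched against an ordered rule list and how the generateToken, assertToken and clearToken actions act on the session. The rule config, the first-match policy, the `csrfToken` attribute/header name and the `/page` and `/proxy` paths are assumptions of this example.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import java.util.regex.Pattern;
// Plain-Java model of the filter's rule matching and actions (added example, not Alfresco's code).
public class CsrfRuleDemo {
    enum Action { GENERATE_TOKEN, ASSERT_TOKEN, CLEAR_TOKEN }
    // A rule selects on method, path regexp and required request headers (name -> regexp); null = any.
    record Rule(String method, String pathRegex, Map<String, String> headers, List<Action> actions) {}
    static final String TOKEN_KEY = "csrfToken";  // hypothetical session attribute and header name
    static final SecureRandom RNG = new SecureRandom();
    static boolean matchString(String str, String regexp) { return str != null && Pattern.matches(regexp, str); }
    static boolean matchRequest(Rule rule, String method, String path, Map<String, String> headers) {
        if (rule.method() != null && !rule.method().equalsIgnoreCase(method)) return false;
        if (rule.pathRegex() != null && !matchString(path, rule.pathRegex())) return false;
        for (var h : rule.headers().entrySet()) if (!matchString(headers.get(h.getKey()), h.getValue())) return false;
        return true;
    }
    // Runs the actions of the first matching rule (first-match is this model's assumption); false = reject as CSRF.
    static boolean doFilter(List<Rule> rules, String method, String path,
                            Map<String, String> headers, Map<String, String> session) {
        for (Rule rule : rules) {
            if (!matchRequest(rule, method, path, headers)) continue;
            for (Action a : rule.actions()) {
                switch (a) {
                    case GENERATE_TOKEN -> {  // fresh random token kept in the session
                        byte[] b = new byte[32]; RNG.nextBytes(b);
                        session.put(TOKEN_KEY, Base64.getUrlEncoder().withoutPadding().encodeToString(b));
                    }
                    case ASSERT_TOKEN -> {  // constant-time compare of request token against session token
                        String expected = session.get(TOKEN_KEY), got = headers.get(TOKEN_KEY);
                        if (expected == null || got == null || !MessageDigest.isEqual(expected.getBytes(), got.getBytes())) return false;
                    }
                    case CLEAR_TOKEN -> session.remove(TOKEN_KEY);
                }
            }
            return true;
        }
        return true;  // no rule matched: do nothing
    }
    public static void main(String[] args) {  // hypothetical rule config, evaluated in order
        List<Rule> rules = List.of(
            new Rule("GET", "/page/.*", Map.of(), List.of(Action.GENERATE_TOKEN)),
            new Rule("POST", "/proxy/.*", Map.of("Content-Type", "application/json.*"), List.of(Action.ASSERT_TOKEN)));
        Map<String, String> session = new HashMap<>();
        doFilter(rules, "GET", "/page/site/dashboard", Map.of(), session);  // page visit issues a token
        boolean ok = doFilter(rules, "POST", "/proxy/api/x", Map.of("Content-Type", "application/json", TOKEN_KEY, session.get(TOKEN_KEY)), session);
        boolean forged = doFilter(rules, "POST", "/proxy/api/x", Map.of("Content-Type", "application/json"), session);
        System.out.println("with token: " + ok + ", without token: " + forged);
    }
}
```

The second POST carries no token header, so the assertToken action rejects it; the first, issued from the page visit that generated the token, passes.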
Constructor and Description |
---|
CSRFFilter() |
Modifier and Type | Method and Description |
---|---|
protected org.alfresco.web.site.servlet.CSRFFilter.Action | createAction(java.lang.String name). Creates a rule action based on a name. |
protected org.alfresco.web.site.servlet.CSRFFilter.Rule | createRule(org.springframework.extensions.config.ConfigElement ruleConfig). Creates a rule object based on the config. |
void | destroy() |
void | doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain filterChain). Checks the request's method, path, request headers and the session's attributes against the rule config to see which rule actions should be used; will either generate a new token, assert that the request's token equals the session's token, remove the token from the cookie and session, OR simply do nothing. |
protected java.lang.String | getPath(javax.servlet.http.HttpServletRequest request). Returns the path for a request, where a path is the request URI with the request context stripped out. |
void | init(javax.servlet.FilterConfig config). Parses the filter rule config. |
protected boolean | matchRequest(org.alfresco.web.site.servlet.CSRFFilter.Rule rule, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpSession session). Compares the request against the configured rules. |
protected boolean | matchString(java.lang.String str, java.lang.String regexp). Checks if str matches the regular expression defined in regexp. |
public void init(javax.servlet.FilterConfig config) throws javax.servlet.ServletException
Specified by: init in interface javax.servlet.Filter
Parameters:
config - The filter config
Throws:
javax.servlet.ServletException - if the rule filter config is invalid

protected org.alfresco.web.site.servlet.CSRFFilter.Rule createRule(org.springframework.extensions.config.ConfigElement ruleConfig) throws javax.servlet.ServletException
Parameters:
ruleConfig - The rule config element
Throws:
javax.servlet.ServletException - if the config is invalid

protected org.alfresco.web.site.servlet.CSRFFilter.Action createAction(java.lang.String name) throws javax.servlet.ServletException
Parameters:
name - The name of the action, can be "generateToken", "assertToken" and "clearToken"
Throws:
javax.servlet.ServletException - if there is no action for name

public void doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain filterChain) throws java.io.IOException, javax.servlet.ServletException
Specified by: doFilter in interface javax.servlet.Filter
Parameters:
servletRequest - The servlet request
servletResponse - The servlet response
filterChain - The filter chain
Throws:
java.io.IOException
javax.servlet.ServletException - if the request requires a CSRF token but there is no such token in the request matching the token in the user's session.

public void destroy()
Specified by: destroy in interface javax.servlet.Filter

protected java.lang.String getPath(javax.servlet.http.HttpServletRequest request)
Parameters:
request - The http request

protected boolean matchRequest(org.alfresco.web.site.servlet.CSRFFilter.Rule rule, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpSession session) throws javax.servlet.ServletException
Parameters:
rule - The rule to match against the request and session
request - The http request
session - The user's session
Throws:
javax.servlet.ServletException

protected boolean matchString(java.lang.String str, java.lang.String regexp)
Parameters:
str - The value to match
regexp - The regular expression to match against str

Copyright © 2005 - 2013 Alfresco Software, Inc. All Rights Reserved.