java.lang.Object
org.springframework.extensions.webscripts.servlet.CSRFFilter
All Implemented Interfaces:
jakarta.servlet.Filter

public class CSRFFilter extends Object implements jakarta.servlet.Filter
A CSRF filter for the web tier. It checks that certain requests supply a secret token, which is compared to the token held in the user's session, to mitigate CSRF attacks. It can also check the Referer or Origin headers.

The logic is configurable, making it possible to: disable the filter; use one and the same token for the whole session; refresh the token when certain URLs are requested (i.e. on a new page visit, which is recommended); OR refresh the token on every request made to the server (which is not recommended, since overlapping requests can make some tokens stale and therefore get treated as a CSRF attack).

It is recommended to run the filter with a filter-mapping that does NOT include client-side resources, since checking those is pointless and would unnecessarily decrease the performance of the webapp (even though the filter would still work).
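The rule-and-action model described above, as an added Java example that is not the CSRFFilter's own code: the Req and Rule classes are constructed stand-ins for the servlet request and the config-driven rules, the rule set and paths are assumptions, and only the three action names and the Alfresco-CSRFToken name come from this page. The token check uses MessageDigest.isEqual so the comparison is constant-time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import java.util.regex.Pattern;
final class Req {                      // constructed stand-in for the servlet request (assumed shape)
    final String method, path; final Map<String, String> headers;
    Req(String m, String p, Map<String, String> h) { method = m; path = p; headers = h; }
}
final class Rule {                     // method/path regexes matched in full, as matchString does
    final Pattern method, path; final String action;   // generateToken | assertToken | clearToken
    Rule(String m, String p, String a) { method = Pattern.compile(m); path = Pattern.compile(p); action = a; }
    boolean matches(Req r) { return method.matcher(r.method).matches() && path.matcher(r.path).matches(); }
}

public class CsrfRuleDemo {
    static final String TOKEN = "Alfresco-CSRFToken";  // attribute/header name used on the page
    static final SecureRandom RNG = new SecureRandom();
    static final List<Rule> RULES = List.of(           // assumed rule set: refresh on page visit, check on writes
        new Rule("GET", "/page/.*", "generateToken"),
        new Rule("POST|PUT|DELETE", "/proxy/.*", "assertToken"),
        new Rule("POST", "/page/dologout", "clearToken"));
    // Applies the first matching rule; returns false when the request must be rejected as CSRF.
    static boolean apply(Req req, Map<String, Object> session) {
        for (Rule rule : RULES) {
            if (!rule.matches(req)) continue;
            switch (rule.action) {
                case "generateToken": {                // fresh 256-bit token replaces the old one
                    byte[] b = new byte[32]; RNG.nextBytes(b);
                    session.put(TOKEN, Base64.getUrlEncoder().withoutPadding().encodeToString(b));
                    return true;
                }
                case "assertToken": {                  // header token must equal the session token
                    String expected = (String) session.get(TOKEN), got = req.headers.get(TOKEN);
                    if (expected == null || got == null) return false;
                    return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), got.getBytes(StandardCharsets.UTF_8));
                }
                case "clearToken": session.remove(TOKEN); return true;   // e.g. on logout
            }
        }
        return true;                                   // no rule matched: nothing to do
    }
    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        apply(new Req("GET", "/page/site/index", Map.of()), session);     // page visit issues a token
        System.out.println(apply(new Req("POST", "/proxy/alfresco/api/x", Map.of(TOKEN, (String) session.get(TOKEN))), session));
        System.out.println(apply(new Req("POST", "/proxy/alfresco/api/x", Map.of()), session));
    }
}
```

The first POST carries the session's token in the header and passes; the second omits it and is rejected, which is the stale-or-missing-token case the description warns about.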

Since:
6.11 NOTE: Copied from Slingshot project to WebScripts 6.11 on 5/11/2016
Author:
Erik Winlof
  • Constructor Summary

    Constructors
    Constructor
    Description
    CSRFFilter()
  • Method Summary

    Modifier and Type
    Method
    Description
    protected org.springframework.extensions.webscripts.servlet.CSRFFilter.Action
    createAction(String name)
    Creates a rule action based on a name.
    protected org.springframework.extensions.webscripts.servlet.CSRFFilter.Rule
    createRule(org.springframework.extensions.config.ConfigElement ruleConfig)
    Creates a rule object based on the config.
    void
    destroy()
    void
    doFilter(jakarta.servlet.ServletRequest servletRequest, jakarta.servlet.ServletResponse servletResponse, jakarta.servlet.FilterChain filterChain)
    Checks the request's method, path, request headers and the session's attributes against the rule config to see which rule actions should be used; it will either generate a new token, assert that the request's token equals the session's token, remove the token from the cookie and session, OR simply do nothing.
    protected String
    getPath(jakarta.servlet.http.HttpServletRequest request)
    Returns the path for a request, where a path is the request URI with the request context stripped out.
    void
    init(jakarta.servlet.FilterConfig config)
    Parses the filter rule config.
    protected boolean
    matchRequest(org.springframework.extensions.webscripts.servlet.CSRFFilter.Rule rule, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpSession session)
    Compares the request against the configured rules.
    protected boolean
    matchString(String str, String regexp)
    Checks if str matches the regular expression defined in regexp.
    protected void
    postprocessOnHttpBasicAuth(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpSession session)
    If the request is using HTTP Basic Authentication, cleans the session attributes set in preprocessOnHttpBasicAuth.
    protected void
    preprocessOnHttpBasicAuth(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpSession session)
    If the request is using HTTP Basic Authentication, sets the _alf_USER_ID and Alfresco-CSRFToken attributes in the session so that the CSRF rules are applied to the request.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • CSRFFilter

      public CSRFFilter()
  • Method Details

    • init

      public void init(jakarta.servlet.FilterConfig config) throws jakarta.servlet.ServletException
      Parses the filter rule config.
      Specified by:
      init in interface jakarta.servlet.Filter
      Parameters:
      config - The filter config
      Throws:
      jakarta.servlet.ServletException - if the rule filter config is invalid
    • createRule

      protected org.springframework.extensions.webscripts.servlet.CSRFFilter.Rule createRule(org.springframework.extensions.config.ConfigElement ruleConfig) throws jakarta.servlet.ServletException
      Creates a rule object based on the config.
      Parameters:
      ruleConfig - The rule config element
      Returns:
      A rule object created from the config
      Throws:
      jakarta.servlet.ServletException - if the config is invalid
    • createAction

      protected org.springframework.extensions.webscripts.servlet.CSRFFilter.Action createAction(String name) throws jakarta.servlet.ServletException
      Creates a rule action based on a name.
      Parameters:
      name - The name of the action; one of "generateToken", "assertToken" or "clearToken"
      Returns:
      An action object
      Throws:
      jakarta.servlet.ServletException - if there is no action for name
    • doFilter

      public void doFilter(jakarta.servlet.ServletRequest servletRequest, jakarta.servlet.ServletResponse servletResponse, jakarta.servlet.FilterChain filterChain) throws IOException, jakarta.servlet.ServletException
      Checks the request's method, path, request headers and the session's attributes against the rule config to see which rule actions should be used; it will either generate a new token, assert that the request's token equals the session's token, remove the token from the cookie and session, OR simply do nothing.
      Specified by:
      doFilter in interface jakarta.servlet.Filter
      Parameters:
      servletRequest - The servlet request
      servletResponse - The servlet response
      filterChain - The filter chain
      Throws:
      IOException
      jakarta.servlet.ServletException - if the request requires a CSRF token but there is no such token in the request matching the token in the user's session.
    • preprocessOnHttpBasicAuth

      protected void preprocessOnHttpBasicAuth(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpSession session)
      If the request is using HTTP Basic Authentication, sets the _alf_USER_ID and Alfresco-CSRFToken attributes in the session so that the CSRF rules are applied to the request.
      Parameters:
      request - The servlet request
      session - The session
    • postprocessOnHttpBasicAuth

      protected void postprocessOnHttpBasicAuth(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpSession session)
      If the request is using HTTP Basic Authentication, cleans the session attributes set in preprocessOnHttpBasicAuth.
      Parameters:
      request - The servlet request
      session - The session
    • destroy

      public void destroy()
      Specified by:
      destroy in interface jakarta.servlet.Filter
    • getPath

      protected String getPath(jakarta.servlet.http.HttpServletRequest request)
      Returns the path for a request, where a path is the request URI with the request context stripped out.
      Parameters:
      request - The http request
      Returns:
      The path for a request, where a path is the request URI with the request context stripped out.
    • matchRequest

      protected boolean matchRequest(org.springframework.extensions.webscripts.servlet.CSRFFilter.Rule rule, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpSession session) throws jakarta.servlet.ServletException
      Compares the request against the configured rules.
      Parameters:
      rule - The rule to match against the request and session
      request - The http request
      session - The user's session
      Returns:
      The first rule that matches the request and session, or null if there is no such rule.
      Throws:
      jakarta.servlet.ServletException
    • matchString

      protected boolean matchString(String str, String regexp)
      Checks if str matches the regular expression defined in regexp.
      Parameters:
      str - The value to match
      regexp - The regular expression to match against str
      Returns:
      true if str matches regexp