public class NuxeoCorsCsrfFilter extends Object implements javax.servlet.Filter
Modifier and Type | Class and Description |
---|---|
static class | NuxeoCorsCsrfFilter.IgnoredOriginRequestWrapper: Wrapper for the request to hide the Origin header. |
Modifier and Type | Field and Description |
---|---|
static String | ALLOW_NULL_ORIGIN_DEFAULT |
static String | ALLOW_NULL_ORIGIN_PROP: Allows disabling strict CORS checks when a request has Origin: null. |
protected boolean | allowNullOrigin |
static String | CSRF_TOKEN_ATTRIBUTE: Session attribute in which the token is stored. |
static String | CSRF_TOKEN_ENABLED_DEFAULT |
static String | CSRF_TOKEN_ENABLED_SUBPROP: Allows enforcing the use of a CSRF token. |
static String | CSRF_TOKEN_FETCH: Pseudo-value to fetch a token. |
static String | CSRF_TOKEN_HEADER: Request header to pass a token, or to fetch one. |
static String | CSRF_TOKEN_INVALID: Pseudo-value to denote an invalid token. |
static String | CSRF_TOKEN_NS_PROP: Configuration property (namespace) for CSRF tokens. |
static String | CSRF_TOKEN_PARAM: Request parameter to pass a token. |
static String | CSRF_TOKEN_SKIP_SUBPROP: Allows definition of endpoints for which no CSRF token check is done. |
protected boolean | csrfTokenEnabled |
protected List<String> | csrfTokenSkipPaths |
static String | GET |
static String | HEAD |
static String | OPTIONS |
static String | ORIGIN_NULL |
static URI | PRIVACY_SENSITIVE |
protected static Random | RANDOM |
protected static Set<String> | SAFE_METHODS |
static List<String> | SCHEMES_ALLOWED |
static String | TRACE |
Constructor and Description |
---|
NuxeoCorsCsrfFilter() |
Modifier and Type | Method and Description |
---|---|
void | destroy() |
void | doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain chain) |
protected String | generateNewToken() |
URI | getSourceURI(javax.servlet.http.HttpServletRequest request): Gets the source URI: the URI of the page from which the request is actually coming. |
URI | getTargetURI(javax.servlet.http.HttpServletRequest request): Gets the target URI: the URI to which the browser is connecting. |
void | init(javax.servlet.FilterConfig filterConfig) |
protected boolean | isSafeMethod(String method): Checks whether the method is safe according to RFC 7231 section 4.2.1. |
protected boolean | isWhitelistedScheme(URI uri) |
protected boolean | manageCSRFToken(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response): Manages the CSRF token. |
protected javax.servlet.http.HttpServletRequest | maybeIgnoreWhitelistedOrigin(javax.servlet.http.HttpServletRequest request) |
protected com.thetransactioncompany.cors.Origin | originFromURI(URI uri): Gets an Origin from a URI. |
boolean | sourceAndTargetMatch(URI sourceURI, URI targetURI) |
public static final String GET
public static final String HEAD
public static final String OPTIONS
public static final String TRACE
protected static final Set<String> SAFE_METHODS
public static final String ORIGIN_NULL
public static final URI PRIVACY_SENSITIVE
public static final List<String> SCHEMES_ALLOWED
public static final String ALLOW_NULL_ORIGIN_PROP
Allows disabling strict CORS checks when a request has Origin: null. This may happen for local files, or for a JavaScript-triggered redirect. Setting this to true disables the check for such requests and may expose the application to CSRF from files hosted on the user's local disk.
public static final String ALLOW_NULL_ORIGIN_DEFAULT
public static final String CSRF_TOKEN_NS_PROP
public static final String CSRF_TOKEN_ENABLED_SUBPROP
public static final String CSRF_TOKEN_ENABLED_DEFAULT
public static final String CSRF_TOKEN_SKIP_SUBPROP
public static final String CSRF_TOKEN_ATTRIBUTE
public static final String CSRF_TOKEN_HEADER
public static final String CSRF_TOKEN_FETCH
public static final String CSRF_TOKEN_INVALID
public static final String CSRF_TOKEN_PARAM
protected boolean allowNullOrigin
protected boolean csrfTokenEnabled
protected List<String> csrfTokenSkipPaths
public NuxeoCorsCsrfFilter()
public void init(javax.servlet.FilterConfig filterConfig)
Specified by: init in interface javax.servlet.Filter
public void destroy()
Specified by: destroy in interface javax.servlet.Filter
public void doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
Specified by: doFilter in interface javax.servlet.Filter
Throws: IOException, javax.servlet.ServletException
protected boolean isSafeMethod(String method)
Checks whether the method is safe according to RFC 7231 section 4.2.1 (GET, HEAD, OPTIONS, TRACE).
protected boolean manageCSRFToken(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException
Manages the CSRF token. This method may send a response carrying token fetch information, or an error, in which case it returns true.
Returns: true if the caller doesn't need to do more work (a response has been sent)
Throws: IOException
protected String generateNewToken()
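The CSRF_TOKEN_* constants and manageCSRFToken describe a two-step exchange: a client first sends the fetch pseudo-value in the token header and receives a fresh token bound to its session, then presents that token (header or request parameter) on every unsafe request; a mismatch is answered with the invalid pseudo-value and the filter chain stops. The following is an added example modelling that exchange stand-alone in Python, not Nuxeo's Java code: the header, parameter, pseudo-value and session attribute names are assumptions (the page documents the constants but not their values), as are the 200/403 response shapes and the rule that a fetch is honoured regardless of method.

```python
"""Model of the CSRF token fetch/present exchange described by the filter's
CSRF_TOKEN_* constants. Added example; names and response shapes are assumptions."""
import hmac
import secrets

# RFC 7231 section 4.2.1 safe methods: no token is required for these.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})

# Assumed values: the Javadoc names these constants but does not show their contents.
CSRF_TOKEN_HEADER = "CSRF-Token"       # header used to present a token or ask for one
CSRF_TOKEN_PARAM = "csrf-token"        # request parameter alternative to the header
CSRF_TOKEN_FETCH = "fetch"             # pseudo-value: "give me a token"
CSRF_TOKEN_INVALID = "invalid"         # pseudo-value sent back when the token is wrong
CSRF_TOKEN_ATTRIBUTE = "csrf.token"    # session attribute holding the expected token


def generate_new_token():
    # CSPRNG-backed token. The Javadoc's field type "Random" alone does not say
    # which implementation Nuxeo uses; any real deployment needs a CSPRNG here.
    return secrets.token_urlsafe(32)


def _path_is_skipped(path, skip_paths):
    # Skip list semantics (exact path or sub-path) are an assumption of this model.
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in skip_paths)


def manage_csrf_token(session, method, path, headers, params, skip_paths=()):
    """Mirror of the filter's boolean contract: returns (handled, response).
    handled=True means a response was produced and the caller must stop;
    response is {"status": int, "headers": dict} or None."""
    presented = headers.get(CSRF_TOKEN_HEADER)

    # Step 1: token fetch. Bind a fresh token to the session and hand it back.
    if presented == CSRF_TOKEN_FETCH:
        token = generate_new_token()
        session[CSRF_TOKEN_ATTRIBUTE] = token
        return True, {"status": 200, "headers": {CSRF_TOKEN_HEADER: token}}

    # Safe methods and configured skip paths are not checked.
    if method.upper() in SAFE_METHODS or _path_is_skipped(path, skip_paths):
        return False, None

    # Step 2: unsafe request must carry the session's token (header or parameter).
    if presented is None:
        presented = params.get(CSRF_TOKEN_PARAM)
    expected = session.get(CSRF_TOKEN_ATTRIBUTE)
    if expected is None or presented is None or not hmac.compare_digest(
        presented.encode("utf-8"), expected.encode("utf-8")
    ):
        return True, {"status": 403, "headers": {CSRF_TOKEN_HEADER: CSRF_TOKEN_INVALID}}

    # Token matches: let the chain continue.
    return False, None
```

The constant-time comparison and the "no token in session means reject" branch are the two details worth carrying into any real implementation: a session that never fetched a token must not accept an unsafe request, and a string equality that short-circuits leaks token prefixes under timing measurement.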
public URI getSourceURI(javax.servlet.http.HttpServletRequest request)
Gets the source URI: the URI of the page from which the request is actually coming. null is returned if there is no header. PRIVACY_SENSITIVE is returned if there is a null origin (RFC 6454 section 7.3, "privacy-sensitive" context), unless null origins are configured to be allowed (see ALLOW_NULL_ORIGIN_PROP).
public URI getTargetURI(javax.servlet.http.HttpServletRequest request)
public boolean sourceAndTargetMatch(URI sourceURI, URI targetURI)
protected com.thetransactioncompany.cors.Origin originFromURI(URI uri)
protected javax.servlet.http.HttpServletRequest maybeIgnoreWhitelistedOrigin(javax.servlet.http.HttpServletRequest request)
protected boolean isWhitelistedScheme(URI uri)
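The origin side of the filter (isSafeMethod, getSourceURI, getTargetURI, sourceAndTargetMatch, isWhitelistedScheme and the null-origin handling above) reduces to one decision per request. The following is an added example that models that decision stand-alone in Python; it is not Nuxeo's Java code. Assumptions beyond what the page states: the source falls back to Referer when Origin is absent, a request with neither header is let through (non-browser clients), the target is rebuilt from the scheme and Host header without proxy headers, "same origin" means equal scheme, host and effective port, and the whitelisted scheme list is supplied by the caller because the page does not show SCHEMES_ALLOWED's contents.

```python
"""Model of the source/target origin check described in the Javadoc above.
Added example; fallback rules, proxy handling and scheme list are assumptions."""
from urllib.parse import urlsplit

# RFC 7231 section 4.2.1 safe methods (the set SAFE_METHODS names).
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})

# Stand-in for the filter's PRIVACY_SENSITIVE URI: "Origin: null" (RFC 6454 7.3).
PRIVACY_SENSITIVE = "privacy-sensitive:"

DEFAULT_PORTS = {"http": 80, "https": 443}


def is_safe_method(method):
    return method.upper() in SAFE_METHODS


def get_source_uri(headers, allow_null_origin=False):
    """Origin header first, Referer as fallback (the fallback is an assumption).
    None when neither header is present; PRIVACY_SENSITIVE for 'Origin: null'
    unless null origins are allowed, in which case it is treated as no header."""
    origin = headers.get("Origin")
    if origin is not None:
        if origin.strip().lower() == "null":
            return None if allow_null_origin else PRIVACY_SENSITIVE
        return origin
    return headers.get("Referer")


def get_target_uri(scheme, headers, path):
    """URI the browser connected to, rebuilt from scheme + Host (no X-Forwarded-*)."""
    return f"{scheme}://{headers['Host']}{path}"


def _origin_tuple(uri):
    # (scheme, host, effective port): the RFC 6454 notion of an origin.
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def source_and_target_match(source_uri, target_uri):
    if source_uri is None or target_uri is None or source_uri == PRIVACY_SENSITIVE:
        return False
    return _origin_tuple(source_uri) == _origin_tuple(target_uri)


def is_whitelisted_scheme(uri, schemes_allowed):
    # e.g. browser-extension schemes; the actual list is not shown on the page.
    return urlsplit(uri).scheme.lower() in {s.lower() for s in schemes_allowed}


def cors_csrf_decision(method, scheme, path, headers,
                       allow_null_origin=False, schemes_allowed=()):
    """Returns 'allow' or 'reject' for one request."""
    if is_safe_method(method):
        return "allow"                      # safe methods are never origin-checked
    source = get_source_uri(headers, allow_null_origin)
    if source is None:
        return "allow"                      # no Origin/Referer: not a browser cross-site request
    if source == PRIVACY_SENSITIVE:
        return "reject"                     # Origin: null and null origins not allowed
    if is_whitelisted_scheme(source, schemes_allowed):
        return "allow"                      # maybeIgnoreWhitelistedOrigin equivalent
    target = get_target_uri(scheme, headers, path)
    return "allow" if source_and_target_match(source, target) else "reject"
```

Two cases the model makes visible: a Referer over plain http against an https target is a scheme mismatch and is rejected, and the default-port normalisation is what keeps "https://host" and "Host: host:443" from being wrongly treated as different origins. Enabling allow_null_origin turns an Origin: null POST from a rejected request into one that is not origin-checked at all, which is exactly the exposure the ALLOW_NULL_ORIGIN_PROP description warns about.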
Copyright © 2019 Nuxeo. All rights reserved.