Class NuxeoCorsCsrfFilter

  • All Implemented Interfaces:
    javax.servlet.Filter

    public class NuxeoCorsCsrfFilter
    extends Object
    implements javax.servlet.Filter
    Nuxeo CORS and CSRF filter, returning CORS configuration and preventing CSRF attacks by rejecting dubious requests.
    Since:
    5.7.2 for CORS, 10.1 for CSRF
    • Field Detail

      • SAFE_METHODS

        protected static final Set<String> SAFE_METHODS
      • PRIVACY_SENSITIVE

        public static final URI PRIVACY_SENSITIVE
      • SCHEMES_ALLOWED

        public static final List<String> SCHEMES_ALLOWED
      • ALLOW_NULL_ORIGIN_PROP

        public static final String ALLOW_NULL_ORIGIN_PROP
        Allows disabling strict CORS checks when a request has Origin: null.

        This may happen for local files, or for a JavaScript-triggered redirect. Setting this to false may expose the application to CSRF problems from files locally hosted on the user's disk.

        Since:
        10.3
        See Also:
        Constant Field Values
      • CSRF_TOKEN_NS_PROP

        public static final String CSRF_TOKEN_NS_PROP
        Configuration property (namespace) for CSRF tokens.
        Since:
        10.3
        See Also:
        Constant Field Values
      • CSRF_TOKEN_ENABLED_SUBPROP

        public static final String CSRF_TOKEN_ENABLED_SUBPROP
        Allows enforcing the use of a CSRF token. Configuration property (under the "nuxeo.csrf.token" namespace).
        Since:
        10.3
        See Also:
        Constant Field Values
      • CSRF_TOKEN_SKIP_SUBPROP

        public static final String CSRF_TOKEN_SKIP_SUBPROP
        Allows definition of endpoints for which no CSRF token check is done. Configuration list property (under the "nuxeo.csrf.token" namespace).
        Since:
        10.3
        See Also:
        Constant Field Values
      • CSRF_TOKEN_ATTRIBUTE

        public static final String CSRF_TOKEN_ATTRIBUTE
        Session attribute in which token is stored.
        Since:
        10.3
        See Also:
        Constant Field Values
      • CSRF_TOKEN_HEADER

        public static final String CSRF_TOKEN_HEADER
        Request header to pass a token, or fetch one.
        Since:
        10.3
        See Also:
        Constant Field Values
      • CSRF_TOKEN_FETCH

        public static final String CSRF_TOKEN_FETCH
        Pseudo-value to fetch a token.
        Since:
        10.3
        See Also:
        Constant Field Values
      • CSRF_TOKEN_INVALID

        public static final String CSRF_TOKEN_INVALID
        Pseudo-value to denote an invalid token.
        Since:
        10.3
        See Also:
        Constant Field Values
      • CSRF_TOKEN_PARAM

        public static final String CSRF_TOKEN_PARAM
        Request parameter to pass a token.
        Since:
        10.3
        See Also:
        Constant Field Values
      • RANDOM

        protected static final Random RANDOM
      • allowNullOrigin

        protected boolean allowNullOrigin
      • csrfTokenEnabled

        protected boolean csrfTokenEnabled
      • csrfTokenSkipPaths

        protected List<String> csrfTokenSkipPaths
    • Constructor Detail

      • NuxeoCorsCsrfFilter

        public NuxeoCorsCsrfFilter()
    • Method Detail

      • init

        public void init(javax.servlet.FilterConfig filterConfig)
        Specified by:
        init in interface javax.servlet.Filter
      • destroy

        public void destroy()
        Specified by:
        destroy in interface javax.servlet.Filter
      • doFilter

        public void doFilter(javax.servlet.ServletRequest servletRequest,
                             javax.servlet.ServletResponse servletResponse,
                             javax.servlet.FilterChain chain)
                      throws IOException,
                             javax.servlet.ServletException
        Specified by:
        doFilter in interface javax.servlet.Filter
        Throws:
        IOException
        javax.servlet.ServletException
      • isSafeMethod

        protected boolean isSafeMethod(String method)
        Checks whether the method is a safe method according to RFC 7231 section 4.2.1.
      • manageCSRFToken

        protected boolean manageCSRFToken(javax.servlet.http.HttpServletRequest request,
                                          javax.servlet.http.HttpServletResponse response)
                                   throws IOException
        Manages the CSRF token.

        This method may send a response itself, either with token fetch information or with an error, in which case it returns true.

        Returns:
        true if the caller doesn't need to do more work (a response has been sent)
        Throws:
        IOException
        Since:
        10.3
      • generateNewToken

        protected String generateNewToken()
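        The following is an added example, not code from Nuxeo or from this class, of the fetch-then-validate cycle that manageCSRFToken and generateNewToken describe: a client asks for a token with the fetch pseudo-value in the token header, the token is kept in a session attribute, and later state-changing requests present it in the header or the request parameter; on a mismatch the filter answers with the invalid pseudo-value and stops the chain. The header, parameter, attribute and pseudo-value strings, the prefix matching of skip paths, the 403 status and the Request/Response stand-ins are all assumptions; the page names the constants but not their values. It runs with a plain JDK (`javac CsrfTokenExample.java && java CsrfTokenExample`).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Added illustration of the CSRF token cycle; not Nuxeo's code, all names and values assumed. */
public class CsrfTokenExample {

    // Assumed values: the page names these constants but does not show their contents.
    static final String CSRF_TOKEN_ATTRIBUTE = "example.csrf.token";
    static final String CSRF_TOKEN_HEADER = "X-Example-CSRF-Token";
    static final String CSRF_TOKEN_PARAM = "csrf-token";
    static final String CSRF_TOKEN_FETCH = "fetch";
    static final String CSRF_TOKEN_INVALID = "invalid";
    // A CSPRNG; tokens must never come from java.util.Random.
    static final SecureRandom RANDOM = new SecureRandom();

    /** Minimal stand-ins for the servlet request and response (constructed for the example). */
    static final class Request {
        final String path;
        final Map<String, String> headers;
        final Map<String, String> params;
        Request(String path, Map<String, String> headers, Map<String, String> params) {
            this.path = path;
            this.headers = headers;
            this.params = params;
        }
    }

    static final class Response {
        int status = 200;
        final Map<String, String> headers = new HashMap<>();
    }

    /** 256 random bits, URL-safe base64 so the token travels cleanly in a header or parameter. */
    static String generateNewToken() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** Endpoints on the skip list get no token check (prefix match is an assumption). */
    static boolean isSkipped(String path, List<String> csrfTokenSkipPaths) {
        return csrfTokenSkipPaths.stream().anyMatch(path::startsWith);
    }

    /** Same contract as the documented method: true when a response was sent and the caller must stop. */
    static boolean manageCSRFToken(Request req, Map<String, Object> session, Response resp, List<String> skipPaths) {
        String headerValue = req.headers.get(CSRF_TOKEN_HEADER);
        if (CSRF_TOKEN_FETCH.equals(headerValue)) {
            // Fetch: hand out the per-session token, creating it on first use.
            String token = (String) session.get(CSRF_TOKEN_ATTRIBUTE);
            if (token == null) {
                token = generateNewToken();
                session.put(CSRF_TOKEN_ATTRIBUTE, token);
            }
            resp.headers.put(CSRF_TOKEN_HEADER, token);
            return true;
        }
        if (isSkipped(req.path, skipPaths)) {
            return false;
        }
        String expected = (String) session.get(CSRF_TOKEN_ATTRIBUTE);
        String presented = headerValue != null ? headerValue : req.params.get(CSRF_TOKEN_PARAM);
        if (expected == null || presented == null || !constantTimeEquals(expected, presented)) {
            resp.status = 403; // assumed status
            resp.headers.put(CSRF_TOKEN_HEADER, CSRF_TOKEN_INVALID); // tells the client to fetch again
            return true;
        }
        return false; // token valid: continue down the filter chain
    }

    /** Length-independent comparison so a wrong token cannot be refined byte by byte via timing. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    static Map<String, String> map(String key, String value) {
        Map<String, String> m = new HashMap<>();
        m.put(key, value);
        return m;
    }

    static Response run(String label, String path, Map<String, String> headers, Map<String, String> params,
            Map<String, Object> session, List<String> skip) {
        Response resp = new Response();
        boolean stop = manageCSRFToken(new Request(path, headers, params), session, resp, skip);
        System.out.println(label + ": stop=" + stop + " status=" + resp.status
                + " header=" + resp.headers.get(CSRF_TOKEN_HEADER));
        return resp;
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>(); // stands in for HttpSession
        List<String> skip = Arrays.asList("/example/public/"); // constructed skip list
        Map<String, String> none = new HashMap<>();
        String token = run("fetch", "/example/api", map(CSRF_TOKEN_HEADER, CSRF_TOKEN_FETCH), none, session, skip)
                .headers.get(CSRF_TOKEN_HEADER);
        run("valid header", "/example/api", map(CSRF_TOKEN_HEADER, token), none, session, skip);
        run("valid param", "/example/api", none, map(CSRF_TOKEN_PARAM, token), session, skip);
        run("forged, no token", "/example/api", none, none, session, skip);
        run("wrong token", "/example/api", map(CSRF_TOKEN_HEADER, "guess"), none, session, skip);
        run("skipped path", "/example/public/ping", none, none, session, skip);
    }
}
```

        The token check is a second layer on top of the Origin/Referer comparison the filter performs for every non-safe request; a forged cross-site form post fails the origin check before the token is even consulted, and the token covers cases where that check is inconclusive. Keeping the skip list short matters because every skipped prefix is an endpoint the token no longer protects.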
      • getSourceURI

        public URI getSourceURI(javax.servlet.http.HttpServletRequest request)
        Gets the source URI: the URI of the page from which the request is actually coming.

        null is returned if there is no header.

        PRIVACY_SENSITIVE is returned if there is a null origin (RFC 6454 section 7.3, "privacy-sensitive" context), unless the filter is configured to ignore null origins.

      • getTargetURI

        public URI getTargetURI(javax.servlet.http.HttpServletRequest request)
        Gets the target URI: the URI to which the browser is connecting.
      • sourceAndTargetMatch

        public boolean sourceAndTargetMatch(URI sourceURI,
                                            URI targetURI)
      • originFromURI

        protected com.thetransactioncompany.cors.Origin originFromURI(URI uri)
        Gets an Origin from a URI. Strips the path and query (which may be present in Referer headers).
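        The following is an added example, not code from Nuxeo or from this class, showing how isSafeMethod, getSourceURI, getTargetURI, originFromURI and sourceAndTargetMatch fit together as one request check: safe methods pass untouched, the source URI is taken from Origin (falling back to Referer), the target URI is the scheme and Host the browser connected to, and the two are compared as origins after path and query are stripped, with "Origin: null" mapped to the PRIVACY_SENSITIVE sentinel unless null origins are allowed. The contents of SAFE_METHODS and SCHEMES_ALLOWED, the sentinel value, the simplified header maps standing in for the servlet request, the choice to treat an allowed null origin like a missing header, and the choice to let a non-safe request through when neither Origin nor Referer is present are assumptions. It runs with a plain JDK (`javac OriginCheckExample.java && java OriginCheckExample`).

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Added illustration of the source/target origin check; not Nuxeo's code. */
public class OriginCheckExample {

    // RFC 7231 section 4.2.1 safe methods (assumed content of SAFE_METHODS).
    static final Set<String> SAFE_METHODS = new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS", "TRACE"));
    // Sentinel for "Origin: null" (RFC 6454 section 7.3); constructed value, not Nuxeo's.
    static final URI PRIVACY_SENSITIVE = URI.create("privacy-sensitive:null");
    // Opaque URI without a host, so it can never match a target (constructed).
    static final URI UNPARSEABLE = URI.create("invalid:origin");
    // Assumed content of SCHEMES_ALLOWED.
    static final List<String> SCHEMES_ALLOWED = Arrays.asList("http", "https");

    static boolean isSafeMethod(String method) {
        return SAFE_METHODS.contains(method.toUpperCase(Locale.ROOT));
    }

    static URI parse(String s) {
        try {
            return new URI(s);
        } catch (URISyntaxException e) {
            return UNPARSEABLE; // a malformed header is untrusted, never treated as absent
        }
    }

    /** Source URI from Origin, falling back to Referer; null when neither header is present. */
    static URI getSourceURI(Map<String, String> headers, boolean allowNullOrigin) {
        String origin = headers.get("Origin");
        if (origin != null) {
            if ("null".equals(origin)) {
                // assumption: an allowed null origin is handled as if no header were sent
                return allowNullOrigin ? null : PRIVACY_SENSITIVE;
            }
            return parse(origin);
        }
        String referer = headers.get("Referer");
        return referer == null ? null : parse(referer);
    }

    /** Target URI: the scheme and Host the browser connected to, plus the request path. */
    static URI getTargetURI(String scheme, String host, String requestUri) {
        return parse(scheme + "://" + host + requestUri);
    }

    /** Origin as scheme, lower-cased host and effective port; Referer path and query are dropped. */
    static String originFromURI(URI uri) {
        if (uri == null || uri.getScheme() == null || uri.getHost() == null) {
            return null;
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        int port = uri.getPort() != -1 ? uri.getPort() : ("https".equals(scheme) ? 443 : 80);
        return scheme + "://" + uri.getHost().toLowerCase(Locale.ROOT) + ":" + port;
    }

    static boolean isWhitelistedScheme(URI uri) {
        return uri.getScheme() != null && SCHEMES_ALLOWED.contains(uri.getScheme().toLowerCase(Locale.ROOT));
    }

    static boolean sourceAndTargetMatch(URI sourceURI, URI targetURI) {
        if (sourceURI == null || targetURI == null || PRIVACY_SENSITIVE.equals(sourceURI)) {
            return false;
        }
        if (!isWhitelistedScheme(sourceURI)) {
            return false;
        }
        String source = originFromURI(sourceURI);
        return source != null && source.equals(originFromURI(targetURI));
    }

    /** Verdict for one request; header lookup is case-sensitive only because the input is constructed. */
    static String decide(String method, Map<String, String> headers, String scheme, String host, String path,
            boolean allowNullOrigin) {
        if (isSafeMethod(method)) {
            return "ALLOW: safe method " + method;
        }
        URI source = getSourceURI(headers, allowNullOrigin);
        if (source == null) {
            // assumption: no Origin/Referer means a non-browser client; browsers send Origin on cross-site POSTs
            return "ALLOW: no Origin/Referer header";
        }
        URI target = getTargetURI(scheme, host, path);
        return sourceAndTargetMatch(source, target)
                ? "ALLOW: source " + source + " matches the target origin"
                : "REJECT: source " + source + " does not match " + target;
    }

    public static void main(String[] args) {
        String host = "app.example.com", path = "/app/api/doc"; // constructed request
        Map<String, String> same = new HashMap<>(), cross = new HashMap<>(), referer = new HashMap<>(),
                nullOrigin = new HashMap<>(), none = new HashMap<>();
        same.put("Origin", "https://app.example.com");
        cross.put("Origin", "https://attacker.example.net");
        referer.put("Referer", "https://App.Example.com:443/app/ui/?tab=1"); // case, explicit default port, path, query
        nullOrigin.put("Origin", "null");
        System.out.println(decide("GET", cross, "https", host, path, false));
        System.out.println(decide("POST", same, "https", host, path, false));
        System.out.println(decide("POST", cross, "https", host, path, false));
        System.out.println(decide("POST", referer, "https", host, path, false));
        System.out.println(decide("POST", nullOrigin, "https", host, path, false));
        System.out.println(decide("POST", nullOrigin, "https", host, path, true));
        System.out.println(decide("DELETE", none, "https", host, path, false));
    }
}
```

        The Referer case is the one worth watching: it carries a path and query, mixed-case host and an explicit ":443", and still matches because originFromURI reduces both sides to scheme, host and effective port before comparing. Behind a reverse proxy the target scheme and host must be taken from the connection the browser actually made (for example from forwarded headers set by the proxy), otherwise a same-origin request is compared against the wrong target and rejected.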
      • maybeIgnoreWhitelistedOrigin

        protected javax.servlet.http.HttpServletRequest maybeIgnoreWhitelistedOrigin(javax.servlet.http.HttpServletRequest request)
      • isWhitelistedScheme

        protected boolean isWhitelistedScheme(URI uri)