Class NuxeoCorsCsrfFilter
- java.lang.Object
- org.nuxeo.ecm.platform.web.common.requestcontroller.filter.NuxeoCorsCsrfFilter

All Implemented Interfaces:
- javax.servlet.Filter

public class NuxeoCorsCsrfFilter extends Object implements javax.servlet.Filter

Nuxeo CORS and CSRF filter, returning CORS configuration and preventing CSRF attacks by rejecting dubious requests.
- Since: 5.7.2 for CORS, 10.1 for CSRF
Nested Class Summary
- static class NuxeoCorsCsrfFilter.IgnoredOriginRequestWrapper: Wrapper for the request to hide the Origin header.
Field Summary
- static String ALLOW_NULL_ORIGIN_PROP: Allows disabling strict CORS checks when a request has Origin: null.
- protected boolean allowNullOrigin
- static String CSRF_TOKEN_ATTRIBUTE: Session attribute in which the token is stored.
- static String CSRF_TOKEN_ENABLED_DEFAULT
- static String CSRF_TOKEN_ENABLED_SUBPROP: Allows enforcing the use of a CSRF token.
- static String CSRF_TOKEN_FETCH: Pseudo-value to fetch a token.
- static String CSRF_TOKEN_HEADER: Request header to pass a token, or fetch one.
- static String CSRF_TOKEN_INVALID: Pseudo-value to denote an invalid token.
- static String CSRF_TOKEN_NS_PROP: Configuration property (namespace) for CSRF tokens.
- static String CSRF_TOKEN_PARAM: Request parameter to pass a token.
- static String CSRF_TOKEN_SKIP_SUBPROP: Allows definition of endpoints for which no CSRF token check is done.
- protected boolean csrfTokenEnabled
- protected List<String> csrfTokenSkipPaths
- static String GET
- static String HEAD
- static String OPTIONS
- static String ORIGIN_NULL
- static URI PRIVACY_SENSITIVE
- protected static Random RANDOM
- protected static Set<String> SAFE_METHODS
- static List<String> SCHEMES_ALLOWED
- static String TRACE
Constructor Summary
- NuxeoCorsCsrfFilter()
Method Summary
All methods are concrete instance methods.
- void destroy()
- void doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain chain)
- protected String generateNewToken()
- URI getSourceURI(javax.servlet.http.HttpServletRequest request): Gets the source URI: the URI of the page from which the request is actually coming.
- URI getTargetURI(javax.servlet.http.HttpServletRequest request): Gets the target URI: the URI to which the browser is connecting.
- void init(javax.servlet.FilterConfig filterConfig)
- protected boolean isSafeMethod(String method): Checks whether the method is safe according to RFC 7231 section 4.2.1.
- protected boolean isWhitelistedScheme(URI uri)
- protected boolean manageCSRFToken(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response): Manages the CSRF token.
- protected javax.servlet.http.HttpServletRequest maybeIgnoreWhitelistedOrigin(javax.servlet.http.HttpServletRequest request)
- protected com.thetransactioncompany.cors.Origin originFromURI(URI uri): Gets an Origin from a URI.
- boolean sourceAndTargetMatch(URI sourceURI, URI targetURI)
Field Detail

GET
public static final String GET
- See Also: Constant Field Values

HEAD
public static final String HEAD
- See Also: Constant Field Values

OPTIONS
public static final String OPTIONS
- See Also: Constant Field Values

TRACE
public static final String TRACE
- See Also: Constant Field Values

ORIGIN_NULL
public static final String ORIGIN_NULL
- See Also: Constant Field Values

PRIVACY_SENSITIVE
public static final URI PRIVACY_SENSITIVE
ALLOW_NULL_ORIGIN_PROP
public static final String ALLOW_NULL_ORIGIN_PROP
Allows disabling strict CORS checks when a request has Origin: null. This may happen for local files, or for a JavaScript-triggered redirect. Setting this to false may expose the application to CSRF problems from files locally hosted on the user's disk.
- Since: 10.3
- See Also: Constant Field Values

CSRF_TOKEN_NS_PROP
public static final String CSRF_TOKEN_NS_PROP
Configuration property (namespace) for CSRF tokens.
- Since: 10.3
- See Also: Constant Field Values

CSRF_TOKEN_ENABLED_SUBPROP
public static final String CSRF_TOKEN_ENABLED_SUBPROP
Allows enforcing the use of a CSRF token. Configuration property (under the "nuxeo.csrf.token" namespace).
- Since: 10.3
- See Also: Constant Field Values

CSRF_TOKEN_ENABLED_DEFAULT
public static final String CSRF_TOKEN_ENABLED_DEFAULT
- Since: 10.3
- See Also: Constant Field Values

CSRF_TOKEN_SKIP_SUBPROP
public static final String CSRF_TOKEN_SKIP_SUBPROP
Allows definition of endpoints for which no CSRF token check is done. Configuration list property (under the "nuxeo.csrf.token" namespace).
- Since: 10.3
- See Also: Constant Field Values

CSRF_TOKEN_ATTRIBUTE
public static final String CSRF_TOKEN_ATTRIBUTE
Session attribute in which the token is stored.
- Since: 10.3
- See Also: Constant Field Values

CSRF_TOKEN_HEADER
public static final String CSRF_TOKEN_HEADER
Request header to pass a token, or fetch one.
- Since: 10.3
- See Also: Constant Field Values

CSRF_TOKEN_FETCH
public static final String CSRF_TOKEN_FETCH
Pseudo-value to fetch a token.
- Since: 10.3
- See Also: Constant Field Values

CSRF_TOKEN_INVALID
public static final String CSRF_TOKEN_INVALID
Pseudo-value to denote an invalid token.
- Since: 10.3
- See Also: Constant Field Values

CSRF_TOKEN_PARAM
public static final String CSRF_TOKEN_PARAM
Request parameter to pass a token.
- Since: 10.3
- See Also: Constant Field Values

RANDOM
protected static final Random RANDOM

allowNullOrigin
protected boolean allowNullOrigin

csrfTokenEnabled
protected boolean csrfTokenEnabled
Method Detail

init
public void init(javax.servlet.FilterConfig filterConfig)
- Specified by: init in interface javax.servlet.Filter

destroy
public void destroy()
- Specified by: destroy in interface javax.servlet.Filter

doFilter
public void doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
- Specified by: doFilter in interface javax.servlet.Filter
- Throws: IOException, javax.servlet.ServletException
isSafeMethod
protected boolean isSafeMethod(String method)
Checks whether the method is safe according to RFC 7231 section 4.2.1.

manageCSRFToken
protected boolean manageCSRFToken(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException
Manages the CSRF token. This method may send a response carrying token fetch information, or an error, if needed; in that case it returns true.
- Returns: true if the caller doesn't need to do more work (a response has been sent)
- Throws: IOException
- Since: 10.3

generateNewToken
protected String generateNewToken()

getSourceURI
public URI getSourceURI(javax.servlet.http.HttpServletRequest request)
Gets the source URI: the URI of the page from which the request is actually coming. null is returned if there is no header. PRIVACY_SENSITIVE is returned if there is a null origin (RFC 6454 section 7.3, "privacy-sensitive" context), unless configured to be ignored.

getTargetURI
public URI getTargetURI(javax.servlet.http.HttpServletRequest request)
Gets the target URI: the URI to which the browser is connecting.

originFromURI
protected com.thetransactioncompany.cors.Origin originFromURI(URI uri)
Gets an Origin from a URI. Strips the path and query (which may be present in Referer headers).

maybeIgnoreWhitelistedOrigin
protected javax.servlet.http.HttpServletRequest maybeIgnoreWhitelistedOrigin(javax.servlet.http.HttpServletRequest request)

isWhitelistedScheme
protected boolean isWhitelistedScheme(URI uri)
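The source/target comparison that getSourceURI, originFromURI, isSafeMethod and sourceAndTargetMatch describe, as an added example written for this page and not Nuxeo's own code. The value of PRIVACY_SENSITIVE, the default-port handling, and what happens when neither header is present or a null origin is ignored are assumptions, marked in the comments.

```java
import java.net.URI;
import java.util.Set;

/** Constructed model of the source/target origin check; not Nuxeo's own code. */
public class OriginCheckExample {
    // Assumed sentinel standing in for NuxeoCorsCsrfFilter.PRIVACY_SENSITIVE.
    static final URI PRIVACY_SENSITIVE = URI.create("privacy-sensitive:///");
    // Safe methods per RFC 7231 section 4.2.1 (the filter's SAFE_METHODS set).
    static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS", "TRACE");

    static boolean isSafeMethod(String method) {
        return SAFE_METHODS.contains(method.toUpperCase());
    }
    // Origin header first, then Referer. An Origin of "null" (ORIGIN_NULL) yields PRIVACY_SENSITIVE
    // unless null origins are ignored (assumption: ignoring means treating it as a missing header).
    static URI getSourceURI(String origin, String referer, boolean allowNullOrigin) {
        if (origin != null) {
            if ("null".equals(origin)) return allowNullOrigin ? null : PRIVACY_SENSITIVE;
            return URI.create(origin);
        }
        return referer == null ? null : URI.create(referer);
    }
    // Keeps scheme, host and port only; drops the path and query a Referer carries.
    static URI originFromURI(URI uri) {
        return URI.create(uri.getScheme() + "://" + uri.getRawAuthority());
    }
    static int effectivePort(URI uri) {
        if (uri.getPort() != -1) return uri.getPort();
        return "https".equalsIgnoreCase(uri.getScheme()) ? 443 : 80;
    }
    static boolean sourceAndTargetMatch(URI source, URI target) {
        URI s = originFromURI(source), t = originFromURI(target);
        return s.getHost() != null && s.getScheme().equalsIgnoreCase(t.getScheme())
                && s.getHost().equalsIgnoreCase(t.getHost()) && effectivePort(s) == effectivePort(t);
    }
    // Safe methods pass; unsafe ones must come from the target's own origin. Assumption: with
    // neither header present the request goes on to the CSRF token check, which is not shown here.
    static boolean accept(String method, String origin, String referer, String target) {
        if (isSafeMethod(method)) return true;
        URI source = getSourceURI(origin, referer, false);
        if (source == null) return true;
        if (source == PRIVACY_SENSITIVE) return false;
        return sourceAndTargetMatch(source, URI.create(target));
    }
    public static void main(String[] args) {
        String api = "https://nuxeo.example/nuxeo/api/v1/path/"; // constructed target URL
        System.out.println(accept("POST", "https://attacker.example", null, api));
        System.out.println(accept("POST", null, "https://nuxeo.example/nuxeo/ui/?tab=1", api));
    }
}
```

The first call is rejected because the Origin host differs from the target host; the second passes because the Referer, once its path and query are stripped, is the target's own origin.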