Package org.nuxeo.ecm.platform.web.common.requestcontroller.filter

Class NuxeoCorsCsrfFilter

  • All Implemented Interfaces:
    javax.servlet.Filter
    public class NuxeoCorsCsrfFilter
extends Object
implements javax.servlet.Filter
    Nuxeo CORS and CSRF filter, returning CORS configuration and preventing CSRF attacks by rejecting dubious requests.
    Since:
    5.7.2 for CORS, 10.1 for CSRF

    • Field Detail

      • SAFE_METHODS

        protected static final Set<String> SAFE_METHODS

      • PRIVACY_SENSITIVE

        public static final URI PRIVACY_SENSITIVE

      • SCHEMES_ALLOWED

        public static final List<String> SCHEMES_ALLOWED

      • ALLOW_NULL_ORIGIN_PROP

        public static final String ALLOW_NULL_ORIGIN_PROP
        Allows to disable strict CORS checks when a request has Origin: null.

        This may happen for local files, or for a JavaScript-triggered redirect. Setting this to false may expose the application to CSRF problems from files locally hosted on the user's disk.

        Since:
        10.3
        See Also:
        Constant Field Values

      • CSRF_TOKEN_NS_PROP

        public static final String CSRF_TOKEN_NS_PROP
        Configuration property (namespace) for CSRF tokens.
        Since:
        10.3
        See Also:
        Constant Field Values

      • CSRF_TOKEN_ENABLED_SUBPROP

        public static final String CSRF_TOKEN_ENABLED_SUBPROP
        Allows enforcing the use of a CSRF token. Configuration property (under the "nuxeo.csrf.token" namespace).
        Since:
        10.3
        See Also:
        Constant Field Values

      • CSRF_TOKEN_SKIP_SUBPROP

        public static final String CSRF_TOKEN_SKIP_SUBPROP
        Allows definition of endpoints for which no CSRF token check is done. Configuration list property (under the "nuxeo.csrf.token" namespace).
        Since:
        10.3
        See Also:
        Constant Field Values

      • CSRF_TOKEN_ATTRIBUTE

        public static final String CSRF_TOKEN_ATTRIBUTE
        Session attribute in which token is stored.
        Since:
        10.3
        See Also:
        Constant Field Values

      • CSRF_TOKEN_HEADER

        public static final String CSRF_TOKEN_HEADER
        Request header to pass a token, or fetch one.
        Since:
        10.3
        See Also:
        Constant Field Values

      • CSRF_TOKEN_FETCH

        public static final String CSRF_TOKEN_FETCH
        Pseudo-value to fetch a token.
        Since:
        10.3
        See Also:
        Constant Field Values

      • CSRF_TOKEN_INVALID

        public static final String CSRF_TOKEN_INVALID
        Pseudo-value to denote an invalid token.
        Since:
        10.3
        See Also:
        Constant Field Values

      • CSRF_TOKEN_PARAM

        public static final String CSRF_TOKEN_PARAM
        Request parameter to pass a token.
        Since:
        10.3
        See Also:
        Constant Field Values

      • RANDOM

        protected static final Random RANDOM

      • allowNullOrigin

        protected boolean allowNullOrigin

      • csrfTokenEnabled

        protected boolean csrfTokenEnabled

      • csrfTokenSkipPaths

        protected List<String> csrfTokenSkipPaths

    • Constructor Detail

      • NuxeoCorsCsrfFilter

        public NuxeoCorsCsrfFilter()

    • Method Detail

      • init

        public void init​(javax.servlet.FilterConfig filterConfig)
        Specified by:
        init in interface javax.servlet.Filter

      • destroy

        public void destroy()
        Specified by:
        destroy in interface javax.servlet.Filter

      • doFilter

        public void doFilter​(javax.servlet.ServletRequest servletRequest,
                     javax.servlet.ServletResponse servletResponse,
                     javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException
        Specified by:
        doFilter in interface javax.servlet.Filter
        Throws:
        IOException
        javax.servlet.ServletException

      • isSafeMethod

        protected boolean isSafeMethod​(String method)
        Check safe method according to RFC 7231 4.2.1.

      • manageCSRFToken

        protected boolean manageCSRFToken​(javax.servlet.http.HttpServletRequest request,
                                  javax.servlet.http.HttpServletResponse response)
                           throws IOException
        Manages the CSRF token.

        This method may return a response with token fetch information or with an error if needed, in which case it will return true.

        Returns:
        true if the caller doesn't need to do more work (a response has been sent)
        Throws:
        IOException
        Since:
        10.3

      • generateNewToken

        protected String generateNewToken()

      • getSourceURI

        public URI getSourceURI​(javax.servlet.http.HttpServletRequest request)
        Gets the source URI: the URI of the page from which the request is actually coming.

        null is returned is there is no header.

        PRIVACY_SENSITIVE is returned is there is a null origin (RFC 6454 7.3, "privacy-sensitive" context) unless configured to be ignored.

      • getTargetURI

        public URI getTargetURI​(javax.servlet.http.HttpServletRequest request)
        Gets the target URI: the URI to which the browser is connecting.

      • sourceAndTargetMatch

        public boolean sourceAndTargetMatch​(URI sourceURI,
                                    URI targetURI)

      • originFromURI

        protected com.thetransactioncompany.cors.Origin originFromURI​(URI uri)
        Gets an Origin from a URI. Strips the path and query (which may be present in Referer headers).

      • maybeIgnoreWhitelistedOrigin

        protected javax.servlet.http.HttpServletRequest maybeIgnoreWhitelistedOrigin​(javax.servlet.http.HttpServletRequest request)

      • isWhitelistedScheme

        protected boolean isWhitelistedScheme​(URI uri)