java.lang.Object
org.nuxeo.ecm.platform.web.common.requestcontroller.filter.NuxeoCorsCsrfFilter
All Implemented Interfaces:
javax.servlet.Filter

public class NuxeoCorsCsrfFilter extends Object implements javax.servlet.Filter
Nuxeo CORS and CSRF filter, returning CORS configuration and preventing CSRF attacks by rejecting dubious requests.
Since:
5.7.2 for CORS, 10.1 for CSRF
  • Field Details

    • GET

      public static final String GET
    • OPTIONS

      public static final String OPTIONS
    • TRACE

      public static final String TRACE
    • SAFE_METHODS

      protected static final Set<String> SAFE_METHODS
    • ORIGIN_NULL

      public static final String ORIGIN_NULL
    • PRIVACY_SENSITIVE

      public static final URI PRIVACY_SENSITIVE
    • SCHEMES_ALLOWED

      public static final List<String> SCHEMES_ALLOWED
    • ALLOW_NULL_ORIGIN_PROP

      public static final String ALLOW_NULL_ORIGIN_PROP
      Allows disabling strict CORS checks when a request has Origin: null.

      This may happen for local files or for a JavaScript-triggered redirect. Setting this to false may expose the application to CSRF problems from files locally hosted on the user's disk.

      Since:
      10.3
    • CSRF_TOKEN_NS_PROP

      public static final String CSRF_TOKEN_NS_PROP
      Configuration property (namespace) for CSRF tokens.
      Since:
      10.3
    • CSRF_TOKEN_ENABLED_SUBPROP

      public static final String CSRF_TOKEN_ENABLED_SUBPROP
      Allows enforcing the use of a CSRF token. Configuration property (under the "nuxeo.csrf.token" namespace).
      Since:
      10.3
    • CSRF_TOKEN_ENABLED_DEFAULT

      public static final String CSRF_TOKEN_ENABLED_DEFAULT
      Since:
      10.3
    • CSRF_TOKEN_SKIP_SUBPROP

      public static final String CSRF_TOKEN_SKIP_SUBPROP
      Allows defining endpoints for which no CSRF token check is done. Configuration list property (under the "nuxeo.csrf.token" namespace).
      Since:
      10.3
    • CSRF_TOKEN_ATTRIBUTE

      public static final String CSRF_TOKEN_ATTRIBUTE
      Session attribute in which token is stored.
      Since:
      10.3
    • CSRF_TOKEN_HEADER

      public static final String CSRF_TOKEN_HEADER
      Request header to pass a token, or fetch one.
      Since:
      10.3
    • CSRF_TOKEN_FETCH

      public static final String CSRF_TOKEN_FETCH
      Pseudo-value to fetch a token.
      Since:
      10.3
    • CSRF_TOKEN_INVALID

      public static final String CSRF_TOKEN_INVALID
      Pseudo-value to denote an invalid token.
      Since:
      10.3
    • CSRF_TOKEN_PARAM

      public static final String CSRF_TOKEN_PARAM
      Request parameter to pass a token.
      Since:
      10.3
    • RANDOM

      protected static final Random RANDOM
    • allowNullOrigin

      protected boolean allowNullOrigin
    • csrfTokenEnabled

      protected boolean csrfTokenEnabled
    • csrfTokenSkipPaths

      protected List<String> csrfTokenSkipPaths
  • Constructor Details

    • NuxeoCorsCsrfFilter

      public NuxeoCorsCsrfFilter()
  • Method Details

    • init

      public void init(javax.servlet.FilterConfig filterConfig)
      Specified by:
      init in interface javax.servlet.Filter
    • destroy

      public void destroy()
      Specified by:
      destroy in interface javax.servlet.Filter
    • doFilter

      public void doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
      Specified by:
      doFilter in interface javax.servlet.Filter
      Throws:
      IOException
      javax.servlet.ServletException
    • isSafeMethod

      protected boolean isSafeMethod(String method)
      Checks whether the method is safe according to RFC 7231 section 4.2.1.
    • manageCSRFToken

      protected boolean manageCSRFToken(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException
      Manages the CSRF token.

      This method may return a response with token fetch information or with an error if needed, in which case it will return true.

      Returns:
      true if the caller doesn't need to do more work (a response has been sent)
      Throws:
      IOException
      Since:
      10.3
    • generateNewToken

      protected String generateNewToken()
    • getSourceURI

      public URI getSourceURI(javax.servlet.http.HttpServletRequest request)
      Gets the source URI: the URI of the page from which the request is actually coming.

      null is returned if there is no header.

      PRIVACY_SENSITIVE is returned if there is a null origin (RFC 6454 section 7.3, "privacy-sensitive" context) unless configured to be ignored.

    • getTargetURI

      public URI getTargetURI(javax.servlet.http.HttpServletRequest request)
      Gets the target URI: the URI to which the browser is connecting.
    • sourceAndTargetMatch

      public boolean sourceAndTargetMatch(URI sourceURI, URI targetURI)
    • originFromURI

      protected com.thetransactioncompany.cors.Origin originFromURI(URI uri)
      Gets an Origin from a URI. Strips the path and query (which may be present in Referer headers).
    • maybeIgnoreWhitelistedOrigin

      protected javax.servlet.http.HttpServletRequest maybeIgnoreWhitelistedOrigin(javax.servlet.http.HttpServletRequest request)
    • isWhitelistedScheme

      protected boolean isWhitelistedScheme(URI uri)
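As an added illustration (not the filter's own code), the standalone Java class below models the decision the methods above describe: safe methods bypass the check, the source URI is taken from Origin and then Referer, a null origin becomes a sentinel unless null origins are configured to be ignored, and source and target are compared by origin only (scheme, host, port). The class and method names, the sentinel value, and the treatment of requests that carry neither Origin nor Referer are assumptions of this example.

```java
import java.net.URI;
import java.util.Set;

// Illustration of the source/target origin decision (not Nuxeo's code; the class,
// method names and the "no header is allowed" rule are assumptions of this example).
public class OriginCheckExample {
    static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS", "TRACE"); // RFC 7231 4.2.1
    static final URI PRIVACY_SENSITIVE = URI.create("privacy-sensitive:null"); // sentinel for Origin: null
    final boolean allowNullOrigin;
    OriginCheckExample(boolean allowNullOrigin) { this.allowNullOrigin = allowNullOrigin; }

    // Source URI: Origin header first, then Referer. "null" maps to the sentinel unless
    // null origins are configured to be ignored, in which case it counts as absent.
    URI getSourceURI(String origin, String referer) {
        if (origin != null) {
            if ("null".equals(origin)) return allowNullOrigin ? null : PRIVACY_SENSITIVE;
            return URI.create(origin);
        }
        return referer == null ? null : URI.create(referer);
    }

    // Effective port, so "https://host" and "https://host:443" compare equal.
    static int portOf(URI u) {
        return u.getPort() != -1 ? u.getPort() : ("https".equalsIgnoreCase(u.getScheme()) ? 443 : 80);
    }

    // Compare origins only (scheme, host, port); path and query from a Referer are ignored.
    static boolean sourceAndTargetMatch(URI source, URI target) {
        return source.getScheme() != null && source.getHost() != null
                && source.getScheme().equalsIgnoreCase(target.getScheme())
                && source.getHost().equalsIgnoreCase(target.getHost())
                && portOf(source) == portOf(target);
    }

    // Safe methods pass; otherwise the source origin must match the target origin.
    boolean accept(String method, String origin, String referer, URI target) {
        if (SAFE_METHODS.contains(method.toUpperCase())) return true;
        URI source = getSourceURI(origin, referer);
        if (source == null) return true;               // assumption: non-browser client without headers
        if (source == PRIVACY_SENSITIVE) return false; // Origin: null (local file, JS redirect)
        return sourceAndTargetMatch(source, target);
    }

    public static void main(String[] args) {
        OriginCheckExample f = new OriginCheckExample(false);
        URI target = URI.create("https://nuxeo.example/nuxeo/api/v1/path/"); // constructed target
        System.out.println(f.accept("POST", "https://nuxeo.example:443", null, target));          // same origin, explicit port
        System.out.println(f.accept("POST", null, "https://nuxeo.example/nuxeo/ui/?x=1", target)); // Referer with path and query
        System.out.println(f.accept("POST", "https://other.example", null, target));              // cross-origin state change
        System.out.println(f.accept("POST", "null", null, target));                               // privacy-sensitive origin
        System.out.println(f.accept("GET", "https://other.example", null, target));               // safe method, no check
    }
}
```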