Class NuxeoCorsCsrfFilter

java.lang.Object
    org.nuxeo.ecm.platform.web.common.requestcontroller.filter.NuxeoCorsCsrfFilter

- All Implemented Interfaces: javax.servlet.Filter

Nuxeo CORS and CSRF filter, returning CORS configuration and preventing CSRF attacks by rejecting dubious requests.

- Since: 5.7.2 for CORS, 10.1 for CSRF
Nested Class Summary

- static class: Wrapper for the request to hide the Origin header.
Field Summary

Modifier and type, field, description:
- static final String ALLOW_NULL_ORIGIN_PROP: Allows disabling strict CORS checks when a request has Origin: null.
- protected boolean allowNullOrigin
- static final String CSRF_TOKEN_ATTRIBUTE: Session attribute in which the token is stored.
- static final String CSRF_TOKEN_ENABLED_DEFAULT
- static final String CSRF_TOKEN_ENABLED_SUBPROP: Allows enforcing the use of a CSRF token.
- static final String CSRF_TOKEN_FETCH: Pseudo-value to fetch a token.
- static final String CSRF_TOKEN_HEADER: Request header to pass a token, or fetch one.
- static final String CSRF_TOKEN_INVALID: Pseudo-value to denote an invalid token.
- static final String CSRF_TOKEN_NS_PROP: Configuration property (namespace) for CSRF tokens.
- static final String CSRF_TOKEN_PARAM: Request parameter to pass a token.
- static final String CSRF_TOKEN_SKIP_SUBPROP: Allows definition of endpoints for which no CSRF token check is done.
- protected boolean csrfTokenEnabled
- csrfTokenSkipPaths
- static final String GET
- static final String HEAD
- static final String OPTIONS
- static final String ORIGIN_NULL
- static final URI PRIVACY_SENSITIVE
- protected static final Random RANDOM
- SAFE_METHODS
- SCHEMES_ALLOWED
- static final String TRACE
Constructor Summary

- NuxeoCorsCsrfFilter()
Method Summary

Modifier and type, method, description:
- void destroy()
- void doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain chain)
- protected String generateNewToken
- URI getSourceURI(javax.servlet.http.HttpServletRequest request): Gets the source URI: the URI of the page from which the request is actually coming.
- URI getTargetURI(javax.servlet.http.HttpServletRequest request): Gets the target URI: the URI to which the browser is connecting.
- void init(javax.servlet.FilterConfig filterConfig)
- protected boolean isSafeMethod(String method): Checks whether the method is safe according to RFC 7231 section 4.2.1.
- protected boolean isWhitelistedScheme(URI uri)
- protected boolean manageCSRFToken(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response): Manages the CSRF token.
- protected javax.servlet.http.HttpServletRequest maybeIgnoreWhitelistedOrigin(javax.servlet.http.HttpServletRequest request)
- protected com.thetransactioncompany.cors.Origin originFromURI(URI uri): Gets an Origin from a URI.
- boolean sourceAndTargetMatch(URI sourceURI, URI targetURI)
Field Details

GET
HEAD
OPTIONS
TRACE
SAFE_METHODS
ORIGIN_NULL
PRIVACY_SENSITIVE
SCHEMES_ALLOWED

ALLOW_NULL_ORIGIN_PROP
Allows disabling strict CORS checks when a request has Origin: null. This may happen for local files, or for a JavaScript-triggered redirect. Setting this to false may expose the application to CSRF problems from files locally hosted on the user's disk.
- Since: 10.3

CSRF_TOKEN_NS_PROP
Configuration property (namespace) for CSRF tokens.
- Since: 10.3

CSRF_TOKEN_ENABLED_SUBPROP
Allows enforcing the use of a CSRF token. Configuration property (under the "nuxeo.csrf.token" namespace).
- Since: 10.3

CSRF_TOKEN_ENABLED_DEFAULT
- Since: 10.3

CSRF_TOKEN_SKIP_SUBPROP
Allows definition of endpoints for which no CSRF token check is done. Configuration list property (under the "nuxeo.csrf.token" namespace).
- Since: 10.3

CSRF_TOKEN_ATTRIBUTE
Session attribute in which the token is stored.
- Since: 10.3

CSRF_TOKEN_HEADER
Request header to pass a token, or fetch one.
- Since: 10.3

CSRF_TOKEN_FETCH
Pseudo-value to fetch a token.
- Since: 10.3

CSRF_TOKEN_INVALID
Pseudo-value to denote an invalid token.
- Since: 10.3

CSRF_TOKEN_PARAM
Request parameter to pass a token.
- Since: 10.3

RANDOM

allowNullOrigin
protected boolean allowNullOrigin

csrfTokenEnabled
protected boolean csrfTokenEnabled

csrfTokenSkipPaths
Constructor Details

NuxeoCorsCsrfFilter
public NuxeoCorsCsrfFilter()
Method Details

init
public void init(javax.servlet.FilterConfig filterConfig)
- Specified by: init in interface javax.servlet.Filter

destroy
public void destroy()
- Specified by: destroy in interface javax.servlet.Filter

doFilter
public void doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
- Specified by: doFilter in interface javax.servlet.Filter
- Throws: IOException, javax.servlet.ServletException
isSafeMethod
Checks whether the method is safe according to RFC 7231 section 4.2.1.

manageCSRFToken
protected boolean manageCSRFToken(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException
Manages the CSRF token. This method may send a response carrying token fetch information, or an error if needed, in which case it returns true.
- Returns: true if the caller doesn't need to do more work (a response has been sent)
- Throws: IOException
- Since: 10.3

generateNewToken

getSourceURI
Gets the source URI: the URI of the page from which the request is actually coming. null is returned if there is no header. PRIVACY_SENSITIVE is returned if there is a null origin (RFC 6454 section 7.3, "privacy-sensitive" context), unless configured to be ignored.

getTargetURI
Gets the target URI: the URI to which the browser is connecting.

sourceAndTargetMatch

originFromURI
Gets an Origin from a URI. Strips the path and query (which may be present in Referer headers).

maybeIgnoreWhitelistedOrigin
protected javax.servlet.http.HttpServletRequest maybeIgnoreWhitelistedOrigin(javax.servlet.http.HttpServletRequest request)

isWhitelistedScheme
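As an added illustration of the checks documented above for getSourceURI, originFromURI, sourceAndTargetMatch and isSafeMethod (example code, not Nuxeo's own implementation), the following standalone class applies the same origin comparison to a request's headers. The header map, the allowNullOrigin flag standing in for ALLOW_NULL_ORIGIN_PROP, the literal port comparison and the sample URIs are assumptions of this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Map;
import java.util.Set;

// Added illustration, not Nuxeo's implementation: the origin comparison a CORS/CSRF filter applies.
public final class OriginCheckExample {
    // Safe methods per RFC 7231 4.2.1: they must not change state, so no origin check is needed.
    static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS", "TRACE");
    // Marker for a "null" Origin (RFC 6454 7.3 privacy-sensitive context).
    static final URI PRIVACY_SENSITIVE = URI.create("privacy-sensitive:///");
    /** Source URI from Origin, falling back to Referer; null when neither header is present. */
    static URI sourceURI(Map<String, String> headers, boolean allowNullOrigin) {
        String origin = headers.get("Origin");
        if (origin == null) {
            String referer = headers.get("Referer");
            return referer == null ? null : URI.create(referer);
        }
        // "null" origin: treated as absent when allowed, otherwise flagged (assumed policy).
        return "null".equals(origin) ? (allowNullOrigin ? null : PRIVACY_SENSITIVE) : URI.create(origin);
    }
    /** Reduce a URI to its origin: scheme, host and port only (a Referer also carries path and query). */
    static URI originOf(URI uri) {
        try {
            return new URI(uri.getScheme(), null, uri.getHost(), uri.getPort(), null, null, null);
        } catch (URISyntaxException e) { throw new IllegalArgumentException(e); }
    }
    /** Same origin: case-insensitive scheme and host, identical port (default ports not normalised here). */
    static boolean sourceAndTargetMatch(URI source, URI target) {
        if (source.getScheme() == null || source.getHost() == null) return false;  // e.g. about:blank as Referer
        URI s = originOf(source), t = originOf(target);
        return s.getScheme().equalsIgnoreCase(t.getScheme()) && s.getHost().equalsIgnoreCase(t.getHost())
                && s.getPort() == t.getPort();
    }
    /** True when the request must be rejected as cross-origin; no source at all is left to the token check. */
    static boolean rejectsRequest(String method, Map<String, String> headers, URI target, boolean allowNullOrigin) {
        if (SAFE_METHODS.contains(method)) return false;
        URI source = sourceURI(headers, allowNullOrigin);
        if (source == null) return false;
        if (source == PRIVACY_SENSITIVE) return true;
        return !sourceAndTargetMatch(source, target);
    }

    public static void main(String[] args) {
        URI target = URI.create("https://app.example.com/nuxeo/site/api");  // constructed sample target
        System.out.println(rejectsRequest("POST", Map.of("Referer", "https://other.example.net/p?q=1"), target, false));
        System.out.println(rejectsRequest("POST", Map.of("Origin", "https://app.example.com"), target, false));
    }
}
```

A request with no Origin or Referer at all is not rejected by this comparison; in the filter that case is where the CSRF token check (manageCSRFToken) carries the protection.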