Posted to scm@geronimo.apache.org by ga...@apache.org on 2012/05/10 20:12:05 UTC
svn commit: r1336818 - in /geronimo/server/branches/3.0-beta/plugins/console:
console-filter/src/main/java/org/apache/geronimo/console/filter/
console-portal-driver/src/main/webapp/WEB-INF/
Author: gawor
Date: Thu May 10 18:12:05 2012
New Revision: 1336818
URL: http://svn.apache.org/viewvc?rev=1336818&view=rev
Log:
GERONIMO-6348: Ability to configure XSRF filter with resource paths that should be ignored during XSRF check.
Modified:
geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java
geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSXSRFFilter.java
geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml
Modified: geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java?rev=1336818&r1=1336817&r2=1336818&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java Thu May 10 18:12:05 2012
@@ -21,8 +21,11 @@ import org.slf4j.LoggerFactory;
import java.io.IOException;
import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.util.HashSet;
import java.util.Map;
import java.util.Random;
+import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
@@ -51,6 +54,7 @@ public class XSRFHandler
private static final String NOXSS_HASH_OF_PAGE_TO_REDIRECT = "noxssPage";
private Map<String, String> sessionMap = new ConcurrentHashMap<String, String>();
+ private Set<String> ignoredPaths = new HashSet<String>();
private String xsrfJS;
private Random random = new Random();
@@ -63,6 +67,18 @@ public class XSRFHandler
log.debug("loaded xsrf file");
}
+ /**
+ * A comma separated list of resource paths that will be ignored during XSRF check.
+ *
+ * @param resourceList
+ */
+ public void setIgnorePaths(String pathList) {
+ String values[] = pathList.split(",");
+ for (String value : values) {
+ ignoredPaths.add(value.trim());
+ }
+ }
+
//----- Session handler routines -----
/**
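Review bot: The Javadoc on `setIgnorePaths` carries `@param resourceList`, but the parameter is named `pathList`, so the tag is dangling; change it to `@param pathList comma separated resource paths (servlet path plus path info, compared for exact equality) to skip during the XSRF check`. The loop also stores empty entries when the list has a trailing comma or a blank element, and since the request path compared later is built from `getServletPath()`, which can be the empty string for some mappings, an empty entry is not guaranteed to be inert; guard with `String trimmed = value.trim(); if (trimmed.length() > 0) { ignoredPaths.add(trimmed); }`. Because `ignoredPaths` is a plain `HashSet` read on request threads, unlike the `ConcurrentHashMap` used for `sessionMap`, the Javadoc should also state that this setter is intended to be called once from filter init, before any request is served.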
@@ -85,21 +101,21 @@ public class XSRFHandler
return false;
}
+ if (isIgnoredPath(hreq)) {
+ log.debug("Skipped XSRF checking for requestURI=" + hreq.getRequestURI());
+ return false;
+ }
+
if ((hreq.getQueryString() != null && hreq.getQueryString().length() > 0)
|| (hreq.getParameterNames().hasMoreElements())) {
-
if (hreq.getParameterMap().keySet().size() == 1 && hreq.getParameter(NOXSS_SHOW_TREE) != null) {
-
return false;
-
}
if (hreq.getParameterMap().keySet().size() == 2 && hreq.getParameter(NOXSS_SHOW_TREE) != null
&& hreq.getParameter(NOXSS_HASH_OF_PAGE_TO_REDIRECT)!=null) {
-
return false;
-
}
String sesId = (String)hses.getAttribute(XSRF_UNIQUEID);
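Review bot: The new debug line builds the log message with string concatenation, `"Skipped XSRF checking for requestURI=" + hreq.getRequestURI()`, which evaluates on every ignored request even when debug is off; the file already uses SLF4J, so the parameterized form `log.debug("Skipped XSRF checking for requestURI={}", hreq.getRequestURI());` is the idiomatic choice. It is also worth a one-line comment above the `isIgnoredPath` check noting that the exemption is evaluated before any query-string or parameter inspection, so a matching path is exempt regardless of what parameters it carries. The enclosing method starts and ends outside this hunk.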
@@ -204,6 +220,17 @@ public class XSRFHandler
sessionMap.remove(sesId);
}
}
+
+ private boolean isIgnoredPath(HttpServletRequest hreq) {
+ if (!ignoredPaths.isEmpty() && "GET".equals(hreq.getMethod())) {
+ String path = hreq.getServletPath();
+ if (hreq.getPathInfo() != null) {
+ path = path + hreq.getPathInfo();
+ }
+ return ignoredPaths.contains(path);
+ }
+ return false;
+ }
//----- Response handler routines -----
/**
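Review bot: `isIgnoredPath` has no Javadoc, and its two security-relevant properties are easy to misread from the configuration side: only `GET` requests are ever exempted, and the comparison is exact string equality on servlet path plus path info, so an entry such as a directory prefix or wildcard would never match. Add a Javadoc along the lines of `Returns true when the request is a GET whose servlet path plus path info exactly equals one of the configured ignore entries; other methods are never skipped.` The exact-match choice is the conservative one and should be kept, so the comment mainly protects against operators expecting prefix semantics.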
@@ -234,31 +261,30 @@ public class XSRFHandler
* @return String containing the JavaScript content, else null
*/
private String getFile(String filename) {
- StringBuilder sb = new StringBuilder();
InputStream is = getClass().getResourceAsStream(filename);
if (is != null) {
+ StringBuilder sb = new StringBuilder();
+ InputStreamReader reader = null;
try {
+ reader = new InputStreamReader(is, "UTF-8");
+ char[] buffer = new char[1024];
int i = 0;
- while ((i = is.read()) > 0) {
- sb.append((char) i);
+ while ((i = reader.read(buffer)) > 0) {
+ sb.append(buffer, 0, i);
}
- }
- catch (IOException ioe) {
+ } catch (IOException ioe) {
log.error("Could not read resource=" + filename, ioe);
- }
- finally {
- try {
- is.close();
- }
- catch (IOException ioe) {
+ } finally {
+ if (reader != null) {
+ try { reader.close(); } catch (IOException ignored) {}
}
+ try { is.close(); } catch (IOException ignored) {}
}
- }
- else {
+ return sb.toString();
+ } else {
log.error("Could not load required resource=" + filename);
return null;
}
- return sb.toString();
}
}
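Review bot: When `reader.read` throws, the catch block logs the error and execution falls through to `return sb.toString()`, so the caller receives whatever partial content was read rather than the `null` the Javadoc above the method promises ("else null"); for the XSRF script this means a truncated, possibly syntactically broken script could be emitted into responses with only a log entry to show for it. Adding `return null;` after the `log.error(...)` in the catch restores the documented contract and lets the caller treat the failure the same way as a missing resource. The rest of the rewrite (UTF-8 decoding and buffered reads instead of the byte-at-a-time loop that stopped at the first zero byte) looks correct; closing `reader` already closes `is`, so the second close is redundant but harmless.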
Modified: geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSXSRFFilter.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSXSRFFilter.java?rev=1336818&r1=1336817&r2=1336818&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSXSRFFilter.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSXSRFFilter.java Thu May 10 18:12:05 2012
@@ -59,13 +59,19 @@ public class XSSXSRFFilter implements Fi
public void init(FilterConfig config) throws ServletException {
log.debug("init() called");
String parmEnableXSS = config.getInitParameter("enableXSS");
- String parmEnableXSRF = config.getInitParameter("enableXSRF");
- if ((parmEnableXSS != null) && (parmEnableXSS.equals("false"))) {
+ if ((parmEnableXSS != null) && (parmEnableXSS.equalsIgnoreCase("false"))) {
this.enableXSS = false;
}
- if ((parmEnableXSRF != null) && (parmEnableXSRF.equals("false"))) {
+
+ String parmEnableXSRF = config.getInitParameter("enableXSRF");
+ if ((parmEnableXSRF != null) && (parmEnableXSRF.equalsIgnoreCase("false"))) {
this.enableXSRF = false;
}
+
+ String ignoreResources = config.getInitParameter("xsrf.ignorePaths");
+ if (ignoreResources != null) {
+ xsrf.setIgnorePaths(ignoreResources);
+ }
}
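Review bot: Each entry in `xsrf.ignorePaths` switches the XSRF check off for that path, but `init` applies the value silently; an operator reviewing startup logs has no trace of which paths were exempted, and a misconfigured or tampered web.xml would go unnoticed. Log the configured list at info level before applying it, e.g. `log.info("XSRF check disabled for paths: {}", ignoreResources);`, matching the parameterized SLF4J style used elsewhere. The `equalsIgnoreCase` change for the enable flags is fine.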
/* (non-Javadoc)
@@ -93,6 +99,7 @@ public class XSSXSRFFilter implements Fi
HttpServletRequest hreq = (HttpServletRequest)request;
hreq.setCharacterEncoding("UTF-8");
String errStr = null;
+
//--------------------------------------------------------------
// Check the URI and QueryString for simple XSS attacks
// Validate any FORM submission with our XSRF protection code
@@ -100,15 +107,15 @@ public class XSSXSRFFilter implements Fi
// check the URI/Params first, as they get logged during the XSRF checks
if (enableXSS && xss.isInvalidURI(hreq)) {
// Block simple XSS attacks in GET request URIs
- errStr = new String("XSSXSRFFilter blocked HttpServletRequest due to invalid URI content.");
+ errStr = "XSSXSRFFilter blocked HttpServletRequest due to invalid URI content.";
}
else if (enableXSS && xss.isInvalidParameters(hreq)) {
// Block simple XSS attacks in POST parameters
- errStr = new String("XSSXSRFFilter blocked HttpServletRequest due to invalid POST content.");
+ errStr = "XSSXSRFFilter blocked HttpServletRequest due to invalid POST content.";
}
else if (enableXSRF && xsrf.isInvalidSession(hreq)) {
// Block simple XSRF attacks on our forms
- errStr = new String("XSSXSRFFilter blocked HttpServletRequest due to invalid FORM content.");
+ errStr = "XSSXSRFFilter blocked HttpServletRequest due to invalid FORM content.";
}
// if we found a problem, return a HTTP 400 error code and message
if (errStr != null) {
Modified: geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml?rev=1336818&r1=1336817&r2=1336818&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml (original)
+++ geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml Thu May 10 18:12:05 2012
@@ -35,6 +35,10 @@ limitations under the License.
<filter>
<filter-name>XSSXSRFFilter</filter-name>
<filter-class>org.apache.geronimo.console.filter.XSSXSRFFilter</filter-class>
+ <init-param>
+ <param-name>xsrf.ignorePaths</param-name>
+ <param-value>/dojo/dojo/resources/blank.html</param-value>
+ </init-param>
</filter>
<filter-mapping>
<filter-name>XSSXSRFFilter</filter-name>
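Review bot: The new `init-param` is undocumented in the deployment descriptor, and its matching rules (exact path, GET only, comma separated) live only in the filter source, so anyone extending the list later has no guidance at the point of configuration. Add a comment above the `init-param`, e.g. `<!-- Comma separated resource paths exempt from the XSRF check; each entry is matched exactly and applies to GET requests only. -->`.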