Posted to java-commits@axis.apache.org by ve...@apache.org on 2016/05/28 20:15:44 UTC
svn commit: r1745929 - in
/axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp:
ActionHandler.java AxisAdminServlet.java CSRFPreventionResponseWrapper.java
CSRFTokenCache.java
Author: veithen
Date: Sat May 28 20:15:43 2016
New Revision: 1745929
URL: http://svn.apache.org/viewvc?rev=1745929&view=rev
Log:
Implement CSRF prevention.
Added:
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFPreventionResponseWrapper.java (with props)
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFTokenCache.java (with props)
Modified:
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/ActionHandler.java
axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/AxisAdminServlet.java
Modified: axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/ActionHandler.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/ActionHandler.java?rev=1745929&r1=1745928&r2=1745929&view=diff
==============================================================================
--- axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/ActionHandler.java (original)
+++ axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/ActionHandler.java Sat May 28 20:15:43 2016
@@ -44,6 +44,10 @@ final class ActionHandler {
return post ? method.equals("POST") : method.equals("GET");
}
+ boolean isCSRFTokenRequired() {
+ return post && authorizationRequired;
+ }
+
ActionResult handle(HttpServletRequest request, boolean securityEnabled) throws IOException, ServletException {
if (securityEnabled && authorizationRequired && request.getSession().getAttribute(Constants.LOGGED) == null) {
return new Redirect("welcome");
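Review bot: `isCSRFTokenRequired()` keys the token check on the `post` flag, so an action registered as GET-only (`isMethodAllowed` admits exactly one method per handler) never gets a CSRF check even if it changes state; the protection therefore rests on an invariant that every state-changing action is registered with `post=true`, and nothing in the hunk records that. I would state it on the method: `/** True when the action must carry a CSRF token: only POST actions are guarded, so any action with side effects MUST be registered as POST. */`. Note also that the token check is performed by the servlet before `handle()` runs its `Constants.LOGGED` redirect, so a forged POST is rejected with 403 rather than redirected; that ordering is fine but worth a one-line comment so a later refactor does not move the login check ahead of it. `handle()` continues past the end of this hunk.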
Modified: axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/AxisAdminServlet.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/AxisAdminServlet.java?rev=1745929&r1=1745928&r2=1745929&view=diff
==============================================================================
--- axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/AxisAdminServlet.java (original)
+++ axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/AxisAdminServlet.java Sat May 28 20:15:43 2016
@@ -33,8 +33,10 @@ import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.lang.reflect.Method;
+import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
+import java.util.Random;
/**
*
@@ -42,7 +44,8 @@ import java.util.Map;
public class AxisAdminServlet extends AxisServlet {
private static final long serialVersionUID = -6740625806509755370L;
- private Map<String,ActionHandler> actionHandlers = new HashMap<String,ActionHandler>();
+ private final Random random = new SecureRandom();
+ private final Map<String,ActionHandler> actionHandlers = new HashMap<String,ActionHandler>();
private boolean axisSecurityEnabled() {
Parameter parameter = configContext.getAxisConfiguration()
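Review bot: The new field is declared as `Random` although the only acceptable generator for a CSRF token is `SecureRandom`, so a future edit could swap in `new Random()` without any compiler or reviewer signal. Declaring it as `private final SecureRandom random = new SecureRandom();` (and taking `SecureRandom` in the wrapper constructor) makes the requirement explicit; `SecureRandom` is documented thread-safe, so sharing one instance across servlet threads is fine, and a short comment saying so would pre-empt the obvious question. The `java.util.Random` import in the previous hunk then becomes unnecessary.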
@@ -67,6 +70,18 @@ public class AxisAdminServlet extends Ax
if (actionHandler != null) {
if (actionHandler.isMethodAllowed(request.getMethod())) {
HttpSession session = request.getSession();
+ CSRFTokenCache tokenCache = (CSRFTokenCache)session.getAttribute(CSRFTokenCache.class.getName());
+ if (tokenCache == null) {
+ tokenCache = new CSRFTokenCache();
+ session.setAttribute(CSRFTokenCache.class.getName(), tokenCache);
+ }
+ if (actionHandler.isCSRFTokenRequired()) {
+ String token = request.getParameter("token");
+ if (token == null || !tokenCache.isValid(token)) {
+ response.sendError(HttpServletResponse.SC_FORBIDDEN, "No valid CSRF token found in request");
+ return;
+ }
+ }
session.setAttribute(Constants.SERVICE_PATH, configContext.getServicePath());
String statusKey = request.getParameter("status");
if (statusKey != null) {
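Review bot: The `CSRFTokenCache` lives in the `HttpSession` for the session's whole lifetime and nothing in this hunk invalidates or rotates it around login or logout; if the login and logout actions (not visible here) do not call `session.invalidate()`, a token issued to an anonymous session stays valid after the user authenticates in that same session, and tokens issued before logout remain usable after a re-login. Confirm that the logout path invalidates the session, or drop the attribute explicitly, e.g. `session.removeAttribute(CSRFTokenCache.class.getName());` at logout, and consider creating the cache only when `actionHandler.isCSRFTokenRequired()` or a token is about to be issued rather than on every allowed request. Rejection with 403 and a fixed message is appropriate; I would add a comment above the check noting that the token is validated against the session-bound cache before `handle()` runs, so the check is independent of `axisSecurityEnabled()`.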
@@ -78,7 +93,8 @@ public class AxisAdminServlet extends Ax
}
}
}
- ((ActionResult)actionHandler.handle(request, axisSecurityEnabled())).process(request, response);
+ ActionResult result = actionHandler.handle(request, axisSecurityEnabled());
+ result.process(request, new CSRFPreventionResponseWrapper(response, actionHandlers, tokenCache, random));
} else {
response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
}
Added: axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFPreventionResponseWrapper.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFPreventionResponseWrapper.java?rev=1745929&view=auto
==============================================================================
--- axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFPreventionResponseWrapper.java (added)
+++ axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFPreventionResponseWrapper.java Sat May 28 20:15:43 2016
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.axis2.webapp;
+
+import java.util.Map;
+import java.util.Random;
+
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponseWrapper;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+final class CSRFPreventionResponseWrapper extends HttpServletResponseWrapper {
+ private static final Log log = LogFactory.getLog(CSRFPreventionResponseWrapper.class);
+
+ private final Map<String,ActionHandler> actionHandlers;
+ private final CSRFTokenCache tokenCache;
+ private final Random random;
+ private String token;
+
+ CSRFPreventionResponseWrapper(HttpServletResponse response, Map<String,ActionHandler> actionHandlers, CSRFTokenCache tokenCache, Random random) {
+ super(response);
+ this.actionHandlers = actionHandlers;
+ this.tokenCache = tokenCache;
+ this.random = random;
+ }
+
+ protected String getToken() {
+ if (token == null) {
+ byte[] bytes = new byte[16];
+ StringBuilder buffer = new StringBuilder();
+ random.nextBytes(bytes);
+ for (int j = 0; j < bytes.length; j++) {
+ byte b1 = (byte)((bytes[j] & 0xf0) >> 4);
+ byte b2 = (byte)(bytes[j] & 0x0f);
+ if (b1 < 10) {
+ buffer.append((char)('0' + b1));
+ } else {
+ buffer.append((char)('A' + (b1 - 10)));
+ }
+ if (b2 < 10) {
+ buffer.append((char)('0' + b2));
+ } else {
+ buffer.append((char)('A' + (b2 - 10)));
+ }
+ }
+ token = buffer.toString();
+ tokenCache.add(token);
+ }
+ return token;
+ }
+
+ @Override
+ public String encodeUrl(String url) {
+ return encodeURL(url);
+ }
+
+ @Override
+ public String encodeURL(String url) {
+ int idx = url.indexOf('?');
+ String path = idx == -1 ? url : url.substring(0, idx);
+ String action = path.substring(path.lastIndexOf('/')+1);
+ ActionHandler actionHandler = actionHandlers.get(action);
+ if (actionHandler == null) {
+ log.warn("Unknown action: " + action);
+ } else if (actionHandler.isCSRFTokenRequired()) {
+ url = url + (idx == -1 ? '?' : '&') + "token=" + getToken();
+ }
+ return super.encodeURL(url);
+ }
+}
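Review bot: `encodeURL` appends the token as a `token=` query parameter, so for POST actions the token ends up in the form's action URL and therefore in server access logs, proxy logs, browser history and the `Referer` header of any page the form's result links out to; a hidden form field (or at least emitting the token only for the form, not for links) would keep it out of those channels, but that change sits in the JSP pages rather than in this file. Two smaller points in the same method: the action name is taken from everything after the last `/` up to `?`, so a URL carrying a `#fragment` and no query string would be looked up as `action#fragment` and logged as unknown, and `log.warn("Unknown action: " + action)` will record whatever string the caller passed, so keep this wrapper for server-generated URLs only. The hand-rolled nibble-to-hex loop in `getToken()` could be replaced by `String.format("%02X", b)` per byte, or a hex helper, and a comment that the token is 16 random bytes from a `SecureRandom` (128 bits) and is created lazily once per response would document the intended strength.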
Propchange: axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFPreventionResponseWrapper.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFTokenCache.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFTokenCache.java?rev=1745929&view=auto
==============================================================================
--- axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFTokenCache.java (added)
+++ axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFTokenCache.java Sat May 28 20:15:43 2016
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.axis2.webapp;
+
+import java.io.Serializable;
+import java.util.Iterator;
+import java.util.LinkedHashSet;
+import java.util.Set;
+
+final class CSRFTokenCache implements Serializable {
+ private static final long serialVersionUID = 1L;
+
+ private final Set<String> tokens = new LinkedHashSet<String>();
+
+ synchronized void add(String token) {
+ tokens.add(token);
+ if (tokens.size() > 10) {
+ Iterator<String> it = tokens.iterator();
+ it.next();
+ it.remove();
+ }
+ }
+
+ synchronized boolean isValid(String token) {
+ return tokens.contains(token);
+ }
+}
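Review bot: The eviction limit `10` in `add` is a bare magic number whose consequence is user-visible (the eleventh page a user opens silently invalidates the oldest page's form, which will then fail with 403), so it should be a named constant with a comment: `/** Tokens kept per session; the oldest is evicted beyond this, so pages older than that many navigations lose their token. */ private static final int MAX_TOKENS = 10;` and `if (tokens.size() > MAX_TOKENS)`. Tokens are also reusable until evicted rather than single-use, which is a deliberate trade-off for multi-tab use but should be stated on the class. `isValid` relies on `Set.contains`, i.e. `String.equals`; with 128-bit random tokens held in a session-scoped set the timing side channel is not practically exploitable, but a one-line comment saying that this was considered would save the next reviewer the question.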
Propchange: axis/axis2/java/core/trunk/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFTokenCache.java
------------------------------------------------------------------------------
svn:eol-style = native