You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@wicket.apache.org by GitBox <gi...@apache.org> on 2020/08/04 14:02:40 UTC
[GitHub] [wicket] martin-g commented on a change in pull request #439: Wicket 6786: Add Fetch Metadata support
martin-g commented on a change in pull request #439:
URL: https://github.com/apache/wicket/pull/439#discussion_r465064988
##########
File path: wicket-core/src/main/java/org/apache/wicket/protocol/http/FetchMetadataRequestCycleListener.java
##########
@@ -0,0 +1,157 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.protocol.http;
+
+import static java.util.Arrays.asList;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.SEC_FETCH_DEST_HEADER;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.SEC_FETCH_MODE_HEADER;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.SEC_FETCH_SITE_HEADER;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.VARY_HEADER;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+import javax.servlet.http.HttpServletRequest;
+import org.apache.wicket.core.request.handler.IPageRequestHandler;
+import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
+import org.apache.wicket.request.IRequestHandler;
+import org.apache.wicket.request.IRequestHandlerDelegate;
+import org.apache.wicket.request.component.IRequestablePage;
+import org.apache.wicket.request.cycle.IRequestCycleListener;
+import org.apache.wicket.request.cycle.RequestCycle;
+import org.apache.wicket.request.http.WebResponse;
+import org.apache.wicket.request.http.flow.AbortWithHttpErrorCodeException;
+import org.apache.wicket.util.string.Strings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * The Fetch Metadata Request Cycle Listener is Wicket's implementation of Fetch Metadata.
+ * This adds a layer of protection for modern browsers that prevents Cross-Site Request Forgery
+ * attacks.
+ *
+ * This request listener uses the {@link DefaultResourceIsolationPolicy} by default and can be
+ * customized with additional Resource Isolation Policies.
+ *
+ * This listener can be configured to add exempted URL paths that are intended to be used cross-site.
+ *
+ * Learn more about Fetch Metadata and resource isolation
+ * at <a href="https://web.dev/fetch-metadata/">https://web.dev/fetch-metadata/</a>
+ *
+ * @author Santiago Diaz - saldiaz@google.com
+ * @author Ecenaz Jen Ozmen - ecenazo@google.com
+ */
+public class FetchMetadataRequestCycleListener implements IRequestCycleListener {
+
+ private static final Logger log = LoggerFactory
+ .getLogger(FetchMetadataRequestCycleListener.class);
+ public static final int ERROR_CODE = 403;
+ public static final String ERROR_MESSAGE = "Forbidden";
+
+ private final Set<String> exemptedPaths = new HashSet<>();
+ private final List<ResourceIsolationPolicy> resourceIsolationPolicies = new ArrayList<>();
+
+ FetchMetadataRequestCycleListener(ResourceIsolationPolicy... additionalPolicies) {
+ this.resourceIsolationPolicies.add(new DefaultResourceIsolationPolicy());
+ this.resourceIsolationPolicies.addAll(asList(additionalPolicies));
+ }
+
+ void addExemptedPaths(String... exemptions) {
+ Arrays.stream(exemptions)
+ .filter(e -> !Strings.isEmpty(e))
+ .forEach(exemptedPaths::add);
+ }
+
+ @Override
+ public void onBeginRequest(RequestCycle cycle)
+ {
+ HttpServletRequest containerRequest = (HttpServletRequest)cycle.getRequest()
+ .getContainerRequest();
+
+ logAtDebug("Processing request to: {}", containerRequest.getPathInfo());
+ }
+
+ @Override
+ public void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler)
+ {
+ handler = unwrap(handler);
+ Optional<IPageRequestHandler> pageRequestHandler = getPageRequestHandler(handler);
+ if (pageRequestHandler.isEmpty()) {
+ return;
+ }
+
+ IRequestablePage targetedPage = pageRequestHandler.get().getPage();
+ HttpServletRequest containerRequest = (HttpServletRequest)cycle.getRequest()
+ .getContainerRequest();
+
+ String pathInfo = containerRequest.getPathInfo();
+ if (exemptedPaths.contains(pathInfo)) {
+ logAtDebug("Allowing request to {} because it matches an exempted path", pathInfo);
+ return;
+ }
+
+ for (ResourceIsolationPolicy resourceIsolationPolicy : resourceIsolationPolicies) {
+ if (!resourceIsolationPolicy.isRequestAllowed(containerRequest, targetedPage)) {
+ logAtDebug(
+ "Isolation policy {} has rejected a request to {}",
+ resourceIsolationPolicy.getClass().getSimpleName(),
Review comment:
You can use `Classes.simpleName()` here. It handles better anonymous/inner classes
##########
File path: wicket-core/src/main/java/org/apache/wicket/protocol/http/FetchMetadataRequestCycleListener.java
##########
@@ -0,0 +1,157 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.protocol.http;
+
+import static java.util.Arrays.asList;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.SEC_FETCH_DEST_HEADER;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.SEC_FETCH_MODE_HEADER;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.SEC_FETCH_SITE_HEADER;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.VARY_HEADER;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+import javax.servlet.http.HttpServletRequest;
+import org.apache.wicket.core.request.handler.IPageRequestHandler;
+import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
+import org.apache.wicket.request.IRequestHandler;
+import org.apache.wicket.request.IRequestHandlerDelegate;
+import org.apache.wicket.request.component.IRequestablePage;
+import org.apache.wicket.request.cycle.IRequestCycleListener;
+import org.apache.wicket.request.cycle.RequestCycle;
+import org.apache.wicket.request.http.WebResponse;
+import org.apache.wicket.request.http.flow.AbortWithHttpErrorCodeException;
+import org.apache.wicket.util.string.Strings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * The Fetch Metadata Request Cycle Listener is Wicket's implementation of Fetch Metadata.
+ * This adds a layer of protection for modern browsers that prevents Cross-Site Request Forgery
+ * attacks.
+ *
+ * This request listener uses the {@link DefaultResourceIsolationPolicy} by default and can be
+ * customized with additional Resource Isolation Policies.
+ *
+ * This listener can be configured to add exempted URL paths that are intended to be used cross-site.
+ *
+ * Learn more about Fetch Metadata and resource isolation
+ * at <a href="https://web.dev/fetch-metadata/">https://web.dev/fetch-metadata/</a>
+ *
+ * @author Santiago Diaz - saldiaz@google.com
+ * @author Ecenaz Jen Ozmen - ecenazo@google.com
+ */
+public class FetchMetadataRequestCycleListener implements IRequestCycleListener {
+
+ private static final Logger log = LoggerFactory
+ .getLogger(FetchMetadataRequestCycleListener.class);
+ public static final int ERROR_CODE = 403;
+ public static final String ERROR_MESSAGE = "Forbidden";
+
+ private final Set<String> exemptedPaths = new HashSet<>();
+ private final List<ResourceIsolationPolicy> resourceIsolationPolicies = new ArrayList<>();
+
+ FetchMetadataRequestCycleListener(ResourceIsolationPolicy... additionalPolicies) {
+ this.resourceIsolationPolicies.add(new DefaultResourceIsolationPolicy());
+ this.resourceIsolationPolicies.addAll(asList(additionalPolicies));
+ }
+
+ void addExemptedPaths(String... exemptions) {
+ Arrays.stream(exemptions)
+ .filter(e -> !Strings.isEmpty(e))
+ .forEach(exemptedPaths::add);
+ }
+
+ @Override
+ public void onBeginRequest(RequestCycle cycle)
+ {
+ HttpServletRequest containerRequest = (HttpServletRequest)cycle.getRequest()
+ .getContainerRequest();
+
+ logAtDebug("Processing request to: {}", containerRequest.getPathInfo());
+ }
+
+ @Override
+ public void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler)
+ {
+ handler = unwrap(handler);
+ Optional<IPageRequestHandler> pageRequestHandler = getPageRequestHandler(handler);
+ if (pageRequestHandler.isEmpty()) {
+ return;
+ }
+
+ IRequestablePage targetedPage = pageRequestHandler.get().getPage();
+ HttpServletRequest containerRequest = (HttpServletRequest)cycle.getRequest()
+ .getContainerRequest();
+
+ String pathInfo = containerRequest.getPathInfo();
+ if (exemptedPaths.contains(pathInfo)) {
+ logAtDebug("Allowing request to {} because it matches an exempted path", pathInfo);
+ return;
+ }
+
+ for (ResourceIsolationPolicy resourceIsolationPolicy : resourceIsolationPolicies) {
+ if (!resourceIsolationPolicy.isRequestAllowed(containerRequest, targetedPage)) {
+ logAtDebug(
+ "Isolation policy {} has rejected a request to {}",
+ resourceIsolationPolicy.getClass().getSimpleName(),
+ pathInfo
+ );
+ throw new AbortWithHttpErrorCodeException(ERROR_CODE, ERROR_MESSAGE);
+ }
+ }
+ }
+
+ @Override
+ public void onEndRequest(RequestCycle cycle)
+ {
+ // set vary headers to avoid caching responses processed by Fetch Metadata
+ // caching these responses may return 403 responses to legitimate requests
+ // or defeat the protection
+ if (cycle.getResponse() instanceof WebResponse)
+ {
+ WebResponse webResponse = (WebResponse)cycle.getResponse();
+ if (webResponse.isHeaderSupported())
+ {
+ webResponse.addHeader(VARY_HEADER, SEC_FETCH_DEST_HEADER + ", "
+ + SEC_FETCH_SITE_HEADER + ", " + SEC_FETCH_MODE_HEADER);
+ }
+ }
+ }
+
+ private static IRequestHandler unwrap(IRequestHandler handler) {
+ while (handler instanceof IRequestHandlerDelegate)
Review comment:
nit: our code style is to use `{` and `}` even for one-liners
##########
File path: wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
##########
@@ -110,11 +110,15 @@
* <li>{@link #onSuppressed(HttpServletRequest, String, IRequestablePage)} when an origin was in
* conflict and the request should be suppressed</li>
* </ul>
+ *
+ * @see FetchMetadataRequestCycleListener
+ * @deprecated
*/
-public class CsrfPreventionRequestCycleListener implements IRequestCycleListener
+@Deprecated(since = "XXX")
Review comment:
"9.1.0"
But IMO it needs some work before being deprecated. The logic should be extracted in a new class implementing ResourceIsolationPolicy that this listener should extend from. This way we could remove this class for Wicket 10 (as we do with all deprecated classes in a major version release).
##########
File path: wicket-core/src/main/java/org/apache/wicket/protocol/http/FetchMetadataRequestCycleListener.java
##########
@@ -0,0 +1,157 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.protocol.http;
+
+import static java.util.Arrays.asList;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.SEC_FETCH_DEST_HEADER;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.SEC_FETCH_MODE_HEADER;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.SEC_FETCH_SITE_HEADER;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.VARY_HEADER;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+import javax.servlet.http.HttpServletRequest;
+import org.apache.wicket.core.request.handler.IPageRequestHandler;
+import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
+import org.apache.wicket.request.IRequestHandler;
+import org.apache.wicket.request.IRequestHandlerDelegate;
+import org.apache.wicket.request.component.IRequestablePage;
+import org.apache.wicket.request.cycle.IRequestCycleListener;
+import org.apache.wicket.request.cycle.RequestCycle;
+import org.apache.wicket.request.http.WebResponse;
+import org.apache.wicket.request.http.flow.AbortWithHttpErrorCodeException;
+import org.apache.wicket.util.string.Strings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * The Fetch Metadata Request Cycle Listener is Wicket's implementation of Fetch Metadata.
+ * This adds a layer of protection for modern browsers that prevents Cross-Site Request Forgery
+ * attacks.
+ *
+ * This request listener uses the {@link DefaultResourceIsolationPolicy} by default and can be
+ * customized with additional Resource Isolation Policies.
+ *
+ * This listener can be configured to add exempted URL paths that are intended to be used cross-site.
+ *
+ * Learn more about Fetch Metadata and resource isolation
+ * at <a href="https://web.dev/fetch-metadata/">https://web.dev/fetch-metadata/</a>
+ *
+ * @author Santiago Diaz - saldiaz@google.com
+ * @author Ecenaz Jen Ozmen - ecenazo@google.com
+ */
+public class FetchMetadataRequestCycleListener implements IRequestCycleListener {
+
+ private static final Logger log = LoggerFactory
+ .getLogger(FetchMetadataRequestCycleListener.class);
+ public static final int ERROR_CODE = 403;
+ public static final String ERROR_MESSAGE = "Forbidden";
+
+ private final Set<String> exemptedPaths = new HashSet<>();
+ private final List<ResourceIsolationPolicy> resourceIsolationPolicies = new ArrayList<>();
+
+ FetchMetadataRequestCycleListener(ResourceIsolationPolicy... additionalPolicies) {
+ this.resourceIsolationPolicies.add(new DefaultResourceIsolationPolicy());
+ this.resourceIsolationPolicies.addAll(asList(additionalPolicies));
+ }
+
+ void addExemptedPaths(String... exemptions) {
+ Arrays.stream(exemptions)
+ .filter(e -> !Strings.isEmpty(e))
+ .forEach(exemptedPaths::add);
+ }
+
+ @Override
+ public void onBeginRequest(RequestCycle cycle)
+ {
+ HttpServletRequest containerRequest = (HttpServletRequest)cycle.getRequest()
+ .getContainerRequest();
+
+ logAtDebug("Processing request to: {}", containerRequest.getPathInfo());
+ }
+
+ @Override
+ public void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler)
+ {
+ handler = unwrap(handler);
+ Optional<IPageRequestHandler> pageRequestHandler = getPageRequestHandler(handler);
+ if (pageRequestHandler.isEmpty()) {
+ return;
+ }
+
+ IRequestablePage targetedPage = pageRequestHandler.get().getPage();
+ HttpServletRequest containerRequest = (HttpServletRequest)cycle.getRequest()
+ .getContainerRequest();
+
+ String pathInfo = containerRequest.getPathInfo();
+ if (exemptedPaths.contains(pathInfo)) {
+ logAtDebug("Allowing request to {} because it matches an exempted path", pathInfo);
+ return;
+ }
+
+ for (ResourceIsolationPolicy resourceIsolationPolicy : resourceIsolationPolicies) {
+ if (!resourceIsolationPolicy.isRequestAllowed(containerRequest, targetedPage)) {
+ logAtDebug(
+ "Isolation policy {} has rejected a request to {}",
+ resourceIsolationPolicy.getClass().getSimpleName(),
+ pathInfo
+ );
+ throw new AbortWithHttpErrorCodeException(ERROR_CODE, ERROR_MESSAGE);
+ }
+ }
+ }
+
+ @Override
+ public void onEndRequest(RequestCycle cycle)
+ {
+ // set vary headers to avoid caching responses processed by Fetch Metadata
+ // caching these responses may return 403 responses to legitimate requests
+ // or defeat the protection
+ if (cycle.getResponse() instanceof WebResponse)
+ {
+ WebResponse webResponse = (WebResponse)cycle.getResponse();
+ if (webResponse.isHeaderSupported())
+ {
+ webResponse.addHeader(VARY_HEADER, SEC_FETCH_DEST_HEADER + ", "
+ + SEC_FETCH_SITE_HEADER + ", " + SEC_FETCH_MODE_HEADER);
+ }
+ }
+ }
+
+ private static IRequestHandler unwrap(IRequestHandler handler) {
+ while (handler instanceof IRequestHandlerDelegate)
+ handler = ((IRequestHandlerDelegate)handler).getDelegateHandler();
+ return handler;
+ }
+
+ private Optional<IPageRequestHandler> getPageRequestHandler(IRequestHandler handler)
Review comment:
IMO there is no need to use `Optional` here since the only caller does not use it in functional style, but calls `.isEmpty()` + `.get()`. Using `null` is just fine.
##########
File path: wicket-core/src/main/java/org/apache/wicket/protocol/http/FetchMetadataRequestCycleListener.java
##########
@@ -0,0 +1,157 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.protocol.http;
+
+import static java.util.Arrays.asList;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.SEC_FETCH_DEST_HEADER;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.SEC_FETCH_MODE_HEADER;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.SEC_FETCH_SITE_HEADER;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.VARY_HEADER;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+import javax.servlet.http.HttpServletRequest;
+import org.apache.wicket.core.request.handler.IPageRequestHandler;
+import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
+import org.apache.wicket.request.IRequestHandler;
+import org.apache.wicket.request.IRequestHandlerDelegate;
+import org.apache.wicket.request.component.IRequestablePage;
+import org.apache.wicket.request.cycle.IRequestCycleListener;
+import org.apache.wicket.request.cycle.RequestCycle;
+import org.apache.wicket.request.http.WebResponse;
+import org.apache.wicket.request.http.flow.AbortWithHttpErrorCodeException;
+import org.apache.wicket.util.string.Strings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * The Fetch Metadata Request Cycle Listener is Wicket's implementation of Fetch Metadata.
+ * This adds a layer of protection for modern browsers that prevents Cross-Site Request Forgery
+ * attacks.
+ *
+ * This request listener uses the {@link DefaultResourceIsolationPolicy} by default and can be
+ * customized with additional Resource Isolation Policies.
+ *
+ * This listener can be configured to add exempted URL paths that are intended to be used cross-site.
+ *
+ * Learn more about Fetch Metadata and resource isolation
+ * at <a href="https://web.dev/fetch-metadata/">https://web.dev/fetch-metadata/</a>
+ *
+ * @author Santiago Diaz - saldiaz@google.com
+ * @author Ecenaz Jen Ozmen - ecenazo@google.com
+ */
+public class FetchMetadataRequestCycleListener implements IRequestCycleListener {
+
+ private static final Logger log = LoggerFactory
+ .getLogger(FetchMetadataRequestCycleListener.class);
+ public static final int ERROR_CODE = 403;
+ public static final String ERROR_MESSAGE = "Forbidden";
+
+ private final Set<String> exemptedPaths = new HashSet<>();
+ private final List<ResourceIsolationPolicy> resourceIsolationPolicies = new ArrayList<>();
+
+ FetchMetadataRequestCycleListener(ResourceIsolationPolicy... additionalPolicies) {
+ this.resourceIsolationPolicies.add(new DefaultResourceIsolationPolicy());
+ this.resourceIsolationPolicies.addAll(asList(additionalPolicies));
+ }
+
+ void addExemptedPaths(String... exemptions) {
+ Arrays.stream(exemptions)
+ .filter(e -> !Strings.isEmpty(e))
+ .forEach(exemptedPaths::add);
+ }
+
+ @Override
+ public void onBeginRequest(RequestCycle cycle)
+ {
+ HttpServletRequest containerRequest = (HttpServletRequest)cycle.getRequest()
+ .getContainerRequest();
+
+ logAtDebug("Processing request to: {}", containerRequest.getPathInfo());
+ }
+
+ @Override
+ public void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler)
+ {
+ handler = unwrap(handler);
+ Optional<IPageRequestHandler> pageRequestHandler = getPageRequestHandler(handler);
+ if (pageRequestHandler.isEmpty()) {
+ return;
+ }
+
+ IRequestablePage targetedPage = pageRequestHandler.get().getPage();
+ HttpServletRequest containerRequest = (HttpServletRequest)cycle.getRequest()
+ .getContainerRequest();
+
+ String pathInfo = containerRequest.getPathInfo();
+ if (exemptedPaths.contains(pathInfo)) {
+ logAtDebug("Allowing request to {} because it matches an exempted path", pathInfo);
+ return;
+ }
+
+ for (ResourceIsolationPolicy resourceIsolationPolicy : resourceIsolationPolicies) {
+ if (!resourceIsolationPolicy.isRequestAllowed(containerRequest, targetedPage)) {
+ logAtDebug(
+ "Isolation policy {} has rejected a request to {}",
+ resourceIsolationPolicy.getClass().getSimpleName(),
+ pathInfo
+ );
+ throw new AbortWithHttpErrorCodeException(ERROR_CODE, ERROR_MESSAGE);
+ }
+ }
+ }
+
+ @Override
+ public void onEndRequest(RequestCycle cycle)
+ {
+ // set vary headers to avoid caching responses processed by Fetch Metadata
+ // caching these responses may return 403 responses to legitimate requests
+ // or defeat the protection
+ if (cycle.getResponse() instanceof WebResponse)
+ {
+ WebResponse webResponse = (WebResponse)cycle.getResponse();
+ if (webResponse.isHeaderSupported())
+ {
+ webResponse.addHeader(VARY_HEADER, SEC_FETCH_DEST_HEADER + ", "
+ + SEC_FETCH_SITE_HEADER + ", " + SEC_FETCH_MODE_HEADER);
+ }
+ }
+ }
+
+ private static IRequestHandler unwrap(IRequestHandler handler) {
+ while (handler instanceof IRequestHandlerDelegate)
+ handler = ((IRequestHandlerDelegate)handler).getDelegateHandler();
+ return handler;
+ }
+
+ private Optional<IPageRequestHandler> getPageRequestHandler(IRequestHandler handler)
+ {
+ boolean isPageRequestHandler = handler instanceof IPageRequestHandler &&
+ !(handler instanceof RenderPageRequestHandler);
+ return isPageRequestHandler ? Optional.of((IPageRequestHandler) handler) : Optional.empty();
+ }
+
+ private static void logAtDebug(String message, Object... params) {
Review comment:
IMO this helper method is not needed. Slf4j does not add overhead if `{}` placeholders are used (and they are used!).
##########
File path: wicket-core/src/main/java/org/apache/wicket/protocol/http/FetchMetadataRequestCycleListener.java
##########
@@ -0,0 +1,157 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.protocol.http;
+
+import static java.util.Arrays.asList;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.SEC_FETCH_DEST_HEADER;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.SEC_FETCH_MODE_HEADER;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.SEC_FETCH_SITE_HEADER;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.VARY_HEADER;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+import javax.servlet.http.HttpServletRequest;
+import org.apache.wicket.core.request.handler.IPageRequestHandler;
+import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
+import org.apache.wicket.request.IRequestHandler;
+import org.apache.wicket.request.IRequestHandlerDelegate;
+import org.apache.wicket.request.component.IRequestablePage;
+import org.apache.wicket.request.cycle.IRequestCycleListener;
+import org.apache.wicket.request.cycle.RequestCycle;
+import org.apache.wicket.request.http.WebResponse;
+import org.apache.wicket.request.http.flow.AbortWithHttpErrorCodeException;
+import org.apache.wicket.util.string.Strings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * The Fetch Metadata Request Cycle Listener is Wicket's implementation of Fetch Metadata.
+ * This adds a layer of protection for modern browsers that prevents Cross-Site Request Forgery
+ * attacks.
+ *
+ * This request listener uses the {@link DefaultResourceIsolationPolicy} by default and can be
+ * customized with additional Resource Isolation Policies.
+ *
+ * This listener can be configured to add exempted URL paths that are intended to be used cross-site.
+ *
+ * Learn more about Fetch Metadata and resource isolation
+ * at <a href="https://web.dev/fetch-metadata/">https://web.dev/fetch-metadata/</a>
+ *
+ * @author Santiago Diaz - saldiaz@google.com
+ * @author Ecenaz Jen Ozmen - ecenazo@google.com
+ */
+public class FetchMetadataRequestCycleListener implements IRequestCycleListener {
+
+ private static final Logger log = LoggerFactory
+ .getLogger(FetchMetadataRequestCycleListener.class);
+ public static final int ERROR_CODE = 403;
+ public static final String ERROR_MESSAGE = "Forbidden";
+
+ private final Set<String> exemptedPaths = new HashSet<>();
+ private final List<ResourceIsolationPolicy> resourceIsolationPolicies = new ArrayList<>();
+
+ FetchMetadataRequestCycleListener(ResourceIsolationPolicy... additionalPolicies) {
+ this.resourceIsolationPolicies.add(new DefaultResourceIsolationPolicy());
+ this.resourceIsolationPolicies.addAll(asList(additionalPolicies));
+ }
+
+ void addExemptedPaths(String... exemptions) {
+ Arrays.stream(exemptions)
+ .filter(e -> !Strings.isEmpty(e))
+ .forEach(exemptedPaths::add);
+ }
+
+ @Override
+ public void onBeginRequest(RequestCycle cycle)
+ {
+ HttpServletRequest containerRequest = (HttpServletRequest)cycle.getRequest()
+ .getContainerRequest();
+
+ logAtDebug("Processing request to: {}", containerRequest.getPathInfo());
+ }
+
+ @Override
+ public void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler)
+ {
+ handler = unwrap(handler);
+ Optional<IPageRequestHandler> pageRequestHandler = getPageRequestHandler(handler);
+ if (pageRequestHandler.isEmpty()) {
+ return;
+ }
+
+ IRequestablePage targetedPage = pageRequestHandler.get().getPage();
+ HttpServletRequest containerRequest = (HttpServletRequest)cycle.getRequest()
+ .getContainerRequest();
+
+ String pathInfo = containerRequest.getPathInfo();
+ if (exemptedPaths.contains(pathInfo)) {
+ logAtDebug("Allowing request to {} because it matches an exempted path", pathInfo);
+ return;
+ }
+
+ for (ResourceIsolationPolicy resourceIsolationPolicy : resourceIsolationPolicies) {
+ if (!resourceIsolationPolicy.isRequestAllowed(containerRequest, targetedPage)) {
+ logAtDebug(
+ "Isolation policy {} has rejected a request to {}",
+ resourceIsolationPolicy.getClass().getSimpleName(),
+ pathInfo
+ );
+ throw new AbortWithHttpErrorCodeException(ERROR_CODE, ERROR_MESSAGE);
+ }
+ }
+ }
+
+ @Override
+ public void onEndRequest(RequestCycle cycle)
+ {
+ // set vary headers to avoid caching responses processed by Fetch Metadata
+ // caching these responses may return 403 responses to legitimate requests
+ // or defeat the protection
+ if (cycle.getResponse() instanceof WebResponse)
+ {
+ WebResponse webResponse = (WebResponse)cycle.getResponse();
+ if (webResponse.isHeaderSupported())
+ {
+ webResponse.addHeader(VARY_HEADER, SEC_FETCH_DEST_HEADER + ", "
+ + SEC_FETCH_SITE_HEADER + ", " + SEC_FETCH_MODE_HEADER);
Review comment:
Please define a constant for the value. No need to concatenate again and again for every request.
##########
File path: wicket-core/src/main/java/org/apache/wicket/protocol/http/FetchMetadataRequestCycleListener.java
##########
@@ -0,0 +1,157 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.protocol.http;
+
+import static java.util.Arrays.asList;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.SEC_FETCH_DEST_HEADER;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.SEC_FETCH_MODE_HEADER;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.SEC_FETCH_SITE_HEADER;
+import static org.apache.wicket.protocol.http.ResourceIsolationPolicy.VARY_HEADER;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+import javax.servlet.http.HttpServletRequest;
+import org.apache.wicket.core.request.handler.IPageRequestHandler;
+import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
+import org.apache.wicket.request.IRequestHandler;
+import org.apache.wicket.request.IRequestHandlerDelegate;
+import org.apache.wicket.request.component.IRequestablePage;
+import org.apache.wicket.request.cycle.IRequestCycleListener;
+import org.apache.wicket.request.cycle.RequestCycle;
+import org.apache.wicket.request.http.WebResponse;
+import org.apache.wicket.request.http.flow.AbortWithHttpErrorCodeException;
+import org.apache.wicket.util.string.Strings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * The Fetch Metadata Request Cycle Listener is Wicket's implementation of Fetch Metadata.
+ * This adds a layer of protection for modern browsers that prevents Cross-Site Request Forgery
+ * attacks.
+ *
+ * This request listener uses the {@link DefaultResourceIsolationPolicy} by default and can be
+ * customized with additional Resource Isolation Policies.
+ *
+ * This listener can be configured to add exempted URL paths that are intended to be used cross-site.
+ *
+ * Learn more about Fetch Metadata and resource isolation
+ * at <a href="https://web.dev/fetch-metadata/">https://web.dev/fetch-metadata/</a>
+ *
+ * @author Santiago Diaz - saldiaz@google.com
+ * @author Ecenaz Jen Ozmen - ecenazo@google.com
+ */
+public class FetchMetadataRequestCycleListener implements IRequestCycleListener {
+
+ private static final Logger log = LoggerFactory
+ .getLogger(FetchMetadataRequestCycleListener.class);
+ public static final int ERROR_CODE = 403;
+ public static final String ERROR_MESSAGE = "Forbidden";
+
+ private final Set<String> exemptedPaths = new HashSet<>();
+ private final List<ResourceIsolationPolicy> resourceIsolationPolicies = new ArrayList<>();
+
+ FetchMetadataRequestCycleListener(ResourceIsolationPolicy... additionalPolicies) {
Review comment:
Why this constructor and the method below are package private ?
How am I supposed to make use of them in my app ?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org