You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@archiva.apache.org by ol...@apache.org on 2017/05/08 11:18:47 UTC
[1/2] archiva-redback-core git commit: add some logs
Repository: archiva-redback-core
Updated Branches:
refs/heads/master 1b13cbd01 -> 396694765
add some logs
Signed-off-by: olivier lamy <ol...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/archiva-redback-core/repo
Commit: http://git-wip-us.apache.org/repos/asf/archiva-redback-core/commit/69c41ad3
Tree: http://git-wip-us.apache.org/repos/asf/archiva-redback-core/tree/69c41ad3
Diff: http://git-wip-us.apache.org/repos/asf/archiva-redback-core/diff/69c41ad3
Branch: refs/heads/master
Commit: 69c41ad38b22f02a517453fdea415d5c46c64e6f
Parents: 1b13cbd
Author: olivier lamy <ol...@apache.org>
Authored: Mon May 8 21:17:54 2017 +1000
Committer: olivier lamy <ol...@apache.org>
Committed: Mon May 8 21:17:54 2017 +1000
----------------------------------------------------------------------
.../rest/services/interceptors/RequestValidationInterceptor.java | 4 ++++
1 file changed, 4 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/archiva-redback-core/blob/69c41ad3/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/RequestValidationInterceptor.java
----------------------------------------------------------------------
diff --git a/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/RequestValidationInterceptor.java b/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/RequestValidationInterceptor.java
index b36e8e4..bd824d0 100644
--- a/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/RequestValidationInterceptor.java
+++ b/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/RequestValidationInterceptor.java
@@ -285,10 +285,14 @@ public class RequestValidationInterceptor extends AbstractInterceptor implements
enabled = config.getBoolean(UserConfigurationKeys.REST_CSRF_ENABLED,true);
if (!enabled) {
log.info("CSRF Filter is disabled by configuration");
+ } else {
+ log.info("CSRF Filter is enable");
}
checkToken = !config.getBoolean(UserConfigurationKeys.REST_CSRF_DISABLE_TOKEN_VALIDATION, false);
if (!checkToken) {
log.info("CSRF Token validation is disabled by configuration");
+ } else {
+ log.info("CSRF Token validation is enable");
}
}
[2/2] archiva-redback-core git commit: formatting
Posted by ol...@apache.org.
formatting
Signed-off-by: olivier lamy <ol...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/archiva-redback-core/repo
Commit: http://git-wip-us.apache.org/repos/asf/archiva-redback-core/commit/39669476
Tree: http://git-wip-us.apache.org/repos/asf/archiva-redback-core/tree/39669476
Diff: http://git-wip-us.apache.org/repos/asf/archiva-redback-core/diff/39669476
Branch: refs/heads/master
Commit: 396694765fc58f42a634dd26cd3f0490445f2544
Parents: 69c41ad
Author: olivier lamy <ol...@apache.org>
Authored: Mon May 8 21:18:13 2017 +1000
Committer: olivier lamy <ol...@apache.org>
Committed: Mon May 8 21:18:13 2017 +1000
----------------------------------------------------------------------
.../RequestValidationInterceptor.java | 509 ++++++++++++-------
1 file changed, 321 insertions(+), 188 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/archiva-redback-core/blob/39669476/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/RequestValidationInterceptor.java
----------------------------------------------------------------------
diff --git a/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/RequestValidationInterceptor.java b/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/RequestValidationInterceptor.java
index bd824d0..0351348 100644
--- a/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/RequestValidationInterceptor.java
+++ b/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/RequestValidationInterceptor.java
@@ -53,39 +53,51 @@ import java.util.List;
/**
* Created by Martin Stockhammer on 19.01.17.
- *
+ * <p>
* This interceptor tries to check if requests come from a valid origin and
* are not generated by another site on behalf of the real client.
- *
+ * <p>
* We are using some of the techniques mentioned in
* https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
- *
+ * <p>
* Try to find Origin and Referer of the request.
* Match them to the target address, that may be either statically configured or is determined
* by the Host/X-Forwarded-For Header.
- *
- *
*/
@Provider
@Service( "requestValidationInterceptor#rest" )
-public class RequestValidationInterceptor extends AbstractInterceptor implements ContainerRequestFilter {
+public class RequestValidationInterceptor
+ extends AbstractInterceptor
+ implements ContainerRequestFilter
+{
private static final String X_FORWARDED_PROTO = "X-Forwarded-Proto";
+
private static final String X_FORWARDED_HOST = "X-Forwarded-Host";
+
private static final String X_XSRF_TOKEN = "X-XSRF-TOKEN";
+
private static final String ORIGIN = "Origin";
+
private static final String REFERER = "Referer";
+
private static final int DEFAULT_HTTP = 80;
+
private static final int DEFAULT_HTTPS = 443;
private final Logger log = LoggerFactory.getLogger( getClass() );
private boolean enabled = true;
+
private boolean checkToken = true;
+
private boolean useStaticUrl = false;
+
private boolean denyAbsentHeaders = true;
+
private List<URL> baseUrl = new ArrayList<URL>();
+
private HttpServletRequest httpRequest = null;
@Inject
@@ -93,258 +105,337 @@ public class RequestValidationInterceptor extends AbstractInterceptor implements
private HttpBasicAuthentication httpAuthenticator;
@Inject
- @Named( value = "tokenManager#default")
+ @Named( value = "tokenManager#default" )
TokenManager tokenManager;
private UserConfiguration config;
-
- private class HeaderValidationInfo {
+
+ private class HeaderValidationInfo
+ {
final static int UNKNOWN = -1;
+
final static int OK = 0;
+
final static int F_REFERER_HOST = 1;
+
final static int F_REFERER_PORT = 2;
+
final static int F_ORIGIN_HOST = 8;
+
final static int F_ORIGIN_PORT = 16;
+
final static int F_ORIGIN_PROTOCOL = 32;
+
boolean headerFound = false;
URL targetUrl;
+
URL originUrl;
+
URL refererUrl;
-
+
String targetHost;
+
String originHost;
+
String refererHost;
-
+
int targetPort;
+
int originPort;
+
int refererPort;
int status = UNKNOWN;
-
- public HeaderValidationInfo(URL targetUrl) {
- setTargetUrl(targetUrl);
+
+ public HeaderValidationInfo( URL targetUrl )
+ {
+ setTargetUrl( targetUrl );
}
- public URL getTargetUrl() {
+ public URL getTargetUrl()
+ {
return targetUrl;
}
- public void setTargetUrl(URL targetUrl) {
+ public void setTargetUrl( URL targetUrl )
+ {
this.targetUrl = targetUrl;
- this.targetHost=getHost(targetUrl);
- this.targetPort=getPort(targetUrl);
+ this.targetHost = getHost( targetUrl );
+ this.targetPort = getPort( targetUrl );
}
- public URL getOriginUrl() {
+ public URL getOriginUrl()
+ {
return originUrl;
}
- public void setOriginUrl(URL originUrl) {
- this.originUrl=originUrl;
- this.originHost=getHost(originUrl);
- this.originPort=getPort(originUrl);
+ public void setOriginUrl( URL originUrl )
+ {
+ this.originUrl = originUrl;
+ this.originHost = getHost( originUrl );
+ this.originPort = getPort( originUrl );
checkOrigin();
- this.headerFound=true;
+ this.headerFound = true;
}
- public URL getRefererUrl() {
+ public URL getRefererUrl()
+ {
return refererUrl;
}
- public void setRefererUrl(URL refererUrl) {
- this.refererUrl=refererUrl;
- this.refererHost=getHost(refererUrl);
- this.refererPort=getPort(refererUrl);
+ public void setRefererUrl( URL refererUrl )
+ {
+ this.refererUrl = refererUrl;
+ this.refererHost = getHost( refererUrl );
+ this.refererPort = getPort( refererUrl );
checkReferer();
- this.headerFound=true;
+ this.headerFound = true;
}
- public String getTargetHost() {
+ public String getTargetHost()
+ {
return targetHost;
}
- public void setTargetHost(String targetHost) {
+ public void setTargetHost( String targetHost )
+ {
this.targetHost = targetHost;
}
- public String getOriginHost() {
+ public String getOriginHost()
+ {
return originHost;
}
- public void setOriginHost(String originHost) {
+ public void setOriginHost( String originHost )
+ {
this.originHost = originHost;
}
- public String getRefererHost() {
+ public String getRefererHost()
+ {
return refererHost;
}
- public void setRefererHost(String refererHost) {
+ public void setRefererHost( String refererHost )
+ {
this.refererHost = refererHost;
}
- public int getTargetPort() {
+ public int getTargetPort()
+ {
return targetPort;
}
- public void setTargetPort(int targetPort) {
+ public void setTargetPort( int targetPort )
+ {
this.targetPort = targetPort;
}
- public int getOriginPort() {
+ public int getOriginPort()
+ {
return originPort;
}
- public void setOriginPort(int originPort) {
+ public void setOriginPort( int originPort )
+ {
this.originPort = originPort;
}
- public int getRefererPort() {
+ public int getRefererPort()
+ {
return refererPort;
}
- public void setRefererPort(int refererPort) {
+ public void setRefererPort( int refererPort )
+ {
this.refererPort = refererPort;
}
- public void setStatus(int status) {
+ public void setStatus( int status )
+ {
this.status |= status;
}
- public int getStatus() {
+ public int getStatus()
+ {
return this.status;
}
// Origin check for Protocol, Host, Port
- public void checkOrigin() {
- if (this.getStatus()==UNKNOWN) {
- this.status=OK;
+ public void checkOrigin()
+ {
+ if ( this.getStatus() == UNKNOWN )
+ {
+ this.status = OK;
}
- if (!targetUrl.getProtocol().equals(originUrl.getProtocol())) {
- setStatus(F_ORIGIN_PROTOCOL);
+ if ( !targetUrl.getProtocol().equals( originUrl.getProtocol() ) )
+ {
+ setStatus( F_ORIGIN_PROTOCOL );
}
- if (!targetHost.equals(originHost)) {
- setStatus(F_ORIGIN_HOST);
+ if ( !targetHost.equals( originHost ) )
+ {
+ setStatus( F_ORIGIN_HOST );
}
- if (targetPort!=originPort) {
- setStatus(F_ORIGIN_PORT);
+ if ( targetPort != originPort )
+ {
+ setStatus( F_ORIGIN_PORT );
}
}
// Referer check only for Host, Port
- public void checkReferer() {
- if (this.getStatus()==UNKNOWN) {
- this.status=OK;
+ public void checkReferer()
+ {
+ if ( this.getStatus() == UNKNOWN )
+ {
+ this.status = OK;
}
- if (!targetHost.equals(refererHost)) {
- setStatus(F_REFERER_HOST);
+ if ( !targetHost.equals( refererHost ) )
+ {
+ setStatus( F_REFERER_HOST );
}
- if (targetPort!=refererPort) {
- setStatus(F_REFERER_PORT);
+ if ( targetPort != refererPort )
+ {
+ setStatus( F_REFERER_PORT );
}
}
- public boolean hasOriginError() {
- return (status & (F_ORIGIN_PROTOCOL | F_ORIGIN_HOST | F_ORIGIN_PORT)) > 0;
+ public boolean hasOriginError()
+ {
+ return ( status & ( F_ORIGIN_PROTOCOL | F_ORIGIN_HOST | F_ORIGIN_PORT ) ) > 0;
}
- public boolean hasRefererError() {
- return (status & (F_REFERER_HOST | F_REFERER_PORT )) > 0;
+ public boolean hasRefererError()
+ {
+ return ( status & ( F_REFERER_HOST | F_REFERER_PORT ) ) > 0;
}
@Override
- public String toString() {
- return "Stat="+status+", target="+targetUrl+", origin="+originUrl+", referer="+refererUrl;
+ public String toString()
+ {
+ return "Stat=" + status + ", target=" + targetUrl + ", origin=" + originUrl + ", referer=" + refererUrl;
}
}
@Inject
- public RequestValidationInterceptor(
- @Named(value = "userConfiguration#default") UserConfiguration config) {
+ public RequestValidationInterceptor( @Named( value = "userConfiguration#default" ) UserConfiguration config )
+ {
this.config = config;
}
@PostConstruct
- public void init() {
- List<String> baseUrlList = config.getList(UserConfigurationKeys.REST_BASE_URL);
- if (baseUrlList!=null) {
- for (String baseUrlStr : baseUrlList) {
- if (!"".equals(baseUrlStr.trim())) {
- try {
- baseUrl.add(new URL(baseUrlStr));
+ public void init()
+ {
+ List<String> baseUrlList = config.getList( UserConfigurationKeys.REST_BASE_URL );
+ if ( baseUrlList != null )
+ {
+ for ( String baseUrlStr : baseUrlList )
+ {
+ if ( !"".equals( baseUrlStr.trim() ) )
+ {
+ try
+ {
+ baseUrl.add( new URL( baseUrlStr ) );
useStaticUrl = true;
- } catch (MalformedURLException ex) {
- log.error("Configured baseUrl (rest.baseUrl={}) is invalid. Message: {}", baseUrlStr, ex.getMessage());
+ }
+ catch ( MalformedURLException ex )
+ {
+ log.error( "Configured baseUrl (rest.baseUrl={}) is invalid. Message: {}", baseUrlStr,
+ ex.getMessage() );
}
}
}
}
- denyAbsentHeaders = config.getBoolean(UserConfigurationKeys.REST_CSRF_ABSENTORIGIN_DENY,true);
- enabled = config.getBoolean(UserConfigurationKeys.REST_CSRF_ENABLED,true);
- if (!enabled) {
- log.info("CSRF Filter is disabled by configuration");
- } else {
- log.info("CSRF Filter is enable");
+ denyAbsentHeaders = config.getBoolean( UserConfigurationKeys.REST_CSRF_ABSENTORIGIN_DENY, true );
+ enabled = config.getBoolean( UserConfigurationKeys.REST_CSRF_ENABLED, true );
+ if ( !enabled )
+ {
+ log.info( "CSRF Filter is disabled by configuration" );
+ }
+ else
+ {
+ log.info( "CSRF Filter is enable" );
}
- checkToken = !config.getBoolean(UserConfigurationKeys.REST_CSRF_DISABLE_TOKEN_VALIDATION, false);
- if (!checkToken) {
- log.info("CSRF Token validation is disabled by configuration");
- } else {
- log.info("CSRF Token validation is enable");
+ checkToken = !config.getBoolean( UserConfigurationKeys.REST_CSRF_DISABLE_TOKEN_VALIDATION, false );
+ if ( !checkToken )
+ {
+ log.info( "CSRF Token validation is disabled by configuration" );
+ }
+ else
+ {
+ log.info( "CSRF Token validation is enable" );
}
}
@Override
- public void filter(ContainerRequestContext containerRequestContext) throws IOException {
- if (enabled) {
+ public void filter( ContainerRequestContext containerRequestContext )
+ throws IOException
+ {
+ if ( enabled )
+ {
HttpServletRequest request = getRequest();
- List<URL> targetUrls = getTargetUrl(request);
- if (targetUrls == null) {
- log.error("Could not verify target URL.");
- containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
+ List<URL> targetUrls = getTargetUrl( request );
+ if ( targetUrls == null )
+ {
+ log.error( "Could not verify target URL." );
+ containerRequestContext.abortWith( Response.status( Response.Status.FORBIDDEN ).build() );
return;
}
List<HeaderValidationInfo> validationInfos = new ArrayList<HeaderValidationInfo>();
- boolean targetMatch=false;
+ boolean targetMatch = false;
boolean noHeader = true;
- for(URL targetUrl : targetUrls) {
- log.trace("Checking against target URL: {}", targetUrl);
- HeaderValidationInfo info = checkSourceRequestHeader(new HeaderValidationInfo(targetUrl), request);
+ for ( URL targetUrl : targetUrls )
+ {
+ log.trace( "Checking against target URL: {}", targetUrl );
+ HeaderValidationInfo info = checkSourceRequestHeader( new HeaderValidationInfo( targetUrl ), request );
// We need only one match
- noHeader = noHeader && info.getStatus()==info.UNKNOWN;
- if (info.getStatus()==info.OK) {
- targetMatch=true;
+ noHeader = noHeader && info.getStatus() == info.UNKNOWN;
+ if ( info.getStatus() == info.OK )
+ {
+ targetMatch = true;
break;
- } else {
- validationInfos.add(info);
+ }
+ else
+ {
+ validationInfos.add( info );
}
}
- if (noHeader && denyAbsentHeaders) {
- log.warn("Request denied. No Origin or Referer header found and {}=true", UserConfigurationKeys.REST_CSRF_ABSENTORIGIN_DENY);
- containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
+ if ( noHeader && denyAbsentHeaders )
+ {
+ log.warn( "Request denied. No Origin or Referer header found and {}=true",
+ UserConfigurationKeys.REST_CSRF_ABSENTORIGIN_DENY );
+ containerRequestContext.abortWith( Response.status( Response.Status.FORBIDDEN ).build() );
return;
}
- if (!targetMatch) {
- log.warn("HTTP Header check failed. Assuming CSRF attack.");
- for(HeaderValidationInfo info : validationInfos) {
- if (info.hasOriginError()) {
- log.warn("Origin Header does not match: originUrl={}, targetUrl={}. Matches: Host={}, Port={}, Protocol={}",
- info.originUrl, info.targetUrl, (info.getStatus()&info.F_ORIGIN_HOST)==0,
- (info.getStatus()&info.F_ORIGIN_PORT)==0, (info.getStatus()&info.F_ORIGIN_PROTOCOL)==0);
+ if ( !targetMatch )
+ {
+ log.warn( "HTTP Header check failed. Assuming CSRF attack." );
+ for ( HeaderValidationInfo info : validationInfos )
+ {
+ if ( info.hasOriginError() )
+ {
+ log.warn(
+ "Origin Header does not match: originUrl={}, targetUrl={}. Matches: Host={}, Port={}, Protocol={}",
+ info.originUrl, info.targetUrl, ( info.getStatus() & info.F_ORIGIN_HOST ) == 0,
+ ( info.getStatus() & info.F_ORIGIN_PORT ) == 0,
+ ( info.getStatus() & info.F_ORIGIN_PROTOCOL ) == 0 );
}
- if (info.hasRefererError()) {
- log.warn("Referer Header does not match: refererUrl={}, targetUrl={}. Matches: Host={}, Port={}",
- info.refererUrl, info.targetUrl, (info.getStatus()&info.F_REFERER_HOST)==0,
- (info.getStatus()&info.F_REFERER_PORT)==0);
+ if ( info.hasRefererError() )
+ {
+ log.warn(
+ "Referer Header does not match: refererUrl={}, targetUrl={}. Matches: Host={}, Port={}",
+ info.refererUrl, info.targetUrl, ( info.getStatus() & info.F_REFERER_HOST ) == 0,
+ ( info.getStatus() & info.F_REFERER_PORT ) == 0 );
}
}
- containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
+ containerRequestContext.abortWith( Response.status( Response.Status.FORBIDDEN ).build() );
return;
}
- if (checkToken) {
- checkValidationToken(containerRequestContext, request);
+ if ( checkToken )
+ {
+ checkValidationToken( containerRequestContext, request );
}
}
}
@@ -356,89 +447,118 @@ public class RequestValidationInterceptor extends AbstractInterceptor implements
* @param containerRequestContext
* @param request
*/
- private void checkValidationToken(ContainerRequestContext containerRequestContext, HttpServletRequest request) {
+ private void checkValidationToken( ContainerRequestContext containerRequestContext, HttpServletRequest request )
+ {
Message message = JAXRSUtils.getCurrentMessage();
- RedbackAuthorization redbackAuthorization = getRedbackAuthorization(message);
+ RedbackAuthorization redbackAuthorization = getRedbackAuthorization( message );
// We check only services that are restricted
- if (!redbackAuthorization.noRestriction()) {
- String tokenString = request.getHeader(X_XSRF_TOKEN);
- if (tokenString==null || tokenString.length()==0) {
- log.warn("No validation token header found: {}",X_XSRF_TOKEN);
- containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
+ if ( !redbackAuthorization.noRestriction() )
+ {
+ String tokenString = request.getHeader( X_XSRF_TOKEN );
+ if ( tokenString == null || tokenString.length() == 0 )
+ {
+ log.warn( "No validation token header found: {}", X_XSRF_TOKEN );
+ containerRequestContext.abortWith( Response.status( Response.Status.FORBIDDEN ).build() );
return;
}
- try {
- TokenData td = tokenManager.decryptToken(tokenString);
- AuthenticationResult auth = getAuthenticationResult(message, request);
- if (auth==null) {
- log.error("Not authentication data found");
- containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
+ try
+ {
+ TokenData td = tokenManager.decryptToken( tokenString );
+ AuthenticationResult auth = getAuthenticationResult( message, request );
+ if ( auth == null )
+ {
+ log.error( "Not authentication data found" );
+ containerRequestContext.abortWith( Response.status( Response.Status.FORBIDDEN ).build() );
return;
}
User loggedIn = auth.getUser();
- if (loggedIn==null) {
- log.error("User not logged in");
- containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
+ if ( loggedIn == null )
+ {
+ log.error( "User not logged in" );
+ containerRequestContext.abortWith( Response.status( Response.Status.FORBIDDEN ).build() );
return;
}
String username = loggedIn.getUsername();
- if (!td.isValid() || !td.getUser().equals(username)) {
- log.error("Invalid data in validation token header {} for user {}: isValid={}, username={}",
- X_XSRF_TOKEN, username, td.isValid(), td.getUser());
- containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
+ if ( !td.isValid() || !td.getUser().equals( username ) )
+ {
+ log.error( "Invalid data in validation token header {} for user {}: isValid={}, username={}",
+ X_XSRF_TOKEN, username, td.isValid(), td.getUser() );
+ containerRequestContext.abortWith( Response.status( Response.Status.FORBIDDEN ).build() );
}
- } catch (InvalidTokenException e) {
- log.error("Token validation failed {}", e.getMessage());
- containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
+ }
+ catch ( InvalidTokenException e )
+ {
+ log.error( "Token validation failed {}", e.getMessage() );
+ containerRequestContext.abortWith( Response.status( Response.Status.FORBIDDEN ).build() );
}
}
- log.debug("Token validated");
+ log.debug( "Token validated" );
}
- private HttpServletRequest getRequest() {
- if (httpRequest!=null) {
+ private HttpServletRequest getRequest()
+ {
+ if ( httpRequest != null )
+ {
return httpRequest;
- } else {
+ }
+ else
+ {
Message message = JAXRSUtils.getCurrentMessage();
- return getHttpServletRequest(message);
+ return getHttpServletRequest( message );
}
}
- private List<URL> getTargetUrl(HttpServletRequest request) {
- if (useStaticUrl) {
+ private List<URL> getTargetUrl( HttpServletRequest request )
+ {
+ if ( useStaticUrl )
+ {
return baseUrl;
- } else {
+ }
+ else
+ {
List<URL> urls = new ArrayList<URL>();
URL requestUrl;
- try {
- requestUrl = new URL(request.getRequestURL().toString());
- urls.add(requestUrl);
- } catch (MalformedURLException ex) {
- log.error("Bad Request URL {}, Message: {}", request.getRequestURL(), ex.getMessage());
+ try
+ {
+ requestUrl = new URL( request.getRequestURL().toString() );
+ urls.add( requestUrl );
+ }
+ catch ( MalformedURLException ex )
+ {
+ log.error( "Bad Request URL {}, Message: {}", request.getRequestURL(), ex.getMessage() );
return null;
}
- String xforwarded = request.getHeader(X_FORWARDED_HOST);
- String xforwardedProto = request.getHeader(X_FORWARDED_PROTO);
- if (xforwardedProto==null) {
- xforwardedProto=requestUrl.getProtocol();
+ String xforwarded = request.getHeader( X_FORWARDED_HOST );
+ String xforwardedProto = request.getHeader( X_FORWARDED_PROTO );
+ if ( xforwardedProto == null )
+ {
+ xforwardedProto = requestUrl.getProtocol();
}
- if (xforwarded!=null) {
- try {
- urls.add(new URL(xforwardedProto+"://"+xforwarded));
- } catch (MalformedURLException ex) {
- log.warn("X-Forwarded-Host Header is malformed: {}", ex.getMessage());
+ if ( xforwarded != null )
+ {
+ try
+ {
+ urls.add( new URL( xforwardedProto + "://" + xforwarded ) );
+ }
+ catch ( MalformedURLException ex )
+ {
+ log.warn( "X-Forwarded-Host Header is malformed: {}", ex.getMessage() );
}
}
return urls;
}
}
- private int getPort(final URL url) {
- return url.getPort() > 0 ? url.getPort() : ("https".equals(url.getProtocol()) ? DEFAULT_HTTPS : DEFAULT_HTTP);
+ private int getPort( final URL url )
+ {
+ return url.getPort() > 0
+ ? url.getPort()
+ : ( "https".equals( url.getProtocol() ) ? DEFAULT_HTTPS : DEFAULT_HTTP );
}
- private String getHost(final URL url) {
+ private String getHost( final URL url )
+ {
return url.getHost().trim().toLowerCase();
}
@@ -446,47 +566,60 @@ public class RequestValidationInterceptor extends AbstractInterceptor implements
* Checks the validation headers. First the Origin header is checked, if this fails
* or is absent, the referer header is checked.
*
- * @param info The info object that must be populated with the targetURL
+ * @param info The info object that must be populated with the targetURL
* @param request The HTTP request object
* @return A info object with updated status information
*/
- private HeaderValidationInfo checkSourceRequestHeader(final HeaderValidationInfo info, final HttpServletRequest request) {
- String origin = request.getHeader(ORIGIN);
- if (origin!=null) {
- try {
- info.setOriginUrl(new URL(origin));
- } catch (MalformedURLException e) {
- log.warn("Bad origin header found: {}", origin);
+ private HeaderValidationInfo checkSourceRequestHeader( final HeaderValidationInfo info,
+ final HttpServletRequest request )
+ {
+ String origin = request.getHeader( ORIGIN );
+ if ( origin != null )
+ {
+ try
+ {
+ info.setOriginUrl( new URL( origin ) );
+ }
+ catch ( MalformedURLException e )
+ {
+ log.warn( "Bad origin header found: {}", origin );
}
}
// Check referer if Origin header dos not match or is not available
- if (info.getStatus()!=info.OK) {
- String referer = request.getHeader(REFERER);
- if (referer != null) {
- try {
- info.setRefererUrl(new URL(referer));
- } catch (MalformedURLException ex) {
- log.warn("Bad URL in Referer HTTP-Header: {}, Message: {}", referer, ex.getMessage());
+ if ( info.getStatus() != info.OK )
+ {
+ String referer = request.getHeader( REFERER );
+ if ( referer != null )
+ {
+ try
+ {
+ info.setRefererUrl( new URL( referer ) );
+ }
+ catch ( MalformedURLException ex )
+ {
+ log.warn( "Bad URL in Referer HTTP-Header: {}, Message: {}", referer, ex.getMessage() );
}
}
}
return info;
}
- public void setHttpRequest(HttpServletRequest request) {
+ public void setHttpRequest( HttpServletRequest request )
+ {
this.httpRequest = request;
}
- private AuthenticationResult getAuthenticationResult(Message message, HttpServletRequest request) {
- AuthenticationResult authenticationResult = message.get(AuthenticationResult.class);
+ private AuthenticationResult getAuthenticationResult( Message message, HttpServletRequest request )
+ {
+ AuthenticationResult authenticationResult = message.get( AuthenticationResult.class );
- log.debug("authenticationResult from message: {}", authenticationResult);
+ log.debug( "authenticationResult from message: {}", authenticationResult );
if ( authenticationResult == null )
{
try
{
authenticationResult =
- httpAuthenticator.getAuthenticationResult( request, getHttpServletResponse( message ) );
+ httpAuthenticator.getAuthenticationResult( request, getHttpServletResponse( message ) );
log.debug( "authenticationResult from request: {}", authenticationResult );
}