Posted to scm@geronimo.apache.org by xi...@apache.org on 2012/05/24 19:01:28 UTC
svn commit: r1342343 - in /geronimo/server/branches/3.0-beta/plugins/console:
console-filter/src/main/java/org/apache/geronimo/console/filter/
console-portal-driver/src/main/java/org/apache/geronimo/console/filter/
console-portal-driver/src/main/webapp...
Author: xiaming
Date: Thu May 24 17:01:28 2012
New Revision: 1342343
URL: http://svn.apache.org/viewvc?rev=1342343&view=rev
Log:
GERONIMO-6348 A workaround for IE 8 specific XSRFFilter issue
Modified:
geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java
geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSXSRFFilter.java
geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/java/org/apache/geronimo/console/filter/RedirectByHashFilter.java
geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml
Modified: geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java?rev=1342343&r1=1342342&r2=1342343&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java Thu May 24 17:01:28 2012
@@ -136,7 +136,7 @@ public class XSRFHandler
}
else if (!reqId.equals(uniqueId)) {
// The unique Ids didn't match
- log.warn("Blocked due to invalid HttpServletRequest parameter.");
+ log.warn("Found invalid HttpServletRequest parameter, please try to log out and then log in again!");
// TODO - Should we invalidate the session?
return true;
}
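Review bot: The rewritten warning on line +28 drops the word "Blocked" and addresses the end user ("please try to log out and then log in again"), but this is a server-side log that the user never sees, while any log-based alerting keyed on the old "Blocked due to invalid HttpServletRequest parameter" text silently stops matching. Keeping the fact first and the hint second preserves both, e.g. `log.warn("Blocked due to invalid HttpServletRequest parameter (request id did not match the session id); if this recurs the user should log out and log in again.");`. The enclosing method begins and ends outside this hunk.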
@@ -150,6 +150,12 @@ public class XSRFHandler
}
return false;
}
+
+ public boolean isWorkaroundPattern(HttpServletRequest hreq){
+ boolean isIE8 = hreq.getHeader("user-agent").indexOf("MSIE 8.0") != -1;
+ boolean isGETMethod = hreq.getMethod().equalsIgnoreCase("GET");
+ return isIE8 && isGETMethod;
+ }
/**
* When HttpSessions are invalidated, remove them form our map
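Review bot: `isWorkaroundPattern` on lines +37..+41 dereferences `hreq.getHeader("user-agent")` without a null check, so a request that omits the header throws a NullPointerException inside the filter instead of being evaluated; `String ua = hreq.getHeader("User-Agent"); boolean isIE8 = ua != null && ua.contains("MSIE 8.0");` avoids that. The header is also entirely client-supplied, so once `allowWorkaround` is on (the web.xml hunk enables it) any GET that failed the request-id/session comparison passes simply by advertising that User-Agent, which makes the workaround a GET-wide relaxation of the XSRF check rather than an IE 8-specific one. That scope is worth stating in a Javadoc on the method, e.g. `/** Returns true for GET requests whose User-Agent claims IE 8; the header is client-controlled, so this must only gate requests that cannot change state (GERONIMO-6348). */`, and is a reason to keep the branch disabled by default.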
Modified: geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSXSRFFilter.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSXSRFFilter.java?rev=1342343&r1=1342342&r2=1342343&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSXSRFFilter.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSXSRFFilter.java Thu May 24 17:01:28 2012
@@ -52,6 +52,8 @@ public class XSSXSRFFilter implements Fi
private XSRFHandler xsrf = new XSRFHandler();
private boolean enableXSS = true;
private boolean enableXSRF = true;
+ private boolean allowWorkaround = false;
+
/* (non-Javadoc)
* @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
@@ -72,6 +74,11 @@ public class XSSXSRFFilter implements Fi
if (ignoreResources != null) {
xsrf.setIgnorePaths(ignoreResources);
}
+
+ String parmAllowWorkaround = config.getInitParameter("allowWorkaround");
+ if (parmAllowWorkaround != null && (parmAllowWorkaround.equalsIgnoreCase("true"))) {
+ allowWorkaround = true;
+ }
}
/* (non-Javadoc)
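Review bot: The parse on lines +62..+65 can be the single, null-safe and case-insensitive `allowWorkaround = Boolean.parseBoolean(config.getInitParameter("allowWorkaround"));`, which keeps the field's `false` default for every other value. A comment naming what the switch relaxes would help whoever edits web.xml later, e.g. `// GERONIMO-6348: when true, GET requests whose User-Agent claims IE 8 are let through the XSRF check (see XSRFHandler.isWorkaroundPattern)`. The init method begins and ends outside this hunk.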
@@ -114,8 +121,13 @@ public class XSSXSRFFilter implements Fi
errStr = "XSSXSRFFilter blocked HttpServletRequest due to invalid POST content.";
}
else if (enableXSRF && xsrf.isInvalidSession(hreq)) {
- // Block simple XSRF attacks on our forms
- errStr = "XSSXSRFFilter blocked HttpServletRequest due to invalid FORM content.";
+ if (allowWorkaround && xsrf.isWorkaroundPattern(hreq)) {
+ // Workaround for GERONIMO-6348 IE 8 issue
+ hreq.setAttribute("isWorkaroundPattern", "true");
+ } else {
+ // Block simple XSRF attacks on our forms
+ errStr = "XSSXSRFFilter blocked HttpServletRequest due to invalid FORM content.";
+ }
}
// if we found a problem, return a HTTP 400 error code and message
if (errStr != null) {
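Review bot: When the branch on lines +74..+76 lets through a request that `xsrf.isInvalidSession` had rejected, nothing is logged, so the only trace of the bypass is a request attribute and an operator reading the server log cannot distinguish these requests from normally validated ones. Adding `log.warn("XSRF check failed but request allowed by the GERONIMO-6348 IE 8 workaround: " + hreq.getRequestURI());` before the `setAttribute` call keeps the bypass auditable. The literal `"isWorkaroundPattern"` is the contract with RedirectByHashFilter, which reads the same attribute in a later hunk; if the two modules can share a constant, one would keep them in step. The doFilter method begins and ends outside this hunk.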
Modified: geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/java/org/apache/geronimo/console/filter/RedirectByHashFilter.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/java/org/apache/geronimo/console/filter/RedirectByHashFilter.java?rev=1342343&r1=1342342&r2=1342343&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/java/org/apache/geronimo/console/filter/RedirectByHashFilter.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/java/org/apache/geronimo/console/filter/RedirectByHashFilter.java Thu May 24 17:01:28 2012
@@ -53,6 +53,7 @@ public class RedirectByHashFilter implem
private static final String NOXSS_HASH_OF_PAGE_TO_REDIRECT = "noxssPage";
private static final String NOXSS_SHOW_TREE = "noxssShowTree";
private static final String HASH_OF_CURRENT_PORTAL_PAGE = "hashOfCurrentPortalPage";
+ private String welcomeURI;
public void destroy() {
}
@@ -93,6 +94,8 @@ public class RedirectByHashFilter implem
}
String hashOfPageToRedirect = request.getParameter(NOXSS_HASH_OF_PAGE_TO_REDIRECT);
+ // Workaround for GERONIMO-6348 IE 8 issue
+ String redirectURI = (String)request.getAttribute("isWorkaroundPattern");
//Redirect index page url that contain noxssPage=xxxxxx to the real destination.
if (hashOfPageToRedirect != null && request.getParameter(NOXSS_SHOW_TREE) != null) {
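Review bot: The local `redirectURI` on line +100 is misnamed: it holds the value of the `isWorkaroundPattern` request attribute (the string `"true"` set by XSSXSRFFilter), not a URI, and is only tested for null later in doFilter. `String workaroundFlag = (String) request.getAttribute("isWorkaroundPattern");` reads correctly at the later `else if`, and the literal must stay byte-identical to the one XSSXSRFFilter sets. The doFilter method begins and ends outside this hunk.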
@@ -110,6 +113,19 @@ public class RedirectByHashFilter implem
return;
//httpServletResponse.sendRedirect(pageToRedirect);
+ }
+ // Workaround for GERONIMO-6348 IE 8 issue
+ else if(redirectURI != null) {
+ String pageToRedirect = "";
+ String pageToRedirectURI = hashToRedirectURL.get(request.getAttribute(HASH_OF_CURRENT_PORTAL_PAGE));
+ if (pageToRedirectURI.equals(welcomeURI)) {
+ pageToRedirect = pageToRedirectURI + "?"+NOXSS_SHOW_TREE+"=true";
+ } else {
+ pageToRedirect = pageToRedirectURI;
+ }
+ log.debug("Redirecting to:" + pageToRedirect+" according to hash:"+hashOfPageToRedirect);
+ request.getRequestDispatcher(pageToRedirect).forward(request, response);
+ return;
} else {
log.debug("no redirect for:" + ((HttpServletRequest)request).getRequestURL());
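Review bot: `hashToRedirectURL.get(...)` on line +110 can return null when the `hashOfCurrentPortalPage` attribute is absent or not in the map, and line +111 then calls `pageToRedirectURI.equals(welcomeURI)` and throws a NullPointerException instead of reaching the "no redirect" branch on +119. Swapping to `welcomeURI.equals(pageToRedirectURI)` only moves the failure to the forward with a null path; the safer change is to do the lookup before the `else if` and extend its condition to `else if (redirectURI != null && pageToRedirectURI != null)` so a missing entry takes the existing else branch. The debug message on +116 reports `hashOfPageToRedirect`, which this branch does not use to resolve the target; logging `request.getAttribute(HASH_OF_CURRENT_PORTAL_PAGE)` would match what was actually looked up. The doFilter method begins and ends outside this hunk.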
@@ -119,8 +135,14 @@ public class RedirectByHashFilter implem
}
- public void init(FilterConfig arg0) throws ServletException {
- // TODO Auto-generated method stub
+ public void init(FilterConfig filterConfig) throws ServletException {
+ if (filterConfig.getInitParameter("WelcomeURI") != null) {
+ this.welcomeURI = filterConfig.getInitParameter("WelcomeURI");
+ } else {
+ log.info("Set default welcome URI to /portal/0/Welcome.");
+ this.welcomeURI = "/portal/0/Welcome";
+ }
+
}
}
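Review bot: `init` reads the `WelcomeURI` init-param twice (lines +126 and +127); one lookup is clearer: `String configured = filterConfig.getInitParameter("WelcomeURI");` followed by `this.welcomeURI = configured != null ? configured : "/portal/0/Welcome";`. The removed `// TODO Auto-generated method stub` could become a one-line Javadoc noting that `WelcomeURI` is compared verbatim against the redirect map in doFilter, so it must equal the path registered for the welcome page. The stray blank line at +132 can be dropped.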
Modified: geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml?rev=1342343&r1=1342342&r2=1342343&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml (original)
+++ geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml Thu May 24 17:01:28 2012
@@ -37,7 +37,11 @@ limitations under the License.
<filter-class>org.apache.geronimo.console.filter.XSSXSRFFilter</filter-class>
<init-param>
<param-name>xsrf.ignorePaths</param-name>
- <param-value>/dojo/dojo/resources/blank.html,/portal/0/Welcome</param-value>
+ <param-value>/dojo/dojo/resources/blank.html</param-value>
+ </init-param>
+ <init-param>
+ <param-name>allowWorkaround</param-name>
+ <param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
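Review bot: The new `allowWorkaround` init-param on lines +147..+149 carries no comment explaining that it relaxes XSRF enforcement for every GET whose User-Agent claims IE 8, whereas the `/portal/0/Welcome` entry removed from `xsrf.ignorePaths` on +144 was scoped to one path. An XML comment beside it, e.g. `<!-- GERONIMO-6348: lets GET requests from IE 8 through the XSRF check; set to false once the IE 8 issue is resolved -->`, records why it is on and when it can be turned off.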
@@ -74,6 +78,10 @@ limitations under the License.
<filter>
<filter-name>RedirectByHashFilter</filter-name>
<filter-class>org.apache.geronimo.console.filter.RedirectByHashFilter</filter-class>
+ <init-param>
+ <param-name>WelcomeURI</param-name>
+ <param-value>/portal/0/Welcome</param-value>
+ </init-param>
</filter>
<filter-mapping>