Posted to scm@geronimo.apache.org by ga...@apache.org on 2012/05/24 23:10:03 UTC
svn commit: r1342432 - in /geronimo/server/branches/3.0-beta/plugins/console:
console-filter/src/main/java/org/apache/geronimo/console/filter/
console-portal-driver/src/main/java/org/apache/geronimo/console/filter/
console-portal-driver/src/main/webapp...
Author: gawor
Date: Thu May 24 21:10:02 2012
New Revision: 1342432
URL: http://svn.apache.org/viewvc?rev=1342432&view=rev
Log:
GERONIMO-6348: A slightly more generic workaround for the XSRFFilter issue with IE 8
Modified:
geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/SubstituteResponseWrapper.java
geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java
geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSXSRFFilter.java
geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/java/org/apache/geronimo/console/filter/RedirectByHashFilter.java
geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml
Modified: geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/SubstituteResponseWrapper.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/SubstituteResponseWrapper.java?rev=1342432&r1=1342431&r2=1342432&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/SubstituteResponseWrapper.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/SubstituteResponseWrapper.java Thu May 24 21:10:02 2012
@@ -20,6 +20,7 @@ import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletOutputStream;
+import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
@@ -36,12 +37,13 @@ public class SubstituteResponseWrapper e
private SubstituteResponseOutputStream stream = null;
private SubstitutePrintWriter writer = null;
+ private HttpServletRequest request;
private String substitute = null;
- public SubstituteResponseWrapper(HttpServletResponse response,
- String substitute) {
+ public SubstituteResponseWrapper(HttpServletRequest request, HttpServletResponse response, String substitute) {
super(response);
this.substitute = substitute;
+ this.request = request;
}
private boolean substituteRequired() {
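Review bot: The new `request` field is assigned only in the constructor and read by `shouldDisableClientCache()`, so it should be declared `private final HttpServletRequest request;` to make that invariant explicit and catch accidental reassignment at compile time. A null `request` would only surface later as a NullPointerException inside `shouldDisableClientCache()`, so consider rejecting it up front in the constructor, e.g. `if (request == null) throw new IllegalArgumentException("request");`. The only caller visible in this commit (XSSXSRFFilter) passes a non-null `hreq`, so this is defensive rather than a known bug.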
@@ -54,10 +56,34 @@ public class SubstituteResponseWrapper e
}
return false;
}
-
+
+ private void disableClientCache() {
+ // check if we need to disable cache
+ if (shouldDisableClientCache()) {
+ setHeader("Cache-Control", "No-cache,no-store");
+ setDateHeader("Expires", 1);
+ }
+ }
+
+ private boolean shouldDisableClientCache() {
+ // We disable cache for IE8 and its compatibility mode. See GERONIMO-6348.
+ if ("GET".equalsIgnoreCase(request.getMethod())) {
+ String userAgent = request.getHeader("user-agent");
+ if (userAgent != null) {
+ int pos = userAgent.indexOf("MSIE ");
+ if (pos != -1) {
+ char version = userAgent.charAt(pos + 5);
+ return version == '8' || version == '7';
+ }
+ }
+ }
+ return false;
+ }
+
@Override
public void flushBuffer() throws IOException {
if (substituteRequired()) {
+ disableClientCache();
if (writer != null) {
writer.flush();
} else if (stream != null) {
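Review bot: `shouldDisableClientCache()` indexes `userAgent.charAt(pos + 5)` without checking that the string is long enough, so a client sending a User-Agent header that ends exactly with `MSIE ` triggers a StringIndexOutOfBoundsException from inside the response wrapper; the condition should be `if (pos != -1 && pos + 5 < userAgent.length()) {`. Because the header is entirely client-controlled this is trivially reachable, and the failure happens while the response is being produced rather than at the filter's input-validation step. Separately, the reason the cache is disabled here is presumably that the substituted response carries the per-session XSRF token (`getReplacement` in XSSXSRFFilter); if so, a `Cache-Control: no-store` for every user agent, not only MSIE 7/8, would keep the token out of shared caches as well — the IE-only scope looks like a deliberate narrowing for GERONIMO-6348 and is worth a sentence in the comment above `shouldDisableClientCache()`. `flushBuffer()` continues past the end of this hunk.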
@@ -77,6 +103,7 @@ public class SubstituteResponseWrapper e
throw new IllegalStateException(
"getWriter() has already been called on this response.");
} else if (stream == null) {
+ disableClientCache();
stream = new SubstituteResponseOutputStream(substitute,
getCharacterEncoding(), super.getOutputStream());
}
@@ -92,6 +119,7 @@ public class SubstituteResponseWrapper e
throw new IllegalStateException(
"getStream() has already been called on this response.");
} else if (writer == null) {
+ disableClientCache();
writer = new SubstitutePrintWriter(new SubstituteWriter(
substitute, getCharacterEncoding(), super
.getOutputStream()));
@@ -106,6 +134,7 @@ public class SubstituteResponseWrapper e
super.reset();
// If no exception from the wrapped response, let's reset too
if (substituteRequired()) {
+ disableClientCache();
if (stream != null) {
stream.reset();
} else if (writer != null) {
@@ -118,8 +147,9 @@ public class SubstituteResponseWrapper e
public void resetBuffer() {
log.debug("Resetting buffer...");
super.resetBuffer();
+ // If no exception from the wrapped response, let's reset too
if (substituteRequired()) {
- // If no exception from the wrapped response, let's reset too
+ disableClientCache();
if (stream != null) {
stream.reset();
} else if (writer != null) {
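Review bot: The `disableClientCache()` call added in `resetBuffer()` is redundant: per the Servlet API, `resetBuffer()` clears only the buffered content and leaves headers and status intact, so the Cache-Control/Expires headers set earlier in `getOutputStream()`/`getWriter()` survive, unlike in `reset()` where `super.reset()` also discards headers and re-applying them is required. The call is harmless (it just rewrites the same values), but if it is kept it deserves a comment such as `// resetBuffer() does not clear headers; re-applied only for symmetry with reset()` so the next reader does not assume headers were lost. `resetBuffer()` continues past the end of this hunk.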
Modified: geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java?rev=1342432&r1=1342431&r2=1342432&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java Thu May 24 21:10:02 2012
@@ -136,7 +136,7 @@ public class XSRFHandler
}
else if (!reqId.equals(uniqueId)) {
// The unique Ids didn't match
- log.warn("Found invalid HttpServletRequest parameter, please try to log out and then log in again!");
+ log.warn("Blocked due to invalid HttpServletRequest parameter.");
// TODO - Should we invalidate the session?
return true;
}
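Review bot: The rewritten warning on the mismatch branch drops the only actionable advice the old message had and still carries no context, so an operator seeing repeated "Blocked due to invalid HttpServletRequest parameter." lines cannot tell which page was hit or by whom. Include the request URI and remote address (never the token values themselves) — something like `log.warn("Blocked request to " + uri + " from " + remoteAddr + ": XSRF token mismatch.");`, taking both from the HttpServletRequest this method receives (its signature is outside the hunk, so the variable name is not visible here). The `// TODO - Should we invalidate the session?` left in place is still open; a mismatched token on an authenticated session is the case where invalidating would limit an attacker's window, so it deserves a decision rather than a TODO.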
@@ -150,12 +150,6 @@ public class XSRFHandler
}
return false;
}
-
- public boolean isWorkaroundPattern(HttpServletRequest hreq){
- boolean isIE8 = hreq.getHeader("user-agent").indexOf("MSIE 8.0") != -1;
- boolean isGETMethod = hreq.getMethod().equalsIgnoreCase("GET");
- return isIE8 && isGETMethod;
- }
/**
* When HttpSessions are invalidated, remove them form our map
Modified: geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSXSRFFilter.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSXSRFFilter.java?rev=1342432&r1=1342431&r2=1342432&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSXSRFFilter.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSXSRFFilter.java Thu May 24 21:10:02 2012
@@ -52,8 +52,6 @@ public class XSSXSRFFilter implements Fi
private XSRFHandler xsrf = new XSRFHandler();
private boolean enableXSS = true;
private boolean enableXSRF = true;
- private boolean allowWorkaround = false;
-
/* (non-Javadoc)
* @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
@@ -74,11 +72,6 @@ public class XSSXSRFFilter implements Fi
if (ignoreResources != null) {
xsrf.setIgnorePaths(ignoreResources);
}
-
- String parmAllowWorkaround = config.getInitParameter("allowWorkaround");
- if (parmAllowWorkaround != null && (parmAllowWorkaround.equalsIgnoreCase("true"))) {
- allowWorkaround = true;
- }
}
/* (non-Javadoc)
@@ -121,13 +114,8 @@ public class XSSXSRFFilter implements Fi
errStr = "XSSXSRFFilter blocked HttpServletRequest due to invalid POST content.";
}
else if (enableXSRF && xsrf.isInvalidSession(hreq)) {
- if (allowWorkaround && xsrf.isWorkaroundPattern(hreq)) {
- // Workaround for GERONIMO-6348 IE 8 issue
- hreq.setAttribute("isWorkaroundPattern", "true");
- } else {
- // Block simple XSRF attacks on our forms
- errStr = "XSSXSRFFilter blocked HttpServletRequest due to invalid FORM content.";
- }
+ // Block simple XSRF attacks on our forms
+ errStr = "XSSXSRFFilter blocked HttpServletRequest due to invalid FORM content.";
}
// if we found a problem, return a HTTP 400 error code and message
if (errStr != null) {
@@ -144,7 +132,7 @@ public class XSSXSRFFilter implements Fi
String replacement = xsrf.getReplacement(hreq);
ServletResponse whres = response;
if (replacement != null ) {
- whres = new SubstituteResponseWrapper((HttpServletResponse)response, replacement);
+ whres = new SubstituteResponseWrapper(hreq, (HttpServletResponse)response, replacement);
}
chain.doFilter(hreq, whres);
}
Modified: geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/java/org/apache/geronimo/console/filter/RedirectByHashFilter.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/java/org/apache/geronimo/console/filter/RedirectByHashFilter.java?rev=1342432&r1=1342431&r2=1342432&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/java/org/apache/geronimo/console/filter/RedirectByHashFilter.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/java/org/apache/geronimo/console/filter/RedirectByHashFilter.java Thu May 24 21:10:02 2012
@@ -53,7 +53,6 @@ public class RedirectByHashFilter implem
private static final String NOXSS_HASH_OF_PAGE_TO_REDIRECT = "noxssPage";
private static final String NOXSS_SHOW_TREE = "noxssShowTree";
private static final String HASH_OF_CURRENT_PORTAL_PAGE = "hashOfCurrentPortalPage";
- private String welcomeURI;
public void destroy() {
}
@@ -94,8 +93,6 @@ public class RedirectByHashFilter implem
}
String hashOfPageToRedirect = request.getParameter(NOXSS_HASH_OF_PAGE_TO_REDIRECT);
- // Workaround for GERONIMO-6348 IE 8 issue
- String redirectURI = (String)request.getAttribute("isWorkaroundPattern");
//Redirect index page url that contain noxssPage=xxxxxx to the real destination.
if (hashOfPageToRedirect != null && request.getParameter(NOXSS_SHOW_TREE) != null) {
@@ -113,19 +110,6 @@ public class RedirectByHashFilter implem
return;
//httpServletResponse.sendRedirect(pageToRedirect);
- }
- // Workaround for GERONIMO-6348 IE 8 issue
- else if(redirectURI != null) {
- String pageToRedirect = "";
- String pageToRedirectURI = hashToRedirectURL.get(request.getAttribute(HASH_OF_CURRENT_PORTAL_PAGE));
- if (pageToRedirectURI.equals(welcomeURI)) {
- pageToRedirect = pageToRedirectURI + "?"+NOXSS_SHOW_TREE+"=true";
- } else {
- pageToRedirect = pageToRedirectURI;
- }
- log.debug("Redirecting to:" + pageToRedirect+" according to hash:"+hashOfPageToRedirect);
- request.getRequestDispatcher(pageToRedirect).forward(request, response);
- return;
} else {
log.debug("no redirect for:" + ((HttpServletRequest)request).getRequestURL());
@@ -135,14 +119,8 @@ public class RedirectByHashFilter implem
}
- public void init(FilterConfig filterConfig) throws ServletException {
- if (filterConfig.getInitParameter("WelcomeURI") != null) {
- this.welcomeURI = filterConfig.getInitParameter("WelcomeURI");
- } else {
- log.info("Set default welcome URI to /portal/0/Welcome.");
- this.welcomeURI = "/portal/0/Welcome";
- }
-
+ public void init(FilterConfig arg0) throws ServletException {
+ // TODO Auto-generated method stub
}
}
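Review bot: The replacement `init` keeps the IDE-generated `FilterConfig arg0` name and a `// TODO Auto-generated method stub` comment, which reads as unfinished code rather than a deliberate no-op. Rename the parameter and state the intent, e.g. `public void init(FilterConfig filterConfig) throws ServletException {` followed by `// No init parameters: the WelcomeURI setting was removed with the GERONIMO-6348 workaround.` This also makes it clear to anyone still shipping a `WelcomeURI` init-param (as the old web.xml did) that the value is now ignored.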
Modified: geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml?rev=1342432&r1=1342431&r2=1342432&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml (original)
+++ geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml Thu May 24 21:10:02 2012
@@ -39,10 +39,6 @@ limitations under the License.
<param-name>xsrf.ignorePaths</param-name>
<param-value>/dojo/dojo/resources/blank.html</param-value>
</init-param>
- <init-param>
- <param-name>allowWorkaround</param-name>
- <param-value>true</param-value>
- </init-param>
</filter>
<filter-mapping>
<filter-name>XSSXSRFFilter</filter-name>
@@ -78,10 +74,6 @@ limitations under the License.
<filter>
<filter-name>RedirectByHashFilter</filter-name>
<filter-class>org.apache.geronimo.console.filter.RedirectByHashFilter</filter-class>
- <init-param>
- <param-name>WelcomeURI</param-name>
- <param-value>/portal/0/Welcome</param-value>
- </init-param>
</filter>
<filter-mapping>