/**
 * Decides whether the resolved handler is subject to the origin check.
 * <p>
 * WebSocket request and broadcast handlers are exempted outright; every other
 * handler is left to the superclass's decision.
 *
 * @param handler
 *            the resolved request handler
 * @return {@code false} for WebSocket handlers, otherwise the superclass's answer
 */
@Override
protected boolean isChecked(IRequestHandler handler) {
    boolean isWebSocketHandler = handler instanceof WebSocketRequestHandler
        || handler instanceof WebSocketMessageBroadcastHandler;
    // Short-circuit keeps the superclass call out of the WebSocket case, as before.
    return !isWebSocketHandler && super.isChecked(handler);
}
} // end of the enclosing listener subclass (its header is outside this excerpt)
allowHandler(request, sourceUri, page); break; case SUPPRESS : suppressHandler(request, sourceUri, page); break; case ABORT : abortHandler(request, sourceUri, page); break; if (isWhitelistedHost(sourceUri)) whitelistedHandler(request, sourceUri, page); return; if (!isLocalOrigin(request, sourceUri)) allowHandler(request, sourceUri, page); break; case SUPPRESS : suppressHandler(request, sourceUri, page); break; case ABORT : abortHandler(request, sourceUri, page); break; matchingOrigin(request, sourceUri, page);
/**
 * Checks whether the {@code Origin} HTTP header of the request matches where the request came
 * from.
 * <p>
 * The header is normalized before it is compared (case-insensitively) with the request's own
 * target URI. The check fails closed: if either value is unavailable ({@code null}), the origin
 * is reported as not local.
 *
 * @param containerRequest
 *            the current container request
 * @param originHeader
 *            the contents of the {@code Origin} HTTP header
 * @return {@code true} when the origin of the request matches the {@code Origin} HTTP header
 */
protected boolean isLocalOrigin(HttpServletRequest containerRequest, String originHeader) {
    String normalizedOrigin = normalizeUri(originHeader);
    if (normalizedOrigin != null) {
        // The target URI is only resolved once the Origin header proved usable.
        String targetUri = getTargetUriFromRequest(containerRequest);
        if (targetUri != null) {
            return normalizedOrigin.equalsIgnoreCase(targetUri);
        }
    }
    return false;
}
/**
 * Registers a CSRF prevention listener, configured from the bound properties, with the
 * application and records this auto-configuration in the endpoint repository.
 *
 * @param webApplication
 *            the application whose request cycle listeners receive the CSRF listener
 */
@Override
public void init(WebApplication webApplication) {
    webApplication.getRequestCycleListeners().add(newConfiguredListener());
    // The bound properties are exposed as a detail of this auto-configuration.
    WicketAutoConfig autoConfig = new WicketAutoConfig.Builder(this.getClass())
        .withDetail("properties", props)
        .build();
    wicketEndpointRepository.add(autoConfig);
}

/** Builds a listener whose actions, error code/message and accepted origins come from {@code props}. */
private CsrfPreventionRequestCycleListener newConfiguredListener() {
    CsrfPreventionRequestCycleListener csrfListener = new CsrfPreventionRequestCycleListener();
    csrfListener.setConflictingOriginAction(props.getConflictingOriginAction());
    csrfListener.setErrorCode(props.getErrorCode());
    csrfListener.setErrorMessage(props.getErrorMessage());
    csrfListener.setNoOriginAction(props.getNoOriginAction());
    for (String origin : props.getAcceptedOrigins()) {
        csrfListener.addAcceptedOrigin(origin);
    }
    return csrfListener;
}
@Override public void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler) if (!isEnabled()) handler = unwrap(handler); if (isChecked(handler)) HttpServletRequest containerRequest = (HttpServletRequest)cycle.getRequest() .getContainerRequest(); String sourceUri = getSourceUri(containerRequest); if (isChecked(targetedPage)) checkRequest(containerRequest, sourceUri, targetedPage); targetedPage.getClass().getName()); allowHandler(containerRequest, sourceUri, targetedPage);
// Register the CSRF prevention listener with the application's request cycle listeners.
CsrfPreventionRequestCycleListener csrfListener = new CsrfPreventionRequestCycleListener();
getRequestCycleListeners().add(csrfListener);
/**
 * Logs the source URI of the incoming request at debug level.
 *
 * @param cycle
 *            the request cycle that is starting
 */
@Override
public void onBeginRequest(RequestCycle cycle) {
    // Resolving the source URI is skipped entirely unless the line will be logged.
    if (!log.isDebugEnabled()) {
        return;
    }
    HttpServletRequest containerRequest =
        (HttpServletRequest) cycle.getRequest().getContainerRequest();
    log.debug("Request Source URI: {}", getSourceUri(containerRequest));
}
/**
 * Registers a CSRF prevention listener, configured from the bound properties, with the
 * application and records this auto-configuration in the endpoint repository.
 *
 * @param webApplication
 *            the application whose request cycle listeners receive the CSRF listener
 */
@Override
public void init(WebApplication webApplication) {
    webApplication.getRequestCycleListeners().add(newConfiguredListener());
    // The bound properties are exposed as a detail of this auto-configuration.
    WicketAutoConfig autoConfig = new WicketAutoConfig.Builder(this.getClass())
        .withDetail("properties", props)
        .build();
    wicketEndpointRepository.add(autoConfig);
}

/** Builds a listener whose actions, error code/message and accepted origins come from {@code props}. */
private CsrfPreventionRequestCycleListener newConfiguredListener() {
    CsrfPreventionRequestCycleListener csrfListener = new CsrfPreventionRequestCycleListener();
    csrfListener.setConflictingOriginAction(props.getConflictingOriginAction());
    csrfListener.setErrorCode(props.getErrorCode());
    csrfListener.setErrorMessage(props.getErrorMessage());
    csrfListener.setNoOriginAction(props.getNoOriginAction());
    for (String origin : props.getAcceptedOrigins()) {
        csrfListener.addAcceptedOrigin(origin);
    }
    return csrfListener;
}
@Override public void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler) if (!isEnabled()) handler = unwrap(handler); if (isChecked(handler)) HttpServletRequest containerRequest = (HttpServletRequest)cycle.getRequest() .getContainerRequest(); String sourceUri = getSourceUri(containerRequest); if (isChecked(targetedPage)) checkRequest(containerRequest, sourceUri, targetedPage); targetedPage.getClass().getName()); allowHandler(containerRequest, sourceUri, targetedPage);
/**
 * Logs the source URI of the incoming request at debug level.
 *
 * @param cycle
 *            the request cycle that is starting
 */
@Override
public void onBeginRequest(RequestCycle cycle) {
    // Resolving the source URI is skipped entirely unless the line will be logged.
    if (!log.isDebugEnabled()) {
        return;
    }
    HttpServletRequest containerRequest =
        (HttpServletRequest) cycle.getRequest().getContainerRequest();
    log.debug("Request Source URI: {}", getSourceUri(containerRequest));
}
allowHandler(request, sourceUri, page); break; case SUPPRESS : suppressHandler(request, sourceUri, page); break; case ABORT : abortHandler(request, sourceUri, page); break; if (isWhitelistedHost(sourceUri)) whitelistedHandler(request, sourceUri, page); return; if (!isLocalOrigin(request, sourceUri)) allowHandler(request, sourceUri, page); break; case SUPPRESS : suppressHandler(request, sourceUri, page); break; case ABORT : abortHandler(request, sourceUri, page); break; matchingOrigin(request, sourceUri, page);
/**
 * Decides whether the resolved handler is subject to the origin check.
 * <p>
 * WebSocket request and broadcast handlers are exempted outright; every other
 * handler is left to the superclass's decision.
 *
 * @param handler
 *            the resolved request handler
 * @return {@code false} for WebSocket handlers, otherwise the superclass's answer
 */
@Override
protected boolean isChecked(IRequestHandler handler) {
    boolean isWebSocketHandler = handler instanceof WebSocketRequestHandler
        || handler instanceof WebSocketMessageBroadcastHandler;
    // Short-circuit keeps the superclass call out of the WebSocket case, as before.
    return !isWebSocketHandler && super.isChecked(handler);
}
} // end of the enclosing listener subclass (its header is outside this excerpt)
/**
 * Checks whether the {@code Origin} HTTP header of the request matches where the request came
 * from.
 * <p>
 * The header is normalized before it is compared (case-insensitively) with the request's own
 * target URI. The check fails closed: if either value is unavailable ({@code null}), the origin
 * is reported as not local.
 *
 * @param containerRequest
 *            the current container request
 * @param originHeader
 *            the contents of the {@code Origin} HTTP header
 * @return {@code true} when the origin of the request matches the {@code Origin} HTTP header
 */
protected boolean isLocalOrigin(HttpServletRequest containerRequest, String originHeader) {
    String normalizedOrigin = normalizeUri(originHeader);
    if (normalizedOrigin != null) {
        // The target URI is only resolved once the Origin header proved usable.
        String targetUri = getTargetUriFromRequest(containerRequest);
        if (targetUri != null) {
            return normalizedOrigin.equalsIgnoreCase(targetUri);
        }
    }
    return false;
}