/**
 * Servlet entry point of the CSRF prevention filter. Wraps the request,
 * response and remaining chain in a {@link ServletFilterHttpInteraction} and
 * hands it to {@link #handleHttpInteraction(HttpInteraction)}, which decides
 * whether the request proceeds or is rejected.
 *
 * @param request incoming request; must be an {@link HttpServletRequest}
 * @param response outgoing response; must be an {@link HttpServletResponse}
 * @param chain remaining filter chain, owned by the interaction from here on
 * @throws IOException if there is an I/O error
 * @throws ServletException if a servlet API call fails
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response,
    final FilterChain chain) throws IOException, ServletException {
  // Unchecked casts: this filter is only meaningful on HTTP endpoints.
  final ServletFilterHttpInteraction interaction =
      new ServletFilterHttpInteraction((HttpServletRequest) request,
          (HttpServletResponse) response, chain);
  handleHttpInteraction(interaction);
}
/**
 * Initializes the CORS filter from its {@link FilterConfig}: allowed methods,
 * allowed headers, allowed origins, then the preflight max-age. The order is
 * kept as-is because each step logs the resulting value.
 *
 * @param filterConfig filter configuration supplied by the container
 * @throws ServletException declared by the servlet API contract
 */
@Override
public void init(FilterConfig filterConfig) throws ServletException {
  initializeAllowedMethods(filterConfig);
  initializeAllowedHeaders(filterConfig);
  initializeAllowedOrigins(filterConfig);
  initializeMaxAge(filterConfig);
}
/**
 * Handles an {@link HttpInteraction} by applying the CSRF filtering logic.
 * The request is allowed to proceed when any of the following holds, checked
 * in this order: the User-Agent is not recognised as a browser, the HTTP
 * method is in the ignore list, or the configured custom header is present.
 * Otherwise the interaction is rejected with 400 Bad Request.
 *
 * Note that the browser check is keyed on the client-supplied User-Agent
 * header, so the protection only applies to clients that identify themselves
 * as browsers.
 *
 * @param httpInteraction caller's HTTP interaction
 * @throws IOException if there is an I/O error
 * @throws ServletException if the implementation relies on the servlet API
 *     and a servlet API call has failed
 */
public void handleHttpInteraction(HttpInteraction httpInteraction)
    throws IOException, ServletException {
  // Guard clauses mirror the original short-circuit order so that each
  // header is read only when the preceding checks did not already pass.
  if (!isBrowser(httpInteraction.getHeader(HEADER_USER_AGENT))) {
    httpInteraction.proceed();
    return;
  }
  if (methodsToIgnore.contains(httpInteraction.getMethod())) {
    httpInteraction.proceed();
    return;
  }
  if (httpInteraction.getHeader(headerName) != null) {
    httpInteraction.proceed();
    return;
  }
  httpInteraction.sendError(HttpServletResponse.SC_BAD_REQUEST,
      "Missing Required Header for CSRF Vulnerability Protection");
}
private void doCrossFilter(HttpServletRequest req, HttpServletResponse res) { String originsList = encodeHeader(req.getHeader(ORIGIN)); if (!isCrossOrigin(originsList)) { if(LOG.isDebugEnabled()) { LOG.debug("Header origin is null. Returning"); if (!areOriginsAllowed(originsList)) { if(LOG.isDebugEnabled()) { LOG.debug("Header origins '" + originsList + "' not allowed. Returning"); if (!isMethodAllowed(accessControlRequestMethod)) { if(LOG.isDebugEnabled()) { LOG.debug("Access control method '" + accessControlRequestMethod + if (!areHeadersAllowed(accessControlRequestHeaders)) { if(LOG.isDebugEnabled()) { LOG.debug("Access control headers '" + accessControlRequestHeaders + res.setHeader(ACCESS_CONTROL_ALLOW_METHODS, getAllowedMethodsHeader()); res.setHeader(ACCESS_CONTROL_ALLOW_HEADERS, getAllowedHeadersHeader()); res.setHeader(ACCESS_CONTROL_MAX_AGE, maxAge);
/**
 * Applies the cross-origin checks to the request and then always continues
 * the chain; {@code doCrossFilter} only adds response headers and never
 * terminates the request itself.
 *
 * @param req incoming request; must be an {@link HttpServletRequest}
 * @param res outgoing response; must be an {@link HttpServletResponse}
 * @param chain remaining filter chain
 * @throws IOException if there is an I/O error
 * @throws ServletException if a downstream servlet API call fails
 */
@Override
public void doFilter(ServletRequest req, ServletResponse res,
    FilterChain chain) throws IOException, ServletException {
  final HttpServletRequest httpReq = (HttpServletRequest) req;
  final HttpServletResponse httpRes = (HttpServletResponse) res;
  doCrossFilter(httpReq, httpRes);
  chain.doFilter(req, res);
}
/**
 * Populates {@code allowedHeaders} from the {@code ALLOWED_HEADERS} init
 * parameter, falling back to {@code ALLOWED_HEADERS_DEFAULT} when unset.
 * The value is a comma-separated list; surrounding whitespace around each
 * entry is dropped by the split regex. An empty value still yields one
 * empty-string entry, as {@code "".split(...)} returns {@code [""]}.
 *
 * @param filterConfig filter configuration supplied by the container
 */
private void initializeAllowedHeaders(FilterConfig filterConfig) {
  final String configured = filterConfig.getInitParameter(ALLOWED_HEADERS);
  final String effective =
      configured != null ? configured : ALLOWED_HEADERS_DEFAULT;
  for (String header : effective.trim().split("\\s*,\\s*")) {
    allowedHeaders.add(header);
  }
  LOG.info("Allowed Headers: " + getAllowedHeadersHeader());
}
/**
 * Populates {@code allowedMethods} from the {@code ALLOWED_METHODS} init
 * parameter, falling back to {@code ALLOWED_METHODS_DEFAULT} when unset.
 * The value is a comma-separated list; whitespace around each entry is
 * absorbed by the split regex. An empty value still yields one empty-string
 * entry, as {@code "".split(...)} returns {@code [""]}.
 *
 * @param filterConfig filter configuration supplied by the container
 */
private void initializeAllowedMethods(FilterConfig filterConfig) {
  final String configured = filterConfig.getInitParameter(ALLOWED_METHODS);
  final String effective =
      configured != null ? configured : ALLOWED_METHODS_DEFAULT;
  for (String method : effective.trim().split("\\s*,\\s*")) {
    allowedMethods.add(method);
  }
  LOG.info("Allowed Methods: " + getAllowedMethodsHeader());
}
/**
 * Initializes the CSRF prevention filter: the custom header name, the set of
 * HTTP methods exempt from the check, and the User-Agent patterns that mark a
 * client as a browser. Each setting falls back to its default when the
 * corresponding init parameter is absent; {@code headerName} keeps its
 * pre-existing value when {@code CUSTOM_HEADER_PARAM} is not set.
 *
 * @param filterConfig filter configuration supplied by the container
 * @throws ServletException declared by the servlet API contract
 */
@Override
public void init(FilterConfig filterConfig) throws ServletException {
  final String configuredHeader =
      filterConfig.getInitParameter(CUSTOM_HEADER_PARAM);
  if (configuredHeader != null) {
    headerName = configuredHeader;
  }

  final String ignoreList =
      filterConfig.getInitParameter(CUSTOM_METHODS_TO_IGNORE_PARAM);
  parseMethodsToIgnore(
      ignoreList != null ? ignoreList : METHODS_TO_IGNORE_DEFAULT);

  final String agentList =
      filterConfig.getInitParameter(BROWSER_USER_AGENT_PARAM);
  parseBrowserUserAgents(
      agentList != null ? agentList : BROWSER_USER_AGENTS_DEFAULT);

  LOG.info("Adding cross-site request forgery (CSRF) protection, "
      + "headerName = {}, methodsToIgnore = {}, browserUserAgents = {}",
      headerName, methodsToIgnore, browserUserAgents);
}
/**
 * Creates the {@link RestCsrfPreventionFilter} for the DataNode. Since the
 * DataNode HTTP server is not implemented in terms of the servlet API, it
 * takes some extra effort to obtain an instance of the filter. This method
 * takes care of configuration and implementing just enough of the servlet API
 * and related interfaces so that the DataNode can get a fully initialized
 * instance of the filter.
 *
 * @param conf configuration to read
 * @return initialized filter, or null if CSRF protection not enabled
 * @throws IllegalStateException if the filter's {@code init} fails; the
 *     {@link ServletException} is preserved as the cause
 */
private static RestCsrfPreventionFilter createRestCsrfPreventionFilter(
    Configuration conf) {
  final boolean enabled = conf.getBoolean(DFS_WEBHDFS_REST_CSRF_ENABLED_KEY,
      DFS_WEBHDFS_REST_CSRF_ENABLED_DEFAULT);
  if (!enabled) {
    return null;
  }
  // Filter parameters are the "dfs.webhdfs.rest-csrf." prefixed keys, with
  // the prefix stripped, so the filter sees plain servlet init parameters.
  final Map<String, String> params = RestCsrfPreventionFilter
      .getFilterParams(conf, "dfs.webhdfs.rest-csrf.");
  final String filterName = RestCsrfPreventionFilter.class.getName();
  final RestCsrfPreventionFilter csrfFilter = new RestCsrfPreventionFilter();
  try {
    csrfFilter.init(new MapBasedFilterConfig(filterName, params));
  } catch (ServletException e) {
    throw new IllegalStateException(
        "Failed to initialize RestCsrfPreventionFilter.", e);
  }
  return csrfFilter;
}
/**
 * Netty entry point: adapts the inbound {@link HttpRequest} and its context
 * into a {@link NettyHttpInteraction} and runs the CSRF check on it via
 * {@code restCsrfPreventionFilter}.
 *
 * @param ctx channel context for the current request
 * @param req decoded HTTP request
 * @throws Exception propagated from the filter (IOException/ServletException)
 */
@Override
protected void channelRead0(final ChannelHandlerContext ctx,
    final HttpRequest req) throws Exception {
  final NettyHttpInteraction interaction = new NettyHttpInteraction(ctx, req);
  restCsrfPreventionFilter.handleHttpInteraction(interaction);
}
/**
 * Sets the {@code X-Frame-Options} response header to the configured
 * {@code option} and continues the chain with the response wrapped in an
 * {@link XFrameOptionsResponseWrapper}. The wrapper's role is not visible
 * here; presumably it protects the header from downstream changes — confirm
 * against the wrapper class.
 *
 * @param req incoming request, passed through unchanged
 * @param res outgoing response; must be an {@link HttpServletResponse}
 * @param chain remaining filter chain
 * @throws IOException if there is an I/O error
 * @throws ServletException if a downstream servlet API call fails
 */
@Override
public void doFilter(ServletRequest req, ServletResponse res,
    FilterChain chain) throws IOException, ServletException {
  final HttpServletResponse httpRes = (HttpServletResponse) res;
  httpRes.setHeader(X_FRAME_OPTIONS, option);
  chain.doFilter(req, new XFrameOptionsResponseWrapper(httpRes));
}
DFS_WEBHDFS_REST_CSRF_ENABLED_DEFAULT)) { Map<String, String> restCsrfParams = RestCsrfPreventionFilter .getFilterParams(conf, "dfs.webhdfs.rest-csrf."); String restCsrfClassName = RestCsrfPreventionFilter.class.getName(); HttpServer2.defineFilter(httpServer2.getWebAppContext(),
/**
 * Reads the CORS settings from the container-provided {@link FilterConfig}.
 * Delegates to one initializer per setting: methods, headers, origins and
 * the preflight max-age, in that order.
 *
 * @param filterConfig filter configuration supplied by the container
 * @throws ServletException declared by the servlet API contract
 */
@Override
public void init(FilterConfig filterConfig) throws ServletException {
  initializeAllowedMethods(filterConfig);
  initializeAllowedHeaders(filterConfig);
  initializeAllowedOrigins(filterConfig);
  initializeMaxAge(filterConfig);
}
/**
 * Runs the cross-origin header logic and then unconditionally continues the
 * filter chain with the original request and response objects.
 *
 * @param req incoming request; must be an {@link HttpServletRequest}
 * @param res outgoing response; must be an {@link HttpServletResponse}
 * @param chain remaining filter chain
 * @throws IOException if there is an I/O error
 * @throws ServletException if a downstream servlet API call fails
 */
@Override
public void doFilter(ServletRequest req, ServletResponse res,
    FilterChain chain) throws IOException, ServletException {
  final HttpServletRequest httpRequest = (HttpServletRequest) req;
  final HttpServletResponse httpResponse = (HttpServletResponse) res;
  doCrossFilter(httpRequest, httpResponse);
  chain.doFilter(req, res);
}
/**
 * Servlet-side entry point of the CSRF prevention filter. The request,
 * response and chain are bundled into a {@link ServletFilterHttpInteraction}
 * so that the shared {@link #handleHttpInteraction(HttpInteraction)} logic
 * can serve both the servlet and the Netty front ends.
 *
 * @param request incoming request; must be an {@link HttpServletRequest}
 * @param response outgoing response; must be an {@link HttpServletResponse}
 * @param chain remaining filter chain, owned by the interaction from here on
 * @throws IOException if there is an I/O error
 * @throws ServletException if a servlet API call fails
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response,
    final FilterChain chain) throws IOException, ServletException {
  // Unchecked casts: the filter is only registered on HTTP endpoints.
  final HttpServletRequest httpReq = (HttpServletRequest) request;
  final HttpServletResponse httpRes = (HttpServletResponse) response;
  handleHttpInteraction(
      new ServletFilterHttpInteraction(httpReq, httpRes, chain));
}
/**
 * Container hook that loads all CORS configuration. Each step reads its own
 * init parameter (or default) and logs the effective value; the methods,
 * headers, origins and max-age initializers run in that order.
 *
 * @param filterConfig filter configuration supplied by the container
 * @throws ServletException declared by the servlet API contract
 */
@Override
public void init(FilterConfig filterConfig) throws ServletException {
  initializeAllowedMethods(filterConfig);
  initializeAllowedHeaders(filterConfig);
  initializeAllowedOrigins(filterConfig);
  initializeMaxAge(filterConfig);
}
/**
 * Applies cross-origin response headers where the request qualifies, then
 * passes the untouched request/response pair down the chain.
 *
 * @param req incoming request; must be an {@link HttpServletRequest}
 * @param res outgoing response; must be an {@link HttpServletResponse}
 * @param chain remaining filter chain
 * @throws IOException if there is an I/O error
 * @throws ServletException if a downstream servlet API call fails
 */
@Override
public void doFilter(ServletRequest req, ServletResponse res,
    FilterChain chain) throws IOException, ServletException {
  final HttpServletRequest httpReq = (HttpServletRequest) req;
  final HttpServletResponse httpRes = (HttpServletResponse) res;
  doCrossFilter(httpReq, httpRes);
  chain.doFilter(req, res);
}
/**
 * Initializes this CORS filter from its {@link FilterConfig}. The four
 * settings (allowed methods, allowed headers, allowed origins, max-age) are
 * each loaded by a dedicated helper.
 *
 * @param filterConfig filter configuration supplied by the container
 * @throws ServletException declared by the servlet API contract
 */
@Override
public void init(FilterConfig filterConfig) throws ServletException {
  initializeAllowedMethods(filterConfig);
  initializeAllowedHeaders(filterConfig);
  initializeAllowedOrigins(filterConfig);
  initializeMaxAge(filterConfig);
}
/**
 * Filter entry point: performs the cross-origin evaluation on the HTTP view
 * of the request/response, then continues the chain regardless of outcome.
 *
 * @param req incoming request; must be an {@link HttpServletRequest}
 * @param res outgoing response; must be an {@link HttpServletResponse}
 * @param chain remaining filter chain
 * @throws IOException if there is an I/O error
 * @throws ServletException if a downstream servlet API call fails
 */
@Override
public void doFilter(ServletRequest req, ServletResponse res,
    FilterChain chain) throws IOException, ServletException {
  final HttpServletResponse httpResponse = (HttpServletResponse) res;
  final HttpServletRequest httpRequest = (HttpServletRequest) req;
  doCrossFilter(httpRequest, httpResponse);
  chain.doFilter(req, res);
}
/**
 * Loads the CORS configuration when the container starts the filter.
 * Allowed methods, allowed headers, allowed origins and the preflight
 * max-age are initialized in turn from the given {@link FilterConfig}.
 *
 * @param filterConfig filter configuration supplied by the container
 * @throws ServletException declared by the servlet API contract
 */
@Override
public void init(FilterConfig filterConfig) throws ServletException {
  initializeAllowedMethods(filterConfig);
  initializeAllowedHeaders(filterConfig);
  initializeAllowedOrigins(filterConfig);
  initializeMaxAge(filterConfig);
}