activemq-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dej...@apache.org
Subject svn commit: r915384 - in /activemq/trunk: activemq-web-console/src/main/java/org/apache/activemq/web/controller/ activemq-web-console/src/main/java/org/apache/activemq/web/handler/ activemq-web-console/src/main/webapp/ activemq-web-console/src/main/web...
Date Tue, 23 Feb 2010 15:24:30 GMT
Author: dejanb
Date: Tue Feb 23 15:24:30 2010
New Revision: 915384

URL: http://svn.apache.org/viewvc?rev=915384&view=rev
Log:
https://issues.apache.org/activemq/browse/AMQ-2613 - prevent CSRF attacks

Modified:
    activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/controller/CreateDestination.java
    activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/controller/CreateSubscriber.java
    activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/controller/SendMessage.java
    activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/handler/BindingBeanNameUrlHandlerMapping.java
    activemq/trunk/activemq-web-console/src/main/webapp/WEB-INF/web.xml
    activemq/trunk/activemq-web-console/src/main/webapp/browse.jsp
    activemq/trunk/activemq-web-console/src/main/webapp/graph.jsp
    activemq/trunk/activemq-web-console/src/main/webapp/message.jsp
    activemq/trunk/activemq-web-console/src/main/webapp/queues.jsp
    activemq/trunk/activemq-web-console/src/main/webapp/scheduled.jsp
    activemq/trunk/activemq-web-console/src/main/webapp/send.jsp
    activemq/trunk/activemq-web-console/src/main/webapp/subscribers.jsp
    activemq/trunk/activemq-web-console/src/main/webapp/topics.jsp
    activemq/trunk/activemq-web/src/main/java/org/apache/activemq/web/DestinationFacade.java
    activemq/trunk/activemq-web/src/main/java/org/apache/activemq/web/SessionFilter.java

Modified: activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/controller/CreateDestination.java
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/controller/CreateDestination.java?rev=915384&r1=915383&r2=915384&view=diff
==============================================================================
--- activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/controller/CreateDestination.java
(original)
+++ activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/controller/CreateDestination.java
Tue Feb 23 15:24:30 2010
@@ -39,4 +39,10 @@
         return redirectToBrowseView();
     }
 
+	public String[] getSupportedHttpMethods() {
+		return new String[]{"POST"};
+	}
+    
+    
+
 }

Modified: activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/controller/CreateSubscriber.java
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/controller/CreateSubscriber.java?rev=915384&r1=915383&r2=915384&view=diff
==============================================================================
--- activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/controller/CreateSubscriber.java
(original)
+++ activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/controller/CreateSubscriber.java
Tue Feb 23 15:24:30 2010
@@ -50,5 +50,9 @@
         getBrokerAdmin().createDurableSubscriber(getClientId(), getSubscriberName(), getValidDestination(),
selector);
         return new ModelAndView("redirect:subscribers.jsp");
     }
+    
+	public String[] getSupportedHttpMethods() {
+		return new String[]{"POST"};
+	}
 
 }

Modified: activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/controller/SendMessage.java
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/controller/SendMessage.java?rev=915384&r1=915383&r2=915384&view=diff
==============================================================================
--- activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/controller/SendMessage.java
(original)
+++ activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/controller/SendMessage.java
Tue Feb 23 15:24:30 2010
@@ -230,4 +230,8 @@
         // allow JMSX extensions or non JMS properties
         return name.startsWith("JMSX") || !name.startsWith("JMS");
     }
+    
+	public String[] getSupportedHttpMethods() {
+		return new String[]{"POST"};
+	}
 }

Modified: activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/handler/BindingBeanNameUrlHandlerMapping.java
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/handler/BindingBeanNameUrlHandlerMapping.java?rev=915384&r1=915383&r2=915384&view=diff
==============================================================================
--- activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/handler/BindingBeanNameUrlHandlerMapping.java
(original)
+++ activemq/trunk/activemq-web-console/src/main/java/org/apache/activemq/web/handler/BindingBeanNameUrlHandlerMapping.java
Tue Feb 23 15:24:30 2010
@@ -16,8 +16,12 @@
  */
 package org.apache.activemq.web.handler;
 
+import java.util.Arrays;
+import java.util.UUID;
+
 import javax.servlet.http.HttpServletRequest;
 
+import org.apache.activemq.web.DestinationFacade;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.web.bind.ServletRequestDataBinder;
@@ -41,8 +45,21 @@
             HandlerExecutionChain handlerExecutionChain = (HandlerExecutionChain) object;
             object = handlerExecutionChain.getHandler();
         }
-
+        
         if (object != null) {
+        	// prevent CSRF attacks
+        	if (object instanceof DestinationFacade) {
+        		// check supported methods
+        		if (!Arrays.asList(((DestinationFacade)object).getSupportedHttpMethods()).contains(request.getMethod()))
{
+        			throw new UnsupportedOperationException("Unsupported method " + request.getMethod()
+ " for path " + request.getRequestURI());
+        		}
+        		// check the 'secret'
+        		if (!request.getSession().getAttribute("secret").equals(request.getParameter("secret")))
{
+        			throw new UnsupportedOperationException("Possible CSRF attack");
+        		}
+        	}
+        	
+        	
             ServletRequestDataBinder binder = new ServletRequestDataBinder(object, "request");
             try {
                 binder.bind(request);
@@ -56,6 +73,7 @@
                 throw e;
             }
         }
+        
         return object;
     }
 }

Modified: activemq/trunk/activemq-web-console/src/main/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web-console/src/main/webapp/WEB-INF/web.xml?rev=915384&r1=915383&r2=915384&view=diff
==============================================================================
--- activemq/trunk/activemq-web-console/src/main/webapp/WEB-INF/web.xml (original)
+++ activemq/trunk/activemq-web-console/src/main/webapp/WEB-INF/web.xml Tue Feb 23 15:24:30
2010
@@ -50,7 +50,7 @@
 
   <filter-mapping>
     <filter-name>spring</filter-name>
-    <url-pattern>/*</url-pattern>
+    <url-pattern>*.jsp</url-pattern>
   </filter-mapping>
 
   <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
@@ -101,7 +101,7 @@
 
   <filter-mapping>
     <filter-name>session</filter-name>
-    <url-pattern>/*</url-pattern>
+    <url-pattern>*.jsp</url-pattern>
   </filter-mapping>
   <filter-mapping>
     <filter-name>spring-rq</filter-name>

Modified: activemq/trunk/activemq-web-console/src/main/webapp/browse.jsp
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web-console/src/main/webapp/browse.jsp?rev=915384&r1=915383&r2=915384&view=diff
==============================================================================
--- activemq/trunk/activemq-web-console/src/main/webapp/browse.jsp (original)
+++ activemq/trunk/activemq-web-console/src/main/webapp/browse.jsp Tue Feb 23 15:24:30 2010
@@ -49,7 +49,7 @@
 <td><jms:formatTimestamp timestamp="${row.JMSTimestamp}"/></td>
 <td>${row.JMSType}</td>
 <td>
-    <a href="deleteMessage.action?JMSDestination=<c:out value="${row.JMSDestination}"/>&messageId=${row.JMSMessageID}">Delete</a>
+    <a href="deleteMessage.action?JMSDestination=<c:out value="${row.JMSDestination}"/>&messageId=${row.JMSMessageID}&secret=<c:out
value='${sessionScope["secret"]}'/>">Delete</a>
 </td>
 </tr>
 </jms:forEachMessage>

Modified: activemq/trunk/activemq-web-console/src/main/webapp/graph.jsp
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web-console/src/main/webapp/graph.jsp?rev=915384&r1=915383&r2=915384&view=diff
==============================================================================
--- activemq/trunk/activemq-web-console/src/main/webapp/graph.jsp (original)
+++ activemq/trunk/activemq-web-console/src/main/webapp/graph.jsp Tue Feb 23 15:24:30 2010
@@ -51,7 +51,7 @@
 <td>${row.JMSTimestamp}</td>
 <td>${row.JMSType}</td>
 <td>
-    <a href="deleteDestination.action?destination=${row.JMSMessageID}">Delete</a>
+    <a href="deleteDestination.action?destination=${row.JMSMessageID}&secret=<c:out
value='${sessionScope["secret"]}'/>">Delete</a>
 </td>
 </tr>
 </jms:forEachMessage>

Modified: activemq/trunk/activemq-web-console/src/main/webapp/message.jsp
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web-console/src/main/webapp/message.jsp?rev=915384&r1=915383&r2=915384&view=diff
==============================================================================
--- activemq/trunk/activemq-web-console/src/main/webapp/message.jsp (original)
+++ activemq/trunk/activemq-web-console/src/main/webapp/message.jsp Tue Feb 23 15:24:30 2010
@@ -130,10 +130,10 @@
                 </thead>
                 <tbody>
                     <tr>
-                        <td colspan="2"><a href="deleteMessage.action?JMSDestination=<c:out
value="${row.JMSDestination}" />&messageId=${row.JMSMessageID}">Delete</a></td>
+                        <td colspan="2"><a href="deleteMessage.action?JMSDestination=<c:out
value="${row.JMSDestination}" />&messageId=${row.JMSMessageID}&secret=<c:out
value='${sessionScope["secret"]}'/>">Delete</a></td>
                     </tr>
                     <tr class="odd">
-                    <td><a href="javascript:confirmAction('queue', 'copyMessage.action?destination=%target%&JMSDestination=<c:out
value="${row.JMSDestination}" />&messageId=${row.JMSMessageID}&JMSDestinationType=queue')">Copy</a></td>
+                    <td><a href="javascript:confirmAction('queue', 'copyMessage.action?destination=%target%&JMSDestination=<c:out
value="${row.JMSDestination}" />&messageId=${row.JMSMessageID}&JMSDestinationType=queue&secret=<c:out
value='${sessionScope["secret"]}'/>')">Copy</a></td>
                         <td rowspan="2">
                             <select id="queue">
                                 <option value=""> -- Please select --</option>
@@ -147,7 +147,7 @@
                         
                     </tr>
                     <tr class="odd">
-                        <td><a href="javascript:confirmAction('queue', 'moveMessage.action?destination=%target%&JMSDestination=<c:out
value="${row.JMSDestination}" />&messageId=${row.JMSMessageID}&JMSDestinationType=queue')">Move</a></td>
+                        <td><a href="javascript:confirmAction('queue', 'moveMessage.action?destination=%target%&JMSDestination=<c:out
value="${row.JMSDestination}" />&messageId=${row.JMSMessageID}&JMSDestinationType=queue&secret=<c:out
value='${sessionScope["secret"]}'/>')">Move</a></td>
                     </tr>
                 </tbody>
             </table>

Modified: activemq/trunk/activemq-web-console/src/main/webapp/queues.jsp
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web-console/src/main/webapp/queues.jsp?rev=915384&r1=915383&r2=915384&view=diff
==============================================================================
--- activemq/trunk/activemq-web-console/src/main/webapp/queues.jsp (original)
+++ activemq/trunk/activemq-web-console/src/main/webapp/queues.jsp Tue Feb 23 15:24:30 2010
@@ -21,8 +21,9 @@
 <body>
 
 <div>
-<form action="createDestination.action" method="get">
+<form action="createDestination.action" method="post">
     <input type="hidden" name="JMSDestinationType" value="queue"/>
+    <input type="hidden" name="secret" value="<c:out value='${sessionScope["secret"]}'/>"/>
 
     <label name="destination">Queue Name</label>
     <input type="text" name="JMSDestination" value=""/>
@@ -63,8 +64,8 @@
 </td>
 <td>
     <a href="send.jsp?JMSDestination=<c:out value="${row.name}" />&JMSDestinationType=queue">Send
To</a>
-    <a href="purgeDestination.action?JMSDestination=<c:out value="${row.name}" />&JMSDestinationType=queue">Purge</a>
-    <a href="deleteDestination.action?JMSDestination=<c:out value="${row.name}" />&JMSDestinationType=queue">Delete</a>
+    <a href="purgeDestination.action?JMSDestination=<c:out value="${row.name}" />&JMSDestinationType=queue&secret=<c:out
value='${sessionScope["secret"]}'/>">Purge</a>
+    <a href="deleteDestination.action?JMSDestination=<c:out value="${row.name}" />&JMSDestinationType=queue&secret=<c:out
value='${sessionScope["secret"]}'/>">Delete</a>
 </td>
 </tr>
 </c:forEach>

Modified: activemq/trunk/activemq-web-console/src/main/webapp/scheduled.jsp
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web-console/src/main/webapp/scheduled.jsp?rev=915384&r1=915383&r2=915384&view=diff
==============================================================================
--- activemq/trunk/activemq-web-console/src/main/webapp/scheduled.jsp (original)
+++ activemq/trunk/activemq-web-console/src/main/webapp/scheduled.jsp Tue Feb 23 15:24:30
2010
@@ -45,7 +45,7 @@
 	 	 <td>${row.period}</td>
 	     <td>${row.repeat}</td>
 		<td>
-		    <a href="deleteJob.action?jobId=${row.jobId}">Delete</a>
+		    <a href="deleteJob.action?jobId=${row.jobId}&secret=<c:out value='${sessionScope["secret"]}'/>">Delete</a>
 		</td>
 	    </tr>
 	</c:forEach>

Modified: activemq/trunk/activemq-web-console/src/main/webapp/send.jsp
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web-console/src/main/webapp/send.jsp?rev=915384&r1=915383&r2=915384&view=diff
==============================================================================
--- activemq/trunk/activemq-web-console/src/main/webapp/send.jsp (original)
+++ activemq/trunk/activemq-web-console/src/main/webapp/send.jsp Tue Feb 23 15:24:30 2010
@@ -23,6 +23,7 @@
 <h2>Send a JMS Message</h2>
 
 <form action="sendMessage.action" method="post">
+<input type="hidden" name="secret" value="<c:out value='${sessionScope["secret"]}'/>"/>
 
 <table id="headers" class="autostripe">
 <thead>

Modified: activemq/trunk/activemq-web-console/src/main/webapp/subscribers.jsp
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web-console/src/main/webapp/subscribers.jsp?rev=915384&r1=915383&r2=915384&view=diff
==============================================================================
--- activemq/trunk/activemq-web-console/src/main/webapp/subscribers.jsp (original)
+++ activemq/trunk/activemq-web-console/src/main/webapp/subscribers.jsp Tue Feb 23 15:24:30
2010
@@ -20,8 +20,9 @@
 </head>
 <body>
 
-<form action="createSubscriber.action" method="get">
+<form action="createSubscriber.action" method="post">
     <input type="hidden" name="JMSDestinationType" value="topic"/>
+    <input type="hidden" name="secret" value="<c:out value='${sessionScope["secret"]}'/>"/>
 
 <table id="createSubscribers" class="sortable autostripe">
 <thead>
@@ -102,7 +103,7 @@
 <td>${row.enqueueCounter}</td>
 <td>${row.dequeueCounter}</td>
 <td>
-    <a href="deleteSubscriber.action?clientId=${row.clientId}&subscriberName=${row.subscriptionName}">Delete</a>
+    <a href="deleteSubscriber.action?clientId=${row.clientId}&subscriberName=${row.subscriptionName}&secret=<c:out
value='${sessionScope["secret"]}'/>">Delete</a>
 </td>
 </tr>
 </c:forEach>

Modified: activemq/trunk/activemq-web-console/src/main/webapp/topics.jsp
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web-console/src/main/webapp/topics.jsp?rev=915384&r1=915383&r2=915384&view=diff
==============================================================================
--- activemq/trunk/activemq-web-console/src/main/webapp/topics.jsp (original)
+++ activemq/trunk/activemq-web-console/src/main/webapp/topics.jsp Tue Feb 23 15:24:30 2010
@@ -23,6 +23,7 @@
 <div>
 <form action="createDestination.action" method="get">
     <input type="hidden" name="JMSDestinationType" value="topic"/>
+    <input type="hidden" name="secret" value="<c:out value='${sessionScope["secret"]}'/>"/>
 
     <label name="destination">Topic Name</label>
     <input type="text" name="JMSDestination" value=""/>
@@ -52,7 +53,7 @@
 <td>${row.dequeueCount}</td>
 <td>
     <a href="send.jsp?JMSDestination=<c:out value="${row.name}" />&JMSDestinationType=topic">Send
To</a>
-    <a href="deleteDestination.action?JMSDestination=<c:out value="${row.name}" />&JMSDestinationType=topic">Delete</a>
+    <a href="deleteDestination.action?JMSDestination=<c:out value="${row.name}" />&JMSDestinationType=topic&secret=<c:out
value='${sessionScope["secret"]}'/>">Delete</a>
 </td>
 </tr>
 </c:forEach>

Modified: activemq/trunk/activemq-web/src/main/java/org/apache/activemq/web/DestinationFacade.java
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web/src/main/java/org/apache/activemq/web/DestinationFacade.java?rev=915384&r1=915383&r2=915384&view=diff
==============================================================================
--- activemq/trunk/activemq-web/src/main/java/org/apache/activemq/web/DestinationFacade.java
(original)
+++ activemq/trunk/activemq-web/src/main/java/org/apache/activemq/web/DestinationFacade.java
Tue Feb 23 15:24:30 2010
@@ -128,4 +128,8 @@
     protected String getPhysicalDestinationName() {
         return createDestination().getPhysicalName();
     }
+    
+    public String[] getSupportedHttpMethods() {
+    	return new String[]{"GET", "POST"};
+    }
 }

Modified: activemq/trunk/activemq-web/src/main/java/org/apache/activemq/web/SessionFilter.java
URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web/src/main/java/org/apache/activemq/web/SessionFilter.java?rev=915384&r1=915383&r2=915384&view=diff
==============================================================================
--- activemq/trunk/activemq-web/src/main/java/org/apache/activemq/web/SessionFilter.java (original)
+++ activemq/trunk/activemq-web/src/main/java/org/apache/activemq/web/SessionFilter.java Tue
Feb 23 15:24:30 2010
@@ -18,6 +18,7 @@
 package org.apache.activemq.web;
 
 import java.io.IOException;
+import java.util.UUID;
 
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
@@ -39,7 +40,8 @@
     }
 
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
-        ((HttpServletRequest)request).getSession(true);
+    	// set secret to prevent CSRF attacks
+        ((HttpServletRequest)request).getSession(true).setAttribute("secret", UUID.randomUUID().toString());;
         chain.doFilter(request, response);
     }
 



Mime
View raw message