geronimo-scm mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ga...@apache.org
Subject svn commit: r1336818 - in /geronimo/server/branches/3.0-beta/plugins/console: console-filter/src/main/java/org/apache/geronimo/console/filter/ console-portal-driver/src/main/webapp/WEB-INF/
Date Thu, 10 May 2012 18:12:05 GMT
Author: gawor
Date: Thu May 10 18:12:05 2012
New Revision: 1336818

URL: http://svn.apache.org/viewvc?rev=1336818&view=rev
Log:
GERONIMO-6348: Ability to configure XSRF filter with resource paths that should be ignored
during XSRF check.

Modified:
    geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java
    geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSXSRFFilter.java
    geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml

Modified: geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java?rev=1336818&r1=1336817&r2=1336818&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java
(original)
+++ geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java
Thu May 10 18:12:05 2012
@@ -21,8 +21,11 @@ import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.util.HashSet;
 import java.util.Map;
 import java.util.Random;
+import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 
 import javax.servlet.http.HttpServletRequest;
@@ -51,6 +54,7 @@ public class XSRFHandler
     private static final String NOXSS_HASH_OF_PAGE_TO_REDIRECT = "noxssPage";
 
     private Map<String, String> sessionMap = new ConcurrentHashMap<String, String>();
+    private Set<String> ignoredPaths = new HashSet<String>();
     private String xsrfJS;
 
     private Random random = new Random();
@@ -63,6 +67,18 @@ public class XSRFHandler
         log.debug("loaded xsrf file");
     }
 
+    /**
+     * A comma separated list of resource paths that will be ignored during XSRF check.
+     * 
+     * @param resourceList
+     */
+    public void setIgnorePaths(String pathList) {
+        String values[] = pathList.split(",");
+        for (String value : values) {
+            ignoredPaths.add(value.trim());
+        }
+    }
+    
     //----- Session handler routines -----
 
     /**
@@ -85,21 +101,21 @@ public class XSRFHandler
             return false;
         }
 
+        if (isIgnoredPath(hreq)) {
+            log.debug("Skipped XSRF checking for requestURI=" + hreq.getRequestURI());
+            return false;
+        }
+        
         if ((hreq.getQueryString() != null && hreq.getQueryString().length() >
0)
                 || (hreq.getParameterNames().hasMoreElements())) {
             
-            
             if (hreq.getParameterMap().keySet().size() == 1 && hreq.getParameter(NOXSS_SHOW_TREE)
!= null) {
-
                 return false;
-
             }
             
             if (hreq.getParameterMap().keySet().size() == 2 && hreq.getParameter(NOXSS_SHOW_TREE)
!= null
                     && hreq.getParameter(NOXSS_HASH_OF_PAGE_TO_REDIRECT)!=null) {
-
                 return false;
-
             }
             
             String sesId = (String)hses.getAttribute(XSRF_UNIQUEID);
@@ -204,6 +220,17 @@ public class XSRFHandler
             sessionMap.remove(sesId);        
         }
     }
+    
+    private boolean isIgnoredPath(HttpServletRequest hreq) {
+        if (!ignoredPaths.isEmpty() && "GET".equals(hreq.getMethod())) {
+            String path = hreq.getServletPath();
+            if (hreq.getPathInfo() != null) {
+                path = path + hreq.getPathInfo();
+            }
+            return ignoredPaths.contains(path);
+        }
+        return false;
+    }
 
     //----- Response handler routines -----
     /**
@@ -234,31 +261,30 @@ public class XSRFHandler
      * @return String containing the JavaScript content, else null
      */
     private String getFile(String filename) {
-        StringBuilder sb = new StringBuilder();
         InputStream is = getClass().getResourceAsStream(filename);
         if (is != null) {
+            StringBuilder sb = new StringBuilder();
+            InputStreamReader reader = null;
             try {
+                reader = new InputStreamReader(is, "UTF-8");
+                char[] buffer = new char[1024];
                 int i = 0;
-                while ((i = is.read()) > 0) {
-                    sb.append((char) i);
+                while ((i = reader.read(buffer)) > 0) {
+                    sb.append(buffer, 0, i);
                 }
-            }
-            catch (IOException ioe) {
+            } catch (IOException ioe) {
                 log.error("Could not read resource=" + filename, ioe);
-            }
-            finally {
-                try {
-                    is.close();
-                }
-                catch (IOException ioe) {
+            } finally {
+                if (reader != null) {
+                    try { reader.close(); } catch (IOException ignored) {}
                 }
+                try { is.close(); } catch (IOException ignored) {}
             }
-        }
-        else {
+            return sb.toString();
+        } else {
             log.error("Could not load required resource=" + filename);
             return null;
         }
-        return sb.toString();
     }
 
 }

Modified: geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSXSRFFilter.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSXSRFFilter.java?rev=1336818&r1=1336817&r2=1336818&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSXSRFFilter.java
(original)
+++ geronimo/server/branches/3.0-beta/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSXSRFFilter.java
Thu May 10 18:12:05 2012
@@ -59,13 +59,19 @@ public class XSSXSRFFilter implements Fi
     public void init(FilterConfig config) throws ServletException {
         log.debug("init() called");
         String parmEnableXSS = config.getInitParameter("enableXSS");
-        String parmEnableXSRF = config.getInitParameter("enableXSRF");
-        if ((parmEnableXSS != null) && (parmEnableXSS.equals("false"))) {
+        if ((parmEnableXSS != null) && (parmEnableXSS.equalsIgnoreCase("false")))
{
             this.enableXSS = false;
         }
-        if ((parmEnableXSRF != null) && (parmEnableXSRF.equals("false"))) {
+        
+        String parmEnableXSRF = config.getInitParameter("enableXSRF");
+        if ((parmEnableXSRF != null) && (parmEnableXSRF.equalsIgnoreCase("false")))
{
             this.enableXSRF = false;
         }
+        
+        String ignoreResources = config.getInitParameter("xsrf.ignorePaths");
+        if (ignoreResources != null) {
+            xsrf.setIgnorePaths(ignoreResources);
+        }
     }
 
     /* (non-Javadoc)
@@ -93,6 +99,7 @@ public class XSSXSRFFilter implements Fi
             HttpServletRequest hreq = (HttpServletRequest)request;
             hreq.setCharacterEncoding("UTF-8");
             String errStr = null;
+            
             //--------------------------------------------------------------
             // Check the URI and QueryString for simple XSS attacks
             // Validate any FORM submission with our XSRF protection code
@@ -100,15 +107,15 @@ public class XSSXSRFFilter implements Fi
             // check the URI/Params first, as they get logged during the XSRF checks
             if (enableXSS && xss.isInvalidURI(hreq)) {
                 // Block simple XSS attacks in GET request URIs
-                errStr = new String("XSSXSRFFilter blocked HttpServletRequest due to invalid
URI content.");
+                errStr = "XSSXSRFFilter blocked HttpServletRequest due to invalid URI content.";
             }
             else if (enableXSS && xss.isInvalidParameters(hreq)) {
                 // Block simple XSS attacks in POST parameters
-                errStr = new String("XSSXSRFFilter blocked HttpServletRequest due to invalid
POST content.");
+                errStr = "XSSXSRFFilter blocked HttpServletRequest due to invalid POST content.";
             }
             else if (enableXSRF && xsrf.isInvalidSession(hreq)) {
                 // Block simple XSRF attacks on our forms
-                errStr = new String("XSSXSRFFilter blocked HttpServletRequest due to invalid
FORM content.");   
+                errStr = "XSSXSRFFilter blocked HttpServletRequest due to invalid FORM content.";
  
             }
             // if we found a problem, return a HTTP 400 error code and message
             if (errStr != null) {

Modified: geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml?rev=1336818&r1=1336817&r2=1336818&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml
(original)
+++ geronimo/server/branches/3.0-beta/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml
Thu May 10 18:12:05 2012
@@ -35,6 +35,10 @@ limitations under the License.
   <filter>
     <filter-name>XSSXSRFFilter</filter-name>
     <filter-class>org.apache.geronimo.console.filter.XSSXSRFFilter</filter-class>
+    <init-param>
+       <param-name>xsrf.ignorePaths</param-name>
+       <param-value>/dojo/dojo/resources/blank.html</param-value>
+    </init-param>
   </filter>
   <filter-mapping>
     <filter-name>XSSXSRFFilter</filter-name>



Mime
View raw message