From cziege...@apache.org
Subject svn commit: r1146709 - in /sling/trunk/contrib/extensions/security: ./ src/ src/main/ src/main/java/ src/main/java/org/ src/main/java/org/apache/ src/main/java/org/apache/sling/ src/main/java/org/apache/sling/security/ src/main/java/org/apache/sling/se...
Date Thu, 14 Jul 2011 13:42:36 GMT
Author: cziegeler
Date: Thu Jul 14 13:42:34 2011
New Revision: 1146709

URL: http://svn.apache.org/viewvc?rev=1146709&view=rev
Log:
SLING-2141 - Add a way to check the referrer for modification requests

Added:
    sling/trunk/contrib/extensions/security/
    sling/trunk/contrib/extensions/security/pom.xml   (with props)
    sling/trunk/contrib/extensions/security/src/
    sling/trunk/contrib/extensions/security/src/main/
    sling/trunk/contrib/extensions/security/src/main/java/
    sling/trunk/contrib/extensions/security/src/main/java/org/
    sling/trunk/contrib/extensions/security/src/main/java/org/apache/
    sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/
    sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/
    sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/
    sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
  (with props)
    sling/trunk/contrib/extensions/security/src/main/resources/
    sling/trunk/contrib/extensions/security/src/main/resources/OSGI-INF/
    sling/trunk/contrib/extensions/security/src/main/resources/OSGI-INF/metatype/
    sling/trunk/contrib/extensions/security/src/main/resources/OSGI-INF/metatype/metatype.properties
  (with props)

Added: sling/trunk/contrib/extensions/security/pom.xml
URL: http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security/pom.xml?rev=1146709&view=auto
==============================================================================
--- sling/trunk/contrib/extensions/security/pom.xml (added)
+++ sling/trunk/contrib/extensions/security/pom.xml Thu Jul 14 13:42:34 2011
@@ -0,0 +1,98 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+    
+    http://www.apache.org/licenses/LICENSE-2.0
+    
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.apache.sling</groupId>
+        <artifactId>sling</artifactId>
+        <version>10</version>
+    </parent>
+
+    <artifactId>org.apache.sling.security</artifactId>
+    <version>0.5.0-SNAPSHOT</version>
+    <packaging>bundle</packaging>
+
+    <name>Apache Sling Security</name>
+    <description>
+        The Apache Sling Security module.
+    </description>
+
+    <scm>
+        <connection>scm:svn:http://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</connection>
+        <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</developerConnection>
+        <url>http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security</url>
+    </scm>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.felix</groupId>
+                <artifactId>maven-scr-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.sling</groupId>
+                <artifactId>maven-sling-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.felix</groupId>
+                <artifactId>maven-bundle-plugin</artifactId>
+                <extensions>true</extensions>
+                <configuration>
+                    <instructions>
+                        <Bundle-Category>sling</Bundle-Category>
+                        <Private-Package>
+                            org.apache.sling.security.impl
+                        </Private-Package>
+                    </instructions>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.commons.osgi</artifactId>
+            <version>2.0.6</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.scr.annotations</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>servlet-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.compendium</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+        </dependency>
+    </dependencies>
+</project>

Propchange: sling/trunk/contrib/extensions/security/pom.xml
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: sling/trunk/contrib/extensions/security/pom.xml
------------------------------------------------------------------------------
    svn:keywords = Id

Propchange: sling/trunk/contrib/extensions/security/pom.xml
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
URL: http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java?rev=1146709&view=auto
==============================================================================
--- sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
(added)
+++ sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
Thu Jul 14 13:42:34 2011
@@ -0,0 +1,159 @@
+/*
+ * Copyright 1997-2011 Day Management AG
+ * Barfuesserplatz 6, 4001 Basel, Switzerland
+ * All Rights Reserved.
+ *
+ * This software is the confidential and proprietary information of
+ * Day Management AG, ("Confidential Information"). You shall not
+ * disclose such Confidential Information and shall use it only in
+ * accordance with the terms of the license agreement you entered into
+ * with Day.
+ */
+package org.apache.sling.security.impl;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.felix.scr.annotations.Property;
+import org.apache.felix.scr.annotations.PropertyUnbounded;
+import org.apache.felix.scr.annotations.sling.SlingFilter;
+import org.apache.felix.scr.annotations.sling.SlingFilterScope;
+import org.apache.sling.commons.osgi.OsgiUtil;
+import org.osgi.service.component.ComponentContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+@SlingFilter(order=-100000,scope=SlingFilterScope.REQUEST,metatype=true,
+        description="%referrer.description",
+        label="%referrer.name")
+public class ReferrerFilter implements Filter {
+
+    private static final boolean DEFAULT_ALLOW_EMPTY = true;
+
+    @Property(boolValue=DEFAULT_ALLOW_EMPTY)
+    private static final String PROP_ALLOW_EMPTY = "allow.empty";
+
+    @Property(unbounded=PropertyUnbounded.ARRAY)
+    private static final String PROP_HOSTS = "allow.hosts";
+
+    private boolean allowEmpty;
+
+    private String[] allowHosts;
+
+    /**
+     * Activate
+     */
+    protected void activate(final ComponentContext ctx) {
+        this.allowEmpty = OsgiUtil.toBoolean(ctx.getProperties().get(PROP_ALLOW_EMPTY), DEFAULT_ALLOW_EMPTY);
+        this.allowHosts = OsgiUtil.toStringArray(ctx.getProperties().get(PROP_HOSTS));
+        if ( this.allowHosts != null ) {
+            if ( this.allowHosts.length == 0 ) {
+                this.allowHosts = null;
+            } else if ( this.allowHosts.length == 1 && this.allowHosts[0].trim().length()
== 0 ) {
+                this.allowHosts = null;
+            }
+        }
+    }
+
+    /** Logger. */
+    private final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+    private boolean isModification(final HttpServletRequest req) {
+        final String method = req.getMethod();
+        if ("POST".equals(method)) {
+            return true;
+        } else if ("PUT".equals(method)) {
+            return true;
+        } else if ("DELETE".equals(method)) {
+            return true;
+        }
+        return false;
+    }
+
+    public void doFilter(final ServletRequest req,
+                         final ServletResponse res,
+                         final FilterChain chain)
+    throws IOException, ServletException {
+        if ( req instanceof HttpServletRequest && res instanceof HttpServletResponse
) {
+            final HttpServletRequest request = (HttpServletRequest)req;
+
+            // is this a modification request
+            if ( this.isModification(request) ) {
+                if ( !this.isValidRequest(request) ) {
+                    final HttpServletResponse response = (HttpServletResponse)res;
+                    // we use 500
+                    response.sendError(500);
+                    return;
+                }
+            }
+        }
+        chain.doFilter(req, res);
+    }
+
+    private boolean isValidRequest(final HttpServletRequest request) {
+        final String referrer = request.getHeader("referer");
+        // check for missing/empty referrer
+        if ( referrer == null || referrer.trim().length() == 0 ) {
+            if ( !this.allowEmpty ) {
+                this.logger.info("Rejected empty referrer header for {} request to {}", request.getMethod(),
request.getRequestURI());
+            }
+            return this.allowEmpty;
+        }
+        // check for relative referrer - which is always allowed
+        if ( referrer.indexOf(":/") == - 1 ) {
+            return true;
+        }
+        final URI uri;
+        try {
+            uri = new URI(referrer);
+        } catch (URISyntaxException e) {
+            // if this is invalid we just return invalid
+            this.logger.info("Rejected illegal referrer header for {} request to {} : {}",
+                    new Object[] {request.getMethod(), request.getRequestURI(), referrer});
+            return false;
+        }
+        final String host = uri.getHost();
+        final boolean valid;
+        if ( this.allowHosts == null ) {
+            valid = host.equals(request.getServerName());
+        } else {
+            boolean flag = false;
+            for(final String allowHost : this.allowHosts) {
+                if ( host.equals(allowHost) ) {
+                    flag = true;
+                    break;
+                }
+            }
+            valid = flag;
+        }
+        if ( !valid) {
+            this.logger.info("Rejected referrer header for {} request to {} : {}",
+                    new Object[] {request.getMethod(), request.getRequestURI(), referrer});
+        }
+        return valid;
+    }
+
+    /**
+     * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
+     */
+    public void init(FilterConfig arg0) throws ServletException {
+        // nothing to do
+    }
+
+    /**
+     * @see javax.servlet.Filter#destroy()
+     */
+    public void destroy() {
+        // nothing to do
+    }
+}
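Review bot: `host` can be null at `final String host = uri.getHost();` in isValidRequest — `java.net.URI.getHost()` returns null when the referrer has no authority (e.g. `file:///x`) or an authority it cannot parse as a server-based hostname — so `host.equals(request.getServerName())` and `host.equals(allowHost)` throw a NullPointerException out of the filter instead of producing a logged rejection; guard it with `if ( host == null ) { this.logger.info("Rejected referrer header without host for {} request to {} : {}", new Object[] {request.getMethod(), request.getRequestURI(), referrer}); return false; }` ahead of the comparison. The match also considers only the host, never `uri.getScheme()` or `uri.getPort()`, so a page from a different origin on the same hostname (another port or scheme) passes; either compare those too or state in the class Javadoc that the check is host-only. The `referrer.indexOf(":/") == -1` shortcut accepts any scheme-less value unconditionally, including a protocol-relative `//other.host/`, which is broader than the "relative referrer" comment suggests; restricting it to values that start with `/` but not `//` would match the stated intent. `DEFAULT_ALLOW_EMPTY = true` deserves a Javadoc warning that it is a weak default, since a request whose Referer the browser omits (typically an HTTPS page submitting to an HTTP URL) is then never checked at all. Separately, the file header is a Day Management AG proprietary/confidential notice while pom.xml and metatype.properties in the same commit carry the ASF license header; this file needs the standard ASF header.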

Propchange: sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
------------------------------------------------------------------------------
    svn:keywords = author date id revision rev url

Propchange: sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: sling/trunk/contrib/extensions/security/src/main/resources/OSGI-INF/metatype/metatype.properties
URL: http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security/src/main/resources/OSGI-INF/metatype/metatype.properties?rev=1146709&view=auto
==============================================================================
--- sling/trunk/contrib/extensions/security/src/main/resources/OSGI-INF/metatype/metatype.properties
(added)
+++ sling/trunk/contrib/extensions/security/src/main/resources/OSGI-INF/metatype/metatype.properties
Thu Jul 14 13:42:34 2011
@@ -0,0 +1,35 @@
+#
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing,
+#  software distributed under the License is distributed on an
+#  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#  KIND, either express or implied.  See the License for the
+#  specific language governing permissions and limitations
+#  under the License.
+#
+
+#
+# This file contains localization strings for configuration labels and
+# descriptions as used in the metatype.xml descriptor generated by the
+# the SCR plugin
+
+#
+# Referrer Filter
+referrer.name = Apache Sling Referrer Filter
+referrer.description = Request filter checking the referrer of modification requests.  
+
+allow.empty.name = Allow Empty
+allow.empty.description = Allow an empty or missing referrer
+
+allow.hosts.name = Allow Hosts
+allow.hosts.description = List of allowed hosts for the referrer. IF this is empty only the
server\
+ host is allowed.
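Review bot: The `allow.empty.description` text tells the administrator what the switch does but not what it costs: with the shipped default of true, any modification request without a Referer header bypasses the filter entirely, a case a cross-site page can often arrange. Suggest `allow.empty.description = Allow an empty or missing referrer. When enabled, requests without a Referer header bypass the check; disable unless known clients omit the header.` The `allow.hosts.description` also has a stray capitalised `IF` and `referrer.description` ends in trailing whitespace; `If this is empty, only the server host is allowed.` reads cleaner.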

Propchange: sling/trunk/contrib/extensions/security/src/main/resources/OSGI-INF/metatype/metatype.properties
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: sling/trunk/contrib/extensions/security/src/main/resources/OSGI-INF/metatype/metatype.properties
------------------------------------------------------------------------------
    svn:keywords = Id

Propchange: sling/trunk/contrib/extensions/security/src/main/resources/OSGI-INF/metatype/metatype.properties
------------------------------------------------------------------------------
    svn:mime-type = text/plain


