Author: angela
Date: Fri Aug 5 08:28:57 2011
New Revision: 1154123
URL: http://svn.apache.org/viewvc?rev=1154123&view=rev
Log:
2.2: Merging Revision 1152258 (JCR-3036)
Added:
jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/util/CSRFUtil.java
- copied unchanged from r1152258, jackrabbit/trunk/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/util/CSRFUtil.java
jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/util/
- copied from r1152258, jackrabbit/trunk/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/util/
jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/util/CSRFUtilTest.java
- copied unchanged from r1152258, jackrabbit/trunk/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/util/CSRFUtilTest.java
jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/util/TestAll.java
- copied unchanged from r1152258, jackrabbit/trunk/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/util/TestAll.java
Modified:
jackrabbit/branches/2.2/ (props changed)
jackrabbit/branches/2.2/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/webdav/jcr/JCRWebdavServerServlet.java
jackrabbit/branches/2.2/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/webdav/simple/SimpleWebdavServlet.java
jackrabbit/branches/2.2/jackrabbit-standalone/src/main/resources/WEB-INF/web.xml
jackrabbit/branches/2.2/jackrabbit-webapp/src/main/webapp/WEB-INF/web.xml
jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java
Propchange: jackrabbit/branches/2.2/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Aug 5 08:28:57 2011
@@ -2,4 +2,4 @@
/jackrabbit/sandbox/JCR-1456:774917-886178
/jackrabbit/sandbox/JCR-2170:812417-816332
/jackrabbit/sandbox/tripod-JCR-2209:795441-795863
-/jackrabbit/trunk:1038201,1038203,1038205,1038657,1039064,1039347,1039408,1039422-1039423,1039888,1039946,1040033,1040090,1040459,1040601,1040606,1040661,1040958,1041379,1041439,1041761,1042643,1042647,1042978-1042982,1043084-1043086,1043088,1043343,1043357-1043358,1043430,1043554,1043616,1043618,1043637,1043656,1043893,1043897,1044239,1044312,1044451,1044613,1049473,1049491,1049514,1049518,1049520,1049859,1049870,1049874,1049878,1049880,1049883,1049889,1049891,1049894-1049895,1049899-1049901,1049909-1049911,1049915-1049916,1049919,1049923,1049925,1049931,1049936,1049939,1050212,1050298,1050346,1050551,1055068,1055070-1055071,1055116-1055117,1055127,1055134,1055164,1055498,1060431,1060434,1060753,1063756,1064670,1065599,1065622,1066059,1066071,1069831,1071562,1071573,1071680,1074140,1079314,1079317,1080186,1080540,1087304,1088991,1089032,1089053,1089436,1092106,1092117,1092683,1097363,1097513-1097514,1098963-1098964,1099033,1099172,1100286,1104027,1128175,1130192,1130228,113
2993,1136353,1136360,1138511,1141141,1141717,1143738,1144332,1144338,1144695
+/jackrabbit/trunk:1038201,1038203,1038205,1038657,1039064,1039347,1039408,1039422-1039423,1039888,1039946,1040033,1040090,1040459,1040601,1040606,1040661,1040958,1041379,1041439,1041761,1042643,1042647,1042978-1042982,1043084-1043086,1043088,1043343,1043357-1043358,1043430,1043554,1043616,1043618,1043637,1043656,1043893,1043897,1044239,1044312,1044451,1044613,1049473,1049491,1049514,1049518,1049520,1049859,1049870,1049874,1049878,1049880,1049883,1049889,1049891,1049894-1049895,1049899-1049901,1049909-1049911,1049915-1049916,1049919,1049923,1049925,1049931,1049936,1049939,1050212,1050298,1050346,1050551,1055068,1055070-1055071,1055116-1055117,1055127,1055134,1055164,1055498,1060431,1060434,1060753,1063756,1064670,1065599,1065622,1066059,1066071,1069831,1071562,1071573,1071680,1074140,1079314,1079317,1080186,1080540,1087304,1088991,1089032,1089053,1089436,1092106,1092117,1092683,1097363,1097513-1097514,1098963-1098964,1099033,1099172,1100286,1104027,1128175,1130192,1130228,113
2993,1136353,1136360,1138511,1141141,1141717,1143738,1144332,1144338,1144695,1152258
Modified: jackrabbit/branches/2.2/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/webdav/jcr/JCRWebdavServerServlet.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.2/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/webdav/jcr/JCRWebdavServerServlet.java?rev=1154123&r1=1154122&r2=1154123&view=diff
==============================================================================
--- jackrabbit/branches/2.2/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/webdav/jcr/JCRWebdavServerServlet.java
(original)
+++ jackrabbit/branches/2.2/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/webdav/jcr/JCRWebdavServerServlet.java
Fri Aug 5 08:28:57 2011
@@ -60,20 +60,6 @@ public abstract class JCRWebdavServerSer
public static final String INIT_PARAM_RESOURCE_PATH_PREFIX = "resource-path-prefix";
/**
- * Name of the optional init parameter that defines the value of the
- * 'WWW-Authenticate' header.<p/>
- * If the parameter is omitted the default value
- * {@link #DEFAULT_AUTHENTICATE_HEADER "Basic Realm=Jackrabbit Webdav Server"}
- * is used.
- *
- * @see #getAuthenticateHeaderValue()
- */
- public static final String INIT_PARAM_AUTHENTICATE_HEADER = "authenticate-header";
-
- /** the 'missing-auth-mapping' init parameter */
- public final static String INIT_PARAM_MISSING_AUTH_MAPPING = "missing-auth-mapping";
-
- /**
* Servlet context attribute used to store the path prefix instead of
* having a static field with this servlet. The latter causes problems
* when running multiple
@@ -81,7 +67,6 @@ public abstract class JCRWebdavServerSer
public static final String CTX_ATTR_RESOURCE_PATH_PREFIX = "jackrabbit.webdav.jcr.resourcepath";
private String pathPrefix;
- private String authenticate_header;
private JCRWebdavServer server;
private DavResourceFactory resourceFactory;
@@ -107,12 +92,6 @@ public abstract class JCRWebdavServerSer
getServletContext().setAttribute(CTX_ATTR_RESOURCE_PATH_PREFIX, pathPrefix);
log.debug(INIT_PARAM_RESOURCE_PATH_PREFIX + " = " + pathPrefix);
- authenticate_header = getInitParameter(INIT_PARAM_AUTHENTICATE_HEADER);
- if (authenticate_header == null) {
- authenticate_header = DEFAULT_AUTHENTICATE_HEADER;
- }
- log.debug(INIT_PARAM_AUTHENTICATE_HEADER + " = " + authenticate_header);
-
txMgr = new TxLockManagerImpl();
subscriptionMgr = new SubscriptionManagerImpl();
txMgr.addTransactionListener((SubscriptionManagerImpl) subscriptionMgr);
@@ -232,18 +211,6 @@ public abstract class JCRWebdavServerSer
}
/**
- * Returns the init param of the servlet configuration or
- * {@link #DEFAULT_AUTHENTICATE_HEADER} as default value.
- *
- * @return corresponding init parameter or {@link #DEFAULT_AUTHENTICATE_HEADER}.
- * @see #INIT_PARAM_AUTHENTICATE_HEADER
- */
- @Override
- public String getAuthenticateHeaderValue() {
- return authenticate_header;
- }
-
- /**
* Modified variant needed for JCR move and copy that isn't compliant to
* WebDAV. The latter requires both methods to fail if the destination already
* exists and Overwrite is set to F (false); in JCR however this depends on
Modified: jackrabbit/branches/2.2/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/webdav/simple/SimpleWebdavServlet.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.2/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/webdav/simple/SimpleWebdavServlet.java?rev=1154123&r1=1154122&r2=1154123&view=diff
==============================================================================
--- jackrabbit/branches/2.2/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/webdav/simple/SimpleWebdavServlet.java
(original)
+++ jackrabbit/branches/2.2/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/webdav/simple/SimpleWebdavServlet.java
Fri Aug 5 08:28:57 2011
@@ -66,20 +66,6 @@ public abstract class SimpleWebdavServle
public static final String INIT_PARAM_RESOURCE_PATH_PREFIX = "resource-path-prefix";
/**
- * Name of the optional init parameter that defines the value of the
- * 'WWW-Authenticate' header.<p/>
- * If the parameter is omitted the default value
- * {@link #DEFAULT_AUTHENTICATE_HEADER "Basic Realm=Jackrabbit Webdav Server"}
- * is used.
- *
- * @see #getAuthenticateHeaderValue()
- */
- public static final String INIT_PARAM_AUTHENTICATE_HEADER = "authenticate-header";
-
- /** the 'missing-auth-mapping' init parameter */
- public final static String INIT_PARAM_MISSING_AUTH_MAPPING = "missing-auth-mapping";
-
- /**
* Name of the init parameter that specify a separate configuration used
* for filtering the resources displayed.
*/
@@ -105,11 +91,6 @@ public abstract class SimpleWebdavServle
private String resourcePathPrefix;
/**
- * Header value as specified in the {@link #INIT_PARAM_AUTHENTICATE_HEADER} parameter.
- */
- private String authenticate_header;
-
- /**
* Map used to remember any webdav lock created without being reflected
* in the underlying repository.
* This is needed because some clients rely on a successful locking
@@ -162,12 +143,6 @@ public abstract class SimpleWebdavServle
getServletContext().setAttribute(CTX_ATTR_RESOURCE_PATH_PREFIX, resourcePathPrefix);
log.info(INIT_PARAM_RESOURCE_PATH_PREFIX + " = '" + resourcePathPrefix + "'");
- authenticate_header = getInitParameter(INIT_PARAM_AUTHENTICATE_HEADER);
- if (authenticate_header == null) {
- authenticate_header = DEFAULT_AUTHENTICATE_HEADER;
- }
- log.info("WWW-Authenticate header = '" + authenticate_header + "'");
-
config = new ResourceConfig(getDetector());
String configParam = getInitParameter(INIT_PARAM_RESOURCE_CONFIG);
if (configParam != null) {
@@ -387,20 +362,6 @@ public abstract class SimpleWebdavServle
}
/**
- * Returns the header value retrieved from the {@link #INIT_PARAM_AUTHENTICATE_HEADER}
- * init parameter. If the parameter is missing, the value defaults to
- * {@link #DEFAULT_AUTHENTICATE_HEADER}.
- *
- * @return the header value retrieved from the corresponding init parameter
- * or {@link #DEFAULT_AUTHENTICATE_HEADER}.
- * @see AbstractWebdavServlet#getAuthenticateHeaderValue()
- */
- @Override
- public String getAuthenticateHeaderValue() {
- return authenticate_header;
- }
-
- /**
* Returns the resource configuration to be applied
*
* @return the resource configuration.
Modified: jackrabbit/branches/2.2/jackrabbit-standalone/src/main/resources/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.2/jackrabbit-standalone/src/main/resources/WEB-INF/web.xml?rev=1154123&r1=1154122&r2=1154123&view=diff
==============================================================================
--- jackrabbit/branches/2.2/jackrabbit-standalone/src/main/resources/WEB-INF/web.xml (original)
+++ jackrabbit/branches/2.2/jackrabbit-standalone/src/main/resources/WEB-INF/web.xml Fri Aug
5 08:28:57 2011
@@ -44,7 +44,6 @@
The webdav servlet that connects HTTP request to the repository.
</description>
<servlet-class>org.apache.jackrabbit.j2ee.SimpleWebdavServlet</servlet-class>
-
<init-param>
<param-name>resource-path-prefix</param-name>
<param-value>/repository</param-value>
@@ -59,6 +58,22 @@
Defines various dav-resource configuration parameters.
</description>
</init-param>
+ <!--
+ Optional parameter to define the behaviour of the referrer-based CSRF protection
+ -->
+ <!--
+ <init-param>
+ <param-name>csrf-protection</param-name>
+ <param-value>host1.domain.com,host2.domain.org</param-value>
+ <description>
+ Defines the behaviour of the referrer based CSRF protection
+ 1) If omitted or left empty the (default) behaviour is to allow only requests
with
+ an empty referrer header or a referrer host equal to the server host
+ 2) May also contain a comma separated list of additional allowed referrer
hosts
+ 3) If set to 'disabled' no referrer checking will be performed at all
+ </description>
+ </init-param>
+ -->
<load-on-startup>3</load-on-startup>
</servlet>
@@ -128,6 +143,22 @@
<description>JcrRemotingServlet: Optional mapping from node type names
to default depth.</description>
</init-param>
-->
+ <!--
+ Optional parameter to define the behaviour of the referrer-based CSRF protection
+ -->
+ <!--
+ <init-param>
+ <param-name>csrf-protection</param-name>
+ <param-value>host1.domain.com,host2.domain.org</param-value>
+ <description>
+ Defines the behaviour of the referrer based CSRF protection
+ 1) If omitted or left empty the (default) behaviour is to allow only requests
with
+ an empty referrer header or a referrer host equal to the server host
+ 2) May also contain a comma separated list of additional allowed referrer
hosts
+ 3) If set to 'disabled' no referrer checking will be performed at all
+ </description>
+ </init-param>
+ -->
<load-on-startup>5</load-on-startup>
</servlet>
Modified: jackrabbit/branches/2.2/jackrabbit-webapp/src/main/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.2/jackrabbit-webapp/src/main/webapp/WEB-INF/web.xml?rev=1154123&r1=1154122&r2=1154123&view=diff
==============================================================================
--- jackrabbit/branches/2.2/jackrabbit-webapp/src/main/webapp/WEB-INF/web.xml (original)
+++ jackrabbit/branches/2.2/jackrabbit-webapp/src/main/webapp/WEB-INF/web.xml Fri Aug 5 08:28:57
2011
@@ -147,7 +147,7 @@
<description>
If this is set, the RepositoryAccessServlet expects a Repository in the ServletContext
attribute having this name. This allows servlets of this module to be used with
repositories
- intialized by the jackrabbit-jcr-servlet module utilities.
+ initialized by the jackrabbit-jcr-servlet module utilities.
</description>
</init-param>
-->
@@ -210,7 +210,7 @@
<description>
Defines how a missing authorization header should be handled.
1) If this init-param is missing, a 401 response is generated.
- This is suiteable for clients (eg. webdav clients) for which
+ This is suitable for clients (eg. webdav clients) for which
sending a proper authorization header is not possible if the
server never sent a 401.
2) If this init-param is present with an empty value,
@@ -237,7 +237,7 @@
-->
<!--
Parameter used to configure behaviour of webdav resources such as:
- - destinction between collections and non-collections
+ - distinction between collections and non-collections
- resource filtering
-->
<init-param>
@@ -247,6 +247,22 @@
Defines various dav-resource configuration parameters.
</description>
</init-param>
+ <!--
+ Optional parameter to define the behaviour of the referrer-based CSRF protection
+ -->
+ <!--
+ <init-param>
+ <param-name>csrf-protection</param-name>
+ <param-value>host1.domain.com,host2.domain.org</param-value>
+ <description>
+ Defines the behaviour of the referrer based CSRF protection
+ 1) If omitted or left empty the (default) behaviour is to allow only requests
with
+ an empty referrer header or a referrer host equal to the server host
+ 2) May also contain a comma separated list of additional allowed referrer
hosts
+ 3) If set to 'disabled' no referrer checking will be performed at all
+ </description>
+ </init-param>
+ -->
<load-on-startup>4</load-on-startup>
</servlet>
@@ -265,7 +281,7 @@
<description>
Defines how a missing authorization header should be handled.
1) If this init-param is missing, a 401 response is generated.
- This is suiteable for clients (eg. webdav clients) for which
+ This is suitable for clients (eg. webdav clients) for which
sending a proper authorization header is not possible if the
server never sent a 401.
2) If this init-param is present with an empty value,
@@ -316,7 +332,22 @@
<param-value>/WEB-INF/batchread.properties</param-value>
<description>JcrRemotingServlet: Optional mapping from node type names
to default depth.</description>
</init-param>
- <load-on-startup>5</load-on-startup>
+ <!--
+ Optional parameter to define the behaviour of the referrer-based CSRF protection
+ -->
+ <!--
+ <init-param>
+ <param-name>csrf-protection</param-name>
+ <param-value>host1.domain.com,host2.domain.org</param-value>
+ <description>
+ Defines the behaviour of the referrer based CSRF protection
+ 1) If omitted or left empty the (default) behaviour is to allow only requests
with
+ an empty referrer header or a referrer host equal to the server host
+ 2) May also contain a comma separated list of additional allowed referrer
hosts
+ 3) If set to 'disabled' no referrer checking will be performed at all
+ </description>
+ </init-param>
+ --> <load-on-startup>5</load-on-startup>
</servlet>
<!-- ====================================================================== -->
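Review bot: The last added line of this hunk puts the closing comment marker and the `<load-on-startup>` element on one line, `--> <load-on-startup>5</load-on-startup>`, replacing the context line that the other two insertions in this commit (jackrabbit-standalone web.xml and the earlier servlet in this file) leave untouched; it is well-formed XML but breaks the one-element-per-line layout of the file. Split it into `-->` and `<load-on-startup>5</load-on-startup>` on separate lines so the element is not hidden behind the comment.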
Modified: jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java?rev=1154123&r1=1154122&r2=1154123&view=diff
==============================================================================
--- jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java
(original)
+++ jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java
Fri Aug 5 08:28:57 2011
@@ -62,6 +62,7 @@ import org.apache.jackrabbit.webdav.secu
import org.apache.jackrabbit.webdav.security.AclResource;
import org.apache.jackrabbit.webdav.transaction.TransactionInfo;
import org.apache.jackrabbit.webdav.transaction.TransactionResource;
+import org.apache.jackrabbit.webdav.util.CSRFUtil;
import org.apache.jackrabbit.webdav.version.ActivityResource;
import org.apache.jackrabbit.webdav.version.DeltaVConstants;
import org.apache.jackrabbit.webdav.version.DeltaVResource;
@@ -101,6 +102,20 @@ abstract public class AbstractWebdavServ
*/
private static Logger log = LoggerFactory.getLogger(AbstractWebdavServlet.class);
+ /** the 'missing-auth-mapping' init parameter */
+ public final static String INIT_PARAM_MISSING_AUTH_MAPPING = "missing-auth-mapping";
+
+ /**
+ * Name of the optional init parameter that defines the value of the
+ * 'WWW-Authenticate' header.<p/>
+ * If the parameter is omitted the default value
+ * {@link #DEFAULT_AUTHENTICATE_HEADER "Basic Realm=Jackrabbit Webdav Server"}
+ * is used.
+ *
+ * @see #getAuthenticateHeaderValue()
+ */
+ public static final String INIT_PARAM_AUTHENTICATE_HEADER = "authenticate-header";
+
/**
* Default value for the 'WWW-Authenticate' header, that is set, if request
* results in a {@link DavServletResponse#SC_UNAUTHORIZED 401 (Unauthorized)}
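Review bot: Modifier order is inconsistent within the hunk: `public final static String INIT_PARAM_MISSING_AUTH_MAPPING` at the top against `public static final String INIT_PARAM_AUTHENTICATE_HEADER` a few lines below; the conventional order is `public static final String INIT_PARAM_MISSING_AUTH_MAPPING = "missing-auth-mapping";`. The one-line Javadoc on that constant only repeats its name; the web.xml hunks in this commit appear to describe the parameter as deciding how a request without an authorization header is handled (401 versus a mapped user), so a sentence to that effect plus a `@see` to the code that reads it would help readers of the base class, which continues outside the hunk.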
@@ -111,6 +126,43 @@ abstract public class AbstractWebdavServ
public static final String DEFAULT_AUTHENTICATE_HEADER = "Basic realm=\"Jackrabbit Webdav
Server\"";
/**
+ * Name of the parameter that specifies the configuration of the CSRF protection.
+ * May contain a comma-separated list of allowed referrer hosts.
+ * If the parameter is omitted or left empty the behaviour is to only allow requests
which have an empty referrer
+ * or a referrer host equal to the server host.
+ * If the parameter is set to 'disabled' no referrer checks will be performed at all.
+ */
+ public static final String INIT_PARAM_CSRF_PROTECTION = "csrf-protection";
+
+
+ /**
+ * Header value as specified in the {@link #INIT_PARAM_AUTHENTICATE_HEADER} parameter.
+ */
+ private String authenticate_header;
+
+ /**
+ * CSRF protection utility
+ */
+ private CSRFUtil csrfUtil;
+
+ @Override
+ public void init() throws ServletException {
+ super.init();
+
+ // authenticate header
+ authenticate_header = getInitParameter(INIT_PARAM_AUTHENTICATE_HEADER);
+ if (authenticate_header == null) {
+ authenticate_header = DEFAULT_AUTHENTICATE_HEADER;
+ }
+ log.info(INIT_PARAM_AUTHENTICATE_HEADER + " = " + authenticate_header);
+
+ // read csrf protection params
+ String csrfParam = getInitParameter(INIT_PARAM_CSRF_PROTECTION);
+ csrfUtil = new CSRFUtil(csrfParam);
+ log.info(INIT_PARAM_CSRF_PROTECTION + " = " + csrfParam);
+ }
+
+ /**
* Checks if the precondition for this request and resource is valid.
*
* @param request
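Review bot: `init()` is now the only place `csrfUtil` and `authenticate_header` are assigned, so a subclass that overrides `init()` without calling `super.init()` leaves `csrfUtil` null and the new referrer check in `service()` ends in a NullPointerException rather than a deliberate response; the JCRWebdavServerServlet and SimpleWebdavServlet hunks in this commit show the bodies of their `init()` methods but not whether `super.init()` is called, so that should be verified. Document the contract on the method: `/** Reads the authenticate header and the CSRF protection settings from the init parameters; subclasses overriding this method must call {@code super.init()}. */`. The Javadoc of `INIT_PARAM_CSRF_PROTECTION` should also state the limitation its own wording implies: with the default setting a request carrying no referrer header passes the check, so the protection only covers clients that send one. Finally, `authenticate_header` is snake_case in a lowerCamelCase code base; `authenticateHeader` would match `csrfUtil` declared right below it. The enclosing class continues outside the hunk.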
@@ -163,11 +215,15 @@ abstract public class AbstractWebdavServ
/**
* Returns the value of the 'WWW-Authenticate' header, that is returned in
- * case of 401 error.
+ * case of 401 error: the value is retrireved from the corresponding init
+ * param or defaults to {@link #DEFAULT_AUTHENTICATE_HEADER}.
*
- * @return value of the 'WWW-Authenticate' header
+ * @return corresponding init parameter or {@link #DEFAULT_AUTHENTICATE_HEADER}.
+ * @see #INIT_PARAM_AUTHENTICATE_HEADER
*/
- abstract public String getAuthenticateHeaderValue();
+ public String getAuthenticateHeaderValue() {
+ return authenticate_header;
+ }
/**
* Service the given request.
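Review bot: The rewritten Javadoc has a typo at `retrireved`; the line should read `* case of 401 error: the value is retrieved from the corresponding init`. Since the method is no longer abstract and simply returns the field, the doc could also say that the value is only populated once `init()` has run. The enclosing class continues outside the hunk.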
@@ -192,10 +248,16 @@ abstract public class AbstractWebdavServ
return;
}
+ // perform referrer host checks if CSRF protection is enabled
+ if (!csrfUtil.isValidRequest(webdavRequest)) {
+ webdavResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
+
// check matching if=header for lock-token relevant operations
DavResource resource = getResourceFactory().createResource(webdavRequest.getRequestLocator(),
webdavRequest, webdavResponse);
if (!isPreconditionValid(webdavRequest, resource)) {
- webdavResponse.sendError(DavServletResponse.SC_PRECONDITION_FAILED);
+ webdavResponse.sendError(HttpServletResponse.SC_PRECONDITION_FAILED);
return;
}
if (!execute(webdavRequest, webdavResponse, methodCode, resource)) {
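Review bot: The new referrer check answers a failed `isValidRequest` with a bare 403 and nothing is logged, so an operator cannot distinguish a misconfigured `csrf-protection` allow-list from a genuine cross-site request; the precondition branch below is equally silent, but this one is the security-relevant rejection. Add a warn-level line before the `return`, e.g. `log.warn("Referrer check failed, request rejected: " + webdavRequest.getRequestURI());`, which matches the string-concatenation logging style used elsewhere in this commit. `service()` starts and ends outside the hunk.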