001/*
002    Licensed to the Apache Software Foundation (ASF) under one
003    or more contributor license agreements.  See the NOTICE file
004    distributed with this work for additional information
005    regarding copyright ownership.  The ASF licenses this file
006    to you under the Apache License, Version 2.0 (the
007    "License"); you may not use this file except in compliance
008    with the License.  You may obtain a copy of the License at
009
010       http://www.apache.org/licenses/LICENSE-2.0
011
012    Unless required by applicable law or agreed to in writing,
013    software distributed under the License is distributed on an
014    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015    KIND, either express or implied.  See the License for the
016    specific language governing permissions and limitations
017    under the License.
018 */
019package org.apache.wiki.http.filter;
020
021import org.apache.logging.log4j.LogManager;
022import org.apache.logging.log4j.Logger;
023import org.apache.wiki.api.core.Engine;
024import org.apache.wiki.api.core.Session;
025import org.apache.wiki.api.spi.Wiki;
026
027import javax.servlet.Filter;
028import javax.servlet.FilterChain;
029import javax.servlet.FilterConfig;
030import javax.servlet.ServletException;
031import javax.servlet.ServletRequest;
032import javax.servlet.ServletResponse;
033import javax.servlet.http.HttpServletRequest;
034import javax.servlet.http.HttpServletResponse;
035import java.io.IOException;
036
037
038/**
039 * CSRF protection Filter which uses the synchronizer token pattern – an anti-CSRF token is created and stored in the
040 * user session and in a hidden field on subsequent form submits. At every submit the server checks the token from the
041 * session matches the one submitted from the form.
042 */
043public class CsrfProtectionFilter implements Filter {
044
045    private static final Logger LOG = LogManager.getLogger( CsrfProtectionFilter.class );
046
047    public static final String ANTICSRF_PARAM = "X-XSRF-TOKEN";
048
049    /** {@inheritDoc} */
050    @Override
051    public void init( final FilterConfig filterConfig ) {
052    }
053
054    /** {@inheritDoc} */
055    @Override
056    public void doFilter( final ServletRequest request, final ServletResponse response, final FilterChain chain ) throws IOException, ServletException {
057        if( isPost( ( HttpServletRequest ) request ) ) {
058            final Engine engine = Wiki.engine().find( request.getServletContext(), null );
059            final Session session = Wiki.session().find( engine, ( HttpServletRequest ) request );
060            if( !requestContainsValidCsrfToken( request, session ) ) {
061                LOG.error( "Incorrect {} param with value '{}' received for {}",
062                           ANTICSRF_PARAM, request.getParameter( ANTICSRF_PARAM ), ( ( HttpServletRequest ) request ).getPathInfo() );
063                ( ( HttpServletResponse ) response ).sendRedirect( "/error/Forbidden.html" );
064                return;
065            }
066        }
067        chain.doFilter( request, response );
068    }
069
070    public static boolean isCsrfProtectedPost( final HttpServletRequest request ) {
071        if( isPost( request ) ) {
072            final Engine engine = Wiki.engine().find( request.getServletContext(), null );
073            final Session session = Wiki.session().find( engine, request );
074            return requestContainsValidCsrfToken( request, session );
075        }
076        return false;
077    }
078
079    private static boolean requestContainsValidCsrfToken( final ServletRequest request, final Session session ) {
080        return session.antiCsrfToken().equals( request.getParameter( ANTICSRF_PARAM ) );
081    }
082
083    static boolean isPost( final HttpServletRequest request ) {
084        return "POST".equalsIgnoreCase( request.getMethod() );
085    }
086
087    /** {@inheritDoc} */
088    @Override
089    public void destroy() {
090    }
091
092}