001/* 002 Licensed to the Apache Software Foundation (ASF) under one 003 or more contributor license agreements. See the NOTICE file 004 distributed with this work for additional information 005 regarding copyright ownership. The ASF licenses this file 006 to you under the Apache License, Version 2.0 (the 007 "License"); you may not use this file except in compliance 008 with the License. You may obtain a copy of the License at 009 010 http://www.apache.org/licenses/LICENSE-2.0 011 012 Unless required by applicable law or agreed to in writing, 013 software distributed under the License is distributed on an 014 "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 015 KIND, either express or implied. See the License for the 016 specific language governing permissions and limitations 017 under the License. 018 */ 019package org.apache.wiki.http.filter; 020 021import org.apache.logging.log4j.LogManager; 022import org.apache.logging.log4j.Logger; 023import org.apache.wiki.api.core.Engine; 024import org.apache.wiki.api.core.Session; 025import org.apache.wiki.api.spi.Wiki; 026 027import javax.servlet.Filter; 028import javax.servlet.FilterChain; 029import javax.servlet.FilterConfig; 030import javax.servlet.ServletException; 031import javax.servlet.ServletRequest; 032import javax.servlet.ServletResponse; 033import javax.servlet.http.HttpServletRequest; 034import javax.servlet.http.HttpServletResponse; 035import java.io.IOException; 036 037 038/** 039 * CSRF protection Filter which uses the synchronizer token pattern – an anti-CSRF token is created and stored in the 040 * user session and in a hidden field on subsequent form submits. At every submit the server checks the token from the 041 * session matches the one submitted from the form. 042 */ 043public class CsrfProtectionFilter implements Filter { 044 045 private static final Logger LOG = LogManager.getLogger( CsrfProtectionFilter.class ); 046 047 public static final String ANTICSRF_PARAM = "X-XSRF-TOKEN"; 048 049 /** {@inheritDoc} */ 050 @Override 051 public void init( final FilterConfig filterConfig ) { 052 } 053 054 /** {@inheritDoc} */ 055 @Override 056 public void doFilter( final ServletRequest request, final ServletResponse response, final FilterChain chain ) throws IOException, ServletException { 057 if( isPost( ( HttpServletRequest ) request ) ) { 058 final Engine engine = Wiki.engine().find( request.getServletContext(), null ); 059 final Session session = Wiki.session().find( engine, ( HttpServletRequest ) request ); 060 if( !requestContainsValidCsrfToken( request, session ) ) { 061 LOG.error( "Incorrect {} param with value '{}' received for {}", 062 ANTICSRF_PARAM, request.getParameter( ANTICSRF_PARAM ), ( ( HttpServletRequest ) request ).getPathInfo() ); 063 ( ( HttpServletResponse ) response ).sendRedirect( "/error/Forbidden.html" ); 064 return; 065 } 066 } 067 chain.doFilter( request, response ); 068 } 069 070 public static boolean isCsrfProtectedPost( final HttpServletRequest request ) { 071 if( isPost( request ) ) { 072 final Engine engine = Wiki.engine().find( request.getServletContext(), null ); 073 final Session session = Wiki.session().find( engine, request ); 074 return requestContainsValidCsrfToken( request, session ); 075 } 076 return false; 077 } 078 079 private static boolean requestContainsValidCsrfToken( final ServletRequest request, final Session session ) { 080 return session.antiCsrfToken().equals( request.getParameter( ANTICSRF_PARAM ) ); 081 } 082 083 static boolean isPost( final HttpServletRequest request ) { 084 return "POST".equalsIgnoreCase( request.getMethod() ); 085 } 086 087 /** {@inheritDoc} */ 088 @Override 089 public void destroy() { 090 } 091 092}