/**
 * Servlet entry point for the CSRF filter. Wraps the request/response pair in
 * a {@link ServletFilterHttpInteraction} and delegates the decision to
 * {@link #handleHttpInteraction(HttpInteraction)}, which either lets the
 * chain proceed or answers with 400.
 *
 * @param request incoming request; cast unchecked to
 *        {@link HttpServletRequest}, so this filter must only be mapped in an
 *        HTTP servlet context
 * @param response outgoing response; cast unchecked to
 *        {@link HttpServletResponse}
 * @param chain remainder of the filter chain, invoked only when the
 *        interaction is allowed to proceed
 * @throws IOException if there is an I/O error
 * @throws ServletException if a servlet API call fails
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response,
    final FilterChain chain) throws IOException, ServletException {
  final ServletFilterHttpInteraction interaction =
      new ServletFilterHttpInteraction((HttpServletRequest) request,
          (HttpServletResponse) response, chain);
  handleHttpInteraction(interaction);
}
/**
 * Applies the CSRF filtering decision to a single HTTP interaction.
 *
 * The request is allowed through ({@link HttpInteraction#proceed()}) as soon
 * as one of these holds, evaluated in this order:
 * <ol>
 * <li>the User-Agent is not classified as a browser by {@link #isBrowser};
 *     non-browser clients are outside the CSRF threat model, since the attack
 *     relies on a browser silently attaching ambient credentials;</li>
 * <li>the HTTP method is in {@code methodsToIgnore} (set up in
 *     {@link #init}), i.e. it is configured as not state-changing;</li>
 * <li>the request carries the configured CSRF header ({@code headerName}).
 *     Only the header's presence is checked, never its value: a cross-origin
 *     page cannot attach a custom request header without a CORS preflight,
 *     so presence alone demonstrates the request came from same-origin
 *     code.</li>
 * </ol>
 * Otherwise the interaction is answered with 400 and is not forwarded.
 *
 * Method matching is a plain {@code contains} on the raw method string;
 * whether {@code parseMethodsToIgnore} normalises case is not visible here,
 * so treat the comparison as case-sensitive unless confirmed otherwise.
 *
 * @param httpInteraction caller's HTTP interaction
 * @throws IOException if there is an I/O error
 * @throws ServletException if the implementation relies on the servlet API
 *         and a servlet API call has failed
 */
public void handleHttpInteraction(HttpInteraction httpInteraction)
    throws IOException, ServletException {
  // Non-browser clients bypass the check entirely.
  if (!isBrowser(httpInteraction.getHeader(HEADER_USER_AGENT))) {
    httpInteraction.proceed();
    return;
  }
  // Methods configured as safe (e.g. read-only) bypass the check.
  if (methodsToIgnore.contains(httpInteraction.getMethod())) {
    httpInteraction.proceed();
    return;
  }
  // Presence of the custom header is the proof of same-origin intent.
  if (httpInteraction.getHeader(headerName) != null) {
    httpInteraction.proceed();
    return;
  }
  httpInteraction.sendError(HttpServletResponse.SC_BAD_REQUEST,
      "Missing Required Header for CSRF Vulnerability Protection");
}
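/**
 * Reads the filter configuration and initialises the CSRF header name, the
 * set of HTTP methods that bypass the check, and the browser User-Agent
 * patterns.
 *
 * Init parameters consulted on {@code filterConfig}:
 * <ul>
 * <li>{@code CUSTOM_HEADER_PARAM}: overrides the default {@code headerName}.
 *     A present-but-blank value is rejected (see {@code @throws}).</li>
 * <li>{@code CUSTOM_METHODS_TO_IGNORE_PARAM}: methods exempt from the check,
 *     parsed by {@code parseMethodsToIgnore}; falls back to
 *     {@code METHODS_TO_IGNORE_DEFAULT} when absent.</li>
 * <li>{@code BROWSER_USER_AGENT_PARAM}: User-Agent patterns treated as
 *     browsers, parsed by {@code parseBrowserUserAgents}; falls back to
 *     {@code BROWSER_USER_AGENTS_DEFAULT} when absent.</li>
 * </ul>
 * The effective settings are logged at INFO so operators can confirm what is
 * actually being enforced.
 *
 * @param filterConfig filter configuration supplied by the container
 * @throws ServletException if {@code CUSTOM_HEADER_PARAM} is set to a blank
 *         string. No request can carry a header with an empty name, so a
 *         blank name would silently turn into a 400 for every browser request
 *         that is not an ignored method; failing at startup makes the
 *         misconfiguration visible instead.
 */
@Override
public void init(FilterConfig filterConfig) throws ServletException {
  String customHeader = filterConfig.getInitParameter(CUSTOM_HEADER_PARAM);
  if (customHeader != null) {
    // Fail fast on an unusable header name rather than rejecting all traffic.
    if (customHeader.trim().isEmpty()) {
      throw new ServletException("Init parameter " + CUSTOM_HEADER_PARAM
          + " must not be blank.");
    }
    headerName = customHeader;
  }
  String customMethodsToIgnore =
      filterConfig.getInitParameter(CUSTOM_METHODS_TO_IGNORE_PARAM);
  if (customMethodsToIgnore != null) {
    parseMethodsToIgnore(customMethodsToIgnore);
  } else {
    parseMethodsToIgnore(METHODS_TO_IGNORE_DEFAULT);
  }
  String agents = filterConfig.getInitParameter(BROWSER_USER_AGENT_PARAM);
  if (agents == null) {
    agents = BROWSER_USER_AGENTS_DEFAULT;
  }
  parseBrowserUserAgents(agents);
  LOG.info("Adding cross-site request forgery (CSRF) protection, "
      + "headerName = {}, methodsToIgnore = {}, browserUserAgents = {}",
      headerName, methodsToIgnore, browserUserAgents);
}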
/**
 * Builds an initialised {@link RestCsrfPreventionFilter} for the DataNode.
 * The DataNode HTTP server is not servlet-based, so the filter is configured
 * here by hand: the {@code dfs.webhdfs.rest-csrf.}-prefixed properties are
 * lifted out of {@code conf} into a {@link MapBasedFilterConfig}, which
 * supplies just enough of the servlet {@code FilterConfig} contract for
 * {@link RestCsrfPreventionFilter#init} to run.
 *
 * @param conf configuration to read
 * @return initialized filter, or null if CSRF protection is not enabled
 *         ({@code DFS_WEBHDFS_REST_CSRF_ENABLED_KEY} is false)
 * @throws IllegalStateException if filter initialisation fails; the
 *         underlying {@link ServletException} is kept as the cause
 */
private static RestCsrfPreventionFilter createRestCsrfPreventionFilter(
    Configuration conf) {
  final boolean csrfEnabled = conf.getBoolean(
      DFS_WEBHDFS_REST_CSRF_ENABLED_KEY, DFS_WEBHDFS_REST_CSRF_ENABLED_DEFAULT);
  if (!csrfEnabled) {
    return null;
  }
  final Map<String, String> params = RestCsrfPreventionFilter
      .getFilterParams(conf, "dfs.webhdfs.rest-csrf.");
  final FilterConfig filterConfig = new MapBasedFilterConfig(
      RestCsrfPreventionFilter.class.getName(), params);
  final RestCsrfPreventionFilter csrfFilter = new RestCsrfPreventionFilter();
  try {
    csrfFilter.init(filterConfig);
  } catch (ServletException e) {
    // Surface as unchecked so a bad CSRF config aborts DataNode startup.
    throw new IllegalStateException(
        "Failed to initialize RestCsrfPreventionFilter.", e);
  }
  return csrfFilter;
}
/**
 * Guice servlet wiring for this test: binds the REST resources, a
 * {@link MockRM} running the {@link FifoScheduler}, routes all paths through
 * {@link GuiceContainer}, and puts a {@link RestCsrfPreventionFilter} in front
 * of everything. The filter's ignore list is narrowed to OPTIONS/HEAD/TRACE
 * so that GET is also CSRF-protected, which lets the tests exercise the
 * rejection path with simple GET requests.
 */
@Override
protected void configureServlets() {
  bind(JAXBContextResolver.class);
  bind(RMWebServices.class);
  bind(GenericExceptionHandler.class);

  final Configuration conf = new Configuration();
  conf.setClass(YarnConfiguration.RM_SCHEDULER, FifoScheduler.class,
      ResourceScheduler.class);
  rm = new MockRM(conf);
  bind(ResourceManager.class).toInstance(rm);
  serve("/*").with(GuiceContainer.class);

  // adding GET as protected method to make things a little easier...
  final Map<String, String> csrfParams = new HashMap<>();
  csrfParams.put(RestCsrfPreventionFilter.CUSTOM_METHODS_TO_IGNORE_PARAM,
      "OPTIONS,HEAD,TRACE");
  filter("/*").through(new RestCsrfPreventionFilter(), csrfParams);
}
};
DFS_WEBHDFS_REST_CSRF_ENABLED_DEFAULT)) { Map<String, String> restCsrfParams = RestCsrfPreventionFilter .getFilterParams(conf, "dfs.webhdfs.rest-csrf."); String restCsrfClassName = RestCsrfPreventionFilter.class.getName(); HttpServer2.defineFilter(httpServer2.getWebAppContext(),
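/**
 * Reads the filter configuration and initialises the CSRF header name, the
 * set of HTTP methods that bypass the check, and the browser User-Agent
 * patterns.
 *
 * Init parameters consulted on {@code filterConfig}:
 * <ul>
 * <li>{@code CUSTOM_HEADER_PARAM}: overrides the default {@code headerName}.
 *     A present-but-blank value is rejected (see {@code @throws}).</li>
 * <li>{@code CUSTOM_METHODS_TO_IGNORE_PARAM}: methods exempt from the check,
 *     parsed by {@code parseMethodsToIgnore}; falls back to
 *     {@code METHODS_TO_IGNORE_DEFAULT} when absent.</li>
 * <li>{@code BROWSER_USER_AGENT_PARAM}: User-Agent patterns treated as
 *     browsers, parsed by {@code parseBrowserUserAgents}; falls back to
 *     {@code BROWSER_USER_AGENTS_DEFAULT} when absent.</li>
 * </ul>
 * The effective settings are logged at INFO so operators can confirm what is
 * actually being enforced.
 *
 * @param filterConfig filter configuration supplied by the container
 * @throws ServletException if {@code CUSTOM_HEADER_PARAM} is set to a blank
 *         string. No request can carry a header with an empty name, so a
 *         blank name would silently turn into a 400 for every browser request
 *         that is not an ignored method; failing at startup makes the
 *         misconfiguration visible instead.
 */
@Override
public void init(FilterConfig filterConfig) throws ServletException {
  String customHeader = filterConfig.getInitParameter(CUSTOM_HEADER_PARAM);
  if (customHeader != null) {
    // Fail fast on an unusable header name rather than rejecting all traffic.
    if (customHeader.trim().isEmpty()) {
      throw new ServletException("Init parameter " + CUSTOM_HEADER_PARAM
          + " must not be blank.");
    }
    headerName = customHeader;
  }
  String customMethodsToIgnore =
      filterConfig.getInitParameter(CUSTOM_METHODS_TO_IGNORE_PARAM);
  if (customMethodsToIgnore != null) {
    parseMethodsToIgnore(customMethodsToIgnore);
  } else {
    parseMethodsToIgnore(METHODS_TO_IGNORE_DEFAULT);
  }
  String agents = filterConfig.getInitParameter(BROWSER_USER_AGENT_PARAM);
  if (agents == null) {
    agents = BROWSER_USER_AGENTS_DEFAULT;
  }
  parseBrowserUserAgents(agents);
  LOG.info("Adding cross-site request forgery (CSRF) protection, "
      + "headerName = {}, methodsToIgnore = {}, browserUserAgents = {}",
      headerName, methodsToIgnore, browserUserAgents);
}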
/**
 * Netty entry point for the CSRF filter. Adapts the inbound request into a
 * {@link NettyHttpInteraction} and hands it to
 * {@link RestCsrfPreventionFilter#handleHttpInteraction}, which decides
 * whether the request continues or is answered with 400.
 *
 * @param ctx channel context, passed to the interaction adapter
 * @param req inbound HTTP request to be checked
 * @throws Exception whatever the filter throws (declared as IOException and
 *         ServletException on the filter side)
 */
@Override
protected void channelRead0(final ChannelHandlerContext ctx,
    final HttpRequest req) throws Exception {
  final NettyHttpInteraction interaction = new NettyHttpInteraction(ctx, req);
  restCsrfPreventionFilter.handleHttpInteraction(interaction);
}
/**
 * Applies the CSRF filtering decision to a single HTTP interaction.
 *
 * The request is allowed through ({@link HttpInteraction#proceed()}) as soon
 * as one of these holds, evaluated in this order:
 * <ol>
 * <li>the User-Agent is not classified as a browser by {@link #isBrowser};
 *     non-browser clients are outside the CSRF threat model, since the attack
 *     relies on a browser silently attaching ambient credentials;</li>
 * <li>the HTTP method is in {@code methodsToIgnore} (set up in
 *     {@link #init}), i.e. it is configured as not state-changing;</li>
 * <li>the request carries the configured CSRF header ({@code headerName}).
 *     Only the header's presence is checked, never its value: a cross-origin
 *     page cannot attach a custom request header without a CORS preflight,
 *     so presence alone demonstrates the request came from same-origin
 *     code.</li>
 * </ol>
 * Otherwise the interaction is answered with 400 and is not forwarded.
 *
 * Method matching is a plain {@code contains} on the raw method string;
 * whether {@code parseMethodsToIgnore} normalises case is not visible here,
 * so treat the comparison as case-sensitive unless confirmed otherwise.
 *
 * @param httpInteraction caller's HTTP interaction
 * @throws IOException if there is an I/O error
 * @throws ServletException if the implementation relies on the servlet API
 *         and a servlet API call has failed
 */
public void handleHttpInteraction(HttpInteraction httpInteraction)
    throws IOException, ServletException {
  // Non-browser clients bypass the check entirely.
  if (!isBrowser(httpInteraction.getHeader(HEADER_USER_AGENT))) {
    httpInteraction.proceed();
    return;
  }
  // Methods configured as safe (e.g. read-only) bypass the check.
  if (methodsToIgnore.contains(httpInteraction.getMethod())) {
    httpInteraction.proceed();
    return;
  }
  // Presence of the custom header is the proof of same-origin intent.
  if (httpInteraction.getHeader(headerName) != null) {
    httpInteraction.proceed();
    return;
  }
  httpInteraction.sendError(HttpServletResponse.SC_BAD_REQUEST,
      "Missing Required Header for CSRF Vulnerability Protection");
}
/**
 * Servlet entry point for the CSRF filter. Wraps the request/response pair in
 * a {@link ServletFilterHttpInteraction} and delegates the decision to
 * {@link #handleHttpInteraction(HttpInteraction)}, which either lets the
 * chain proceed or answers with 400.
 *
 * @param request incoming request; cast unchecked to
 *        {@link HttpServletRequest}, so this filter must only be mapped in an
 *        HTTP servlet context
 * @param response outgoing response; cast unchecked to
 *        {@link HttpServletResponse}
 * @param chain remainder of the filter chain, invoked only when the
 *        interaction is allowed to proceed
 * @throws IOException if there is an I/O error
 * @throws ServletException if a servlet API call fails
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response,
    final FilterChain chain) throws IOException, ServletException {
  final ServletFilterHttpInteraction interaction =
      new ServletFilterHttpInteraction((HttpServletRequest) request,
          (HttpServletResponse) response, chain);
  handleHttpInteraction(interaction);
}