Version 4.10.0
Class hirondelle.web4j.security.CsrfFilter
Object
  hirondelle.web4j.security.CsrfFilter
public class CsrfFilter implements Filter
Protect your application from a Cross Site Request Forgery (CSRF).
Please see the package overview for important information regarding CSRF attacks, and security in general.
This filter maintains various items needed to protect against CSRF attacks. It acts both as a pre-processor and as a post-processor. The behavior of this class is controlled by detecting two important events:
- FORM_SOURCE_ID_KEY. This value is difficult to guess.
- PREVIOUS_FORM_SOURCE_ID_KEY. The 'old' form-source id is simply the form-source id used in the immediately preceding session for the same user.
- FORM_SOURCE_DAO_KEY.
The above behavior of this class upon user login requires interaction with your database. It's configured in web.xml using two items: FormSourceIdRead and FormSourceIdWrite. These two items are SqlId references. They tell this class which SQL statements to use when reading and writing form-source ids to the database. As usual, these SqlId items must be declared somewhere in your application as public static final fields, and the corresponding SQL statements must appear somewhere in an .sql file. (Please see these items in the example application for an illustration: web.xml, UserDAO, and csrf.sql.)
<FORM> tags with method='POST'. In each such <FORM> tag, add a hidden parameter in the following style:
<input type='hidden' name='web4j_key_for_form_source_id' value='151jdk65654dasdf545sadf6a5s4f'>
The name of the hidden parameter is FORM_SOURCE_ID_KEY, and the value of that hidden parameter is the random token created during the pre-processing stage.
ApplicationFirewallImpl: it is the firewall which performs the actual test to make sure the POSTed form came from your web app.
This filter will only affect the response if its content-type is text/html or null. It will not affect any other type of response.
Field Summary
| Modifier and Type | Field and Description |
|---|---|
| static String | FORM_SOURCE_DAO_KEY: Key for item stored in session scope. |
| static String | FORM_SOURCE_ID_KEY: Key for item stored in session scope, and also name of hidden request parameter added to POSTed forms. |
| static String | PREVIOUS_FORM_SOURCE_ID_KEY: Key for item stored in session scope. |
Constructor Summary
| Constructor and Description |
|---|
| CsrfFilter() |
Method Summary
| Modifier and Type | Method and Description |
|---|---|
| void | addCsrfToken(HttpServletRequest aRequest): Add a CSRF token to an existing session that has no user login. |
| void | destroy(): This implementation does nothing. |
| void | doFilter(ServletRequest aRequest, ServletResponse aResponse, FilterChain aChain): Protect against CSRF attacks. |
| void | init(FilterConfig aFilterConfig): Read in filter configuration. |
Methods inherited from class Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Field Detail
public static final String FORM_SOURCE_ID_KEY
Value: "web4j_key_for_form_source_id".
The value of this item is generated randomly for each new user login, and contains a simple token that is hard to guess. Each POSTed form will be required by ApplicationFirewallImpl to include a hidden parameter of this name, and the values of such hidden parameters are matched to the corresponding item stored in session scope under the same key. These checks verify that POSTed forms have come from a trusted source.
public static final String PREVIOUS_FORM_SOURCE_ID_KEY
Value: "web4j_key_for_previous_form_source_id".
The value of this item is retrieved from the database for each new user login, and represents the form-source id for the user's immediately preceding session. When a match of form-source id against FORM_SOURCE_ID_KEY fails, then a second match is attempted against this item. Please see the package description for an explanation of why this is necessary.
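The following is an added, stand-alone illustration (not web4j's own code) of the two pieces of token handling described in the class comment and in these field descriptions: the hidden parameter appended to POST forms during post-processing, and the firewall's match against the current form-source id with a fallback to the previous session's id. The class and method names (CsrfTokenDemo, newToken, injectHiddenField, isTrustedForm) are hypothetical; only the hidden-parameter name is taken from this page.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical sketch of the token handling described in the CsrfFilter docs; not part of web4j. */
public final class CsrfTokenDemo {
    // Same hidden-parameter name as CsrfFilter.FORM_SOURCE_ID_KEY
    static final String PARAM = "web4j_key_for_form_source_id";
    // Opening <form> tags whose method attribute is POST (any case, quoted or unquoted)
    private static final Pattern POST_FORM = Pattern.compile(
        "<form\\b[^>]*\\bmethod\\s*=\\s*['\"]?post['\"]?[^>]*>", Pattern.CASE_INSENSITIVE);

    /** Pre-processing at login: a fresh, hard-to-guess form-source id (192 random bits). */
    static String newToken() {
        byte[] raw = new byte[24];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Post-processing of a text/html response: add the hidden parameter inside every POST form. */
    static String injectHiddenField(String html, String token) {
        Matcher m = POST_FORM.matcher(html);
        StringBuffer out = new StringBuffer();
        String field = "<input type='hidden' name='" + PARAM + "' value='" + token + "'>";
        while (m.find()) {
            m.appendReplacement(out, Matcher.quoteReplacement(m.group() + field));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Firewall check: the submitted value must equal the current id or, failing that, the previous session's id. */
    static boolean isTrustedForm(String submitted, String current, String previous) {
        return constantTimeEquals(submitted, current) || constantTimeEquals(submitted, previous);
    }

    // MessageDigest.isEqual compares without early exit on the first differing byte
    private static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null) return false;
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String token = newToken();
        // Constructed sample response: only the POST form should gain the hidden field
        String page = "<html><body><form method='POST' action='/transfer'><input name='amt'></form>"
                    + "<form method='GET' action='/search'></form></body></html>";
        System.out.println(injectHiddenField(page, token));
        System.out.println(isTrustedForm(token, token, "previous-id"));
        System.out.println(isTrustedForm("previous-id", token, "previous-id"));
        System.out.println(isTrustedForm("guess", token, "previous-id"));
    }
}
```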
public static final String FORM_SOURCE_DAO_KEY
Value: "web4j_key_for_form_source_dao".
This item points to an HttpSessionBindingListener object placed in each new session. When the session ends, that object will be unbound from the session, and will save the user's current form-source id to the database, for future use.
Constructor Detail
public CsrfFilter()
Method Detail
public void init(FilterConfig aFilterConfig)
Reads in SqlId references used to read and write the user's form-source id. See class comment and package-level description for further information.
Specified by: init in interface Filter
public void destroy()
This implementation does nothing.
Specified by: destroy in interface Filter
public void doFilter(ServletRequest aRequest, ServletResponse aResponse, FilterChain aChain) throws IOException, ServletException
Protect against CSRF attacks. See class comment and package-level description for further information.
Specified by: doFilter in interface Filter
Throws: IOException, ServletException
public void addCsrfToken(HttpServletRequest aRequest) throws ServletException
This method is called only when a session is created by an Action, instead of through the usual login mechanism. See ActionImpl.createSessionAndCsrfToken() for important information.
Throws: ServletException