Google Git
Sign in
apache / archiva-web-content / 1b7e811f9aa411dd1b001fe82a147012e4cce823 / . / redback / core / 3.0.0-SNAPSHOT / apidocs / src-html / org / apache / archiva / redback / rest / services / interceptors / RequestValidationInterceptor.html
blob: 94a412764a1e4d9886dc152bdcde8312d6e891fe [file] [log] [blame]
<!DOCTYPE HTML>
<html lang="en">
<head>
<title>Source code</title>
<link rel="stylesheet" type="text/css" href="../../../../../../../../stylesheet.css" title="Style">
</head>
<body>
<main role="main">
<div class="sourceContainer">
<pre><span class="sourceLineNo">001</span><a id="line.1">package org.apache.archiva.redback.rest.services.interceptors;</a>
<span class="sourceLineNo">002</span><a id="line.2">/*</a>
<span class="sourceLineNo">003</span><a id="line.3"> * Licensed to the Apache Software Foundation (ASF) under one</a>
<span class="sourceLineNo">004</span><a id="line.4"> * or more contributor license agreements. See the NOTICE file</a>
<span class="sourceLineNo">005</span><a id="line.5"> * distributed with this work for additional information</a>
<span class="sourceLineNo">006</span><a id="line.6"> * regarding copyright ownership. The ASF licenses this file</a>
<span class="sourceLineNo">007</span><a id="line.7"> * to you under the Apache License, Version 2.0 (the</a>
<span class="sourceLineNo">008</span><a id="line.8"> * "License"); you may not use this file except in compliance</a>
<span class="sourceLineNo">009</span><a id="line.9"> * with the License. You may obtain a copy of the License at</a>
<span class="sourceLineNo">010</span><a id="line.10"> *</a>
<span class="sourceLineNo">011</span><a id="line.11"> * http://www.apache.org/licenses/LICENSE-2.0</a>
<span class="sourceLineNo">012</span><a id="line.12"> *</a>
<span class="sourceLineNo">013</span><a id="line.13"> * Unless required by applicable law or agreed to in writing,</a>
<span class="sourceLineNo">014</span><a id="line.14"> * software distributed under the License is distributed on an</a>
<span class="sourceLineNo">015</span><a id="line.15"> * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY</a>
<span class="sourceLineNo">016</span><a id="line.16"> * KIND, either express or implied. See the License for the</a>
<span class="sourceLineNo">017</span><a id="line.17"> * specific language governing permissions and limitations</a>
<span class="sourceLineNo">018</span><a id="line.18"> * under the License.</a>
<span class="sourceLineNo">019</span><a id="line.19"> */</a>
<span class="sourceLineNo">020</span><a id="line.20"></a>
<span class="sourceLineNo">021</span><a id="line.21"></a>
<span class="sourceLineNo">022</span><a id="line.22">import org.apache.archiva.redback.authentication.AuthenticationResult;</a>
<span class="sourceLineNo">023</span><a id="line.23">import org.apache.archiva.redback.authentication.InvalidTokenException;</a>
<span class="sourceLineNo">024</span><a id="line.24">import org.apache.archiva.redback.authentication.TokenData;</a>
<span class="sourceLineNo">025</span><a id="line.25">import org.apache.archiva.redback.authentication.TokenManager;</a>
<span class="sourceLineNo">026</span><a id="line.26">import org.apache.archiva.redback.authorization.RedbackAuthorization;</a>
<span class="sourceLineNo">027</span><a id="line.27">import org.apache.archiva.redback.configuration.UserConfiguration;</a>
<span class="sourceLineNo">028</span><a id="line.28">import org.apache.archiva.redback.configuration.UserConfigurationKeys;</a>
<span class="sourceLineNo">029</span><a id="line.29">import org.apache.archiva.redback.integration.filter.authentication.basic.HttpBasicAuthentication;</a>
<span class="sourceLineNo">030</span><a id="line.30">import org.apache.archiva.redback.users.User;</a>
<span class="sourceLineNo">031</span><a id="line.31">import org.apache.commons.lang3.StringUtils;</a>
<span class="sourceLineNo">032</span><a id="line.32">import org.slf4j.Logger;</a>
<span class="sourceLineNo">033</span><a id="line.33">import org.slf4j.LoggerFactory;</a>
<span class="sourceLineNo">034</span><a id="line.34">import org.springframework.stereotype.Service;</a>
<span class="sourceLineNo">035</span><a id="line.35"></a>
<span class="sourceLineNo">036</span><a id="line.36">import javax.annotation.PostConstruct;</a>
<span class="sourceLineNo">037</span><a id="line.37">import javax.annotation.Priority;</a>
<span class="sourceLineNo">038</span><a id="line.38">import javax.inject.Inject;</a>
<span class="sourceLineNo">039</span><a id="line.39">import javax.inject.Named;</a>
<span class="sourceLineNo">040</span><a id="line.40">import javax.servlet.http.HttpServletRequest;</a>
<span class="sourceLineNo">041</span><a id="line.41">import javax.ws.rs.container.ContainerRequestContext;</a>
<span class="sourceLineNo">042</span><a id="line.42">import javax.ws.rs.container.ContainerRequestFilter;</a>
<span class="sourceLineNo">043</span><a id="line.43">import javax.ws.rs.container.ContainerResponseContext;</a>
<span class="sourceLineNo">044</span><a id="line.44">import javax.ws.rs.container.ContainerResponseFilter;</a>
<span class="sourceLineNo">045</span><a id="line.45">import javax.ws.rs.container.ResourceInfo;</a>
<span class="sourceLineNo">046</span><a id="line.46">import javax.ws.rs.core.Context;</a>
<span class="sourceLineNo">047</span><a id="line.47">import javax.ws.rs.core.Response;</a>
<span class="sourceLineNo">048</span><a id="line.48">import javax.ws.rs.ext.Provider;</a>
<span class="sourceLineNo">049</span><a id="line.49">import java.io.IOException;</a>
<span class="sourceLineNo">050</span><a id="line.50">import java.net.MalformedURLException;</a>
<span class="sourceLineNo">051</span><a id="line.51">import java.net.URL;</a>
<span class="sourceLineNo">052</span><a id="line.52">import java.util.ArrayList;</a>
<span class="sourceLineNo">053</span><a id="line.53">import java.util.List;</a>
<span class="sourceLineNo">054</span><a id="line.54"></a>
<span class="sourceLineNo">055</span><a id="line.55">/**</a>
<span class="sourceLineNo">056</span><a id="line.56"> * Created by Martin Stockhammer on 19.01.17.</a>
<span class="sourceLineNo">057</span><a id="line.57"> * &lt;p&gt;</a>
<span class="sourceLineNo">058</span><a id="line.58"> * This interceptor tries to check if requests come from a valid origin and</a>
<span class="sourceLineNo">059</span><a id="line.59"> * are not generated by another site on behalf of the real client.</a>
<span class="sourceLineNo">060</span><a id="line.60"> * &lt;p&gt;</a>
<span class="sourceLineNo">061</span><a id="line.61"> * We are using some of the techniques mentioned in</a>
<span class="sourceLineNo">062</span><a id="line.62"> * https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet</a>
<span class="sourceLineNo">063</span><a id="line.63"> * &lt;p&gt;</a>
<span class="sourceLineNo">064</span><a id="line.64"> * Try to find Origin and Referer of the request.</a>
<span class="sourceLineNo">065</span><a id="line.65"> * Match them to the target address, that may be either statically configured or is determined</a>
<span class="sourceLineNo">066</span><a id="line.66"> * by the Host/X-Forwarded-For Header.</a>
<span class="sourceLineNo">067</span><a id="line.67"> */</a>
<span class="sourceLineNo">068</span><a id="line.68">@Provider</a>
<span class="sourceLineNo">069</span><a id="line.69">@Service( "requestValidationInterceptor#rest" )</a>
<span class="sourceLineNo">070</span><a id="line.70">@Priority( Priorities.PRECHECK )</a>
<span class="sourceLineNo">071</span><a id="line.71">public class RequestValidationInterceptor</a>
<span class="sourceLineNo">072</span><a id="line.72"> extends AbstractInterceptor</a>
<span class="sourceLineNo">073</span><a id="line.73"> implements ContainerRequestFilter, ContainerResponseFilter</a>
<span class="sourceLineNo">074</span><a id="line.74">{</a>
<span class="sourceLineNo">075</span><a id="line.75"></a>
<span class="sourceLineNo">076</span><a id="line.76"></a>
<span class="sourceLineNo">077</span><a id="line.77"> private static final String X_FORWARDED_PROTO = "X-Forwarded-Proto";</a>
<span class="sourceLineNo">078</span><a id="line.78"></a>
<span class="sourceLineNo">079</span><a id="line.79"> private static final String X_FORWARDED_HOST = "X-Forwarded-Host";</a>
<span class="sourceLineNo">080</span><a id="line.80"></a>
<span class="sourceLineNo">081</span><a id="line.81"> private static final String X_XSRF_TOKEN = "X-XSRF-TOKEN";</a>
<span class="sourceLineNo">082</span><a id="line.82"></a>
<span class="sourceLineNo">083</span><a id="line.83"> private static final String ORIGIN = "Origin";</a>
<span class="sourceLineNo">084</span><a id="line.84"></a>
<span class="sourceLineNo">085</span><a id="line.85"> private static final String REFERER = "Referer";</a>
<span class="sourceLineNo">086</span><a id="line.86"></a>
<span class="sourceLineNo">087</span><a id="line.87"> private static final int DEFAULT_HTTP = 80;</a>
<span class="sourceLineNo">088</span><a id="line.88"></a>
<span class="sourceLineNo">089</span><a id="line.89"> private static final int DEFAULT_HTTPS = 443;</a>
<span class="sourceLineNo">090</span><a id="line.90"></a>
<span class="sourceLineNo">091</span><a id="line.91"> private final Logger log = LoggerFactory.getLogger( getClass() );</a>
<span class="sourceLineNo">092</span><a id="line.92"></a>
<span class="sourceLineNo">093</span><a id="line.93"> private boolean enabled = true;</a>
<span class="sourceLineNo">094</span><a id="line.94"></a>
<span class="sourceLineNo">095</span><a id="line.95"> private boolean checkToken = true;</a>
<span class="sourceLineNo">096</span><a id="line.96"></a>
<span class="sourceLineNo">097</span><a id="line.97"> private boolean useStaticUrl = false;</a>
<span class="sourceLineNo">098</span><a id="line.98"></a>
<span class="sourceLineNo">099</span><a id="line.99"> private boolean denyAbsentHeaders = true;</a>
<span class="sourceLineNo">100</span><a id="line.100"></a>
<span class="sourceLineNo">101</span><a id="line.101"> private List&lt;URL&gt; baseUrl = new ArrayList&lt;URL&gt;();</a>
<span class="sourceLineNo">102</span><a id="line.102"></a>
<span class="sourceLineNo">103</span><a id="line.103"> private HttpServletRequest httpRequest = null;</a>
<span class="sourceLineNo">104</span><a id="line.104"></a>
<span class="sourceLineNo">105</span><a id="line.105"> @Inject</a>
<span class="sourceLineNo">106</span><a id="line.106"> @Named( value = "httpAuthenticator#basic" )</a>
<span class="sourceLineNo">107</span><a id="line.107"> private HttpBasicAuthentication httpAuthenticator;</a>
<span class="sourceLineNo">108</span><a id="line.108"></a>
<span class="sourceLineNo">109</span><a id="line.109"> @Inject</a>
<span class="sourceLineNo">110</span><a id="line.110"> @Named( value = "tokenManager#default" )</a>
<span class="sourceLineNo">111</span><a id="line.111"> TokenManager tokenManager;</a>
<span class="sourceLineNo">112</span><a id="line.112"></a>
<span class="sourceLineNo">113</span><a id="line.113"> @Context</a>
<span class="sourceLineNo">114</span><a id="line.114"> private ResourceInfo resourceInfo;</a>
<span class="sourceLineNo">115</span><a id="line.115"></a>
<span class="sourceLineNo">116</span><a id="line.116"> private UserConfiguration config;</a>
<span class="sourceLineNo">117</span><a id="line.117"></a>
<span class="sourceLineNo">118</span><a id="line.118"> @Override</a>
<span class="sourceLineNo">119</span><a id="line.119"> public void filter( ContainerRequestContext requestContext, ContainerResponseContext responseContext ) throws IOException</a>
<span class="sourceLineNo">120</span><a id="line.120"> {</a>
<span class="sourceLineNo">121</span><a id="line.121"> responseContext.getHeaders().add(</a>
<span class="sourceLineNo">122</span><a id="line.122"> "Access-Control-Allow-Origin", "http://localhost:4200");</a>
<span class="sourceLineNo">123</span><a id="line.123"> responseContext.getHeaders().add(</a>
<span class="sourceLineNo">124</span><a id="line.124"> "Access-Control-Allow-Credentials", "true");</a>
<span class="sourceLineNo">125</span><a id="line.125"> responseContext.getHeaders().add(</a>
<span class="sourceLineNo">126</span><a id="line.126"> "Access-Control-Allow-Headers",</a>
<span class="sourceLineNo">127</span><a id="line.127"> "origin, content-type, accept, authorization");</a>
<span class="sourceLineNo">128</span><a id="line.128"> responseContext.getHeaders().add(</a>
<span class="sourceLineNo">129</span><a id="line.129"> "Access-Control-Allow-Methods",</a>
<span class="sourceLineNo">130</span><a id="line.130"> "GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH");</a>
<span class="sourceLineNo">131</span><a id="line.131"> }</a>
<span class="sourceLineNo">132</span><a id="line.132"></a>
<span class="sourceLineNo">133</span><a id="line.133"> private class HeaderValidationInfo</a>
<span class="sourceLineNo">134</span><a id="line.134"> {</a>
<span class="sourceLineNo">135</span><a id="line.135"></a>
<span class="sourceLineNo">136</span><a id="line.136"> final static int UNKNOWN = -1;</a>
<span class="sourceLineNo">137</span><a id="line.137"></a>
<span class="sourceLineNo">138</span><a id="line.138"> final static int OK = 0;</a>
<span class="sourceLineNo">139</span><a id="line.139"></a>
<span class="sourceLineNo">140</span><a id="line.140"> final static int F_REFERER_HOST = 1;</a>
<span class="sourceLineNo">141</span><a id="line.141"></a>
<span class="sourceLineNo">142</span><a id="line.142"> final static int F_REFERER_PORT = 2;</a>
<span class="sourceLineNo">143</span><a id="line.143"></a>
<span class="sourceLineNo">144</span><a id="line.144"> final static int F_ORIGIN_HOST = 8;</a>
<span class="sourceLineNo">145</span><a id="line.145"></a>
<span class="sourceLineNo">146</span><a id="line.146"> final static int F_ORIGIN_PORT = 16;</a>
<span class="sourceLineNo">147</span><a id="line.147"></a>
<span class="sourceLineNo">148</span><a id="line.148"> final static int F_ORIGIN_PROTOCOL = 32;</a>
<span class="sourceLineNo">149</span><a id="line.149"></a>
<span class="sourceLineNo">150</span><a id="line.150"> boolean headerFound = false;</a>
<span class="sourceLineNo">151</span><a id="line.151"></a>
<span class="sourceLineNo">152</span><a id="line.152"> URL targetUrl;</a>
<span class="sourceLineNo">153</span><a id="line.153"></a>
<span class="sourceLineNo">154</span><a id="line.154"> URL originUrl;</a>
<span class="sourceLineNo">155</span><a id="line.155"></a>
<span class="sourceLineNo">156</span><a id="line.156"> URL refererUrl;</a>
<span class="sourceLineNo">157</span><a id="line.157"></a>
<span class="sourceLineNo">158</span><a id="line.158"> String targetHost;</a>
<span class="sourceLineNo">159</span><a id="line.159"></a>
<span class="sourceLineNo">160</span><a id="line.160"> String originHost;</a>
<span class="sourceLineNo">161</span><a id="line.161"></a>
<span class="sourceLineNo">162</span><a id="line.162"> String refererHost;</a>
<span class="sourceLineNo">163</span><a id="line.163"></a>
<span class="sourceLineNo">164</span><a id="line.164"> int targetPort;</a>
<span class="sourceLineNo">165</span><a id="line.165"></a>
<span class="sourceLineNo">166</span><a id="line.166"> int originPort;</a>
<span class="sourceLineNo">167</span><a id="line.167"></a>
<span class="sourceLineNo">168</span><a id="line.168"> int refererPort;</a>
<span class="sourceLineNo">169</span><a id="line.169"></a>
<span class="sourceLineNo">170</span><a id="line.170"> int status = UNKNOWN;</a>
<span class="sourceLineNo">171</span><a id="line.171"></a>
<span class="sourceLineNo">172</span><a id="line.172"> public HeaderValidationInfo( URL targetUrl )</a>
<span class="sourceLineNo">173</span><a id="line.173"> {</a>
<span class="sourceLineNo">174</span><a id="line.174"> setTargetUrl( targetUrl );</a>
<span class="sourceLineNo">175</span><a id="line.175"> }</a>
<span class="sourceLineNo">176</span><a id="line.176"></a>
<span class="sourceLineNo">177</span><a id="line.177"> public URL getTargetUrl()</a>
<span class="sourceLineNo">178</span><a id="line.178"> {</a>
<span class="sourceLineNo">179</span><a id="line.179"> return targetUrl;</a>
<span class="sourceLineNo">180</span><a id="line.180"> }</a>
<span class="sourceLineNo">181</span><a id="line.181"></a>
<span class="sourceLineNo">182</span><a id="line.182"> public void setTargetUrl( URL targetUrl )</a>
<span class="sourceLineNo">183</span><a id="line.183"> {</a>
<span class="sourceLineNo">184</span><a id="line.184"> this.targetUrl = targetUrl;</a>
<span class="sourceLineNo">185</span><a id="line.185"> this.targetHost = getHost( targetUrl );</a>
<span class="sourceLineNo">186</span><a id="line.186"> this.targetPort = getPort( targetUrl );</a>
<span class="sourceLineNo">187</span><a id="line.187"> }</a>
<span class="sourceLineNo">188</span><a id="line.188"></a>
<span class="sourceLineNo">189</span><a id="line.189"> public URL getOriginUrl()</a>
<span class="sourceLineNo">190</span><a id="line.190"> {</a>
<span class="sourceLineNo">191</span><a id="line.191"> return originUrl;</a>
<span class="sourceLineNo">192</span><a id="line.192"> }</a>
<span class="sourceLineNo">193</span><a id="line.193"></a>
<span class="sourceLineNo">194</span><a id="line.194"> public void setOriginUrl( URL originUrl )</a>
<span class="sourceLineNo">195</span><a id="line.195"> {</a>
<span class="sourceLineNo">196</span><a id="line.196"> this.originUrl = originUrl;</a>
<span class="sourceLineNo">197</span><a id="line.197"> this.originHost = getHost( originUrl );</a>
<span class="sourceLineNo">198</span><a id="line.198"> this.originPort = getPort( originUrl );</a>
<span class="sourceLineNo">199</span><a id="line.199"> checkOrigin();</a>
<span class="sourceLineNo">200</span><a id="line.200"> this.headerFound = true;</a>
<span class="sourceLineNo">201</span><a id="line.201"> }</a>
<span class="sourceLineNo">202</span><a id="line.202"></a>
<span class="sourceLineNo">203</span><a id="line.203"> public URL getRefererUrl()</a>
<span class="sourceLineNo">204</span><a id="line.204"> {</a>
<span class="sourceLineNo">205</span><a id="line.205"> return refererUrl;</a>
<span class="sourceLineNo">206</span><a id="line.206"> }</a>
<span class="sourceLineNo">207</span><a id="line.207"></a>
<span class="sourceLineNo">208</span><a id="line.208"> public void setRefererUrl( URL refererUrl )</a>
<span class="sourceLineNo">209</span><a id="line.209"> {</a>
<span class="sourceLineNo">210</span><a id="line.210"> this.refererUrl = refererUrl;</a>
<span class="sourceLineNo">211</span><a id="line.211"> this.refererHost = getHost( refererUrl );</a>
<span class="sourceLineNo">212</span><a id="line.212"> this.refererPort = getPort( refererUrl );</a>
<span class="sourceLineNo">213</span><a id="line.213"> checkReferer();</a>
<span class="sourceLineNo">214</span><a id="line.214"> this.headerFound = true;</a>
<span class="sourceLineNo">215</span><a id="line.215"> }</a>
<span class="sourceLineNo">216</span><a id="line.216"></a>
<span class="sourceLineNo">217</span><a id="line.217"> public String getTargetHost()</a>
<span class="sourceLineNo">218</span><a id="line.218"> {</a>
<span class="sourceLineNo">219</span><a id="line.219"> return targetHost;</a>
<span class="sourceLineNo">220</span><a id="line.220"> }</a>
<span class="sourceLineNo">221</span><a id="line.221"></a>
<span class="sourceLineNo">222</span><a id="line.222"> public void setTargetHost( String targetHost )</a>
<span class="sourceLineNo">223</span><a id="line.223"> {</a>
<span class="sourceLineNo">224</span><a id="line.224"> this.targetHost = targetHost;</a>
<span class="sourceLineNo">225</span><a id="line.225"> }</a>
<span class="sourceLineNo">226</span><a id="line.226"></a>
<span class="sourceLineNo">227</span><a id="line.227"> public String getOriginHost()</a>
<span class="sourceLineNo">228</span><a id="line.228"> {</a>
<span class="sourceLineNo">229</span><a id="line.229"> return originHost;</a>
<span class="sourceLineNo">230</span><a id="line.230"> }</a>
<span class="sourceLineNo">231</span><a id="line.231"></a>
<span class="sourceLineNo">232</span><a id="line.232"> public void setOriginHost( String originHost )</a>
<span class="sourceLineNo">233</span><a id="line.233"> {</a>
<span class="sourceLineNo">234</span><a id="line.234"> this.originHost = originHost;</a>
<span class="sourceLineNo">235</span><a id="line.235"> }</a>
<span class="sourceLineNo">236</span><a id="line.236"></a>
<span class="sourceLineNo">237</span><a id="line.237"> public String getRefererHost()</a>
<span class="sourceLineNo">238</span><a id="line.238"> {</a>
<span class="sourceLineNo">239</span><a id="line.239"> return refererHost;</a>
<span class="sourceLineNo">240</span><a id="line.240"> }</a>
<span class="sourceLineNo">241</span><a id="line.241"></a>
<span class="sourceLineNo">242</span><a id="line.242"> public void setRefererHost( String refererHost )</a>
<span class="sourceLineNo">243</span><a id="line.243"> {</a>
<span class="sourceLineNo">244</span><a id="line.244"> this.refererHost = refererHost;</a>
<span class="sourceLineNo">245</span><a id="line.245"> }</a>
<span class="sourceLineNo">246</span><a id="line.246"></a>
<span class="sourceLineNo">247</span><a id="line.247"> public int getTargetPort()</a>
<span class="sourceLineNo">248</span><a id="line.248"> {</a>
<span class="sourceLineNo">249</span><a id="line.249"> return targetPort;</a>
<span class="sourceLineNo">250</span><a id="line.250"> }</a>
<span class="sourceLineNo">251</span><a id="line.251"></a>
<span class="sourceLineNo">252</span><a id="line.252"> public void setTargetPort( int targetPort )</a>
<span class="sourceLineNo">253</span><a id="line.253"> {</a>
<span class="sourceLineNo">254</span><a id="line.254"> this.targetPort = targetPort;</a>
<span class="sourceLineNo">255</span><a id="line.255"> }</a>
<span class="sourceLineNo">256</span><a id="line.256"></a>
<span class="sourceLineNo">257</span><a id="line.257"> public int getOriginPort()</a>
<span class="sourceLineNo">258</span><a id="line.258"> {</a>
<span class="sourceLineNo">259</span><a id="line.259"> return originPort;</a>
<span class="sourceLineNo">260</span><a id="line.260"> }</a>
<span class="sourceLineNo">261</span><a id="line.261"></a>
<span class="sourceLineNo">262</span><a id="line.262"> public void setOriginPort( int originPort )</a>
<span class="sourceLineNo">263</span><a id="line.263"> {</a>
<span class="sourceLineNo">264</span><a id="line.264"> this.originPort = originPort;</a>
<span class="sourceLineNo">265</span><a id="line.265"> }</a>
<span class="sourceLineNo">266</span><a id="line.266"></a>
<span class="sourceLineNo">267</span><a id="line.267"> public int getRefererPort()</a>
<span class="sourceLineNo">268</span><a id="line.268"> {</a>
<span class="sourceLineNo">269</span><a id="line.269"> return refererPort;</a>
<span class="sourceLineNo">270</span><a id="line.270"> }</a>
<span class="sourceLineNo">271</span><a id="line.271"></a>
<span class="sourceLineNo">272</span><a id="line.272"> public void setRefererPort( int refererPort )</a>
<span class="sourceLineNo">273</span><a id="line.273"> {</a>
<span class="sourceLineNo">274</span><a id="line.274"> this.refererPort = refererPort;</a>
<span class="sourceLineNo">275</span><a id="line.275"> }</a>
<span class="sourceLineNo">276</span><a id="line.276"></a>
<span class="sourceLineNo">277</span><a id="line.277"> public void setStatus( int status )</a>
<span class="sourceLineNo">278</span><a id="line.278"> {</a>
<span class="sourceLineNo">279</span><a id="line.279"> this.status |= status;</a>
<span class="sourceLineNo">280</span><a id="line.280"> }</a>
<span class="sourceLineNo">281</span><a id="line.281"></a>
<span class="sourceLineNo">282</span><a id="line.282"> public int getStatus()</a>
<span class="sourceLineNo">283</span><a id="line.283"> {</a>
<span class="sourceLineNo">284</span><a id="line.284"> return this.status;</a>
<span class="sourceLineNo">285</span><a id="line.285"> }</a>
<span class="sourceLineNo">286</span><a id="line.286"></a>
<span class="sourceLineNo">287</span><a id="line.287"> // Origin check for Protocol, Host, Port</a>
<span class="sourceLineNo">288</span><a id="line.288"> public void checkOrigin()</a>
<span class="sourceLineNo">289</span><a id="line.289"> {</a>
<span class="sourceLineNo">290</span><a id="line.290"> if ( this.getStatus() == UNKNOWN )</a>
<span class="sourceLineNo">291</span><a id="line.291"> {</a>
<span class="sourceLineNo">292</span><a id="line.292"> this.status = OK;</a>
<span class="sourceLineNo">293</span><a id="line.293"> }</a>
<span class="sourceLineNo">294</span><a id="line.294"> if ( !targetUrl.getProtocol().equals( originUrl.getProtocol() ) )</a>
<span class="sourceLineNo">295</span><a id="line.295"> {</a>
<span class="sourceLineNo">296</span><a id="line.296"> setStatus( F_ORIGIN_PROTOCOL );</a>
<span class="sourceLineNo">297</span><a id="line.297"> }</a>
<span class="sourceLineNo">298</span><a id="line.298"> if ( !targetHost.equals( originHost ) )</a>
<span class="sourceLineNo">299</span><a id="line.299"> {</a>
<span class="sourceLineNo">300</span><a id="line.300"> setStatus( F_ORIGIN_HOST );</a>
<span class="sourceLineNo">301</span><a id="line.301"> }</a>
<span class="sourceLineNo">302</span><a id="line.302"> if ( targetPort != originPort )</a>
<span class="sourceLineNo">303</span><a id="line.303"> {</a>
<span class="sourceLineNo">304</span><a id="line.304"> setStatus( F_ORIGIN_PORT );</a>
<span class="sourceLineNo">305</span><a id="line.305"> }</a>
<span class="sourceLineNo">306</span><a id="line.306"> }</a>
<span class="sourceLineNo">307</span><a id="line.307"></a>
<span class="sourceLineNo">308</span><a id="line.308"> // Referer check only for Host, Port</a>
<span class="sourceLineNo">309</span><a id="line.309"> public void checkReferer()</a>
<span class="sourceLineNo">310</span><a id="line.310"> {</a>
<span class="sourceLineNo">311</span><a id="line.311"> if ( this.getStatus() == UNKNOWN )</a>
<span class="sourceLineNo">312</span><a id="line.312"> {</a>
<span class="sourceLineNo">313</span><a id="line.313"> this.status = OK;</a>
<span class="sourceLineNo">314</span><a id="line.314"> }</a>
<span class="sourceLineNo">315</span><a id="line.315"> if ( !targetHost.equals( refererHost ) )</a>
<span class="sourceLineNo">316</span><a id="line.316"> {</a>
<span class="sourceLineNo">317</span><a id="line.317"> setStatus( F_REFERER_HOST );</a>
<span class="sourceLineNo">318</span><a id="line.318"> }</a>
<span class="sourceLineNo">319</span><a id="line.319"> if ( targetPort != refererPort )</a>
<span class="sourceLineNo">320</span><a id="line.320"> {</a>
<span class="sourceLineNo">321</span><a id="line.321"> setStatus( F_REFERER_PORT );</a>
<span class="sourceLineNo">322</span><a id="line.322"> }</a>
<span class="sourceLineNo">323</span><a id="line.323"> }</a>
<span class="sourceLineNo">324</span><a id="line.324"></a>
<span class="sourceLineNo">325</span><a id="line.325"> public boolean hasOriginError()</a>
<span class="sourceLineNo">326</span><a id="line.326"> {</a>
<span class="sourceLineNo">327</span><a id="line.327"> return ( status &amp; ( F_ORIGIN_PROTOCOL | F_ORIGIN_HOST | F_ORIGIN_PORT ) ) &gt; 0;</a>
<span class="sourceLineNo">328</span><a id="line.328"> }</a>
<span class="sourceLineNo">329</span><a id="line.329"></a>
<span class="sourceLineNo">330</span><a id="line.330"> public boolean hasRefererError()</a>
<span class="sourceLineNo">331</span><a id="line.331"> {</a>
<span class="sourceLineNo">332</span><a id="line.332"> return ( status &amp; ( F_REFERER_HOST | F_REFERER_PORT ) ) &gt; 0;</a>
<span class="sourceLineNo">333</span><a id="line.333"> }</a>
<span class="sourceLineNo">334</span><a id="line.334"></a>
<span class="sourceLineNo">335</span><a id="line.335"> @Override</a>
<span class="sourceLineNo">336</span><a id="line.336"> public String toString()</a>
<span class="sourceLineNo">337</span><a id="line.337"> {</a>
<span class="sourceLineNo">338</span><a id="line.338"> return "Stat=" + status + ", target=" + targetUrl + ", origin=" + originUrl + ", referer=" + refererUrl;</a>
<span class="sourceLineNo">339</span><a id="line.339"> }</a>
<span class="sourceLineNo">340</span><a id="line.340"> }</a>
<span class="sourceLineNo">341</span><a id="line.341"></a>
<span class="sourceLineNo">342</span><a id="line.342"> @Inject</a>
<span class="sourceLineNo">343</span><a id="line.343"> public RequestValidationInterceptor( @Named( value = "userConfiguration#default" ) UserConfiguration config )</a>
<span class="sourceLineNo">344</span><a id="line.344"> {</a>
<span class="sourceLineNo">345</span><a id="line.345"> this.config = config;</a>
<span class="sourceLineNo">346</span><a id="line.346"> }</a>
<span class="sourceLineNo">347</span><a id="line.347"></a>
<span class="sourceLineNo">348</span><a id="line.348"> @PostConstruct</a>
<span class="sourceLineNo">349</span><a id="line.349"> public void init()</a>
<span class="sourceLineNo">350</span><a id="line.350"> {</a>
<span class="sourceLineNo">351</span><a id="line.351"> List&lt;String&gt; baseUrlList = config.getList( UserConfigurationKeys.REST_BASE_URL );</a>
<span class="sourceLineNo">352</span><a id="line.352"> if ( baseUrlList != null )</a>
<span class="sourceLineNo">353</span><a id="line.353"> {</a>
<span class="sourceLineNo">354</span><a id="line.354"> for ( String baseUrlStr : baseUrlList )</a>
<span class="sourceLineNo">355</span><a id="line.355"> {</a>
<span class="sourceLineNo">356</span><a id="line.356"> if ( !"".equals( baseUrlStr.trim() ) )</a>
<span class="sourceLineNo">357</span><a id="line.357"> {</a>
<span class="sourceLineNo">358</span><a id="line.358"> try</a>
<span class="sourceLineNo">359</span><a id="line.359"> {</a>
<span class="sourceLineNo">360</span><a id="line.360"> baseUrl.add( new URL( baseUrlStr ) );</a>
<span class="sourceLineNo">361</span><a id="line.361"> useStaticUrl = true;</a>
<span class="sourceLineNo">362</span><a id="line.362"> }</a>
<span class="sourceLineNo">363</span><a id="line.363"> catch ( MalformedURLException ex )</a>
<span class="sourceLineNo">364</span><a id="line.364"> {</a>
<span class="sourceLineNo">365</span><a id="line.365"> log.error( "Configured baseUrl (rest.baseUrl={}) is invalid. Message: {}", baseUrlStr,</a>
<span class="sourceLineNo">366</span><a id="line.366"> ex.getMessage() );</a>
<span class="sourceLineNo">367</span><a id="line.367"> }</a>
<span class="sourceLineNo">368</span><a id="line.368"> }</a>
<span class="sourceLineNo">369</span><a id="line.369"> }</a>
<span class="sourceLineNo">370</span><a id="line.370"> }</a>
<span class="sourceLineNo">371</span><a id="line.371"> denyAbsentHeaders = config.getBoolean( UserConfigurationKeys.REST_CSRF_ABSENTORIGIN_DENY, true );</a>
<span class="sourceLineNo">372</span><a id="line.372"> enabled = config.getBoolean( UserConfigurationKeys.REST_CSRF_ENABLED, true );</a>
<span class="sourceLineNo">373</span><a id="line.373"> if ( !enabled )</a>
<span class="sourceLineNo">374</span><a id="line.374"> {</a>
<span class="sourceLineNo">375</span><a id="line.375"> log.info( "CSRF Filter is disabled by configuration" );</a>
<span class="sourceLineNo">376</span><a id="line.376"> }</a>
<span class="sourceLineNo">377</span><a id="line.377"> else</a>
<span class="sourceLineNo">378</span><a id="line.378"> {</a>
<span class="sourceLineNo">379</span><a id="line.379"> log.info( "CSRF Filter is enable" );</a>
<span class="sourceLineNo">380</span><a id="line.380"> }</a>
<span class="sourceLineNo">381</span><a id="line.381"> checkToken = !config.getBoolean( UserConfigurationKeys.REST_CSRF_DISABLE_TOKEN_VALIDATION, false );</a>
<span class="sourceLineNo">382</span><a id="line.382"> if ( !checkToken )</a>
<span class="sourceLineNo">383</span><a id="line.383"> {</a>
<span class="sourceLineNo">384</span><a id="line.384"> log.info( "CSRF Token validation is disabled by configuration" );</a>
<span class="sourceLineNo">385</span><a id="line.385"> }</a>
<span class="sourceLineNo">386</span><a id="line.386"> else</a>
<span class="sourceLineNo">387</span><a id="line.387"> {</a>
<span class="sourceLineNo">388</span><a id="line.388"> log.info( "CSRF Token validation is enable" );</a>
<span class="sourceLineNo">389</span><a id="line.389"> }</a>
<span class="sourceLineNo">390</span><a id="line.390"> }</a>
<span class="sourceLineNo">391</span><a id="line.391"></a>
<span class="sourceLineNo">392</span><a id="line.392"> @Override</a>
<span class="sourceLineNo">393</span><a id="line.393"> public void filter( ContainerRequestContext containerRequestContext )</a>
<span class="sourceLineNo">394</span><a id="line.394"> throws IOException</a>
<span class="sourceLineNo">395</span><a id="line.395"> {</a>
<span class="sourceLineNo">396</span><a id="line.396"></a>
<span class="sourceLineNo">397</span><a id="line.397"> if ( enabled )</a>
<span class="sourceLineNo">398</span><a id="line.398"> {</a>
<span class="sourceLineNo">399</span><a id="line.399"></a>
<span class="sourceLineNo">400</span><a id="line.400"> final String requestPath = containerRequestContext.getUriInfo( ).getPath( );</a>
<span class="sourceLineNo">401</span><a id="line.401"> if (ignoreAuth( requestPath )) {</a>
<span class="sourceLineNo">402</span><a id="line.402"> return;</a>
<span class="sourceLineNo">403</span><a id="line.403"> }</a>
<span class="sourceLineNo">404</span><a id="line.404"></a>
<span class="sourceLineNo">405</span><a id="line.405"> HttpServletRequest request = getRequest();</a>
<span class="sourceLineNo">406</span><a id="line.406"> List&lt;URL&gt; targetUrls = getTargetUrl( request );</a>
<span class="sourceLineNo">407</span><a id="line.407"> if ( targetUrls == null )</a>
<span class="sourceLineNo">408</span><a id="line.408"> {</a>
<span class="sourceLineNo">409</span><a id="line.409"> log.error( "Could not verify target URL." );</a>
<span class="sourceLineNo">410</span><a id="line.410"> containerRequestContext.abortWith( Response.status( Response.Status.FORBIDDEN ).build() );</a>
<span class="sourceLineNo">411</span><a id="line.411"> return;</a>
<span class="sourceLineNo">412</span><a id="line.412"> }</a>
<span class="sourceLineNo">413</span><a id="line.413"> List&lt;HeaderValidationInfo&gt; validationInfos = new ArrayList&lt;HeaderValidationInfo&gt;();</a>
<span class="sourceLineNo">414</span><a id="line.414"> boolean targetMatch = false;</a>
<span class="sourceLineNo">415</span><a id="line.415"> boolean noHeader = true;</a>
<span class="sourceLineNo">416</span><a id="line.416"> for ( URL targetUrl : targetUrls )</a>
<span class="sourceLineNo">417</span><a id="line.417"> {</a>
<span class="sourceLineNo">418</span><a id="line.418"> log.trace( "Checking against target URL: {}", targetUrl );</a>
<span class="sourceLineNo">419</span><a id="line.419"> HeaderValidationInfo info = checkSourceRequestHeader( new HeaderValidationInfo( targetUrl ), request );</a>
<span class="sourceLineNo">420</span><a id="line.420"> // We need only one match</a>
<span class="sourceLineNo">421</span><a id="line.421"> noHeader = noHeader &amp;&amp; info.getStatus() == info.UNKNOWN;</a>
<span class="sourceLineNo">422</span><a id="line.422"> if ( info.getStatus() == info.OK )</a>
<span class="sourceLineNo">423</span><a id="line.423"> {</a>
<span class="sourceLineNo">424</span><a id="line.424"> targetMatch = true;</a>
<span class="sourceLineNo">425</span><a id="line.425"> break;</a>
<span class="sourceLineNo">426</span><a id="line.426"> }</a>
<span class="sourceLineNo">427</span><a id="line.427"> else</a>
<span class="sourceLineNo">428</span><a id="line.428"> {</a>
<span class="sourceLineNo">429</span><a id="line.429"> validationInfos.add( info );</a>
<span class="sourceLineNo">430</span><a id="line.430"> }</a>
<span class="sourceLineNo">431</span><a id="line.431"> }</a>
<span class="sourceLineNo">432</span><a id="line.432"> if ( noHeader &amp;&amp; denyAbsentHeaders )</a>
<span class="sourceLineNo">433</span><a id="line.433"> {</a>
<span class="sourceLineNo">434</span><a id="line.434"> log.warn( "Request denied. No Origin or Referer header found and {}=true",</a>
<span class="sourceLineNo">435</span><a id="line.435"> UserConfigurationKeys.REST_CSRF_ABSENTORIGIN_DENY );</a>
<span class="sourceLineNo">436</span><a id="line.436"> containerRequestContext.abortWith( Response.status( Response.Status.FORBIDDEN ).build() );</a>
<span class="sourceLineNo">437</span><a id="line.437"> return;</a>
<span class="sourceLineNo">438</span><a id="line.438"> }</a>
<span class="sourceLineNo">439</span><a id="line.439"> if ( !targetMatch )</a>
<span class="sourceLineNo">440</span><a id="line.440"> {</a>
<span class="sourceLineNo">441</span><a id="line.441"> log.warn( "HTTP Header check failed. Assuming CSRF attack." );</a>
<span class="sourceLineNo">442</span><a id="line.442"> for ( HeaderValidationInfo info : validationInfos )</a>
<span class="sourceLineNo">443</span><a id="line.443"> {</a>
<span class="sourceLineNo">444</span><a id="line.444"> if ( info.hasOriginError() )</a>
<span class="sourceLineNo">445</span><a id="line.445"> {</a>
<span class="sourceLineNo">446</span><a id="line.446"> log.warn(</a>
<span class="sourceLineNo">447</span><a id="line.447"> "Origin Header does not match: originUrl={}, targetUrl={}. Matches: Host={}, Port={}, Protocol={}",</a>
<span class="sourceLineNo">448</span><a id="line.448"> info.originUrl, info.targetUrl, ( info.getStatus() &amp; info.F_ORIGIN_HOST ) == 0,</a>
<span class="sourceLineNo">449</span><a id="line.449"> ( info.getStatus() &amp; info.F_ORIGIN_PORT ) == 0,</a>
<span class="sourceLineNo">450</span><a id="line.450"> ( info.getStatus() &amp; info.F_ORIGIN_PROTOCOL ) == 0 );</a>
<span class="sourceLineNo">451</span><a id="line.451"> }</a>
<span class="sourceLineNo">452</span><a id="line.452"> if ( info.hasRefererError() )</a>
<span class="sourceLineNo">453</span><a id="line.453"> {</a>
<span class="sourceLineNo">454</span><a id="line.454"> log.warn(</a>
<span class="sourceLineNo">455</span><a id="line.455"> "Referer Header does not match: refererUrl={}, targetUrl={}. Matches: Host={}, Port={}",</a>
<span class="sourceLineNo">456</span><a id="line.456"> info.refererUrl, info.targetUrl, ( info.getStatus() &amp; info.F_REFERER_HOST ) == 0,</a>
<span class="sourceLineNo">457</span><a id="line.457"> ( info.getStatus() &amp; info.F_REFERER_PORT ) == 0 );</a>
<span class="sourceLineNo">458</span><a id="line.458"> }</a>
<span class="sourceLineNo">459</span><a id="line.459"> }</a>
<span class="sourceLineNo">460</span><a id="line.460"> containerRequestContext.abortWith( Response.status( Response.Status.FORBIDDEN ).build() );</a>
<span class="sourceLineNo">461</span><a id="line.461"> return;</a>
<span class="sourceLineNo">462</span><a id="line.462"> }</a>
<span class="sourceLineNo">463</span><a id="line.463"> if ( checkToken )</a>
<span class="sourceLineNo">464</span><a id="line.464"> {</a>
<span class="sourceLineNo">465</span><a id="line.465"> checkValidationToken( containerRequestContext, request );</a>
<span class="sourceLineNo">466</span><a id="line.466"> }</a>
<span class="sourceLineNo">467</span><a id="line.467"> }</a>
<span class="sourceLineNo">468</span><a id="line.468"> }</a>
<span class="sourceLineNo">469</span><a id="line.469"></a>
<span class="sourceLineNo">470</span><a id="line.470"> /**</a>
<span class="sourceLineNo">471</span><a id="line.471"> * Checks the request for a validation token header. It takes the encrypted token, decrypts it</a>
<span class="sourceLineNo">472</span><a id="line.472"> * and compares the user information from the token to the logged in user.</a>
<span class="sourceLineNo">473</span><a id="line.473"> *</a>
<span class="sourceLineNo">474</span><a id="line.474"> * @param containerRequestContext</a>
<span class="sourceLineNo">475</span><a id="line.475"> * @param request</a>
<span class="sourceLineNo">476</span><a id="line.476"> */</a>
<span class="sourceLineNo">477</span><a id="line.477"> private void checkValidationToken( ContainerRequestContext containerRequestContext, HttpServletRequest request )</a>
<span class="sourceLineNo">478</span><a id="line.478"> {</a>
<span class="sourceLineNo">479</span><a id="line.479"> RedbackAuthorization redbackAuthorization = getRedbackAuthorization( resourceInfo );</a>
<span class="sourceLineNo">480</span><a id="line.480"> // We check only services that are restricted</a>
<span class="sourceLineNo">481</span><a id="line.481"> if ( !redbackAuthorization.noRestriction() )</a>
<span class="sourceLineNo">482</span><a id="line.482"> {</a>
<span class="sourceLineNo">483</span><a id="line.483"> String tokenString = request.getHeader( X_XSRF_TOKEN );</a>
<span class="sourceLineNo">484</span><a id="line.484"> if ( tokenString == null || tokenString.length() == 0 )</a>
<span class="sourceLineNo">485</span><a id="line.485"> {</a>
<span class="sourceLineNo">486</span><a id="line.486"> log.warn( "No validation token header found: {}", X_XSRF_TOKEN );</a>
<span class="sourceLineNo">487</span><a id="line.487"> containerRequestContext.abortWith( Response.status( Response.Status.FORBIDDEN ).build() );</a>
<span class="sourceLineNo">488</span><a id="line.488"> return;</a>
<span class="sourceLineNo">489</span><a id="line.489"> }</a>
<span class="sourceLineNo">490</span><a id="line.490"></a>
<span class="sourceLineNo">491</span><a id="line.491"> try</a>
<span class="sourceLineNo">492</span><a id="line.492"> {</a>
<span class="sourceLineNo">493</span><a id="line.493"> TokenData td = tokenManager.decryptToken( tokenString );</a>
<span class="sourceLineNo">494</span><a id="line.494"> AuthenticationResult auth = getAuthenticationResult( containerRequestContext, httpAuthenticator, request );</a>
<span class="sourceLineNo">495</span><a id="line.495"> if ( auth == null )</a>
<span class="sourceLineNo">496</span><a id="line.496"> {</a>
<span class="sourceLineNo">497</span><a id="line.497"> log.error( "Not authentication data found" );</a>
<span class="sourceLineNo">498</span><a id="line.498"> containerRequestContext.abortWith( Response.status( Response.Status.FORBIDDEN ).build() );</a>
<span class="sourceLineNo">499</span><a id="line.499"> return;</a>
<span class="sourceLineNo">500</span><a id="line.500"> }</a>
<span class="sourceLineNo">501</span><a id="line.501"> User loggedIn = auth.getUser();</a>
<span class="sourceLineNo">502</span><a id="line.502"> if ( loggedIn == null )</a>
<span class="sourceLineNo">503</span><a id="line.503"> {</a>
<span class="sourceLineNo">504</span><a id="line.504"> log.error( "User not logged in" );</a>
<span class="sourceLineNo">505</span><a id="line.505"> containerRequestContext.abortWith( Response.status( Response.Status.FORBIDDEN ).build() );</a>
<span class="sourceLineNo">506</span><a id="line.506"> return;</a>
<span class="sourceLineNo">507</span><a id="line.507"> }</a>
<span class="sourceLineNo">508</span><a id="line.508"> String username = loggedIn.getUsername();</a>
<span class="sourceLineNo">509</span><a id="line.509"> if ( !td.isValid() || !td.getUser().equals( username ) )</a>
<span class="sourceLineNo">510</span><a id="line.510"> {</a>
<span class="sourceLineNo">511</span><a id="line.511"> log.error( "Invalid data in validation token header {} for user {}: isValid={}, username={}",</a>
<span class="sourceLineNo">512</span><a id="line.512"> X_XSRF_TOKEN, username, td.isValid(), td.getUser() );</a>
<span class="sourceLineNo">513</span><a id="line.513"> containerRequestContext.abortWith( Response.status( Response.Status.FORBIDDEN ).build() );</a>
<span class="sourceLineNo">514</span><a id="line.514"> }</a>
<span class="sourceLineNo">515</span><a id="line.515"> }</a>
<span class="sourceLineNo">516</span><a id="line.516"> catch ( InvalidTokenException e )</a>
<span class="sourceLineNo">517</span><a id="line.517"> {</a>
<span class="sourceLineNo">518</span><a id="line.518"> log.error( "Token validation failed {}", e.getMessage() );</a>
<span class="sourceLineNo">519</span><a id="line.519"> containerRequestContext.abortWith( Response.status( Response.Status.FORBIDDEN ).build() );</a>
<span class="sourceLineNo">520</span><a id="line.520"> }</a>
<span class="sourceLineNo">521</span><a id="line.521"> }</a>
<span class="sourceLineNo">522</span><a id="line.522"> log.debug( "Token validated" );</a>
<span class="sourceLineNo">523</span><a id="line.523"> }</a>
<span class="sourceLineNo">524</span><a id="line.524"></a>
<span class="sourceLineNo">525</span><a id="line.525"> private HttpServletRequest getRequest()</a>
<span class="sourceLineNo">526</span><a id="line.526"> {</a>
<span class="sourceLineNo">527</span><a id="line.527"> if ( httpRequest != null )</a>
<span class="sourceLineNo">528</span><a id="line.528"> {</a>
<span class="sourceLineNo">529</span><a id="line.529"> return httpRequest;</a>
<span class="sourceLineNo">530</span><a id="line.530"> }</a>
<span class="sourceLineNo">531</span><a id="line.531"> else</a>
<span class="sourceLineNo">532</span><a id="line.532"> {</a>
<span class="sourceLineNo">533</span><a id="line.533"> return getHttpServletRequest( );</a>
<span class="sourceLineNo">534</span><a id="line.534"> }</a>
<span class="sourceLineNo">535</span><a id="line.535"> }</a>
<span class="sourceLineNo">536</span><a id="line.536"></a>
<span class="sourceLineNo">537</span><a id="line.537"> private List&lt;URL&gt; getTargetUrl( HttpServletRequest request )</a>
<span class="sourceLineNo">538</span><a id="line.538"> {</a>
<span class="sourceLineNo">539</span><a id="line.539"> if ( useStaticUrl )</a>
<span class="sourceLineNo">540</span><a id="line.540"> {</a>
<span class="sourceLineNo">541</span><a id="line.541"> return baseUrl;</a>
<span class="sourceLineNo">542</span><a id="line.542"> }</a>
<span class="sourceLineNo">543</span><a id="line.543"> else</a>
<span class="sourceLineNo">544</span><a id="line.544"> {</a>
<span class="sourceLineNo">545</span><a id="line.545"> List&lt;URL&gt; urls = new ArrayList&lt;URL&gt;();</a>
<span class="sourceLineNo">546</span><a id="line.546"> URL requestUrl;</a>
<span class="sourceLineNo">547</span><a id="line.547"> try</a>
<span class="sourceLineNo">548</span><a id="line.548"> {</a>
<span class="sourceLineNo">549</span><a id="line.549"> requestUrl = new URL( request.getRequestURL().toString() );</a>
<span class="sourceLineNo">550</span><a id="line.550"> urls.add( requestUrl );</a>
<span class="sourceLineNo">551</span><a id="line.551"> }</a>
<span class="sourceLineNo">552</span><a id="line.552"> catch ( MalformedURLException ex )</a>
<span class="sourceLineNo">553</span><a id="line.553"> {</a>
<span class="sourceLineNo">554</span><a id="line.554"> log.error( "Bad Request URL {}, Message: {}", request.getRequestURL(), ex.getMessage() );</a>
<span class="sourceLineNo">555</span><a id="line.555"> return null;</a>
<span class="sourceLineNo">556</span><a id="line.556"> }</a>
<span class="sourceLineNo">557</span><a id="line.557"> String xforwarded = request.getHeader( X_FORWARDED_HOST );</a>
<span class="sourceLineNo">558</span><a id="line.558"> String xforwardedProto = request.getHeader( X_FORWARDED_PROTO );</a>
<span class="sourceLineNo">559</span><a id="line.559"> if ( xforwardedProto == null )</a>
<span class="sourceLineNo">560</span><a id="line.560"> {</a>
<span class="sourceLineNo">561</span><a id="line.561"> xforwardedProto = requestUrl.getProtocol();</a>
<span class="sourceLineNo">562</span><a id="line.562"> }</a>
<span class="sourceLineNo">563</span><a id="line.563"></a>
<span class="sourceLineNo">564</span><a id="line.564"> if ( xforwarded != null &amp;&amp; !StringUtils.isEmpty( xforwarded ) )</a>
<span class="sourceLineNo">565</span><a id="line.565"> {</a>
<span class="sourceLineNo">566</span><a id="line.566"> // X-Forwarded-Host header may contain multiple hosts if there is</a>
<span class="sourceLineNo">567</span><a id="line.567"> // more than one proxy between the client and the server</a>
<span class="sourceLineNo">568</span><a id="line.568"> String[] forwardedList = xforwarded.split( "\\s*,\\s*" );</a>
<span class="sourceLineNo">569</span><a id="line.569"> for ( String hostname : forwardedList )</a>
<span class="sourceLineNo">570</span><a id="line.570"> {</a>
<span class="sourceLineNo">571</span><a id="line.571"> try</a>
<span class="sourceLineNo">572</span><a id="line.572"> {</a>
<span class="sourceLineNo">573</span><a id="line.573"> urls.add( new URL( xforwardedProto + "://" + hostname ) );</a>
<span class="sourceLineNo">574</span><a id="line.574"> }</a>
<span class="sourceLineNo">575</span><a id="line.575"> catch ( MalformedURLException ex )</a>
<span class="sourceLineNo">576</span><a id="line.576"> {</a>
<span class="sourceLineNo">577</span><a id="line.577"> log.warn( "X-Forwarded-Host Header is malformed: {}", ex.getMessage() );</a>
<span class="sourceLineNo">578</span><a id="line.578"> }</a>
<span class="sourceLineNo">579</span><a id="line.579"> }</a>
<span class="sourceLineNo">580</span><a id="line.580"> }</a>
<span class="sourceLineNo">581</span><a id="line.581"> return urls;</a>
<span class="sourceLineNo">582</span><a id="line.582"> }</a>
<span class="sourceLineNo">583</span><a id="line.583"> }</a>
<span class="sourceLineNo">584</span><a id="line.584"></a>
<span class="sourceLineNo">585</span><a id="line.585"> private int getPort( final URL url )</a>
<span class="sourceLineNo">586</span><a id="line.586"> {</a>
<span class="sourceLineNo">587</span><a id="line.587"> return url.getPort() &gt; 0</a>
<span class="sourceLineNo">588</span><a id="line.588"> ? url.getPort()</a>
<span class="sourceLineNo">589</span><a id="line.589"> : ( "https".equals( url.getProtocol() ) ? DEFAULT_HTTPS : DEFAULT_HTTP );</a>
<span class="sourceLineNo">590</span><a id="line.590"> }</a>
<span class="sourceLineNo">591</span><a id="line.591"></a>
<span class="sourceLineNo">592</span><a id="line.592"> private String getHost( final URL url )</a>
<span class="sourceLineNo">593</span><a id="line.593"> {</a>
<span class="sourceLineNo">594</span><a id="line.594"> return url.getHost().trim().toLowerCase();</a>
<span class="sourceLineNo">595</span><a id="line.595"> }</a>
<span class="sourceLineNo">596</span><a id="line.596"></a>
<span class="sourceLineNo">597</span><a id="line.597"> /**</a>
<span class="sourceLineNo">598</span><a id="line.598"> * Checks the validation headers. First the Origin header is checked, if this fails</a>
<span class="sourceLineNo">599</span><a id="line.599"> * or is absent, the referer header is checked.</a>
<span class="sourceLineNo">600</span><a id="line.600"> *</a>
<span class="sourceLineNo">601</span><a id="line.601"> * @param info The info object that must be populated with the targetURL</a>
<span class="sourceLineNo">602</span><a id="line.602"> * @param request The HTTP request object</a>
<span class="sourceLineNo">603</span><a id="line.603"> * @return A info object with updated status information</a>
<span class="sourceLineNo">604</span><a id="line.604"> */</a>
<span class="sourceLineNo">605</span><a id="line.605"> private HeaderValidationInfo checkSourceRequestHeader( final HeaderValidationInfo info,</a>
<span class="sourceLineNo">606</span><a id="line.606"> final HttpServletRequest request )</a>
<span class="sourceLineNo">607</span><a id="line.607"> {</a>
<span class="sourceLineNo">608</span><a id="line.608"> String origin = request.getHeader( ORIGIN );</a>
<span class="sourceLineNo">609</span><a id="line.609"> if ( origin != null )</a>
<span class="sourceLineNo">610</span><a id="line.610"> {</a>
<span class="sourceLineNo">611</span><a id="line.611"> try</a>
<span class="sourceLineNo">612</span><a id="line.612"> {</a>
<span class="sourceLineNo">613</span><a id="line.613"> info.setOriginUrl( new URL( origin ) );</a>
<span class="sourceLineNo">614</span><a id="line.614"> }</a>
<span class="sourceLineNo">615</span><a id="line.615"> catch ( MalformedURLException e )</a>
<span class="sourceLineNo">616</span><a id="line.616"> {</a>
<span class="sourceLineNo">617</span><a id="line.617"> log.warn( "Bad origin header found: {}", origin );</a>
<span class="sourceLineNo">618</span><a id="line.618"> }</a>
<span class="sourceLineNo">619</span><a id="line.619"> }</a>
<span class="sourceLineNo">620</span><a id="line.620"> // Check referer if Origin header dos not match or is not available</a>
<span class="sourceLineNo">621</span><a id="line.621"> if ( info.getStatus() != info.OK )</a>
<span class="sourceLineNo">622</span><a id="line.622"> {</a>
<span class="sourceLineNo">623</span><a id="line.623"> String referer = request.getHeader( REFERER );</a>
<span class="sourceLineNo">624</span><a id="line.624"> if ( referer != null )</a>
<span class="sourceLineNo">625</span><a id="line.625"> {</a>
<span class="sourceLineNo">626</span><a id="line.626"> try</a>
<span class="sourceLineNo">627</span><a id="line.627"> {</a>
<span class="sourceLineNo">628</span><a id="line.628"> info.setRefererUrl( new URL( referer ) );</a>
<span class="sourceLineNo">629</span><a id="line.629"> }</a>
<span class="sourceLineNo">630</span><a id="line.630"> catch ( MalformedURLException ex )</a>
<span class="sourceLineNo">631</span><a id="line.631"> {</a>
<span class="sourceLineNo">632</span><a id="line.632"> log.warn( "Bad URL in Referer HTTP-Header: {}, Message: {}", referer, ex.getMessage() );</a>
<span class="sourceLineNo">633</span><a id="line.633"> }</a>
<span class="sourceLineNo">634</span><a id="line.634"> }</a>
<span class="sourceLineNo">635</span><a id="line.635"> }</a>
<span class="sourceLineNo">636</span><a id="line.636"> return info;</a>
<span class="sourceLineNo">637</span><a id="line.637"> }</a>
<span class="sourceLineNo">638</span><a id="line.638"></a>
<span class="sourceLineNo">639</span><a id="line.639"> public void setHttpRequest( HttpServletRequest request )</a>
<span class="sourceLineNo">640</span><a id="line.640"> {</a>
<span class="sourceLineNo">641</span><a id="line.641"> this.httpRequest = request;</a>
<span class="sourceLineNo">642</span><a id="line.642"> }</a>
<span class="sourceLineNo">643</span><a id="line.643"></a>
<span class="sourceLineNo">644</span><a id="line.644">}</a>
</pre>
</div>
</main>
</body>
</html>