info.magnolia.cms.security
Class CsrfSecurityFilter
java.lang.Object
info.magnolia.cms.filters.AbstractMgnlFilter
info.magnolia.cms.security.CsrfSecurityFilter
- All Implemented Interfaces:
- MgnlFilter, javax.servlet.Filter
public class CsrfSecurityFilter
- extends AbstractMgnlFilter
Ensure that the request is not a CSRF attack.
This filter passes if:
- The Referer header is not blank.
- The host in the Referer header's URL matches the host of the current request.
A request that fails either check is treated as a possible CSRF attack (see handlePossibleCsrf). Note that a request for which the browser sends no Referer at all (for example under a restrictive Referrer-Policy) therefore fails the first check rather than passing it, unless a bypass applies.
To provide flexibility, two of the key checks are performed with voters in the filter's bypasses node.
The default bypasses configured are:
- Bypass any request URL that doesn't start with '/.magnolia'.
- Bypass all non-authenticated requests.
To add more bypasses (i.e. to white-list specific referrer domains or URIs), add further voters to the bypasses node, for example:
- See Also:
- Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
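The following plain javax.servlet filter is an added illustration of the behaviour documented above; it is not Magnolia's CsrfSecurityFilter and does not use its voter/bypass configuration. The class name RefererHostCsrfFilter, the PROTECTED_PREFIX constant, and the use of the container's getUserPrincipal() as the "authenticated" test are assumptions made for the example. The host comparison is an exact, case-insensitive match, so a referrer such as http://example.com.attacker.net does not pass a request for example.com.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative referrer-host CSRF filter (example code, not Magnolia's own).
 * Mirrors the documented rules: pass when the Referer host equals the requested
 * host; bypass URIs outside /.magnolia and unauthenticated requests; otherwise
 * answer 400 Bad Request, as handlePossibleCsrf() is documented to do.
 */
public class RefererHostCsrfFilter implements Filter {

    // Assumption: same default prefix as the page's first bypass.
    static final String PROTECTED_PREFIX = "/.magnolia";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isBypassed(request)) {
            chain.doFilter(request, response);
            return;
        }
        String referer = request.getHeader("Referer");
        if (!refererMatchesHost(referer, request.getServerName())) {
            // Same outcome as the documented handlePossibleCsrf(): reject with 400.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Possible CSRF attack");
            return;
        }
        chain.doFilter(request, response);
    }

    /** The two default bypasses from the page, written directly instead of as voters. */
    static boolean isBypassed(HttpServletRequest request) {
        String uri = request.getRequestURI();
        String contextPath = request.getContextPath();
        String path = uri.startsWith(contextPath) ? uri.substring(contextPath.length()) : uri;
        boolean outsideProtectedArea = !path.startsWith(PROTECTED_PREFIX);
        // Assumption: a null container principal means "not authenticated".
        boolean unauthenticated = request.getUserPrincipal() == null;
        return outsideProtectedArea || unauthenticated;
    }

    /**
     * The two pass conditions as a pure function: a blank or unparsable referrer
     * fails; otherwise the referrer's host must equal the requested host exactly
     * (case-insensitive). A prefix or substring match would let
     * "example.com.attacker.net" through, so only equality is accepted.
     */
    static boolean refererMatchesHost(String referer, String requestedHost) {
        if (referer == null || referer.trim().isEmpty() || requestedHost == null) {
            return false;
        }
        String refererHost;
        try {
            refererHost = new URI(referer.trim()).getHost();
        } catch (URISyntaxException e) {
            return false; // treat a malformed referrer like a blank one
        }
        if (refererHost == null) {
            return false; // relative or opaque referrer carries no host
        }
        return refererHost.toLowerCase(Locale.ROOT)
                .equals(requestedHost.toLowerCase(Locale.ROOT));
    }

    /** Stand-alone demonstration of the pure check on constructed inputs. */
    public static void main(String[] args) {
        String host = "cms.example.com";
        System.out.println(refererMatchesHost("https://cms.example.com/.magnolia/admincentral", host)); // true
        System.out.println(refererMatchesHost("https://CMS.EXAMPLE.COM/", host));                      // true
        System.out.println(refererMatchesHost("https://cms.example.com.attacker.net/x", host));        // false
        System.out.println(refererMatchesHost("", host));                                               // false
        System.out.println(refererMatchesHost("not a url", host));                                      // false
    }
}
```

Because the check depends on the Referer header, a request whose browser omits it (privacy extensions, a strict Referrer-Policy, an HTTPS-to-HTTP transition) is rejected rather than passed; a synchronizer token would not have that gap, which is why the linked cheat sheet treats referrer checking as a defence-in-depth measure.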
Method Summary
void doFilter(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain)
protected void handlePossibleCsrf(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String url)
    Actions to take when a CSRF attack is detected.
Methods inherited from class info.magnolia.cms.filters.AbstractMgnlFilter
acceptsEncoding, acceptsGzipEncoding, addAndVerifyHeader, addBypass, addMapping, bypasses, destroy, doFilter, getBypasses, getDispatching, getMapping, getMappings, getName, headerContains, init, isEnabled, mapsTo, matches, matchesDispatching, setBypasses, setDispatching, setEnabled, setMappings, setName
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
REFERRER
public static final String REFERRER
- See Also:
- Constant Field Values
CsrfSecurityFilter
public CsrfSecurityFilter()
doFilter
public void doFilter(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
javax.servlet.FilterChain chain)
throws IOException,
javax.servlet.ServletException
- Specified by:
doFilter
in class AbstractMgnlFilter
- Throws:
IOException
javax.servlet.ServletException
handlePossibleCsrf
protected void handlePossibleCsrf(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
String url)
- Actions to take when a CSRF attack is detected.
Log a message and set the response status to HttpServletResponse.SC_BAD_REQUEST.
Copyright © 2003-2014 Magnolia International Ltd. All Rights Reserved.