CsrfSecurityFilter (Magnolia Main Project (Parent) 5.3.2 API)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

info.magnolia.cms.security
Class CsrfSecurityFilter

java.lang.Object
  info.magnolia.cms.filters.AbstractMgnlFilter
      info.magnolia.cms.security.CsrfSecurityFilter

All Implemented Interfaces:: MgnlFilter, javax.servlet.Filter

public class CsrfSecurityFilter
extends AbstractMgnlFilter
extends AbstractMgnlFilter

Ensure that the request is not a CSRF attack.

This filter passes if:

The referrer header is not blank.
The host of header referrer request domain matches the actual requested host.

To provide flexibility, two of the key checks are performed with voters in the filters bypasses node. The default bypasses configured are:

Bypass any request url that doesn't start with '/.magnolia'.
Bypass all non-authenticated requests.

To add more bypasses (i.e. to 'white-list' specific referrer domains or uris) use for example:

See Also:: Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet

Field Summary
`static String`	`REFERRER`

Constructor Summary
`CsrfSecurityFilter()`

Method Summary
`void`	`doFilter(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain)`
`protected void`	`handlePossibleCsrf(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String url)` Actions to take when a CSRF attack is detected.

Methods inherited from class info.magnolia.cms.filters.AbstractMgnlFilter
`acceptsEncoding, acceptsGzipEncoding, addAndVerifyHeader, addBypass, addMapping, bypasses, destroy, doFilter, getBypasses, getDispatching, getMapping, getMappings, getName, headerContains, init, isEnabled, mapsTo, matches, matchesDispatching, setBypasses, setDispatching, setEnabled, setMappings, setName`

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Field Detail

REFERRER

public static final String REFERRER

See Also:: Constant Field Values

Constructor Detail

CsrfSecurityFilter

public CsrfSecurityFilter()

Method Detail

doFilter

public void doFilter(javax.servlet.http.HttpServletRequest request,
                     javax.servlet.http.HttpServletResponse response,
                     javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException

Specified by:: doFilter in class AbstractMgnlFilter

Throws:: IOException; javax.servlet.ServletException

handlePossibleCsrf

protected void handlePossibleCsrf(javax.servlet.http.HttpServletRequest request,
                                  javax.servlet.http.HttpServletResponse response,
                                  String url)

Actions to take when a CSRF attack is detected. Log a message and set response to HttpServletResponse.SC_BAD_REQUEST.