CsrfPreventionFilter (camunda BPM - webapp

java.lang.Object
- org.camunda.bpm.webapp.impl.security.filter.CsrfPreventionFilter

All Implemented Interfaces:: javax.servlet.Filter

public class CsrfPreventionFilter
extends Object
implements javax.servlet.Filter

Provides basic CSRF protection implementing a Same Origin Standard Header verification (step 1) and a Synchronization Token with a cookie-stored token on the front-end.

 Positive scenario:
           Client                            Server
              |                                 |
              | GET Fetch Request              \| JSESSIONID
              |---------------------------------| X-CSRF-Token
              |                                /| pair generation
              |/Response to Fetch Request       |
              |---------------------------------|
 JSESSIONID   |\                                |
 X-CSRF-Token |                                 |
 pair cached  | POST Request with valid token  \| JSESSIONID
              | header                          |
              |---------------------------------| X-CSRF-Token
              |                                /| pair validation
              |/ Response to POST Request       |
              |---------------------------------|
              |\                                |

 Negative scenario:
           Client                            Server
              |                                 |
              | POST Request without token      | JSESSIONID
              | header                         \| X-CSRF-Token
              |---------------------------------| pair validation
              |                                /|
              |/Request is rejected             |
              |---------------------------------|
              |\                                |

           Client                            Server
              |                                 |
              | POST Request with invalid token\| JSESSIONID
              |---------------------------------| X-CSRF-Token
              |                                /| pair validation
              |/Request is rejected             |
              |---------------------------------|
              |\                                |

Parts of this code were ported from the CsrfPreventionFilter class of Apache Tomcat. Furthermore, the RestCsrfPreventionFilter class from the same codebase was used as a guideline.

Author:: Nikola Koevski

Constructor Summary

Constructors
Constructor and Description

CsrfPreventionFilter()

Constructors
Constructor and Description
`CsrfPreventionFilter()`

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`void`	`destroy()`
`void`	`doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain filterChain)`
`protected boolean`	`doSameOriginStandardHeadersVerification(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)` Validates if the Origin/Referer header matches the provided target origin.
`protected boolean`	`doTokenValidation(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)` Validates the provided CSRF token value from the request with the session CSRF token value.
`protected String`	`generateCSRFToken()` Generate a one-time token for authenticating subsequent requests.
`int`	`getDenyStatus()`
`String`	`getRandomClass()`
`URL`	`getTargetOrigin()`
`void`	`init(javax.servlet.FilterConfig filterConfig)`
`protected boolean`	`isNonModifyingRequest(javax.servlet.http.HttpServletRequest request)` Determine if the request a non-modifying request.
`protected void`	`setCSRFToken(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)` Generates a new CSRF Token which is persisted in the session.
`void`	`setDenyStatus(int denyStatus)` Sets the response status code that is used to reject denied request.
`void`	`setEntryPoints(String entryPoints)` Entry points are URLs that will not be tested for the presence of a valid token.
`void`	`setRandomClass(String randomClass)` Sets the name of the class to use to generate tokens.
`void`	`setTargetOrigin(String targetOrigin)` Target origin is the application expected deployment domain, i.e.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Constructor Detail
  - CsrfPreventionFilter
```
public CsrfPreventionFilter()
```
- Method Detail
  - init
```
public void init(javax.servlet.FilterConfig filterConfig)
          throws javax.servlet.ServletException
```
    Specified by:
    
    init in interface javax.servlet.Filter
    
    Throws:
    
    javax.servlet.ServletException
  - doFilter
```
public void doFilter(javax.servlet.ServletRequest servletRequest,
                     javax.servlet.ServletResponse servletResponse,
                     javax.servlet.FilterChain filterChain)
              throws IOException,
                     javax.servlet.ServletException
```
    Specified by:
    
    doFilter in interface javax.servlet.Filter
    
    Throws:
    
    IOException
    
    javax.servlet.ServletException
  - doTokenValidation
```
protected boolean doTokenValidation(javax.servlet.http.HttpServletRequest request,
                                    javax.servlet.http.HttpServletResponse response)
                             throws IOException
```
    Validates the provided CSRF token value from the request with the session CSRF token value.
    
    Parameters:
    
    request -
    
    response -
    
    Returns:
    
    true if the token is valid
    
    Throws:
    
    IOException
  - doSameOriginStandardHeadersVerification
```
protected boolean doSameOriginStandardHeadersVerification(javax.servlet.http.HttpServletRequest request,
                                                          javax.servlet.http.HttpServletResponse response)
                                                   throws IOException
```
    Validates if the Origin/Referer header matches the provided target origin.
    
    Parameters:
    
    request -
    
    response -
    
    Returns:
    
    true if the values match
    
    Throws:
    
    IOException
  - setCSRFToken
```
protected void setCSRFToken(javax.servlet.http.HttpServletRequest request,
                            javax.servlet.http.HttpServletResponse response)
```
    Generates a new CSRF Token which is persisted in the session. How the token is forwarded to the client and how it will be persisted there is not covered by this method.
    
    Parameters:
    
    request -
  - getTargetOrigin
```
public URL getTargetOrigin()
```
  - setTargetOrigin
```
public void setTargetOrigin(String targetOrigin)
                     throws MalformedURLException
```
    Target origin is the application expected deployment domain, i.e. the domain name through which the webapps are accessed. If nothing is set, the "Same Origin with Standard Headers" verification is not performed.
    
    Parameters:
    
    targetOrigin - The application's domain name together with the protocol and port (ex. http://example.com:8080)
    
    Throws:
    
    MalformedURLException
  - setEntryPoints
```
public void setEntryPoints(String entryPoints)
```
    Entry points are URLs that will not be tested for the presence of a valid token. They are used to provide a way to navigate back to a protected application after navigating away from it. Entry points will be limited to HTTP GET requests and should not trigger any security sensitive actions.
    
    Parameters:
    
    entryPoints - Comma separated list of URLs to be configured as entry points.
  - getDenyStatus
```
public int getDenyStatus()
```
    Returns:
    
    the response status code that is used to reject a denied request.
  - setDenyStatus
```
public void setDenyStatus(int denyStatus)
```
    Sets the response status code that is used to reject denied request. If none is set, the default value of 403 will be used.
    
    Parameters:
    
    denyStatus - HTTP status code
  - getRandomClass
```
public String getRandomClass()
```
  - setRandomClass
```
public void setRandomClass(String randomClass)
```
    Sets the name of the class to use to generate tokens. The class must be an instance of `java.util.Random`. If not set, the default value of `java.security.SecureRandom` will be used.
    
    Parameters:
    
    randomClass - The name of the class
  - destroy
```
public void destroy()
```
    Specified by:
    
    destroy in interface javax.servlet.Filter
  - isNonModifyingRequest
```
protected boolean isNonModifyingRequest(javax.servlet.http.HttpServletRequest request)
```
    Determine if the request a non-modifying request. A non-modifying request is one that is either a 'HTTP GET/OPTIONS/HEAD' request, or is allowed explicitly through the 'entryPoints' parameter in the web.xml
    
    Returns:
    
    true if the request is a non-modifying request
  - generateCSRFToken
```
protected String generateCSRFToken()
```
    Generate a one-time token for authenticating subsequent requests.
    
    Returns:
    
    the generated token

Class CsrfPreventionFilter

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Constructor Detail

CsrfPreventionFilter

Method Detail

init

doFilter

doTokenValidation

doSameOriginStandardHeadersVerification

setCSRFToken

getTargetOrigin

setTargetOrigin

setEntryPoints

getDenyStatus

setDenyStatus

getRandomClass

setRandomClass

destroy

isNonModifyingRequest

generateCSRFToken