Module org.apache.wicket.core
Package org.apache.wicket.protocol.http
Class ResourceIsolationRequestCycleListener
java.lang.Object
    org.apache.wicket.protocol.http.ResourceIsolationRequestCycleListener
- All Implemented Interfaces: IRequestCycleListener
- Direct Known Subclasses: WebSocketAwareResourceIsolationRequestCycleListener
This RequestCycle listener ensures resource isolation, adding a layer of protection against Cross-Site Request Forgery (CSRF) attacks for modern browsers. It uses the FetchMetadataResourceIsolationPolicy and OriginResourceIsolationPolicy by default and can be customized with additional IResourceIsolationPolicy implementations. URL paths that are intended to be used cross-site can be exempted from these policies.
Learn more about Fetch Metadata and resource isolation at https://web.dev/fetch-metadata/
- Author: Santiago Diaz - saldiaz@google.com, Ecenaz Jen Ozmen - ecenazo@google.com
Nested Class Summary
- static enum ResourceIsolationRequestCycleListener.CsrfAction
  The action to perform when the outcome of the resource isolation policy is DISALLOWED or UNKNOWN.

Field Summary
- static final String ERROR_MESSAGE

Constructor Summary
- ResourceIsolationRequestCycleListener(IResourceIsolationPolicy... policies)
  Create a new listener with the given policies.

Method Summary
- protected void abortHandler(jakarta.servlet.http.HttpServletRequest request, IRequestablePage page)
  Abort the request because the outcome results in ResourceIsolationRequestCycleListener.CsrfAction.ABORT.
- void addExemptedPaths(String... exemptions)
- protected void allowHandler(jakarta.servlet.http.HttpServletRequest request, IRequestablePage page)
  Allow the execution of the listener in the request because the outcome results in ResourceIsolationRequestCycleListener.CsrfAction.ALLOW.
- protected boolean isChecked(IRequestablePage targetedPage)
  Override to limit whether the request to the specific page should be checked for a possible CSRF attack.
- protected boolean isChecked(IRequestHandler handler)
  Override to change the request handler types that are checked.
- protected boolean isEnabled()
  Dynamic override for enabling/disabling the CSRF detection.
- void onBeginRequest(RequestCycle cycle)
  Called when the request cycle object is beginning its response.
- void onEndRequest(RequestCycle cycle)
  Allow isolation policy to add headers.
- void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler)
  Called when an IRequestHandler is resolved and will be executed.
- ResourceIsolationRequestCycleListener setDisallowedOutcomeAction(ResourceIsolationRequestCycleListener.CsrfAction action)
  Sets the action when a request is disallowed by a resource isolation policy.
- ResourceIsolationRequestCycleListener setErrorCode(int errorCode)
  Modifies the HTTP error code in the exception when a disallowed request is detected.
- ResourceIsolationRequestCycleListener setErrorMessage(String errorMessage)
  Modifies the HTTP message in the exception when a disallowed request is detected.
- ResourceIsolationRequestCycleListener setUnknownOutcomeAction(ResourceIsolationRequestCycleListener.CsrfAction action)
  Sets the action when none of the resource isolation policies can come to an outcome.
- protected void suppressHandler(jakarta.servlet.http.HttpServletRequest request, IRequestablePage page)
  Suppress the execution of the listener in the request because the outcome results in ResourceIsolationRequestCycleListener.CsrfAction.SUPPRESS.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.apache.wicket.request.cycle.IRequestCycleListener
onDetach, onException, onExceptionRequestHandlerResolved, onRequestHandlerExecuted, onRequestHandlerScheduled, onUrlMapped
Field Details
- ERROR_MESSAGE
  public static final String ERROR_MESSAGE

Constructor Details
- ResourceIsolationRequestCycleListener
  public ResourceIsolationRequestCycleListener(IResourceIsolationPolicy... policies)
  Create a new listener with the given policies. If no policies are given, FetchMetadataResourceIsolationPolicy and OriginResourceIsolationPolicy will be used. The policies are checked in order; the first outcome that is not IResourceIsolationPolicy.ResourceIsolationOutcome.UNKNOWN will be used.
  - Parameters:
    policies - the policies to check requests against.
Method Details
- setUnknownOutcomeAction
  public ResourceIsolationRequestCycleListener setUnknownOutcomeAction(ResourceIsolationRequestCycleListener.CsrfAction action)
  Sets the action when none of the resource isolation policies can come to an outcome. Default is ABORT.
  - Parameters:
    action - the alternate action
  - Returns:
    this (for chaining)
- setDisallowedOutcomeAction
  public ResourceIsolationRequestCycleListener setDisallowedOutcomeAction(ResourceIsolationRequestCycleListener.CsrfAction action)
  Sets the action when a request is disallowed by a resource isolation policy. Default is ABORT.
  - Parameters:
    action - the alternate action
  - Returns:
    this (for chaining)
- setErrorCode
  public ResourceIsolationRequestCycleListener setErrorCode(int errorCode)
  Modifies the HTTP error code in the exception when a disallowed request is detected.
  - Parameters:
    errorCode - the alternate HTTP error code, default 403 FORBIDDEN
  - Returns:
    this (for chaining)
- setErrorMessage
  public ResourceIsolationRequestCycleListener setErrorMessage(String errorMessage)
  Modifies the HTTP message in the exception when a disallowed request is detected.
  - Parameters:
    errorMessage - the alternate message
  - Returns:
    this (for chaining)
- addExemptedPaths
  public void addExemptedPaths(String... exemptions)
  Adds URL paths that are intended to be used cross-site and are therefore exempted from the resource isolation policies.
  - Parameters:
    exemptions - the paths to exempt
- onBeginRequest
  public void onBeginRequest(RequestCycle cycle)
  Description copied from interface: IRequestCycleListener
  Called when the request cycle object is beginning its response.
  - Specified by:
    onBeginRequest in interface IRequestCycleListener
- isEnabled
  protected boolean isEnabled()
  Dynamic override for enabling/disabling the CSRF detection. Might be handy for specific tenants in a multi-tenant application. When false, the CSRF detection is not performed for the running request. Default is true.
  - Returns:
    true when the CSRF checks need to be performed.
- isChecked
  protected boolean isChecked(IRequestablePage targetedPage)
  Override to limit whether the request to the specific page should be checked for a possible CSRF attack.
  - Parameters:
    targetedPage - the page that is the target for the action
  - Returns:
    true when the request to the page should be checked for CSRF issues.
- isChecked
  protected boolean isChecked(IRequestHandler handler)
  Override to change the request handler types that are checked. Currently only action handlers (form submits, link clicks, AJAX events) are checked.
  - Parameters:
    handler - the handler that is currently processing
  - Returns:
    true when resource isolation should be checked for this handler
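The following example is added here and is not Wicket's own code or documentation. It shows how the constructor (policies consulted in order, first non-UNKNOWN outcome wins), the configuration setters and the protected isEnabled/isChecked hooks documented above fit together when the listener is registered from WebApplication.init(). ExampleApplication, HomePage, AuditPolicy, KillSwitchListener, the ReadOnlyPage marker and the exempted path "/webhooks/incoming" are all constructed for the illustration; the example also assumes the IResourceIsolationPolicy contract (an isRequestAllowed method returning a ResourceIsolationOutcome), which this page does not show.

```java
package com.example.csrf; // hypothetical application package

import jakarta.servlet.http.HttpServletRequest;

import org.apache.wicket.Page;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy;
import org.apache.wicket.protocol.http.IResourceIsolationPolicy;
import org.apache.wicket.protocol.http.OriginResourceIsolationPolicy;
import org.apache.wicket.protocol.http.ResourceIsolationRequestCycleListener;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.component.IRequestablePage;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Example (not Wicket's own code): wiring a customised listener in init(). */
public class ExampleApplication extends WebApplication {

    /** Marker for pages whose actions never change server-side state (constructed). */
    public interface ReadOnlyPage {}

    /** Minimal home page so the application compiles; its markup is not shown. */
    public static class HomePage extends WebPage {}

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class;
    }

    @Override
    protected void init() {
        super.init();

        // Policies are consulted in the order given; the first outcome that is not
        // UNKNOWN decides. AuditPolicy always answers UNKNOWN, so it only observes
        // and the two default policies still make the decision.
        KillSwitchListener listener = new KillSwitchListener(
                new AuditPolicy(),
                new FetchMetadataResourceIsolationPolicy(),
                new OriginResourceIsolationPolicy());

        // Paths that are legitimately called cross-site (constructed path for a
        // hypothetical webhook endpoint) bypass every policy; keep this list short.
        listener.addExemptedPaths("/webhooks/incoming");

        listener
                // A policy answered DISALLOWED: reject with an HTTP error (the default).
                .setDisallowedOutcomeAction(ResourceIsolationRequestCycleListener.CsrfAction.ABORT)
                // No policy could decide (e.g. neither Fetch Metadata nor Origin/Referer
                // present). ABORT is the documented default; SUPPRESS would skip the
                // action handler but still render a response.
                .setUnknownOutcomeAction(ResourceIsolationRequestCycleListener.CsrfAction.ABORT)
                .setErrorCode(403)
                .setErrorMessage("Request rejected by resource isolation policy");

        getRequestCycleListeners().add(listener);
    }

    /**
     * Logs the headers the default policies rely on, then defers the decision.
     * Assumes the IResourceIsolationPolicy contract (isRequestAllowed returning a
     * ResourceIsolationOutcome), which is not shown on this page.
     */
    static class AuditPolicy implements IResourceIsolationPolicy {
        private static final Logger LOG = LoggerFactory.getLogger(AuditPolicy.class);

        @Override
        public ResourceIsolationOutcome isRequestAllowed(HttpServletRequest request,
                                                         IRequestablePage targetPage) {
            LOG.debug("sec-fetch-site={} origin={} page={}",
                    request.getHeader("Sec-Fetch-Site"),
                    request.getHeader("Origin"),
                    targetPage.getClass().getSimpleName());
            return ResourceIsolationOutcome.UNKNOWN; // let the next policy decide
        }
    }

    /** Listener subclass using the protected isEnabled/isChecked hooks. */
    static class KillSwitchListener extends ResourceIsolationRequestCycleListener {
        /** Operational kill switch: false disables the checks for every request. */
        private volatile boolean enforcing = true;

        KillSwitchListener(IResourceIsolationPolicy... policies) {
            super(policies);
        }

        void setEnforcing(boolean enforcing) {
            this.enforcing = enforcing;
        }

        @Override
        protected boolean isEnabled() {
            return enforcing;
        }

        /** Only skip pages whose actions really have no side effects. */
        @Override
        protected boolean isChecked(IRequestablePage targetedPage) {
            return !(targetedPage instanceof ReadOnlyPage);
        }
    }
}
```

Registering the listener once from init() is enough; the listener then inspects every resolved action handler (form submits, link clicks, AJAX events) and calls the abort, suppress or allow handler according to the first decisive policy outcome.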
- onRequestHandlerResolved
  public void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler)
  Description copied from interface: IRequestCycleListener
  Called when an IRequestHandler is resolved and will be executed.
  - Specified by:
    onRequestHandlerResolved in interface IRequestCycleListener
- onEndRequest
  public void onEndRequest(RequestCycle cycle)
  Allow isolation policy to add headers.
  - Specified by:
    onEndRequest in interface IRequestCycleListener
- allowHandler
  protected void allowHandler(jakarta.servlet.http.HttpServletRequest request, IRequestablePage page)
  Allow the execution of the listener in the request because the outcome results in ResourceIsolationRequestCycleListener.CsrfAction.ALLOW.
  - Parameters:
    request - the request
    page - the page that is targeted with this request
- suppressHandler
  protected void suppressHandler(jakarta.servlet.http.HttpServletRequest request, IRequestablePage page)
  Suppress the execution of the listener in the request because the outcome results in ResourceIsolationRequestCycleListener.CsrfAction.SUPPRESS.
  - Parameters:
    request - the request
    page - the page that is targeted with this request
- abortHandler
  protected void abortHandler(jakarta.servlet.http.HttpServletRequest request, IRequestablePage page)
  Abort the request because the outcome results in ResourceIsolationRequestCycleListener.CsrfAction.ABORT.
  - Parameters:
    request - the request
    page - the page that is targeted with this request