Package org.apache.wicket.protocol.http
Class CsrfPreventionRequestCycleListener
- java.lang.Object
-
- org.apache.wicket.protocol.http.OriginResourceIsolationPolicy
-
- org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener
-
- All Implemented Interfaces:
IResourceIsolationPolicy,IRequestCycleListener
- Direct Known Subclasses:
WebSocketAwareCsrfPreventionRequestCycleListener
@Deprecated(since="9.1.0") public class CsrfPreventionRequestCycleListener extends OriginResourceIsolationPolicy implements IRequestCycleListener
Deprecated.UseFetchMetadataResourceIsolationPolicyinsteadPrevents CSRF attacks on Wicket components by checking theOriginandRefererHTTP headers for cross domain requests. By default only checks requests that try to perform an action on a component, such as a form submit, or link click.Installation
You can enable this CSRF prevention filter by adding it to the request cycle listeners in your
application's init method:@Override protected void init() { // ... getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener()); // ... }Configuration
When the
OriginorRefererHTTP header is present but doesn't match the requested URL this listener will by default throw a HTTP error (400 BAD REQUEST) and abort the request. You canconfigurethis specific action.A missing
OriginandRefererHTTP header is handled as if it were a bad request and rejected. You canconfigure the specific actionto a different value, suppressing or allowing the request when the HTTP headers are missing.When the
OriginHTTP header is present and has the valuenullit is considered to be from a "privacy-sensitive" context and will trigger the no origin action. You can customize what happens in those actions by overriding the respectiveonXXXXmethods.When you want to accept certain cross domain request from a range of hosts, you can
whitelist those domains.You can
enable or disablethis listener by overridingisEnabled().You can
customizewhether a particular page should be checked for CSRF requests. For example you can skip checking pages that have a@NoCsrfCheckannotation, or only those pages that extend your base secure page class. For example:@Override protected boolean isChecked(IRequestablePage requestedPage) { return requestedPage instanceof SecurePage; }You can also tweak the request handlers that are checked. The CSRF prevention request cycle listener checks only action handlers, not render handlers. Override
isChecked(IRequestHandler)to customize this behavior.You can customize the default actions that are performed by overriding the event handlers for them:
onWhitelisted(HttpServletRequest, String, IRequestablePage)when an origin was whitelistedonMatchingOrigin(HttpServletRequest, String, IRequestablePage)when an origin was matchingonAborted(HttpServletRequest, String, IRequestablePage)when an origin was in conflict and the request should be abortedonAllowed(HttpServletRequest, String, IRequestablePage)when an origin was in conflict and the request should be allowedonSuppressed(HttpServletRequest, String, IRequestablePage)when an origin was in conflict and the request should be suppressed
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static classCsrfPreventionRequestCycleListener.CsrfActionDeprecated.The action to perform when a missing or conflicting source URI is detected.-
Nested classes/interfaces inherited from interface org.apache.wicket.protocol.http.IResourceIsolationPolicy
IResourceIsolationPolicy.ResourceIsolationOutcome
-
-
Constructor Summary
Constructors Constructor Description CsrfPreventionRequestCycleListener()Deprecated.
-
Method Summary
All Methods Instance Methods Concrete Methods Deprecated Methods Modifier and Type Method Description protected voidabortHandler(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)Deprecated.Handles the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginActionorconflictingOriginAction) is set toABORT.CsrfPreventionRequestCycleListeneraddAcceptedOrigin(String acceptedOrigin)Deprecated.TODO remove in Wicket 10protected voidallowHandler(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)Deprecated.Handles the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginActionorconflictingOriginAction) is set toALLOW.protected voidcheckRequest(javax.servlet.http.HttpServletRequest request, String sourceUri, IRequestablePage page)Deprecated.Performs the check of theOriginorRefererheader that is targeted at thepage.protected StringgetSourceUri(javax.servlet.http.HttpServletRequest containerRequest)Deprecated.Resolves the source URI from the request headers (OriginorReferer).protected booleanisChecked(IRequestablePage targetedPage)Deprecated.Override to limit whether the request to the specific page should be checked for a possible CSRF attack.protected booleanisChecked(IRequestHandler handler)Deprecated.Override to change the request handler types that are checked.protected booleanisEnabled()Deprecated.Dynamic override for enabling/disabling the CSRF detection.protected voidmatchingOrigin(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)Deprecated.Handles the case where an origin was checked and matched the request origin.protected voidonAborted(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)Deprecated.Override this method to customize the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginActionorconflictingOriginAction) is set toABORTED.protected voidonAllowed(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)Deprecated.Override this method to customize the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginActionorconflictingOriginAction) is set toALLOW.voidonBeginRequest(RequestCycle cycle)Deprecated.Called when the request cycle object is beginning its responseprotected voidonMatchingOrigin(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)Deprecated.Called when the origin HTTP header matched the request.voidonRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler)Deprecated.Called when anIRequestHandleris resolved and will be executed.protected voidonSuppressed(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)Deprecated.Override this method to customize the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginActionorconflictingOriginAction) is set toSUPPRESSED.protected voidonWhitelisted(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)Deprecated.Called when the origin was available in the whitelist.CsrfPreventionRequestCycleListenersetConflictingOriginAction(CsrfPreventionRequestCycleListener.CsrfAction action)Deprecated.Sets the action when a conflicting Origin header is detected.CsrfPreventionRequestCycleListenersetErrorCode(int errorCode)Deprecated.Modifies the HTTP error code in the exception when a conflicting Origin header is detected.CsrfPreventionRequestCycleListenersetErrorMessage(String errorMessage)Deprecated.Modifies the HTTP message in the exception when a conflicting Origin header is detected.CsrfPreventionRequestCycleListenersetNoOriginAction(CsrfPreventionRequestCycleListener.CsrfAction action)Deprecated.Sets the action when no Origin header is present in the request.protected voidsuppressHandler(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)Deprecated.Handles the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginActionorconflictingOriginAction) is set toSUPPRESS.protected IRequestHandlerunwrap(IRequestHandler handler)Deprecated.Unwraps the handler if it is aIRequestHandlerDelegatedown to the deepest nested handler.protected voidwhitelistedHandler(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)Deprecated.Handles the case where an origin is in the whitelist.-
Methods inherited from class org.apache.wicket.protocol.http.OriginResourceIsolationPolicy
getTargetUriFromRequest, isLocalOrigin, isRequestAllowed, isWhitelistedHost, normalizeUri
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface org.apache.wicket.request.cycle.IRequestCycleListener
onDetach, onEndRequest, onException, onExceptionRequestHandlerResolved, onRequestHandlerExecuted, onRequestHandlerScheduled, onUrlMapped
-
Methods inherited from interface org.apache.wicket.protocol.http.IResourceIsolationPolicy
setHeaders
-
-
-
-
Constructor Detail
-
CsrfPreventionRequestCycleListener
public CsrfPreventionRequestCycleListener()
Deprecated.
-
-
Method Detail
-
addAcceptedOrigin
public CsrfPreventionRequestCycleListener addAcceptedOrigin(String acceptedOrigin)
Deprecated.TODO remove in Wicket 10- Overrides:
addAcceptedOriginin classOriginResourceIsolationPolicy- Parameters:
acceptedOrigin- the acceptable origin- Returns:
- this
-
setNoOriginAction
public CsrfPreventionRequestCycleListener setNoOriginAction(CsrfPreventionRequestCycleListener.CsrfAction action)
Deprecated.Sets the action when no Origin header is present in the request. DefaultALLOW.- Parameters:
action- the alternate action- Returns:
- this (for chaining)
-
setConflictingOriginAction
public CsrfPreventionRequestCycleListener setConflictingOriginAction(CsrfPreventionRequestCycleListener.CsrfAction action)
Deprecated.Sets the action when a conflicting Origin header is detected. Default isERROR.- Parameters:
action- the alternate action- Returns:
- this
-
setErrorCode
public CsrfPreventionRequestCycleListener setErrorCode(int errorCode)
Deprecated.Modifies the HTTP error code in the exception when a conflicting Origin header is detected.- Parameters:
errorCode- the alternate HTTP error code, default400 BAD REQUEST- Returns:
- this
-
setErrorMessage
public CsrfPreventionRequestCycleListener setErrorMessage(String errorMessage)
Deprecated.Modifies the HTTP message in the exception when a conflicting Origin header is detected.- Parameters:
errorMessage- the alternate message- Returns:
- this
-
onBeginRequest
public void onBeginRequest(RequestCycle cycle)
Deprecated.Description copied from interface:IRequestCycleListenerCalled when the request cycle object is beginning its response- Specified by:
onBeginRequestin interfaceIRequestCycleListener
-
isEnabled
protected boolean isEnabled()
Deprecated.Dynamic override for enabling/disabling the CSRF detection. Might be handy for specific tenants in a multi-tenant application. When false, the CSRF detection is not performed for the running request. Defaulttrue- Returns:
truewhen the CSRF checks need to be performed.
-
isChecked
protected boolean isChecked(IRequestablePage targetedPage)
Deprecated.Override to limit whether the request to the specific page should be checked for a possible CSRF attack.- Parameters:
targetedPage- the page that is the target for the action- Returns:
truewhen the request to the page should be checked for CSRF issues.
-
isChecked
protected boolean isChecked(IRequestHandler handler)
Deprecated.Override to change the request handler types that are checked. Currently only action handlers (form submits, link clicks, AJAX events) are checked for a matching Origin HTTP header.- Parameters:
handler- the handler that is currently processing- Returns:
- true when the Origin HTTP header should be checked for this
handler
-
unwrap
protected IRequestHandler unwrap(IRequestHandler handler)
Deprecated.Unwraps the handler if it is aIRequestHandlerDelegatedown to the deepest nested handler.- Parameters:
handler- The handler to unwrap- Returns:
- the deepest handler that does not implement
IRequestHandlerDelegate
-
onRequestHandlerResolved
public void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler)
Deprecated.Description copied from interface:IRequestCycleListenerCalled when anIRequestHandleris resolved and will be executed.- Specified by:
onRequestHandlerResolvedin interfaceIRequestCycleListener
-
getSourceUri
protected String getSourceUri(javax.servlet.http.HttpServletRequest containerRequest)
Deprecated.Resolves the source URI from the request headers (OriginorReferer).- Parameters:
containerRequest- the current container request- Returns:
- the normalized source URI.
-
checkRequest
protected void checkRequest(javax.servlet.http.HttpServletRequest request, String sourceUri, IRequestablePage page)
Deprecated.Performs the check of theOriginorRefererheader that is targeted at thepage.- Parameters:
request- the current container requestsourceUri- the source URIpage- the page that is the target of the request
-
whitelistedHandler
protected void whitelistedHandler(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)
Deprecated.Handles the case where an origin is in the whitelist. Default action is to allow the whitelisted origin.- Parameters:
request- the requestorigin- the contents of theOriginHTTP headerpage- the page that is targeted with this request
-
onWhitelisted
protected void onWhitelisted(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)
Deprecated.Called when the origin was available in the whitelist. Override this method to implement your own custom action.- Parameters:
request- the requestorigin- the contents of theOriginHTTP headerpage- the page that is targeted with this request
-
matchingOrigin
protected void matchingOrigin(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)
Deprecated.Handles the case where an origin was checked and matched the request origin. Default action is to allow the whitelisted origin.- Parameters:
request- the requestorigin- the contents of theOriginHTTP headerpage- the page that is targeted with this request
-
onMatchingOrigin
protected void onMatchingOrigin(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)
Deprecated.Called when the origin HTTP header matched the request. Override this method to implement your own custom action.- Parameters:
request- the requestorigin- the contents of theOriginHTTP headerpage- the page that is targeted with this request
-
allowHandler
protected void allowHandler(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)
Deprecated.Handles the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginActionorconflictingOriginAction) is set toALLOW.- Parameters:
request- the requestorigin- the contents of theOriginHTTP header, may benullor emptypage- the page that is targeted with this request
-
onAllowed
protected void onAllowed(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)
Deprecated.Override this method to customize the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginActionorconflictingOriginAction) is set toALLOW.- Parameters:
request- the requestorigin- the contents of theOriginHTTP header, may benullor emptypage- the page that is targeted with this request
-
suppressHandler
protected void suppressHandler(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)
Deprecated.Handles the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginActionorconflictingOriginAction) is set toSUPPRESS.- Parameters:
request- the requestorigin- the contents of theOriginHTTP header, may benullor emptypage- the page that is targeted with this request
-
onSuppressed
protected void onSuppressed(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)
Deprecated.Override this method to customize the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginActionorconflictingOriginAction) is set toSUPPRESSED.- Parameters:
request- the requestorigin- the contents of theOriginHTTP header, may benullor emptypage- the page that is targeted with this request
-
abortHandler
protected void abortHandler(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)
Deprecated.Handles the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginActionorconflictingOriginAction) is set toABORT.- Parameters:
request- the requestorigin- the contents of theOriginHTTP header, may benullor emptypage- the page that is targeted with this request
-
onAborted
protected void onAborted(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)
Deprecated.Override this method to customize the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginActionorconflictingOriginAction) is set toABORTED.- Parameters:
request- the requestorigin- the contents of theOriginHTTP header, may benullor emptypage- the page that is targeted with this request
-
-