Class CsrfPreventionRequestCycleListener

- java.lang.Object
- org.apache.wicket.protocol.http.OriginResourceIsolationPolicy
- org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener

- All Implemented Interfaces:
  IResourceIsolationPolicy, IRequestCycleListener
- Direct Known Subclasses:
  WebSocketAwareCsrfPreventionRequestCycleListener

@Deprecated(since="9.1.0")
public class CsrfPreventionRequestCycleListener extends OriginResourceIsolationPolicy implements IRequestCycleListener

Deprecated. Use FetchMetadataResourceIsolationPolicy instead.

Prevents CSRF attacks on Wicket components by checking the Origin and Referer HTTP headers for cross domain requests. By default only requests that try to perform an action on a component, such as a form submit or link click, are checked.

Installation
You can enable this CSRF prevention filter by adding it to the request cycle listeners in your application's init method:

    @Override
    protected void init()
    {
        // ...
        getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener());
        // ...
    }
Configuration

When the Origin or Referer HTTP header is present but doesn't match the requested URL, this listener will by default throw a HTTP error (400 BAD REQUEST) and abort the request. You can configure this specific action with setConflictingOriginAction(CsrfAction).

A missing Origin and Referer HTTP header is handled as if it were a bad request and rejected. You can configure the specific action with setNoOriginAction(CsrfAction) to a different value, suppressing or allowing the request when the HTTP headers are missing.

When the Origin HTTP header is present and has the value null it is considered to be from a "privacy-sensitive" context and will trigger the no origin action. You can customize what happens in those actions by overriding the respective onXXXX methods.

When you want to accept certain cross domain requests from a range of hosts, you can whitelist those domains with addAcceptedOrigin(String).

You can enable or disable this listener by overriding isEnabled().

You can customize whether a particular page should be checked for CSRF requests by overriding isChecked(IRequestablePage). For example you can skip checking pages that have a @NoCsrfCheck annotation, or only check those pages that extend your base secure page class. For example:

    @Override
    protected boolean isChecked(IRequestablePage requestedPage)
    {
        return requestedPage instanceof SecurePage;
    }

You can also tweak the request handlers that are checked. The CSRF prevention request cycle listener checks only action handlers, not render handlers. Override isChecked(IRequestHandler) to customize this behavior.

You can customize the default actions that are performed by overriding the event handlers for them:

- onWhitelisted(HttpServletRequest, String, IRequestablePage) when an origin was whitelisted
- onMatchingOrigin(HttpServletRequest, String, IRequestablePage) when an origin was matching
- onAborted(HttpServletRequest, String, IRequestablePage) when an origin was in conflict and the request should be aborted
- onAllowed(HttpServletRequest, String, IRequestablePage) when an origin was in conflict and the request should be allowed
- onSuppressed(HttpServletRequest, String, IRequestablePage) when an origin was in conflict and the request should be suppressed
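As an added example (not code from the Wicket Javadoc or the Wicket project), the following application wires the settings described above together: one whitelisted host, explicit ABORT actions for both the missing-header and the conflicting-header cases, a 403 instead of the default 400, a @NoCsrfCheck opt-out for individual pages, and an audit log line for every rejected request. SecuredApplication, HomePage, NoCsrfCheck, AuditedCsrfListener, the host sso.example.com and the slf4j logger are assumptions of this example.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.servlet.http.HttpServletRequest;
import org.apache.wicket.Page;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.component.IRequestablePage;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class SecuredApplication extends WebApplication {
    // Marker for the few pages that may legitimately receive cross-origin actions (hypothetical)
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.TYPE)
    public @interface NoCsrfCheck {}

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class; // hypothetical page class of this application
    }

    @Override
    protected void init() {
        super.init();
        getRequestCycleListeners().add(new AuditedCsrfListener()
            // Actions originating from the SSO portal host are expected (hypothetical host)
            .addAcceptedOrigin("sso.example.com")
            // A request carrying neither Origin nor Referer is rejected, not let through
            .setNoOriginAction(CsrfPreventionRequestCycleListener.CsrfAction.ABORT)
            // A request whose origin does not match the target is rejected as well
            .setConflictingOriginAction(CsrfPreventionRequestCycleListener.CsrfAction.ABORT)
            // Report the rejection as 403 instead of the default 400
            .setErrorCode(403)
            .setErrorMessage("Cross-origin request rejected"));
    }

    /** Listener that skips @NoCsrfCheck pages and logs every rejection. */
    static class AuditedCsrfListener extends CsrfPreventionRequestCycleListener {
        private static final Logger LOG = LoggerFactory.getLogger(AuditedCsrfListener.class);

        @Override
        protected boolean isChecked(IRequestablePage targetedPage) {
            // Every page is checked unless it explicitly opts out
            return !targetedPage.getClass().isAnnotationPresent(NoCsrfCheck.class);
        }

        @Override
        protected void onAborted(HttpServletRequest request, String origin, IRequestablePage page) {
            // Hook only: the abort itself is performed by abortHandler after this returns
            LOG.warn("CSRF check failed: origin={} referer={} target={} remote={}",
                origin, request.getHeader("Referer"), page.getClass().getName(), request.getRemoteAddr());
            super.onAborted(request, origin, page);
        }
    }
}
```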
Nested Class Summary

Nested Classes
- static class CsrfPreventionRequestCycleListener.CsrfAction
  Deprecated. The action to perform when a missing or conflicting source URI is detected.

Nested classes/interfaces inherited from interface org.apache.wicket.protocol.http.IResourceIsolationPolicy:
IResourceIsolationPolicy.ResourceIsolationOutcome
Constructor Summary

Constructors
- CsrfPreventionRequestCycleListener()
  Deprecated.
Method Summary

All Methods | Instance Methods | Concrete Methods | Deprecated Methods

- protected void abortHandler(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)
  Deprecated. Handles the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginAction or conflictingOriginAction) is set to ABORT.
- CsrfPreventionRequestCycleListener addAcceptedOrigin(String acceptedOrigin)
  Deprecated. TODO remove in Wicket 10
- protected void allowHandler(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)
  Deprecated. Handles the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginAction or conflictingOriginAction) is set to ALLOW.
- protected void checkRequest(javax.servlet.http.HttpServletRequest request, String sourceUri, IRequestablePage page)
  Deprecated. Performs the check of the Origin or Referer header that is targeted at the page.
- protected String getSourceUri(javax.servlet.http.HttpServletRequest containerRequest)
  Deprecated. Resolves the source URI from the request headers (Origin or Referer).
- protected boolean isChecked(IRequestablePage targetedPage)
  Deprecated. Override to limit whether the request to the specific page should be checked for a possible CSRF attack.
- protected boolean isChecked(IRequestHandler handler)
  Deprecated. Override to change the request handler types that are checked.
- protected boolean isEnabled()
  Deprecated. Dynamic override for enabling/disabling the CSRF detection.
- protected void matchingOrigin(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)
  Deprecated. Handles the case where an origin was checked and matched the request origin.
- protected void onAborted(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)
  Deprecated. Override this method to customize the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginAction or conflictingOriginAction) is set to ABORT.
- protected void onAllowed(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)
  Deprecated. Override this method to customize the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginAction or conflictingOriginAction) is set to ALLOW.
- void onBeginRequest(RequestCycle cycle)
  Deprecated. Called when the request cycle object is beginning its response.
- protected void onMatchingOrigin(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)
  Deprecated. Called when the origin HTTP header matched the request.
- void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler)
  Deprecated. Called when an IRequestHandler is resolved and will be executed.
- protected void onSuppressed(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)
  Deprecated. Override this method to customize the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginAction or conflictingOriginAction) is set to SUPPRESS.
- protected void onWhitelisted(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)
  Deprecated. Called when the origin was available in the whitelist.
- CsrfPreventionRequestCycleListener setConflictingOriginAction(CsrfPreventionRequestCycleListener.CsrfAction action)
  Deprecated. Sets the action when a conflicting Origin header is detected.
- CsrfPreventionRequestCycleListener setErrorCode(int errorCode)
  Deprecated. Modifies the HTTP error code in the exception when a conflicting Origin header is detected.
- CsrfPreventionRequestCycleListener setErrorMessage(String errorMessage)
  Deprecated. Modifies the HTTP message in the exception when a conflicting Origin header is detected.
- CsrfPreventionRequestCycleListener setNoOriginAction(CsrfPreventionRequestCycleListener.CsrfAction action)
  Deprecated. Sets the action when no Origin header is present in the request.
- protected void suppressHandler(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)
  Deprecated. Handles the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginAction or conflictingOriginAction) is set to SUPPRESS.
- protected IRequestHandler unwrap(IRequestHandler handler)
  Deprecated. Unwraps the handler if it is an IRequestHandlerDelegate, down to the deepest nested handler.
- protected void whitelistedHandler(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)
  Deprecated. Handles the case where an origin is in the whitelist.
Methods inherited from class org.apache.wicket.protocol.http.OriginResourceIsolationPolicy:
getTargetUriFromRequest, isLocalOrigin, isRequestAllowed, isWhitelistedHost, normalizeUri

Methods inherited from class java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.wicket.request.cycle.IRequestCycleListener:
onDetach, onEndRequest, onException, onExceptionRequestHandlerResolved, onRequestHandlerExecuted, onRequestHandlerScheduled, onUrlMapped

Methods inherited from interface org.apache.wicket.protocol.http.IResourceIsolationPolicy:
setHeaders
Constructor Detail

CsrfPreventionRequestCycleListener

public CsrfPreventionRequestCycleListener()

Deprecated.
Method Detail

addAcceptedOrigin

public CsrfPreventionRequestCycleListener addAcceptedOrigin(String acceptedOrigin)

Deprecated. TODO remove in Wicket 10
- Overrides: addAcceptedOrigin in class OriginResourceIsolationPolicy
- Parameters:
  acceptedOrigin - the acceptable origin
- Returns: this

setNoOriginAction

public CsrfPreventionRequestCycleListener setNoOriginAction(CsrfPreventionRequestCycleListener.CsrfAction action)

Deprecated. Sets the action when no Origin header is present in the request. Default ALLOW.
- Parameters:
  action - the alternate action
- Returns: this (for chaining)

setConflictingOriginAction

public CsrfPreventionRequestCycleListener setConflictingOriginAction(CsrfPreventionRequestCycleListener.CsrfAction action)

Deprecated. Sets the action when a conflicting Origin header is detected. Default is ERROR.
- Parameters:
  action - the alternate action
- Returns: this

setErrorCode

public CsrfPreventionRequestCycleListener setErrorCode(int errorCode)

Deprecated. Modifies the HTTP error code in the exception when a conflicting Origin header is detected.
- Parameters:
  errorCode - the alternate HTTP error code, default 400 BAD REQUEST
- Returns: this

setErrorMessage

public CsrfPreventionRequestCycleListener setErrorMessage(String errorMessage)

Deprecated. Modifies the HTTP message in the exception when a conflicting Origin header is detected.
- Parameters:
  errorMessage - the alternate message
- Returns: this
onBeginRequest

public void onBeginRequest(RequestCycle cycle)

Deprecated. Description copied from interface: IRequestCycleListener
Called when the request cycle object is beginning its response.
- Specified by: onBeginRequest in interface IRequestCycleListener

isEnabled

protected boolean isEnabled()

Deprecated. Dynamic override for enabling/disabling the CSRF detection. Might be handy for specific tenants in a multi-tenant application. When false, the CSRF detection is not performed for the running request. Default true.
- Returns: true when the CSRF checks need to be performed.

isChecked

protected boolean isChecked(IRequestablePage targetedPage)

Deprecated. Override to limit whether the request to the specific page should be checked for a possible CSRF attack.
- Parameters:
  targetedPage - the page that is the target for the action
- Returns: true when the request to the page should be checked for CSRF issues.

isChecked

protected boolean isChecked(IRequestHandler handler)

Deprecated. Override to change the request handler types that are checked. Currently only action handlers (form submits, link clicks, AJAX events) are checked for a matching Origin HTTP header.
- Parameters:
  handler - the handler that is currently processing
- Returns: true when the Origin HTTP header should be checked for this handler

unwrap

protected IRequestHandler unwrap(IRequestHandler handler)

Deprecated. Unwraps the handler if it is an IRequestHandlerDelegate, down to the deepest nested handler.
- Parameters:
  handler - the handler to unwrap
- Returns: the deepest handler that does not implement IRequestHandlerDelegate

onRequestHandlerResolved

public void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler)

Deprecated. Description copied from interface: IRequestCycleListener
Called when an IRequestHandler is resolved and will be executed.
- Specified by: onRequestHandlerResolved in interface IRequestCycleListener
getSourceUri

protected String getSourceUri(javax.servlet.http.HttpServletRequest containerRequest)

Deprecated. Resolves the source URI from the request headers (Origin or Referer).
- Parameters:
  containerRequest - the current container request
- Returns: the normalized source URI.

checkRequest

protected void checkRequest(javax.servlet.http.HttpServletRequest request, String sourceUri, IRequestablePage page)

Deprecated. Performs the check of the Origin or Referer header that is targeted at the page.
- Parameters:
  request - the current container request
  sourceUri - the source URI
  page - the page that is the target of the request

whitelistedHandler

protected void whitelistedHandler(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)

Deprecated. Handles the case where an origin is in the whitelist. Default action is to allow the whitelisted origin.
- Parameters:
  request - the request
  origin - the contents of the Origin HTTP header
  page - the page that is targeted with this request

onWhitelisted

protected void onWhitelisted(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)

Deprecated. Called when the origin was available in the whitelist. Override this method to implement your own custom action.
- Parameters:
  request - the request
  origin - the contents of the Origin HTTP header
  page - the page that is targeted with this request

matchingOrigin

protected void matchingOrigin(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)

Deprecated. Handles the case where an origin was checked and matched the request origin. Default action is to allow the whitelisted origin.
- Parameters:
  request - the request
  origin - the contents of the Origin HTTP header
  page - the page that is targeted with this request

onMatchingOrigin

protected void onMatchingOrigin(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)

Deprecated. Called when the origin HTTP header matched the request. Override this method to implement your own custom action.
- Parameters:
  request - the request
  origin - the contents of the Origin HTTP header
  page - the page that is targeted with this request
allowHandler

protected void allowHandler(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)

Deprecated. Handles the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginAction or conflictingOriginAction) is set to ALLOW.
- Parameters:
  request - the request
  origin - the contents of the Origin HTTP header, may be null or empty
  page - the page that is targeted with this request

onAllowed

protected void onAllowed(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)

Deprecated. Override this method to customize the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginAction or conflictingOriginAction) is set to ALLOW.
- Parameters:
  request - the request
  origin - the contents of the Origin HTTP header, may be null or empty
  page - the page that is targeted with this request

suppressHandler

protected void suppressHandler(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)

Deprecated. Handles the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginAction or conflictingOriginAction) is set to SUPPRESS.
- Parameters:
  request - the request
  origin - the contents of the Origin HTTP header, may be null or empty
  page - the page that is targeted with this request

onSuppressed

protected void onSuppressed(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)

Deprecated. Override this method to customize the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginAction or conflictingOriginAction) is set to SUPPRESS.
- Parameters:
  request - the request
  origin - the contents of the Origin HTTP header, may be null or empty
  page - the page that is targeted with this request

abortHandler

protected void abortHandler(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)

Deprecated. Handles the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginAction or conflictingOriginAction) is set to ABORT.
- Parameters:
  request - the request
  origin - the contents of the Origin HTTP header, may be null or empty
  page - the page that is targeted with this request

onAborted

protected void onAborted(javax.servlet.http.HttpServletRequest request, String origin, IRequestablePage page)

Deprecated. Override this method to customize the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginAction or conflictingOriginAction) is set to ABORT.
- Parameters:
  request - the request
  origin - the contents of the Origin HTTP header, may be null or empty
  page - the page that is targeted with this request