Package org.apache.wicket.protocol.http
Class ResourceIsolationRequestCycleListener
- java.lang.Object
- org.apache.wicket.protocol.http.ResourceIsolationRequestCycleListener
- All Implemented Interfaces:
  IRequestCycleListener
- Direct Known Subclasses:
  WebSocketAwareResourceIsolationRequestCycleListener

public class ResourceIsolationRequestCycleListener extends Object implements IRequestCycleListener

This RequestCycle listener ensures resource isolation, adding a layer of protection, for modern browsers, that prevents Cross-Site Request Forgery attacks. It uses the FetchMetadataResourceIsolationPolicy and OriginResourceIsolationPolicy by default and can be customized with additional IResourceIsolationPolicy implementations. URL paths that are intended to be used cross-site can be exempted from these policies.

Learn more about Fetch Metadata and resource isolation at https://web.dev/fetch-metadata/

- Author:
  Santiago Diaz - saldiaz@google.com, Ecenaz Jen Ozmen - ecenazo@google.com
Nested Class Summary
- static class ResourceIsolationRequestCycleListener.CsrfAction
  The action to perform when the outcome of the resource isolation policy is DISALLOWED or UNKNOWN.

Field Summary
- static String ERROR_MESSAGE

Constructor Summary
- ResourceIsolationRequestCycleListener(IResourceIsolationPolicy... policies)
  Create a new listener with the given policies.

Method Summary (all methods are instance methods; all are concrete)
- protected void abortHandler(javax.servlet.http.HttpServletRequest request, IRequestablePage page)
  Abort the request because the outcome results in ResourceIsolationRequestCycleListener.CsrfAction.ABORT.
- void addExemptedPaths(String... exemptions)
- protected void allowHandler(javax.servlet.http.HttpServletRequest request, IRequestablePage page)
  Allow the execution of the listener in the request because the outcome results in ResourceIsolationRequestCycleListener.CsrfAction.ALLOW.
- protected boolean isChecked(IRequestablePage targetedPage)
  Override to limit whether the request to the specific page should be checked for a possible CSRF attack.
- protected boolean isChecked(IRequestHandler handler)
  Override to change the request handler types that are checked.
- protected boolean isEnabled()
  Dynamic override for enabling/disabling the CSRF detection.
- void onBeginRequest(RequestCycle cycle)
  Called when the request cycle object is beginning its response.
- void onEndRequest(RequestCycle cycle)
  Allow isolation policy to add headers.
- void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler)
  Called when an IRequestHandler is resolved and will be executed.
- ResourceIsolationRequestCycleListener setDisallowedOutcomeAction(ResourceIsolationRequestCycleListener.CsrfAction action)
  Sets the action when a request is disallowed by a resource isolation policy.
- ResourceIsolationRequestCycleListener setErrorCode(int errorCode)
  Modifies the HTTP error code in the exception when a disallowed request is detected.
- ResourceIsolationRequestCycleListener setErrorMessage(String errorMessage)
  Modifies the HTTP message in the exception when a disallowed request is detected.
- ResourceIsolationRequestCycleListener setUnknownOutcomeAction(ResourceIsolationRequestCycleListener.CsrfAction action)
  Sets the action when none of the resource isolation policies can come to an outcome.
- protected void suppressHandler(javax.servlet.http.HttpServletRequest request, IRequestablePage page)
  Suppress the execution of the listener in the request because the outcome results in ResourceIsolationRequestCycleListener.CsrfAction.SUPPRESS.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.wicket.request.cycle.IRequestCycleListener
onDetach, onException, onExceptionRequestHandlerResolved, onRequestHandlerExecuted, onRequestHandlerScheduled, onUrlMapped
Field Detail

ERROR_MESSAGE
public static final String ERROR_MESSAGE
- See Also:
  Constant Field Values
Constructor Detail

ResourceIsolationRequestCycleListener
public ResourceIsolationRequestCycleListener(IResourceIsolationPolicy... policies)
Create a new listener with the given policies. If no policies are given, FetchMetadataResourceIsolationPolicy and OriginResourceIsolationPolicy will be used. The policies are checked in order. The first outcome that is not IResourceIsolationPolicy.ResourceIsolationOutcome.UNKNOWN will be used.
- Parameters:
  policies - the policies to check requests against.
Method Detail

setUnknownOutcomeAction
public ResourceIsolationRequestCycleListener setUnknownOutcomeAction(ResourceIsolationRequestCycleListener.CsrfAction action)
Sets the action when none of the resource isolation policies can come to an outcome. Default is ABORT.
- Parameters:
  action - the alternate action
- Returns:
  this (for chaining)

setDisallowedOutcomeAction
public ResourceIsolationRequestCycleListener setDisallowedOutcomeAction(ResourceIsolationRequestCycleListener.CsrfAction action)
Sets the action when a request is disallowed by a resource isolation policy. Default is ABORT.
- Parameters:
  action - the alternate action
- Returns:
  this (for chaining)

setErrorCode
public ResourceIsolationRequestCycleListener setErrorCode(int errorCode)
Modifies the HTTP error code in the exception when a disallowed request is detected.
- Parameters:
  errorCode - the alternate HTTP error code, default 403 FORBIDDEN
- Returns:
  this (for chaining)

setErrorMessage
public ResourceIsolationRequestCycleListener setErrorMessage(String errorMessage)
Modifies the HTTP message in the exception when a disallowed request is detected.
- Parameters:
  errorMessage - the alternate message
- Returns:
  this (for chaining)
addExemptedPaths
public void addExemptedPaths(String... exemptions)

onBeginRequest
public void onBeginRequest(RequestCycle cycle)
Description copied from interface: IRequestCycleListener
Called when the request cycle object is beginning its response.
- Specified by:
  onBeginRequest in interface IRequestCycleListener

isEnabled
protected boolean isEnabled()
Dynamic override for enabling/disabling the CSRF detection. Might be handy for specific tenants in a multi-tenant application. When false, the CSRF detection is not performed for the running request. Default is true.
- Returns:
  true when the CSRF checks need to be performed.
isChecked
protected boolean isChecked(IRequestablePage targetedPage)
Override to limit whether the request to the specific page should be checked for a possible CSRF attack.
- Parameters:
  targetedPage - the page that is the target for the action
- Returns:
  true when the request to the page should be checked for CSRF issues.

isChecked
protected boolean isChecked(IRequestHandler handler)
Override to change the request handler types that are checked. Currently only action handlers (form submits, link clicks, AJAX events) are checked.
- Parameters:
  handler - the handler that is currently processing
- Returns:
  true when resource isolation should be checked for this handler
onRequestHandlerResolved
public void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler)
Description copied from interface: IRequestCycleListener
Called when an IRequestHandler is resolved and will be executed.
- Specified by:
  onRequestHandlerResolved in interface IRequestCycleListener

onEndRequest
public void onEndRequest(RequestCycle cycle)
Allow isolation policy to add headers.
- Specified by:
  onEndRequest in interface IRequestCycleListener
- See Also:
  IResourceIsolationPolicy.setHeaders(HttpServletResponse)
allowHandler
protected void allowHandler(javax.servlet.http.HttpServletRequest request, IRequestablePage page)
Allow the execution of the listener in the request because the outcome results in ResourceIsolationRequestCycleListener.CsrfAction.ALLOW.
- Parameters:
  request - the request
  page - the page that is targeted with this request

suppressHandler
protected void suppressHandler(javax.servlet.http.HttpServletRequest request, IRequestablePage page)
Suppress the execution of the listener in the request because the outcome results in ResourceIsolationRequestCycleListener.CsrfAction.SUPPRESS.
- Parameters:
  request - the request
  page - the page that is targeted with this request

abortHandler
protected void abortHandler(javax.servlet.http.HttpServletRequest request, IRequestablePage page)
Abort the request because the outcome results in ResourceIsolationRequestCycleListener.CsrfAction.ABORT.
- Parameters:
  request - the request
  page - the page that is targeted with this request
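The following is an added example, not code from the Wicket project, showing how the pieces documented on this page fit together in an application: the constructor's ordered policy chain (the first policy that returns something other than UNKNOWN decides), the outcome actions and error settings, path exemptions, the isEnabled() switch, and the abortHandler hook used as a detection point. Everything not on this page is an assumption: the package com.example.app, the classes SecuredApplication, HomePage and AuditingIsolationPolicy, the method csrfChecksEnabled(), the exempted path value, and the policy callback name isRequestAllowed(HttpServletRequest, IRequestablePage) on IResourceIsolationPolicy, which this page does not document.

```java
// Added example (not Wicket's own code). Hypothetical names: com.example.app,
// SecuredApplication, HomePage, AuditingIsolationPolicy, csrfChecksEnabled().
// The IResourceIsolationPolicy callback isRequestAllowed(...) is assumed, not
// taken from this page.
package com.example.app;

import javax.servlet.http.HttpServletRequest;

import org.apache.wicket.Page;
import org.apache.wicket.protocol.http.FetchMetadataResourceIsolationPolicy;
import org.apache.wicket.protocol.http.IResourceIsolationPolicy;
import org.apache.wicket.protocol.http.OriginResourceIsolationPolicy;
import org.apache.wicket.protocol.http.ResourceIsolationRequestCycleListener;
import org.apache.wicket.protocol.http.ResourceIsolationRequestCycleListener.CsrfAction;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.component.IRequestablePage;

public class SecuredApplication extends WebApplication {

    // Hypothetical policy placed first in the chain. It only records the Fetch
    // Metadata header and returns UNKNOWN, so it never decides; the built-in
    // policies that follow it produce the outcome.
    static final class AuditingIsolationPolicy implements IResourceIsolationPolicy {
        @Override
        public ResourceIsolationOutcome isRequestAllowed(HttpServletRequest request,
                                                         IRequestablePage targetPage) {
            System.out.println("resource-isolation audit: Sec-Fetch-Site="
                    + request.getHeader("Sec-Fetch-Site") + " page="
                    + (targetPage == null ? "n/a" : targetPage.getClass().getSimpleName()));
            return ResourceIsolationOutcome.UNKNOWN; // defer to the next policy
        }
    }

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class; // hypothetical page class
    }

    @Override
    protected void init() {
        super.init();

        ResourceIsolationRequestCycleListener listener =
            new ResourceIsolationRequestCycleListener(
                new AuditingIsolationPolicy(),               // first: observes, returns UNKNOWN
                new FetchMetadataResourceIsolationPolicy(),  // then: Sec-Fetch-* based check
                new OriginResourceIsolationPolicy()) {       // then: Origin header based check

            // Per-request switch documented under isEnabled(); default stays true.
            @Override
            protected boolean isEnabled() {
                return csrfChecksEnabled();
            }

            // Detection hook: log the rejected request before the listener aborts it,
            // so the event can be forwarded to monitoring.
            @Override
            protected void abortHandler(HttpServletRequest request, IRequestablePage page) {
                System.out.println("resource-isolation ABORT: " + request.getMethod() + " "
                        + request.getRequestURI()
                        + " Sec-Fetch-Site=" + request.getHeader("Sec-Fetch-Site")
                        + " Origin=" + request.getHeader("Origin")
                        + " page=" + (page == null ? "n/a" : page.getClass().getSimpleName()));
                super.abortHandler(request, page);
            }
        };

        // These match the documented defaults (ABORT / ABORT / 403); written out so
        // the chosen policy is explicit in the application code.
        listener.setDisallowedOutcomeAction(CsrfAction.ABORT)
                .setUnknownOutcomeAction(CsrfAction.ABORT)
                .setErrorCode(403)
                .setErrorMessage("Cross-site request rejected by resource isolation policy");

        // Paths intentionally served cross-site are exempted; the value is hypothetical.
        listener.addExemptedPaths("/api/webhooks/inbound");

        getRequestCycleListeners().add(listener);
    }

    // Hypothetical hook for a multi-tenant or environment-specific toggle.
    boolean csrfChecksEnabled() {
        return true;
    }
}
```

The audit policy is deliberately first and deliberately returns UNKNOWN: because the chain stops at the first non-UNKNOWN outcome, a custom policy placed before the defaults that returned ALLOWED would short-circuit the Fetch Metadata and Origin checks for every request it accepted, so a policy that only observes must stay neutral. Logging in the abortHandler override rather than in the policy keeps the record tied to the final decision, including requests that were aborted because no policy reached an outcome.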