Package org.apache.archiva.redback.rest.services.interceptors

Class RequestValidationInterceptor

java.lang.Object

org.apache.archiva.redback.rest.services.interceptors.AbstractInterceptor

org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor

All Implemented Interfaces:

javax.ws.rs.container.ContainerRequestFilter, javax.ws.rs.container.ContainerResponseFilter

@Provider
@Service("requestValidationInterceptor#rest")
@Priority(1000)
public class RequestValidationInterceptor
extends AbstractInterceptor
implements javax.ws.rs.container.ContainerRequestFilter, javax.ws.rs.container.ContainerResponseFilter

Created by Martin Stockhammer on 19.01.17.

This interceptor tries to check if requests come from a valid origin and are not generated by another site on behalf of the real client.

We are using some of the techniques mentioned in https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

Try to find Origin and Referer of the request. Match them to the target address, that may be either statically configured or is determined by the Host/X-Forwarded-For Header.

Field Summary

Fields inherited from class org.apache.archiva.redback.rest.services.interceptors.AbstractInterceptor

AUTHENTICATION_RESULT, SECURITY_SESSION

Constructor Summary

Constructors

Constructor	Description
RequestValidationInterceptor(UserConfiguration config)

Method Summary

Modifier and Type	Method	Description
void	filter(javax.ws.rs.container.ContainerRequestContext containerRequestContext)
void	filter(javax.ws.rs.container.ContainerRequestContext requestContext, javax.ws.rs.container.ContainerResponseContext responseContext)
void	init()
void	setHttpRequest(javax.servlet.http.HttpServletRequest request)

Methods inherited from class org.apache.archiva.redback.rest.services.interceptors.AbstractInterceptor

getAuthenticationResult, getHttpServletRequest, getHttpServletResponse, getRedbackAuthorization, getSecuritySession, ignoreAuth, setHttpServletRequest, setHttpServletResponse

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

RequestValidationInterceptor

@Inject
public RequestValidationInterceptor(@Named("userConfiguration#default")
                                    UserConfiguration config)

Method Detail

filter

public void filter(javax.ws.rs.container.ContainerRequestContext requestContext,
                   javax.ws.rs.container.ContainerResponseContext responseContext)
            throws IOException

Specified by:

filter in interface javax.ws.rs.container.ContainerResponseFilter

Throws:

IOException

init

@PostConstruct
public void init()

filter

public void filter(javax.ws.rs.container.ContainerRequestContext containerRequestContext)
            throws IOException

Specified by:

filter in interface javax.ws.rs.container.ContainerRequestFilter

Throws:

IOException

setHttpRequest

public void setHttpRequest(javax.servlet.http.HttpServletRequest request)