Class RequestValidationInterceptor
- java.lang.Object
  - org.apache.archiva.redback.rest.services.interceptors.AbstractInterceptor
    - org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor
- All Implemented Interfaces: javax.ws.rs.container.ContainerRequestFilter, javax.ws.rs.container.ContainerResponseFilter
@Provider @Service("requestValidationInterceptor#rest") @Priority(1000) public class RequestValidationInterceptor extends AbstractInterceptor implements javax.ws.rs.container.ContainerRequestFilter, javax.ws.rs.container.ContainerResponseFilter
Created by Martin Stockhammer on 19.01.17.
This interceptor tries to check whether requests come from a valid origin and are not generated by another site on behalf of the real client.
We are using some of the techniques mentioned in https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
It tries to find the Origin and Referer of the request and matches them against the target address, which may be either statically configured or determined from the Host/X-Forwarded-For header.
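The Origin/Referer matching described above, as an added sketch that is not Redback's own code: the class and method names are hypothetical, the target base URL is assumed to be already resolved by the caller, and rejecting requests that carry neither header is a policy assumption of this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Hypothetical helper, not part of the Redback API.
public class OriginRefererCheck {

    /** Reduce a URL to "scheme://host:port" with default ports filled in; null if unusable. */
    static String normalize(String url) {
        if (url == null || url.isBlank()) return null;
        try {
            URI u = new URI(url.trim());
            if (u.getScheme() == null || u.getHost() == null) return null;
            String scheme = u.getScheme().toLowerCase(Locale.ROOT);
            int port = u.getPort();
            if (port == -1) port = "https".equals(scheme) ? 443 : "http".equals(scheme) ? 80 : -1;
            return scheme + "://" + u.getHost().toLowerCase(Locale.ROOT) + ":" + port;
        } catch (URISyntaxException e) {
            return null; // malformed header value: treat as no usable source
        }
    }

    /** True only if Origin (or Referer, when Origin is absent) names the target's origin. */
    static boolean isSameOrigin(String origin, String referer, String targetBaseUrl) {
        String target = normalize(targetBaseUrl);
        if (target == null) return false;
        // A present Origin wins, even the literal "null" browsers send for opaque
        // origins; that value has no scheme or host, so it normalizes to null and fails.
        String source = normalize(origin != null ? origin : referer);
        // Comparing parsed components (not startsWith) defeats look-alike hosts.
        return target.equals(source);
    }

    public static void main(String[] args) {
        String target = "https://archiva.example.org"; // constructed sample target
        String[][] samples = {                          // constructed {Origin, Referer} pairs
            {"https://archiva.example.org", null},                    // same origin
            {"https://ARCHIVA.example.org:443", null},                // same, explicit port
            {null, "https://archiva.example.org/ui/index.html"},      // Referer fallback
            {"https://archiva.example.org.attacker.example", null},   // prefix look-alike
            {null, "https://attacker.example/?u=https://archiva.example.org"},
            {"null", "https://archiva.example.org/"},                 // opaque Origin
            {null, null},                                             // no headers at all
        };
        for (String[] s : samples) {
            System.out.printf("Origin=%s Referer=%s -> %s%n", s[0], s[1],
                    isSameOrigin(s[0], s[1], target) ? "accept" : "reject");
        }
    }
}
```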
Field Summary
-
Fields inherited from class org.apache.archiva.redback.rest.services.interceptors.AbstractInterceptor
AUTHENTICATION_RESULT, SECURITY_SESSION
-
-
Constructor Summary
Constructors
- RequestValidationInterceptor(UserConfiguration config)
-
Method Summary
Modifier and Type, Method
- void filter(javax.ws.rs.container.ContainerRequestContext containerRequestContext)
- void filter(javax.ws.rs.container.ContainerRequestContext requestContext, javax.ws.rs.container.ContainerResponseContext responseContext)
- void init()
- void setHttpRequest(javax.servlet.http.HttpServletRequest request)
-
Methods inherited from class org.apache.archiva.redback.rest.services.interceptors.AbstractInterceptor
getAuthenticationResult, getHttpServletRequest, getHttpServletResponse, getRedbackAuthorization, getSecuritySession, ignoreAuth, setHttpServletRequest, setHttpServletResponse
Constructor Detail
-
RequestValidationInterceptor
@Inject public RequestValidationInterceptor(@Named("userConfiguration#default") UserConfiguration config)
-
-
Method Detail
-
filter
public void filter(javax.ws.rs.container.ContainerRequestContext requestContext, javax.ws.rs.container.ContainerResponseContext responseContext) throws IOException
- Specified by: filter in interface javax.ws.rs.container.ContainerResponseFilter
- Throws: IOException
-
init
@PostConstruct public void init()
-
filter
public void filter(javax.ws.rs.container.ContainerRequestContext containerRequestContext) throws IOException
- Specified by: filter in interface javax.ws.rs.container.ContainerRequestFilter
- Throws: IOException
-
setHttpRequest
public void setHttpRequest(javax.servlet.http.HttpServletRequest request)