Starting with version 1.3 some redback services are available trough rest request.
Starting with version 2.5 we added some filters to prevent CSRF attacks.
We use JAXRS annotations and authz/karma are verified through cxf interceptors.
Starting with version 2.5 there has been added an interceptor that tries to check for CSRF attacks. CSRF can be initiated by malicious sites that let your browser execute HTTP requests or JavaScript-Code aimed to your redback site. Without CSRF prevention only the login cookie is checked for proper authorization and which is sent automatically from your browser after login. The redback REST services are not checking if the request is from the same origin as the login request.
For more information see the OWASP info .
Redback uses two mechanisms for checking cross site requests: Header validation and a validation token.
The behaviour of the filter can be configured, see REST configuration .
The header validation uses a base URL where the incoming requests are checked against. Per default the base URL is determined dynamically, but can be configured.
Each client request is checked for the HTTP headers Origin and Referer header. If the Origin header is existent and the base URL does not match the header value the request will be denied. After that the Referer header is checked and matched against the base URL. If the header is existent and does not the base URL the request is denied. If neither Origin nor Referer header are presented, the request is denied (can be configured).
If the header validation was successful, the request is checked for the X-XSRF-TOKEN header. This header must contain a token that is returned from the login REST service together with the user information (validationToken element of the user element returned from the Login service). The token is encrypted with a key that is generated dynamically during startup of the redback service. That means that after restart of the redback services all tokens generated before will be invalid. Validation tokens have a lifetime of 3 hours. After that you have to login again.
You must add the following maven dependency
<dependency> <groupId>org.codehaus.redback</groupId> <artifactId>redback-rest-services</artifactId> <version>2.2-SNAPSHOT</version> </dependency>
The spring file is in the redback-rest-services module. You must add META-INF/spring-context.xml in your spring configuration.
And add cxf servlet in your web.xml :
<servlet> <servlet-name>CXFServlet</servlet-name> <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>CXFServlet</servlet-name> <url-pattern>/services/*</url-pattern> </servlet-mapping>
Rest services are declared as it in the cxf configuration :
<jaxrs:server id="redbackServices" address="/redbackServices"> <jaxrs:providers> <ref bean="authenticationInterceptor#rest"/> <ref bean="permissionInterceptor#rest"/> </jaxrs:providers> <jaxrs:serviceBeans> <ref bean="userService#rest"/> ... more coming ... </jaxrs:serviceBeans> </jaxrs:server>
This interceptor is basic on HTTP BASIC authz with using HttpBasicAuthentication spring component.
This inceptor will use a new created annotation named @RedbackAuthorization which supports attributes : permissions, resource and noRestriction.
You can use it :
@RedbackAuthorization( permissions = "user-management-user-create" ) public Boolean deleteUser( @PathParam( "userName" ) String username )
The interceptor will basically check if the user has one of the required permissions.
Note all exposed services must be marked with this annotation. If not forbidden http response will be returned.
If the service doesn't need special permissions you must do :
@RedbackAuthorization(noRestriction = true) public Boolean ping()
This is the interceptor used for CSRF prevention. See info above.
Dependencies to add in order to use those REST Services
<dependency> <groupId>org.codehaus.redback</groupId> <artifactId>redback-rest-api</artifactId> <version>2.2-SNAPSHOT</version> </dependency> if you use CXF: <dependency> <groupId>org.apache.cxf</groupId> <artifactId>cxf-bundle-jaxrs</artifactId> <version>2.6.4</version> <exclusions> <exclusion> <groupId>org.eclipse.jetty</groupId> <artifactId>jetty-server</artifactId> </exclusion> </exclusions> </dependency>
Sample on how to use
Error during retrieving content skip as ignoreDownloadError activated.
Error during retrieving content skip as ignoreDownloadError activated.