Author: cziegeler Date: Thu Jul 14 13:42:34 2011 New Revision: 1146709 URL: http://svn.apache.org/viewvc?rev=1146709&view=rev Log: SLING-2141 - Add a way to check the referrer for modification requests
Added: sling/trunk/contrib/extensions/security/ sling/trunk/contrib/extensions/security/pom.xml (with props) sling/trunk/contrib/extensions/security/src/ sling/trunk/contrib/extensions/security/src/main/ sling/trunk/contrib/extensions/security/src/main/java/ sling/trunk/contrib/extensions/security/src/main/java/org/ sling/trunk/contrib/extensions/security/src/main/java/org/apache/ sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/ sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/ sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java (with props) sling/trunk/contrib/extensions/security/src/main/resources/ sling/trunk/contrib/extensions/security/src/main/resources/OSGI-INF/ sling/trunk/contrib/extensions/security/src/main/resources/OSGI-INF/metatype/ sling/trunk/contrib/extensions/security/src/main/resources/OSGI-INF/metatype/metatype.properties (with props) Added: sling/trunk/contrib/extensions/security/pom.xml URL: http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security/pom.xml?rev=1146709&view=auto ==============================================================================
--- sling/trunk/contrib/extensions/security/pom.xml (added)
+++ sling/trunk/contrib/extensions/security/pom.xml Thu Jul 14 13:42:34 2011
@@ -0,0 +1,98 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.sling</groupId>
+ <artifactId>sling</artifactId>
+ <version>10</version>
+ </parent>
+
+ <artifactId>org.apache.sling.security</artifactId>
+ <version>0.5.0-SNAPSHOT</version>
+ <packaging>bundle</packaging>
+
+ <name>Apache Sling Security</name>
+ <description>
+ The Apache Sling Security module.
+ </description>
+
+ <scm>
+ <connection>scm:svn:http://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</connection>
+ <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security</developerConnection>
+ <url>http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security</url>
+ </scm>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.felix</groupId>
+ <artifactId>maven-scr-plugin</artifactId>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.sling</groupId>
+ <artifactId>maven-sling-plugin</artifactId>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.felix</groupId>
+ <artifactId>maven-bundle-plugin</artifactId>
+ <extensions>true</extensions>
+ <configuration>
+ <instructions>
+ <Bundle-Category>sling</Bundle-Category>
+ <Private-Package>
+ org.apache.sling.security.impl
+ </Private-Package>
+ </instructions>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.sling</groupId>
+ <artifactId>org.apache.sling.commons.osgi</artifactId>
+ <version>2.0.6</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.felix</groupId>
+ <artifactId>org.apache.felix.scr.annotations</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>javax.servlet</groupId>
+ <artifactId>servlet-api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.osgi</groupId>
+ <artifactId>org.osgi.core</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.osgi</groupId>
+ <artifactId>org.osgi.compendium</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ </dependency>
+ </dependencies>
+</project>
Propchange: sling/trunk/contrib/extensions/security/pom.xml ------------------------------------------------------------------------------ svn:eol-style = native Propchange: sling/trunk/contrib/extensions/security/pom.xml
------------------------------------------------------------------------------ svn:keywords = Id Propchange: sling/trunk/contrib/extensions/security/pom.xml ------------------------------------------------------------------------------ svn:mime-type = text/plain Added: sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java URL: http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java?rev=1146709&view=auto ==============================================================================
--- sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java (added)
+++ sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java Thu Jul 14 13:42:34 2011
@@ -0,0 +1,159 @@
+/*
+ * Copyright 1997-2011 Day Management AG
+ * Barfuesserplatz 6, 4001 Basel, Switzerland
+ * All Rights Reserved.
+ *
+ * This software is the confidential and proprietary information of
+ * Day Management AG, ("Confidential Information"). You shall not
+ * disclose such Confidential Information and shall use it only in
+ * accordance with the terms of the license agreement you entered into
+ * with Day.
+ */
+package org.apache.sling.security.impl;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.felix.scr.annotations.Property;
+import org.apache.felix.scr.annotations.PropertyUnbounded;
+import org.apache.felix.scr.annotations.sling.SlingFilter;
+import org.apache.felix.scr.annotations.sling.SlingFilterScope;
+import org.apache.sling.commons.osgi.OsgiUtil;
+import org.osgi.service.component.ComponentContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+@SlingFilter(order=-100000,scope=SlingFilterScope.REQUEST,metatype=true,
+ description="%referrer.description",
+ label="%referrer.name")
+public class ReferrerFilter implements Filter {
+
+ private static final boolean DEFAULT_ALLOW_EMPTY = true;
+
+ @Property(boolValue=DEFAULT_ALLOW_EMPTY)
+ private static final String PROP_ALLOW_EMPTY = "allow.empty";
+
+ @Property(unbounded=PropertyUnbounded.ARRAY)
+ private static final String PROP_HOSTS = "allow.hosts";
+
+ private boolean allowEmpty;
+
+ private String[] allowHosts;
+
+ /**
+ * Activate
+ */
+ protected void activate(final ComponentContext ctx) {
+ this.allowEmpty = OsgiUtil.toBoolean(ctx.getProperties().get(PROP_ALLOW_EMPTY), DEFAULT_ALLOW_EMPTY);
+ this.allowHosts = OsgiUtil.toStringArray(ctx.getProperties().get(PROP_HOSTS));
+ if ( this.allowHosts != null ) {
+ if ( this.allowHosts.length == 0 ) {
+ this.allowHosts = null;
+ } else if ( this.allowHosts.length == 1 && this.allowHosts[0].trim().length() == 0 ) {
+ this.allowHosts = null;
+ }
+ }
+ }
+
+ /** Logger. */
+ private final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+ private boolean isModification(final HttpServletRequest req) {
+ final String method = req.getMethod();
+ if ("POST".equals(method)) {
+ return true;
+ } else if ("PUT".equals(method)) {
+ return true;
+ } else if ("DELETE".equals(method)) {
+ return true;
+ }
+ return false;
+ }
+
+ public void doFilter(final ServletRequest req,
+ final ServletResponse res,
+ final FilterChain chain)
+ throws IOException, ServletException {
+ if ( req instanceof HttpServletRequest && res instanceof HttpServletResponse ) {
+ final HttpServletRequest request = (HttpServletRequest)req;
+
+ // is this a modification request
+ if ( this.isModification(request) ) {
+ if ( !this.isValidRequest(request) ) {
+ final HttpServletResponse response = (HttpServletResponse)res;
+ // we use 500
+ response.sendError(500);
+ return;
+ }
+ }
+ }
+ chain.doFilter(req, res);
+ }
+
+ private boolean isValidRequest(final HttpServletRequest request) {
+ final String referrer = request.getHeader("referer");
+ // check for missing/empty referrer
+ if ( referrer == null || referrer.trim().length() == 0 ) {
+ if ( !this.allowEmpty ) {
+ this.logger.info("Rejected empty referrer header for {} request to {}", request.getMethod(), request.getRequestURI());
+ }
+ return this.allowEmpty;
+ }
+ // check for relative referrer - which is always allowed
+ if ( referrer.indexOf(":/") == - 1 ) {
+ return true;
+ }
+ final URI uri;
+ try {
+ uri = new URI(referrer);
+ } catch (URISyntaxException e) {
+ // if this is invalid we just return invalid
+ this.logger.info("Rejected illegal referrer header for {} request to {} : {}",
+ new Object[] {request.getMethod(), request.getRequestURI(), referrer});
+ return false;
+ }
+ final String host = uri.getHost();
+ final boolean valid;
+ if ( this.allowHosts == null ) {
+ valid = host.equals(request.getServerName());
+ } else {
+ boolean flag = false;
+ for(final String allowHost : this.allowHosts) {
+ if ( host.equals(allowHost) ) {
+ flag = true;
+ break;
+ }
+ }
+ valid = flag;
+ }
+ if ( !valid) {
+ this.logger.info("Rejected referrer header for {} request to {} : {}",
+ new Object[] {request.getMethod(), request.getRequestURI(), referrer});
+ }
+ return valid;
+ }
+
+ /**
+ * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
+ */
+ public void init(FilterConfig arg0) throws ServletException {
+ // nothing to do
+ }
+
+ /**
+ * @see javax.servlet.Filter#destroy()
+ */
+ public void destroy() {
+ // nothing to do
+ }
+}
Propchange: sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java ------------------------------------------------------------------------------ svn:eol-style = native Propchange: sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java ------------------------------------------------------------------------------ svn:keywords = author date id revision rev url Propchange: sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java ------------------------------------------------------------------------------ svn:mime-type = text/plain Added: sling/trunk/contrib/extensions/security/src/main/resources/OSGI-INF/metatype/metatype.properties URL: http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security/src/main/resources/OSGI-INF/metatype/metatype.properties?rev=1146709&view=auto ==============================================================================
--- sling/trunk/contrib/extensions/security/src/main/resources/OSGI-INF/metatype/metatype.properties (added)
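Review bot: In isValidRequest, `uri.getHost()` can return null for a referrer that parses as a URI but has no usable host (an opaque URI, or an authority java.net.URI does not accept as a host), and the following `host.equals(request.getServerName())` / `host.equals(allowHost)` then throws a NullPointerException out of the filter instead of rejecting the request; add `if ( host == null ) { this.logger.info("Rejected referrer header without host for {} request to {} : {}", new Object[] {request.getMethod(), request.getRequestURI(), referrer}); return false; }` right after `final String host = uri.getHost();`. Host names are case-insensitive, so both comparisons should use `equalsIgnoreCase` to avoid spurious rejections when a client or proxy changes the case of the Referer value. The `referrer.indexOf(":/") == - 1` test treats any value without that substring as relative and accepts it outright; that is presumably acceptable for browser-sent Referer headers, which are absolute, but the assumption deserves a comment on that line. `response.sendError(500)` reports a server error for what is a client-side policy rejection; 403 is the conventional status and is easier to tell apart from real failures in logs and monitoring. The file header is a Day Management AG proprietary notice while pom.xml and metatype.properties in the same commit carry the ASF license header, which looks like a copy-paste leftover that should be replaced.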
+++ sling/trunk/contrib/extensions/security/src/main/resources/OSGI-INF/metatype/metatype.properties Thu Jul 14 13:42:34 2011 
@@ -0,0 +1,35 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+#
+# This file contains localization strings for configuration labels and
+# descriptions as used in the metatype.xml descriptor generated by the
+# the SCR plugin
+
+#
+# Referrer Filter
+referrer.name = Apache Sling Referrer Filter
+referrer.description = Request filter checking the referrer of modification requests.
+
+allow.empty.name = Allow Empty
+allow.empty.description = Allow an empty or missing referrer
+
+allow.hosts.name = Allow Hosts
+allow.hosts.description = List of allowed hosts for the referrer. IF this is empty only the server\
+ host is allowed.
Propchange: sling/trunk/contrib/extensions/security/src/main/resources/OSGI-INF/metatype/metatype.properties ------------------------------------------------------------------------------ svn:eol-style = native Propchange: sling/trunk/contrib/extensions/security/src/main/resources/OSGI-INF/metatype/metatype.properties ------------------------------------------------------------------------------ svn:keywords = Id Propchange: sling/trunk/contrib/extensions/security/src/main/resources/OSGI-INF/metatype/metatype.properties ------------------------------------------------------------------------------ svn:mime-type = text/plain