XSRF: add ignored methods + parameter handling for tokens

adrienlauer · adrienlauer · commit a65ef4ee5401 · 2018-09-10T13:03:17.000+02:00
diff --git a/web/security/src/main/java/org/seedstack/seed/web/security/WebSecurityConfig.java b/web/security/src/main/java/org/seedstack/seed/web/security/WebSecurityConfig.java
@@ -8,6 +8,7 @@
 
 package org.seedstack.seed.web.security;
 
+import com.google.common.collect.Lists;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
@@ -145,9 +146,12 @@ public static class XSRFConfig {
         @NotBlank
         private String headerName = "X-XSRF-TOKEN";
         @NotBlank
+        private String paramName = "xsrfToken";
+        @NotBlank
         private String algorithm = "SHA1PRNG";
         private int length = 32;
         private boolean perRequestToken = false;
+        private List<String> ignoreHttpMethods = Lists.newArrayList("GET", "HEAD", "OPTIONS");
 
         public String getCookieName() {
             return cookieName;
@@ -220,5 +224,23 @@ public XSRFConfig setCookieHttpOnly(boolean cookieHttpOnly) {
             this.cookieHttpOnly = cookieHttpOnly;
             return this;
         }
+
+        public String getParamName() {
+            return paramName;
+        }
+
+        public XSRFConfig setParamName(String paramName) {
+            this.paramName = paramName;
+            return this;
+        }
+
+        public List<String> getIgnoreHttpMethods() {
+            return ignoreHttpMethods;
+        }
+
+        public XSRFConfig setIgnoreHttpMethods(List<String> ignoreHttpMethods) {
+            this.ignoreHttpMethods = ignoreHttpMethods;
+            return this;
+        }
     }
 }
diff --git a/web/security/src/main/java/org/seedstack/seed/web/security/internal/AntiXsrfFilter.java b/web/security/src/main/java/org/seedstack/seed/web/security/internal/AntiXsrfFilter.java
@@ -9,6 +9,7 @@
 package org.seedstack.seed.web.security.internal;
 
 import java.security.SecureRandom;
+import java.util.List;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.Cookie;
@@ -35,56 +36,83 @@ protected boolean onPreHandle(ServletRequest request, ServletResponse response,
         HttpServletRequest httpServletRequest = (HttpServletRequest) request;
         HttpServletResponse httpServletResponse = (HttpServletResponse) response;
         final HttpSession session = httpServletRequest.getSession(false);
-        final boolean noCheck;
-        if (mappedValue != null && ((String[]) mappedValue).length != 0) {
-            noCheck = NO_CHECK.equals(((String[]) mappedValue)[0]);
-        } else {
-            noCheck = false;
-        }
 
         // Only apply XSRF protection when there is a session
         if (session != null) {
             // If session is new, generate a token and put it in a cookie
             if (session.isNew()) {
                 setXsrfCookie(httpServletResponse);
             }
-            // Else, if noCheck is NOT set, check if the request and cookie tokens match
-            else if (!noCheck) {
-                String cookieToken = extractCookieToken(httpServletRequest);
-                String requestToken = httpServletRequest.getHeader(xsrfConfig.getHeaderName());
-
-                if (requestToken == null) {
-                    ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN,
-                            "Missing CSRF protection token in the request headers");
-                    return false;
+            // Else, apply XSRF protection logic
+            else {
+                final boolean noCheck;
+                if (mappedValue != null && ((String[]) mappedValue).length != 0) {
+                    noCheck = NO_CHECK.equals(((String[]) mappedValue)[0]);
+                } else {
+                    noCheck = false;
                 }
 
-                if (cookieToken == null) {
-                    ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN,
-                            "Missing CSRF protection token cookie");
-                    return false;
+                if (!noCheck && !isRequestIgnored(httpServletRequest)) {
+                    String cookieToken = getTokenFromCookie(httpServletRequest);
+
+                    // If no cookie is available, send an error
+                    if (cookieToken == null) {
+                        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN,
+                                "Missing CSRF protection token cookie");
+                        return false;
+                    }
+
+                    // Try to obtain the request token from a header
+                    String requestToken = getTokenFromHeader(httpServletRequest);
+
+                    // Fallback to query parameter if we didn't a token in the headers
+                    if (requestToken == null) {
+                        requestToken = getTokenFromParameter(httpServletRequest);
+                    }
+
+                    // If no request token available, send an error
+                    if (requestToken == null) {
+                        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN,
+                                "Missing CSRF protection token in the request headers");
+                        return false;
+                    }
+
+                    // If tokens don't match, send an error
+                    if (!cookieToken.equals(requestToken)) {
+                        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN,
+                                "Request token does not match session token");
+                        return false;
+                    }
+
+                    // Regenerate token if per-request tokens are in use
+                    if (xsrfConfig.isPerRequestToken()) {
+                        setXsrfCookie(httpServletResponse);
+                    }
                 }
+            }
+        }
+        return true;
+    }
 
-                // Check for multiple headers (keep only the first one)
-                int commaIndex = requestToken.indexOf(',');
-                if (commaIndex != -1) {
-                    requestToken = requestToken.substring(0, commaIndex).trim();
-                }
+    protected boolean isRequestIgnored(HttpServletRequest httpServletRequest) {
+        List<String> ignoreHttpMethods = xsrfConfig.getIgnoreHttpMethods();
+        return ignoreHttpMethods != null && ignoreHttpMethods.contains(httpServletRequest.getMethod());
+    }
 
-                // Check if tokens match
-                if (!cookieToken.equals(requestToken)) {
-                    ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN,
-                            "Request token does not match session token");
-                    return false;
-                }
+    protected String getTokenFromParameter(HttpServletRequest httpServletRequest) {
+        return httpServletRequest.getParameter(xsrfConfig.getParamName());
+    }
 
-                // Regenerate token if per-request tokens are in use
-                if (xsrfConfig.isPerRequestToken()) {
-                    setXsrfCookie(httpServletResponse);
-                }
+    protected String getTokenFromHeader(HttpServletRequest httpServletRequest) {
+        String header = httpServletRequest.getHeader(xsrfConfig.getHeaderName());
+        if (header != null) {
+            int commaIndex = header.indexOf(',');
+            if (commaIndex != -1) {
+                // If header is multi-valued, only keep the first one
+                header = header.substring(0, commaIndex).trim();
             }
         }
-        return true;
+        return header;
     }
 
     protected void postHandle(ServletRequest request, ServletResponse response) {
@@ -117,7 +145,7 @@ protected void deleteXsrfCookie(HttpServletResponse httpServletResponse) {
         httpServletResponse.setHeader(SET_COOKIE_HEADER, cookieSpec);
     }
 
-    protected String extractCookieToken(HttpServletRequest httpServletRequest) {
+    protected String getTokenFromCookie(HttpServletRequest httpServletRequest) {
         String cookieName = xsrfConfig.getCookieName();
         for (Cookie cookie : httpServletRequest.getCookies()) {
             if (cookieName.equals(cookie.getName())) {
diff --git a/web/security/src/main/resources/org/seedstack/seed/web/security/WebSecurityConfig.properties b/web/security/src/main/resources/org/seedstack/seed/web/security/WebSecurityConfig.properties
@@ -14,11 +14,13 @@ loginUrl=The URL of the authentication form to redirect to when the user needs t
 logoutUrl=The URL to redirect to after logout.
 xsrf.cookieName=The name of the cookie used for XSRF protection.
 xsrf.headerName=The name of the HTTP header used for XSRF protection.
+xsrf.paramName=The name of the HTTP parameter (query param or form param) used for XSRF protection.
 xsrf.algorithm=The name of the SecureRandom algorithm for generating the XSRF random token.
 xsrf.length=The length of the random XSRF token.
 xsrf.perRequestToken=If true, a new random XSRF token is generated for each request.
 xsrf.sameSitePolicy=Define the value of the 'SameSite' attribute on the XSRF cookie.
 xsrf.httpOnly=If true, the XSRF token cookie will be set to HTTP only, preventing its access from JavaScript.
+xsrf.ignoreHttpMethods=The list of HTTP methods ignored for XSRF protection.
 form.usernameParameter=The name of the parameter carrying the user name in the authentication form.
 form.passwordParameter=The name of the parameter carrying the password in the authentication form.
 form.rememberMeParameter=The name of the parameter carrying the remember me flag in the authentication form.
diff --git a/web/security/src/test/resources/application.yaml b/web/security/src/test/resources/application.yaml
@@ -36,38 +36,30 @@ security:
     loginUrl: /login.html
     logoutUrl: /logout.html
     successUrl: /success.html
+    xsrf:
+      ignoreHttpMethods: []
     form:
       usernameParameter: user
       passwordParameter: pw
     urls:
-      -
-        pattern: /jediCouncil.html
-        filters: [authcBasic, 'perms[lightSaber:wield, academy:learn]']
-      -
-        pattern: /jediAcademy.html
-        filters: [authcBasic, 'perms[academy:learn]']
-      -
-        pattern: /protected
-        filters: authc
-      -
-        pattern: /cert-protected
-        filters: cert
-      -
-        pattern: /login.html
-        filters: authc
-      -
-        pattern: /success.html
-        filters: authc
-      -
-        pattern: /logout
-        filters: logout
-      -
-        pattern: /teapot
-        filters: 'teapot[param]'
-      -
-        pattern: /xsrf-protected-without-session
-        filters: xsrf
-      -
-        pattern: /xsrf-protected-with-session
-        filters: [authcBasic, xsrf]
+    - pattern: /jediCouncil.html
+      filters: [authcBasic, 'perms[lightSaber:wield, academy:learn]']
+    - pattern: /jediAcademy.html
+      filters: [authcBasic, 'perms[academy:learn]']
+    - pattern: /protected
+      filters: authc
+    - pattern: /cert-protected
+      filters: cert
+    - pattern: /login.html
+      filters: authc
+    - pattern: /success.html
+      filters: authc
+    - pattern: /logout
+      filters: logout
+    - pattern: /teapot
+      filters: 'teapot[param]'
+    - pattern: /xsrf-protected-without-session
+      filters: xsrf
+    - pattern: /xsrf-protected-with-session
+      filters: [authcBasic, xsrf]
 
