예제 #1
0
  @Override
  public String toString() {
    StringBuilder sb = new StringBuilder();

    sb.append("\r\n*****************************************************\r\n");
    sb.append("* Owasp.CsrfGuard Properties\r\n");
    sb.append("*\r\n");
    sb.append(String.format("* Logger: %s\r\n", getLogger().getClass().getName()));
    sb.append(String.format("* NewTokenLandingPage: %s\r\n", getNewTokenLandingPage()));
    sb.append(String.format("* PRNG: %s\r\n", getPrng().getAlgorithm()));
    sb.append(String.format("* SessionKey: %s\r\n", getSessionKey()));
    sb.append(String.format("* TokenLength: %s\r\n", getTokenLength()));
    sb.append(String.format("* TokenName: %s\r\n", getTokenName()));
    sb.append(String.format("* Ajax: %s\r\n", isAjaxEnabled()));
    sb.append(String.format("* Rotate: %s\r\n", isRotateEnabled()));
    sb.append(String.format("* TokenPerPage: %s\r\n", isTokenPerPageEnabled()));

    for (IAction action : actions) {
      sb.append(String.format("* Action: %s\r\n", action.getClass().getName()));

      for (String name : action.getParameterMap().keySet()) {
        String value = action.getParameter(name);

        sb.append(String.format("*\tParameter: %s = %s\r\n", name, value));
      }
    }
    sb.append("*****************************************************\r\n");

    return sb.toString();
  }
예제 #2
0
  public boolean isValidRequest(HttpServletRequest request, HttpServletResponse response) {
    boolean valid = !isProtectedPageAndMethod(request);
    HttpSession session = request.getSession(true);
    String tokenFromSession = (String) session.getAttribute(getSessionKey());

    /** sending request to protected resource - verify token * */
    if (tokenFromSession != null && !valid) {
      try {
        if (isAjaxEnabled() && isAjaxRequest(request)) {
          verifyAjaxToken(request);
        } else if (isTokenPerPageEnabled()) {
          verifyPageToken(request);
        } else {
          verifySessionToken(request);
        }
        valid = true;
      } catch (CsrfGuardException csrfe) {
        for (IAction action : getActions()) {
          try {
            action.execute(request, response, csrfe, this);
          } catch (CsrfGuardException exception) {
            getLogger().log(LogLevel.Error, exception);
          }
        }
      }

      /** rotate session and page tokens * */
      if (!isAjaxRequest(request) && isRotateEnabled()) {
        rotateTokens(request);
      }
      /** expected token in session - bad state * */
    } else if ((tokenFromSession == null) && !valid) {
      throw new IllegalStateException(
          "CsrfGuard expects the token to exist in session at this point");
    } else {
      /** unprotected page - nothing to do * */
    }

    return valid;
  }
예제 #3
0
  public static void load(Properties properties)
      throws NoSuchAlgorithmException, InstantiationException, IllegalAccessException,
          ClassNotFoundException, IOException, NoSuchProviderException {
    CsrfGuard csrfGuard = SingletonHolder.instance;

    /** load simple properties * */
    csrfGuard.setLogger(
        (ILogger)
            Class.forName(
                    properties.getProperty(
                        "org.owasp.csrfguard.Logger", "org.owasp.csrfguard.log.ConsoleLogger"))
                .newInstance());
    csrfGuard.setTokenName(
        properties.getProperty("org.owasp.csrfguard.TokenName", "OWASP_CSRFGUARD"));
    csrfGuard.setTokenLength(
        Integer.parseInt(properties.getProperty("org.owasp.csrfguard.TokenLength", "32")));
    csrfGuard.setRotate(
        Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.Rotate", "false")));
    csrfGuard.setTokenPerPage(
        Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.TokenPerPage", "false")));
    csrfGuard.setTokenPerPagePrecreate(
        Boolean.valueOf(
            properties.getProperty("org.owasp.csrfguard.TokenPerPagePrecreate", "false")));
    csrfGuard.setPrng(
        SecureRandom.getInstance(
            properties.getProperty("org.owasp.csrfguard.PRNG", "SHA1PRNG"),
            properties.getProperty("org.owasp.csrfguard.PRNG.Provider", "SUN")));
    csrfGuard.setNewTokenLandingPage(
        properties.getProperty("org.owasp.csrfguard.NewTokenLandingPage"));

    // default to false if newTokenLandingPage is not set; default to true if set.
    if (csrfGuard.getNewTokenLandingPage() == null) {
      csrfGuard.setUseNewTokenLandingPage(
          Boolean.valueOf(
              properties.getProperty("org.owasp.csrfguard.UseNewTokenLandingPage", "false")));
    } else {
      csrfGuard.setUseNewTokenLandingPage(
          Boolean.valueOf(
              properties.getProperty("org.owasp.csrfguard.UseNewTokenLandingPage", "true")));
    }
    csrfGuard.setSessionKey(
        properties.getProperty("org.owasp.csrfguard.SessionKey", "OWASP_CSRFGUARD_KEY"));
    csrfGuard.setAjax(Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.Ajax", "false")));
    csrfGuard.setProtect(
        Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.Protect", "false")));

    /** first pass: instantiate actions * */
    Map<String, IAction> actionsMap = new HashMap<String, IAction>();

    for (Object obj : properties.keySet()) {
      String key = (String) obj;

      if (key.startsWith(ACTION_PREFIX)) {
        String directive = key.substring(ACTION_PREFIX.length());
        int index = directive.indexOf('.');

        /** action name/class * */
        if (index < 0) {
          String actionClass = properties.getProperty(key);
          IAction action = (IAction) Class.forName(actionClass).newInstance();

          action.setName(directive);
          actionsMap.put(action.getName(), action);
          csrfGuard.getActions().add(action);
        }
      }
    }

    /** second pass: initialize action parameters * */
    for (Object obj : properties.keySet()) {
      String key = (String) obj;

      if (key.startsWith(ACTION_PREFIX)) {
        String directive = key.substring(ACTION_PREFIX.length());
        int index = directive.indexOf('.');

        /** action name/class * */
        if (index >= 0) {
          String actionName = directive.substring(0, index);
          IAction action = actionsMap.get(actionName);

          if (action == null) {
            throw new IOException(
                String.format("action class %s has not yet been specified", actionName));
          }

          String parameterName = directive.substring(index + 1);
          String parameterValue = properties.getProperty(key);

          action.setParameter(parameterName, parameterValue);
        }
      }
    }

    /** ensure at least one action was defined * */
    if (csrfGuard.getActions().size() <= 0) {
      throw new IOException("failure to define at least one action");
    }

    /** initialize protected, unprotected pages * */
    for (Object obj : properties.keySet()) {
      String key = (String) obj;

      if (key.startsWith(PROTECTED_PAGE_PREFIX)) {
        String directive = key.substring(PROTECTED_PAGE_PREFIX.length());
        int index = directive.indexOf('.');

        /** page name/class * */
        if (index < 0) {
          String pageUri = properties.getProperty(key);

          csrfGuard.getProtectedPages().add(Pattern.compile(pageUri));
        }
      }

      if (key.startsWith(UNPROTECTED_PAGE_PREFIX)) {
        String directive = key.substring(UNPROTECTED_PAGE_PREFIX.length());
        int index = directive.indexOf('.');

        /** page name/class * */
        if (index < 0) {
          String pageUri = properties.getProperty(key);

          csrfGuard.getUnprotectedPages().add(Pattern.compile(pageUri));
        }
      }
    }

    /** initialize protected methods * */
    String methodList = properties.getProperty("org.owasp.csrfguard.ProtectedMethods");
    if (methodList != null && methodList.trim().length() != 0) {
      for (String method : methodList.split(",")) {
        csrfGuard.getProtectedMethods().add(method.trim());
      }
    }
  }