
@shimarin
Last active August 29, 2015 13:55


  1. shimarin revised this gist Jan 31, 2014. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion AntiXSRFFilter.java
    @@ -41,7 +41,7 @@ public void doFilter(ServletRequest _request, ServletResponse _response,
    String header = request.getHeader("X-XSRF-TOKEN");
    if (session == null || header == null || !header.equals(session.getId())) {
    // It's possibly a cross site request
    ((HttpServletResponse)response).sendError(HttpServletResponse.SC_FORBIDDEN, "Token mismatch");
    response.sendError(HttpServletResponse.SC_FORBIDDEN, "Token mismatch");
    return;
    }
    }
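Review bot: The condition on the `if` line still verifies the request by comparing the `X-XSRF-TOKEN` header against `session.getId()`, which this cast cleanup leaves in place; the same compare is in the revision 2 hunk and in the initial revision. The initial revision also copies that session ID into a JavaScript-readable `XSRF-TOKEN` cookie, so the container's session identifier ends up outside whatever HttpOnly protection the session cookie itself has. Verifying against an independent random value kept as a session attribute avoids that: `String expected = session == null ? null : (String) session.getAttribute("xsrfToken");` followed by `if (expected == null || header == null || !MessageDigest.isEqual(header.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8)))` (attribute name constructed; the matching issuance belongs where the cookie is created). doFilter starts and ends outside this hunk.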
  2. shimarin revised this gist Jan 31, 2014. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion AntiXSRFFilter.java
    @@ -40,7 +40,7 @@ public void doFilter(ServletRequest _request, ServletResponse _response,
    HttpSession session = request.getSession(false);
    String header = request.getHeader("X-XSRF-TOKEN");
    if (session == null || header == null || !header.equals(session.getId())) {
    // else it's possibly a cross site request
    // It's possibly a cross site request
    ((HttpServletResponse)response).sendError(HttpServletResponse.SC_FORBIDDEN, "Token mismatch");
    return;
    }
  3. shimarin revised this gist Jan 31, 2014. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions AntiXSRFFilter.java
    @@ -46,6 +46,7 @@ public void doFilter(ServletRequest _request, ServletResponse _response,
    }
    }

    response.addHeader("X-Content-Type-Options", "nosniff");
    Cookie cookie = new Cookie("XSRF-TOKEN",request.getSession(true).getId());
    cookie.setPath(request.getContextPath());
    response.addCookie(cookie);
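Review bot: The new `addHeader` call appends rather than sets, so if the application or a downstream filter also emits `X-Content-Type-Options` the response carries the header twice; `response.setHeader("X-Content-Type-Options", "nosniff");` is idempotent and conveys the same intent. The header is also only reached after the token check passes, so the 403 path visible in the initial revision (`sendError` earlier in doFilter) goes out without it — if that error body should be covered too, set the header before the method check. doFilter starts and ends outside this hunk.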
  4. shimarin revised this gist Jan 31, 2014. 1 changed file with 0 additions and 1 deletion.
    1 change: 0 additions & 1 deletion AntiXSRFFilter.java
    @@ -29,7 +29,6 @@ public void init(FilterConfig filterConfig) throws ServletException {
    if (methodsToBeProtected != null) {
    this.methodsToBeProtected = methodsToBeProtected.split("\\s*,\\s*");
    }
    for (String m:this.methodsToBeProtected) System.out.println(m);
    }

    @Override
  5. shimarin created this gist Jan 31, 2014.
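--- a/AntiXSRFFilter.java
+++ b/AntiXSRFFilter.java
@@ -0,0 +1,60 @@
+package com.walbrix.servlet;
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+public class AntiXSRFFilter implements Filter {
+private String[] methodsToBeProtected = new String[] {"POST","DELETE","PUT"};
+
+private boolean isMethodToBeProtected(String method)
+{
+for (String m:this.methodsToBeProtected) {
+if (m.equals(method)) return true;
+}
+return false;
+}
+
+@Override
+public void init(FilterConfig filterConfig) throws ServletException {
+String methodsToBeProtected = filterConfig.getInitParameter("methodsToBeProtected");
+if (methodsToBeProtected != null) {
+this.methodsToBeProtected = methodsToBeProtected.split("\\s*,\\s*");
+}
+for (String m:this.methodsToBeProtected) System.out.println(m);
+}
+
+@Override
+public void doFilter(ServletRequest _request, ServletResponse _response,
+FilterChain chain) throws IOException, ServletException {
+HttpServletRequest request = (HttpServletRequest) _request;
+HttpServletResponse response = (HttpServletResponse) _response;
+if (isMethodToBeProtected(request.getMethod())) {
+HttpSession session = request.getSession(false);
+String header = request.getHeader("X-XSRF-TOKEN");
+if (session == null || header == null || !header.equals(session.getId())) {
+// else it's possibly a cross site request
+((HttpServletResponse)response).sendError(HttpServletResponse.SC_FORBIDDEN, "Token mismatch");
+return;
+}
+}
+
+Cookie cookie = new Cookie("XSRF-TOKEN",request.getSession(true).getId());
+cookie.setPath(request.getContextPath());
+response.addCookie(cookie);
+
+chain.doFilter(request, response);
+}
+
+@Override
+public void destroy() {
+}
+}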
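Review bot: The cookie written at `new Cookie("XSRF-TOKEN", request.getSession(true).getId())` publishes the servlet session ID in a cookie that client-side script has to read, so the session identifier is exposed to any script running on the page regardless of how the container protects its own session cookie. A token that is random but unrelated to the session ID gives the same double-submit check without that exposure: mint it once per session with a `SecureRandom`, keep it as a session attribute, and have the compare in the `if` above read that attribute instead of `session.getId()`. The cookie is also issued without `setSecure`, so over plain HTTP it is readable on the wire; `cookie.setSecure(request.isSecure())` limits that. Note `setPath(request.getContextPath())` yields an empty path when the application is deployed as the root context — worth checking the resulting Set-Cookie in that deployment. The rewrite below assumes a `private static final SecureRandom RANDOM` field and a `TOKEN_ATTRIBUTE` name constant (constructed names) plus imports for `java.math.BigInteger` and `java.security.SecureRandom`.
```java
// … unchanged: cast of request/response and the protected-method check …
HttpSession session = request.getSession(true);
String token = (String) session.getAttribute(TOKEN_ATTRIBUTE);
if (token == null) {
    byte[] raw = new byte[32];
    RANDOM.nextBytes(raw);
    token = new BigInteger(1, raw).toString(16);
    session.setAttribute(TOKEN_ATTRIBUTE, token);
}
Cookie cookie = new Cookie("XSRF-TOKEN", token);
cookie.setPath(request.getContextPath());
cookie.setSecure(request.isSecure());
response.addCookie(cookie);
// … unchanged: chain.doFilter(request, response) …
```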
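--- a/web.xml
+++ b/web.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">
+
+<filter>
+<filter-name>AntiXSRFFilter</filter-name>
+<filter-class>com.walbrix.servlet.AntiXSRFFilter</filter-class>
+</filter>
+
+<filter-mapping>
+<filter-name>AntiXSRFFilter</filter-name>
+<url-pattern>/api/*</url-pattern>
+</filter-mapping>
+
+</web-app>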
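Review bot: The `<filter-mapping>` on `/api/*` has no `<dispatcher>` element, so under the 2.4 schema the filter runs for direct client requests only; a `forward` or `include` from elsewhere in the application onto an `/api/*` path reaches the servlet without the token check. Whether the application performs such internal dispatches is not visible here; if it does, add `<dispatcher>REQUEST</dispatcher>` and `<dispatcher>FORWARD</dispatcher>` to the mapping so the coverage is explicit.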