1 | |
|
2 | |
|
3 | |
|
4 | |
|
5 | |
|
6 | |
|
7 | |
|
8 | |
|
9 | |
|
10 | |
|
11 | |
|
12 | |
|
13 | |
|
14 | |
|
15 | |
|
16 | |
|
17 | |
|
18 | |
|
19 | |
|
20 | |
|
21 | |
|
22 | |
|
23 | |
|
24 | |
|
25 | |
|
26 | |
|
27 | |
|
28 | |
|
29 | |
|
30 | |
|
31 | |
|
32 | |
package net.sourceforge.pebble.web.security; |
33 | |
|
34 | |
import net.sourceforge.pebble.Constants; |
35 | |
import net.sourceforge.pebble.domain.AbstractBlog; |
36 | |
import net.sourceforge.pebble.domain.Blog; |
37 | |
import net.sourceforge.pebble.web.action.Action; |
38 | |
import org.apache.commons.codec.binary.Base64; |
39 | |
import org.springframework.stereotype.Component; |
40 | |
|
41 | |
import javax.servlet.http.Cookie; |
42 | |
import javax.servlet.http.HttpServletRequest; |
43 | |
import javax.servlet.http.HttpServletResponse; |
44 | |
import java.net.URLEncoder; |
45 | |
import java.security.MessageDigest; |
46 | |
import java.security.NoSuchAlgorithmException; |
47 | |
import java.security.SecureRandom; |
48 | |
import java.util.*; |
49 | |
|
50 | |
|
51 | |
|
52 | |
|
53 | |
|
54 | |
|
55 | |
@Component |
56 | 4 | public class SecurityTokenValidatorImpl implements SecurityTokenValidator { |
57 | |
|
58 | |
|
59 | |
|
60 | |
|
61 | |
public static final String PEBBLE_SECURITY_TOKEN_PARAMETER = "pebbleSecurityToken"; |
62 | |
|
63 | |
|
64 | |
|
65 | |
|
66 | |
public static final String PEBBLE_SECURITY_SIGNATURE_PARAMETER = "pebbleSecurityHash"; |
67 | |
|
68 | |
|
69 | |
|
70 | |
|
71 | |
private static final String PEBBLE_SECURITY_TOKEN_HEADER = "X-Pebble-Token"; |
72 | |
|
73 | |
|
74 | |
|
75 | |
|
76 | |
private static final String PEBBLE_SECURITY_TOKEN_HEADER_NOCHECK = "nocheck"; |
77 | |
|
78 | |
|
79 | |
|
80 | |
|
81 | 4 | private static final SecureRandom random = new SecureRandom(); |
82 | |
|
83 | |
|
84 | |
|
85 | |
|
86 | |
|
87 | |
|
88 | |
|
89 | |
|
90 | |
|
91 | |
|
92 | |
public boolean validateSecurityToken(HttpServletRequest request, HttpServletResponse response, Action action) { |
93 | |
|
94 | 0 | String token = ensureSecurityTokenExists(request, response); |
95 | 0 | if (shouldValidate(action, request)) { |
96 | |
|
97 | |
|
98 | 0 | if (PEBBLE_SECURITY_TOKEN_HEADER_NOCHECK.equals(request.getHeader(PEBBLE_SECURITY_TOKEN_HEADER))) { |
99 | 0 | return true; |
100 | |
} |
101 | |
|
102 | 0 | String requestToken = request.getParameter(PEBBLE_SECURITY_TOKEN_PARAMETER); |
103 | |
|
104 | 0 | if (token.equals(requestToken)) { |
105 | 0 | return true; |
106 | |
} |
107 | |
|
108 | 0 | return validateSignedRequest(request); |
109 | |
} else { |
110 | 0 | return true; |
111 | |
} |
112 | |
} |
113 | |
|
114 | |
private boolean shouldValidate(Action action, HttpServletRequest request) { |
115 | 0 | RequireSecurityToken annotation = action.getClass().getAnnotation(RequireSecurityToken.class); |
116 | 0 | if (annotation != null) { |
117 | |
|
118 | 0 | Class<? extends SecurityTokenValidatorCondition> condition = annotation.value(); |
119 | 0 | if (condition != null && condition != NullSecurityTokenValidatorCondition.class) { |
120 | |
|
121 | |
try { |
122 | 0 | return condition.newInstance().shouldValidate(request); |
123 | 0 | } catch (IllegalAccessException iae) { |
124 | 0 | throw new RuntimeException("Could not instantiate " + condition); |
125 | 0 | } catch (InstantiationException ie) { |
126 | 0 | throw new RuntimeException("Could not instantiate " + condition); |
127 | |
} |
128 | |
} |
129 | |
|
130 | 0 | return true; |
131 | |
} else { |
132 | |
|
133 | 0 | return false; |
134 | |
} |
135 | |
} |
136 | |
|
137 | |
private String ensureSecurityTokenExists(HttpServletRequest request, HttpServletResponse response) { |
138 | 0 | String token = (String) request.getAttribute(PEBBLE_SECURITY_TOKEN_PARAMETER); |
139 | 0 | if (token != null) { |
140 | |
|
141 | 0 | return token; |
142 | |
} |
143 | 0 | Cookie[] cookies = request.getCookies(); |
144 | 0 | if (cookies != null) { |
145 | 0 | for (Cookie cookie : cookies) { |
146 | 0 | if (PEBBLE_SECURITY_TOKEN_PARAMETER.equals(cookie.getName())) { |
147 | 0 | token = cookie.getValue(); |
148 | |
} |
149 | |
} |
150 | |
} |
151 | |
|
152 | 0 | if (token == null) { |
153 | 0 | String contextPath = request.getContextPath(); |
154 | |
|
155 | 0 | if (contextPath == null || contextPath.length() == 0) { |
156 | 0 | contextPath = "/"; |
157 | |
} |
158 | 0 | token = ""; |
159 | 0 | while (token.length() < 12) { |
160 | 0 | token += Long.toHexString(random.nextLong()); |
161 | |
} |
162 | |
|
163 | 0 | Cookie cookie = new Cookie(PEBBLE_SECURITY_TOKEN_PARAMETER, token); |
164 | |
|
165 | 0 | cookie.setMaxAge(-1); |
166 | 0 | cookie.setPath(contextPath); |
167 | 0 | response.addCookie(cookie); |
168 | |
} |
169 | |
|
170 | 0 | request.setAttribute(PEBBLE_SECURITY_TOKEN_PARAMETER, token); |
171 | 0 | return token; |
172 | |
} |
173 | |
|
174 | |
private boolean validateSignedRequest(HttpServletRequest request) { |
175 | 0 | String requestHash = request.getParameter(PEBBLE_SECURITY_SIGNATURE_PARAMETER); |
176 | 0 | if (requestHash != null) { |
177 | 0 | AbstractBlog blog = (AbstractBlog) request.getAttribute(Constants.BLOG_KEY); |
178 | 0 | if (blog instanceof Blog) { |
179 | 0 | String salt = ((Blog) blog).getXsrfSigningSalt(); |
180 | |
|
181 | 0 | String servletPath = request.getServletPath(); |
182 | 0 | if (servletPath.startsWith("/")) { |
183 | 0 | servletPath = servletPath.substring(1); |
184 | |
} |
185 | 0 | String hash = hashRequest(servletPath, request.getParameterMap(), salt); |
186 | 0 | return hash.equals(requestHash); |
187 | |
} |
188 | |
} |
189 | 0 | return false; |
190 | |
} |
191 | |
|
192 | |
|
193 | |
|
194 | |
|
195 | |
|
196 | |
|
197 | |
|
198 | |
|
199 | |
|
200 | |
public String hashRequest(String servletPath, Map<String, String[]> params, String salt) { |
201 | 12 | List<String> keys = new ArrayList<String>(params.keySet()); |
202 | 12 | Collections.sort(keys); |
203 | |
|
204 | |
MessageDigest digest; |
205 | |
try { |
206 | 12 | digest = MessageDigest.getInstance("MD5"); |
207 | 0 | } catch (NoSuchAlgorithmException e) { |
208 | 0 | throw new RuntimeException(e); |
209 | 12 | } |
210 | 12 | digest.update(servletPath.getBytes()); |
211 | 12 | digest.update((byte) '?'); |
212 | 12 | boolean start = true; |
213 | 12 | for (String key : keys) { |
214 | 24 | if (!key.equals(PEBBLE_SECURITY_SIGNATURE_PARAMETER)) { |
215 | 48 | for (String value : params.get(key)) { |
216 | 24 | if (!start) { |
217 | 12 | digest.update((byte) '&'); |
218 | |
} |
219 | 24 | start = false; |
220 | 24 | digest.update(key.getBytes()); |
221 | 24 | digest.update((byte) '='); |
222 | 24 | digest.update(value.getBytes()); |
223 | |
} |
224 | |
} |
225 | |
} |
226 | 12 | digest.update(salt.getBytes()); |
227 | 12 | byte[] hash = digest.digest(); |
228 | 12 | return new String(Base64.encodeBase64(hash, false)); |
229 | |
} |
230 | |
|
231 | |
|
232 | |
|
233 | |
|
234 | |
|
235 | |
|
236 | |
|
237 | |
|
238 | |
public String generateSignedQueryString(String servletPath, Map<String, String[]> params, String salt) { |
239 | 0 | String hash = hashRequest(servletPath, params, salt); |
240 | 0 | StringBuilder url = new StringBuilder(servletPath); |
241 | 0 | String sep = "?"; |
242 | 0 | for (Map.Entry<String, String[]> param : params.entrySet()) { |
243 | 0 | for (String value : param.getValue()) { |
244 | 0 | url.append(sep); |
245 | 0 | sep = "&"; |
246 | 0 | url.append(URLEncoder.encode(param.getKey())); |
247 | 0 | url.append("="); |
248 | 0 | url.append(URLEncoder.encode(value)); |
249 | |
} |
250 | |
} |
251 | 0 | url.append(sep).append(PEBBLE_SECURITY_SIGNATURE_PARAMETER).append("=").append(URLEncoder.encode(hash)); |
252 | 0 | return url.toString(); |
253 | |
} |
254 | |
|
255 | |
} |