RestCsrfPreventionFilter (Apache HBase 2.2.3 API)

java.lang.Object
- org.apache.hadoop.hbase.rest.filter.RestCsrfPreventionFilter

All Implemented Interfaces:

javax.servlet.Filter
```
@InterfaceAudience.Public
public class RestCsrfPreventionFilter
extends Object
implements javax.servlet.Filter
```
This filter provides protection against cross site request forgery (CSRF) attacks for REST APIs. Enabling this filter on an endpoint results in the requirement of all client to send a particular (configurable) HTTP header with every request. In the absense of this header the filter will reject the attempt as a bad request.

Nested Class Summary

Nested Classes
Modifier and Type	Class and Description
`static interface`	`RestCsrfPreventionFilter.HttpInteraction` Defines the minimal API requirements for the filter to execute its filtering logic.
`private static class`	`RestCsrfPreventionFilter.ServletFilterHttpInteraction` `RestCsrfPreventionFilter.HttpInteraction` implementation for use in the servlet filter.

Field Summary

Fields
Modifier and Type	Field and Description
`static String`	`BROWSER_USER_AGENT_PARAM`
`(package private) static String`	`BROWSER_USER_AGENTS_DEFAULT`
`private Set<Pattern>`	`browserUserAgents`
`static String`	`CUSTOM_HEADER_PARAM`
`static String`	`CUSTOM_METHODS_TO_IGNORE_PARAM`
`static String`	`HEADER_DEFAULT`
`static String`	`HEADER_USER_AGENT`
`private String`	`headerName`
`private static org.slf4j.Logger`	`LOG`
`(package private) static String`	`METHODS_TO_IGNORE_DEFAULT`
`private Set<String>`	`methodsToIgnore`

Constructor Summary

Constructors
Constructor and Description

RestCsrfPreventionFilter()

Constructors
Constructor and Description
`RestCsrfPreventionFilter()`

Method Summary

All Methods Static Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`void`	`destroy()`
`void`	`doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)`
`static Map<String,String>`	`getFilterParams(org.apache.hadoop.conf.Configuration conf, String confPrefix)` Constructs a mapping of configuration properties to be used for filter initialization.
`void`	`handleHttpInteraction(RestCsrfPreventionFilter.HttpInteraction httpInteraction)` Handles an `RestCsrfPreventionFilter.HttpInteraction` by applying the filtering logic.
`void`	`init(javax.servlet.FilterConfig filterConfig)`
`protected boolean`	`isBrowser(String userAgent)` This method interrogates the User-Agent String and returns whether it refers to a browser.
`(package private) void`	`parseBrowserUserAgents(String userAgents)`
`(package private) void`	`parseMethodsToIgnore(String mti)`

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - LOG
```
private static final org.slf4j.Logger LOG
```
  - HEADER_USER_AGENT
```
public static final String HEADER_USER_AGENT
```
    See Also:
    
    Constant Field Values
  - BROWSER_USER_AGENT_PARAM
```
public static final String BROWSER_USER_AGENT_PARAM
```
    See Also:
    
    Constant Field Values
  - CUSTOM_HEADER_PARAM
```
public static final String CUSTOM_HEADER_PARAM
```
    See Also:
    
    Constant Field Values
  - CUSTOM_METHODS_TO_IGNORE_PARAM
```
public static final String CUSTOM_METHODS_TO_IGNORE_PARAM
```
    See Also:
    
    Constant Field Values
  - BROWSER_USER_AGENTS_DEFAULT
```
static final String BROWSER_USER_AGENTS_DEFAULT
```
    See Also:
    
    Constant Field Values
  - HEADER_DEFAULT
```
public static final String HEADER_DEFAULT
```
    See Also:
    
    Constant Field Values
  - METHODS_TO_IGNORE_DEFAULT
```
static final String METHODS_TO_IGNORE_DEFAULT
```
    See Also:
    
    Constant Field Values
  - headerName
```
private String headerName
```
  - methodsToIgnore
```
private Set<String> methodsToIgnore
```
  - browserUserAgents
```
private Set<Pattern> browserUserAgents
```
- Constructor Detail
  - RestCsrfPreventionFilter
```
public RestCsrfPreventionFilter()
```
- Method Detail
  - init
```
public void init(javax.servlet.FilterConfig filterConfig)
          throws javax.servlet.ServletException
```
    Specified by:
    
    init in interface javax.servlet.Filter
    
    Throws:
    
    javax.servlet.ServletException
  - parseBrowserUserAgents
```
void parseBrowserUserAgents(String userAgents)
```
  - parseMethodsToIgnore
```
void parseMethodsToIgnore(String mti)
```
  - isBrowser
```
protected boolean isBrowser(String userAgent)
```
    This method interrogates the User-Agent String and returns whether it refers to a browser. If its not a browser, then the requirement for the CSRF header will not be enforced; if it is a browser, the requirement will be enforced.
    A User-Agent String is considered to be a browser if it matches any of the regex patterns from browser-useragent-regex; the default behavior is to consider everything a browser that matches the following: "^Mozilla.*,^Opera.*". Subclasses can optionally override this method to use different behavior.
    
    Parameters:
    
    userAgent - The User-Agent String, or null if there isn't one
    
    Returns:
    
    true if the User-Agent String refers to a browser, false if not
  - handleHttpInteraction
```
public void handleHttpInteraction(RestCsrfPreventionFilter.HttpInteraction httpInteraction)
                           throws IOException,
                                  javax.servlet.ServletException
```
    Handles an RestCsrfPreventionFilter.HttpInteraction by applying the filtering logic.
    
    Parameters:
    
    httpInteraction - caller's HTTP interaction
    
    Throws:
    
    IOException - if there is an I/O error
    
    javax.servlet.ServletException - if the implementation relies on the servlet API and a servlet API call has failed
  - doFilter
```
public void doFilter(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException
```
    Specified by:
    
    doFilter in interface javax.servlet.Filter
    
    Throws:
    
    IOException
    
    javax.servlet.ServletException
  - destroy
```
public void destroy()
```
    Specified by:
    
    destroy in interface javax.servlet.Filter
  - getFilterParams
```
public static Map<String,String> getFilterParams(org.apache.hadoop.conf.Configuration conf,
                                                 String confPrefix)
```
    Constructs a mapping of configuration properties to be used for filter initialization. The mapping includes all properties that start with the specified configuration prefix. Property names in the mapping are trimmed to remove the configuration prefix.
    
    Parameters:
    
    conf - configuration to read
    
    confPrefix - configuration prefix
    
    Returns:
    
    mapping of configuration properties to be used for filter initialization

Class RestCsrfPreventionFilter

Nested Class Summary

Field Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Field Detail

LOG

HEADER_USER_AGENT

BROWSER_USER_AGENT_PARAM

CUSTOM_HEADER_PARAM

CUSTOM_METHODS_TO_IGNORE_PARAM

BROWSER_USER_AGENTS_DEFAULT

HEADER_DEFAULT

METHODS_TO_IGNORE_DEFAULT

headerName

methodsToIgnore

browserUserAgents

Constructor Detail

RestCsrfPreventionFilter

Method Detail

init

parseBrowserUserAgents

parseMethodsToIgnore

isBrowser

handleHttpInteraction

doFilter

destroy

getFilterParams