Class RestCsrfPreventionFilter
java.lang.Object
org.apache.hadoop.hbase.rest.filter.RestCsrfPreventionFilter
- All Implemented Interfaces:
javax.servlet.Filter
This filter provides protection against cross-site request forgery (CSRF) attacks for REST APIs.
Enabling this filter on an endpoint requires all clients to send a particular (configurable) HTTP
header with every request. In the absence of this header the filter rejects the attempt as a bad
request.
-
Nested Class Summary
- static interface RestCsrfPreventionFilter.HttpInteraction: Defines the minimal API requirements for the filter to execute its filtering logic.
- private static final class: RestCsrfPreventionFilter.HttpInteraction implementation for use in the servlet filter.
-
Field Summary
-
Constructor Summary
-
Method Summary
- void destroy()
- void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
- static Map<String,String> getFilterParams(org.apache.hadoop.conf.Configuration conf, String confPrefix): Constructs a mapping of configuration properties to be used for filter initialization.
- void handleHttpInteraction(RestCsrfPreventionFilter.HttpInteraction httpInteraction): Handles a RestCsrfPreventionFilter.HttpInteraction by applying the filtering logic.
- void init(javax.servlet.FilterConfig filterConfig)
- protected boolean isBrowser(String userAgent): This method interrogates the User-Agent String and returns whether it refers to a browser.
- (package private) void parseBrowserUserAgents(String userAgents)
- (package private) void parseMethodsToIgnore
-
Field Details
- LOG
- HEADER_USER_AGENT
- BROWSER_USER_AGENT_PARAM
- CUSTOM_HEADER_PARAM
- CUSTOM_METHODS_TO_IGNORE_PARAM
- BROWSER_USER_AGENTS_DEFAULT
- HEADER_DEFAULT
- METHODS_TO_IGNORE_DEFAULT
- headerName
- methodsToIgnore
- browserUserAgents
-
Constructor Details
-
RestCsrfPreventionFilter
public RestCsrfPreventionFilter()
-
-
Method Details
-
init
- Specified by: init in interface javax.servlet.Filter
-
parseBrowserUserAgents
-
parseMethodsToIgnore
-
isBrowser
This method interrogates the User-Agent String and returns whether it refers to a browser. If it is not a browser, the requirement for the CSRF header is not enforced; if it is a browser, the requirement is enforced. A User-Agent String is considered to be a browser if it matches any of the regex patterns from browser-useragent-regex; the default behavior is to consider everything a browser that matches the following: "^Mozilla.*,^Opera.*". Subclasses can optionally override this method to use different behavior.
- Parameters:
userAgent - The User-Agent String, or null if there isn't one
- Returns:
true if the User-Agent String refers to a browser, false if not
-
handleHttpInteraction
public void handleHttpInteraction(RestCsrfPreventionFilter.HttpInteraction httpInteraction) throws IOException, javax.servlet.ServletException
Handles a RestCsrfPreventionFilter.HttpInteraction by applying the filtering logic.
- Parameters:
httpInteraction - caller's HTTP interaction
- Throws:
IOException - if there is an I/O error
javax.servlet.ServletException - if the implementation relies on the servlet API and a servlet API call has failed
-
doFilter
public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
- Specified by: doFilter in interface javax.servlet.Filter
- Throws:
IOException
javax.servlet.ServletException
-
destroy
- Specified by: destroy in interface javax.servlet.Filter
-
getFilterParams
public static Map<String,String> getFilterParams(org.apache.hadoop.conf.Configuration conf, String confPrefix)
Constructs a mapping of configuration properties to be used for filter initialization. The mapping includes all properties that start with the specified configuration prefix. Property names in the mapping are trimmed to remove the configuration prefix.
- Parameters:
conf - configuration to read
confPrefix - configuration prefix
- Returns:
mapping of configuration properties to be used for filter initialization
-
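The following is an added example, not HBase's own code, that models the decision this Javadoc describes for isBrowser, handleHttpInteraction and getFilterParams in a servlet-free form so it can be compiled and run on its own. The Interaction class is a constructed stand-in for RestCsrfPreventionFilter.HttpInteraction, getFilterParams takes a plain Map in place of the Hadoop Configuration, and the property keys "custom-header" and "methods-to-ignore", the header and method defaults, and the "hbase.rest.csrf." prefix used in main are assumptions of this example; only the browser-useragent-regex key and its "^Mozilla.*,^Opera.*" default come from the page.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not HBase's own code: a servlet-free model of the documented
// filtering decision so the behaviour can be exercised on its own.
public class CsrfFilterExample {

    // Constructed stand-in for RestCsrfPreventionFilter.HttpInteraction.
    static final class Interaction {
        final String method;
        final String userAgent;              // may be null, as the Javadoc allows
        final Map<String, String> headers;   // request headers, name -> value

        Interaction(String method, String userAgent, Map<String, String> headers) {
            this.method = method;
            this.userAgent = userAgent;
            this.headers = headers;
        }
    }

    // Mirrors getFilterParams: keep properties carrying the prefix, strip the prefix.
    static Map<String, String> getFilterParams(Map<String, String> conf, String confPrefix) {
        Map<String, String> params = new HashMap<>();
        for (Map.Entry<String, String> e : conf.entrySet()) {
            if (e.getKey().startsWith(confPrefix)) {
                params.put(e.getKey().substring(confPrefix.length()), e.getValue());
            }
        }
        return params;
    }

    private final String headerName;
    private final Set<String> methodsToIgnore;
    private final List<Pattern> browserUserAgents;

    // The "custom-header" and "methods-to-ignore" keys and their defaults are assumptions
    // of this example; "browser-useragent-regex" and "^Mozilla.*,^Opera.*" are from the Javadoc.
    CsrfFilterExample(Map<String, String> params) {
        headerName = params.getOrDefault("custom-header", "X-EXAMPLE-CSRF-HEADER");
        methodsToIgnore = new HashSet<>(
            Arrays.asList(params.getOrDefault("methods-to-ignore", "GET,OPTIONS,HEAD").split(",")));
        browserUserAgents = new ArrayList<>();
        String regexes = params.getOrDefault("browser-useragent-regex", "^Mozilla.*,^Opera.*");
        for (String regex : regexes.split(",")) {
            browserUserAgents.add(Pattern.compile(regex.trim()));
        }
    }

    // isBrowser: a User-Agent counts as a browser if it matches any configured pattern.
    // A missing User-Agent is treated as "not a browser" here (this example's choice).
    boolean isBrowser(String userAgent) {
        if (userAgent == null) {
            return false;
        }
        for (Pattern p : browserUserAgents) {
            if (p.matcher(userAgent).matches()) {
                return true;
            }
        }
        return false;
    }

    // handleHttpInteraction: returns the HTTP status to answer with, or 0 to let the
    // request continue down the filter chain.
    int handle(Interaction i) {
        if (methodsToIgnore.contains(i.method)) {
            return 0;     // ignored method, header never required
        }
        if (!isBrowser(i.userAgent)) {
            return 0;     // non-browser client, requirement not enforced
        }
        if (i.headers.get(headerName) != null) {
            return 0;     // browser supplied the configured header
        }
        return 400;       // browser, non-ignored method, header absent: bad request
    }

    public static void main(String[] args) {
        // Constructed configuration; the prefix and values are illustrative only.
        Map<String, String> conf = new HashMap<>();
        conf.put("hbase.rest.csrf.custom-header", "X-EXAMPLE-CSRF-HEADER");
        conf.put("hbase.rest.csrf.methods-to-ignore", "GET,OPTIONS,HEAD,TRACE");
        conf.put("unrelated.property", "dropped by the prefix filter");
        CsrfFilterExample filter = new CsrfFilterExample(getFilterParams(conf, "hbase.rest.csrf."));

        Map<String, String> withHeader = new HashMap<>();
        withHeader.put("X-EXAMPLE-CSRF-HEADER", "1");
        Map<String, String> noHeader = new HashMap<>();

        System.out.println(filter.handle(new Interaction("GET", "Mozilla/5.0", noHeader)));    // 0: ignored method
        System.out.println(filter.handle(new Interaction("PUT", "Mozilla/5.0", noHeader)));    // 400: browser, no header
        System.out.println(filter.handle(new Interaction("PUT", "Mozilla/5.0", withHeader)));  // 0: header present
        System.out.println(filter.handle(new Interaction("PUT", "curl/8.0", noHeader)));       // 0: not a browser
        System.out.println(filter.handle(new Interaction("POST", null, noHeader)));            // 0: no User-Agent
    }
}
```

The check order matters for the same reason it does in the real filter: the method list is consulted first so that read-only methods are never blocked, and the browser test gates enforcement because a non-browser client (a script or service) cannot be tricked by a cross-site form post in the way a browser can, which is why the header is only demanded from User-Agents matching the configured patterns.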