Package com.jalios.jcms.servlet

Class SecurityFilter

  • All Implemented Interfaces:
    javax.servlet.Filter
    public class SecurityFilter
extends JcmsServletFilter
implements javax.servlet.Filter
    ServletFilter to add an additionnal security layer to a JCMS webapp.

    When enabled, this filter performs the following checks :
    • check the "redirect" parameter value to prevent redirect to external site (phishing)

    This filter should be configured first in the list of all filters used on a webapp. Customize this filter configuration in your web.xml: 
     
  <filter>
    <filter-name>securityFilter</filter-name>
    <filter-class>com.jalios.jcms.servlet.SecurityFilter</filter-class>
    <init-param>
      <param-name>enabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <!-- 1. should we filter redirect value ? -->
    <init-param>
      <param-name>filterRedirect</param-name>
      <param-value>true</param-value>
    </init-param>
    <!--
       List of valid redirect start value.
       You should make a combination of all possible: 
        - scheme (http/https)
        - ports (none, 80, 443)
        - domains and ip (jalios.com, www.jalios.com, )
        - path (/)
    -->
    <init-param>
      <param-name>validRedirectURLs</param-name>
      <param-value>
        http://localhost:8080/jcms/
        http://127.0.0.1:8080/jcms/
      </param-value>
    </init-param>
    <!-- List of valid redirect perl5 regular expression pattern. -->
    <init-param>
      <param-name>validRedirectURLsRegexp</param-name>
      <param-value>
        https?://(127\.0\.0\.1|localhost)/jcms/.*
        https?://(127\.0\.0\.1|localhost):(8080|8443)/jcms/.*
      </param-value>
    </init-param>
    
    <!-- 2. should we filter XSS attempts ? -->
    <init-param>
      <param-name>filterXSS</param-name>
      <param-value>true</param-value>
    </init-param>
    <!-- List of params to check for XSS attempts. -->
    <init-param>
      <param-name>paramsToCheckForXSS</param-name>
      <param-value>redirect id portal</param-value>
    </init-param>
    
    <!--
       Optional redirect URL (relative to the webapp or absolute)
       used when security error is detected
    -->
    <init-param>
      <param-name>redirectURL</param-name>
      <param-value>custom/reportSecurityError.jsp</param-value>
    </init-param>
    And add this filter mapping: 
     
  <filter-mapping>
    <filter-name>securityFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
    Here is an example of jsp in which you can display informations about the hacking attempt: 
     
  <%@ include file='/jcore/doInitPage.jspf' %>
  <%
    String invalidRedirect = (String) session.getAttribute(SecurityFilter.INVALID_REDIRECT_KEY);
    session.removeAttribute(SecurityFilter.INVALID_REDIRECT_KEY);
    
    String invalidParam = (String) session.getAttribute(SecurityFilter.INVALID_PARAM_KEY);
    session.removeAttribute(SecurityFilter.INVALID_PARAM_KEY);
  %>
  Someone is trying to hack this site.<br />
  redirect: <%= Util.escapeHtml(invalidRedirect) %><br />
  param: <%= Util.escapeHtml(invalidParam) %>
    Since:
    jcms-5.6
    Author:
    Olivier Jaquemet

    • Field Summary

      Fields 
      Modifier and Type Field Description
      static java.lang.String INVALID_PARAM_KEY
      session attribute key used when a invalid param is detected
      static java.lang.String INVALID_REDIRECT_KEY
      session attribute key used when a invalid redirect is detected

    • Constructor Summary

      Constructors 
      Constructor Description
      SecurityFilter()  

    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      void destroy()
      Implementation of Filter.destroy() method.
      void doFilter​(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, javax.servlet.FilterChain chain)
      Implementation of Filter.doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain) method.
      void init​(javax.servlet.FilterConfig conf)
      Implementation of Filter.init(javax.servlet.FilterConfig) method.

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Field Detail

      • INVALID_REDIRECT_KEY

        public static final java.lang.String INVALID_REDIRECT_KEY
        session attribute key used when a invalid redirect is detected
        See Also:
        Constant Field Values

      • INVALID_PARAM_KEY

        public static final java.lang.String INVALID_PARAM_KEY
        session attribute key used when a invalid param is detected
        See Also:
        Constant Field Values

    • Constructor Detail

      • SecurityFilter

        public SecurityFilter()

    • Method Detail

      • init

        public void init​(javax.servlet.FilterConfig conf)
          throws javax.servlet.ServletException
        Implementation of Filter.init(javax.servlet.FilterConfig) method.
        Specified by:
        init in interface javax.servlet.Filter
        Throws:
        javax.servlet.ServletException

      • destroy

        public void destroy()
        Implementation of Filter.destroy() method.
        Specified by:
        destroy in interface javax.servlet.Filter

      • doFilter

        public void doFilter​(javax.servlet.ServletRequest req,
                     javax.servlet.ServletResponse res,
                     javax.servlet.FilterChain chain)
              throws java.io.IOException,
                     javax.servlet.ServletException
        Implementation of Filter.doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain) method.
        Specified by:
        doFilter in interface javax.servlet.Filter
        Throws:
        java.io.IOException
        javax.servlet.ServletException