com.jalios.jcms.servlet

Class SecurityFilter

java.lang.Object

com.jalios.jcms.servlet.JcmsServletFilter

com.jalios.jcms.servlet.SecurityFilter

All Implemented Interfaces:

javax.servlet.Filter

public class SecurityFilter
extends JcmsServletFilter
implements javax.servlet.Filter

ServletFilter to add an additionnal security layer to a JCMS webapp.

When enabled, this filter performs the following checks :

• check the "redirect" parameter value to prevent redirect to external site (phishing)

This filter should be configured first in the list of all filters used on a webapp. Customize this filter configuration in your web.xml:

  <filter>
    <filter-name>securityFilter</filter-name>
    <filter-class>com.jalios.jcms.servlet.SecurityFilter</filter-class>
    <init-param>
      <param-name>enabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <!-- 1. should we filter redirect value ? -->
    <init-param>
      <param-name>filterRedirect</param-name>
      <param-value>true</param-value>
    </init-param>
    <!--
       List of valid redirect start value.
       You should make a combination of all possible: 
        - scheme (http/https)
        - ports (none, 80, 443)
        - domains and ip (jalios.com, www.jalios.com, )
        - path (/)
    -->
    <init-param>
      <param-name>validRedirectURLs</param-name>
      <param-value>
        http://localhost:8080/jcms/
        http://127.0.0.1:8080/jcms/
      </param-value>
    </init-param>
    <!-- List of valid redirect perl5 regular expression pattern. -->
    <init-param>
      <param-name>validRedirectURLsRegexp</param-name>
      <param-value>
        https?://(127\.0\.0\.1|localhost)/jcms/.*
        https?://(127\.0\.0\.1|localhost):(8080|8443)/jcms/.*
      </param-value>
    </init-param>
    
    <!-- 2. should we filter XSS attempts ? -->
    <init-param>
      <param-name>filterXSS</param-name>
      <param-value>true</param-value>
    </init-param>
    <!-- List of params to check for XSS attempts. -->
    <init-param>
      <param-name>paramsToCheckForXSS</param-name>
      <param-value>redirect id portal</param-value>
    </init-param>
    
    <!--
       Optional redirect URL (relative to the webapp or absolute)
       used when security error is detected
    -->
    <init-param>
      <param-name>redirectURL</param-name>
      <param-value>custom/reportSecurityError.jsp</param-value>
    </init-param>
 

And add this filter mapping:

  <filter-mapping>
    <filter-name>securityFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
 

Here is an example of jsp in which you can display informations about the hacking attempt:

  <%@ include file='/jcore/doInitPage.jspf' %>
  <%
    String invalidRedirect = (String) session.getAttribute(SecurityFilter.INVALID_REDIRECT_KEY);
    session.removeAttribute(SecurityFilter.INVALID_REDIRECT_KEY);
    
    String invalidParam = (String) session.getAttribute(SecurityFilter.INVALID_PARAM_KEY);
    session.removeAttribute(SecurityFilter.INVALID_PARAM_KEY);
  %>
  Someone is trying to hack this site.<br />
  redirect: <%= Util.escapeHtml(invalidRedirect) %><br />
  param: <%= Util.escapeHtml(invalidParam) %>
 

Since:

jcms-5.6

Version:

$Revision: 72250 $

Author:

Olivier Jaquemet

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	INVALID_PARAM_KEY session attribute key used when a invalid param is detected
static java.lang.String	INVALID_REDIRECT_KEY session attribute key used when a invalid redirect is detected
static java.lang.String	REVISION

Constructor Summary

Constructors

Constructor and Description
SecurityFilter()

Method Summary

Modifier and Type	Method and Description
void	destroy() Implementation of Filter.destroy() method.
void	doFilter(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, javax.servlet.FilterChain chain) Implementation of Filter.doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain) method.
void	init(javax.servlet.FilterConfig conf) Implementation of Filter.init(javax.servlet.FilterConfig) method.

Methods inherited from class com.jalios.jcms.servlet.JcmsServletFilter

endFilter, initJSONBridge, processFilter

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

REVISION

public static final java.lang.String REVISION

See Also:

Constant Field Values

INVALID_REDIRECT_KEY

public static final java.lang.String INVALID_REDIRECT_KEY

session attribute key used when a invalid redirect is detected

See Also:

Constant Field Values

INVALID_PARAM_KEY

public static final java.lang.String INVALID_PARAM_KEY

session attribute key used when a invalid param is detected

See Also:

Constant Field Values

Constructor Detail

SecurityFilter

public SecurityFilter()

Method Detail

init

public void init(javax.servlet.FilterConfig conf)
          throws javax.servlet.ServletException

Implementation of Filter.init(javax.servlet.FilterConfig) method.

Specified by:

init in interface javax.servlet.Filter

Throws:

javax.servlet.ServletException

destroy

public void destroy()

Implementation of Filter.destroy() method.

Specified by:

destroy in interface javax.servlet.Filter

doFilter

public void doFilter(javax.servlet.ServletRequest req,
                     javax.servlet.ServletResponse res,
                     javax.servlet.FilterChain chain)
              throws java.io.IOException,
                     javax.servlet.ServletException

Implementation of Filter.doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain) method.

Specified by:

doFilter in interface javax.servlet.Filter

Throws:

java.io.IOException

javax.servlet.ServletException