com.jalios.jcms.servlet
Class SecurityFilter

java.lang.Object
  extended by com.jalios.jcms.servlet.JcmsServletFilter
      extended by com.jalios.jcms.servlet.SecurityFilter
All Implemented Interfaces:
javax.servlet.Filter

public class SecurityFilter
extends JcmsServletFilter
implements javax.servlet.Filter

ServletFilter to add an additional security layer to a JCMS webapp.

When enabled, this filter performs the following checks:
  1. redirect filtering (filterRedirect): the redirect value must start with one of the validRedirectURLs entries or match one of the validRedirectURLsRegexp patterns;
  2. XSS filtering (filterXSS): each parameter listed in paramsToCheckForXSS is checked for XSS attempts.
When a check fails, the offending value is stored in the session under INVALID_REDIRECT_KEY or INVALID_PARAM_KEY, and the optional redirectURL is used to report the error.

This filter should be configured first in the list of all filters used on a webapp. Customize this filter configuration in your web.xml:
  <filter>
    <filter-name>securityFilter</filter-name>
    <filter-class>com.jalios.jcms.servlet.SecurityFilter</filter-class>
    <init-param>
      <param-name>enabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <!-- 1. should we filter redirect value ? -->
    <init-param>
      <param-name>filterRedirect</param-name>
      <param-value>true</param-value>
    </init-param>
    <!--
       List of valid redirect start values (prefixes).
       You should list every combination of:
        - scheme (http/https)
        - ports (none, 80, 443)
        - domains and ip (jalios.com, www.jalios.com, )
        - path (/)
    -->
    <init-param>
      <param-name>validRedirectURLs</param-name>
      <param-value>
        http://localhost:8080/jcms/
        http://127.0.0.1:8080/jcms/
      </param-value>
    </init-param>
    <!-- List of valid redirect perl5 regular expression patterns. -->
    <init-param>
      <param-name>validRedirectURLsRegexp</param-name>
      <param-value>
        https?://(127\.0\.0\.1|localhost)/jcms/.*
        https?://(127\.0\.0\.1|localhost):(8080|8443)/jcms/.*
      </param-value>
    </init-param>

    <!-- 2. should we filter XSS attempts ? -->
    <init-param>
      <param-name>filterXSS</param-name>
      <param-value>true</param-value>
    </init-param>
    <!-- List of params to check for XSS attempts. -->
    <init-param>
      <param-name>paramsToCheckForXSS</param-name>
      <param-value>redirect id portal</param-value>
    </init-param>

    <!--
       Optional redirect URL (relative to the webapp or absolute)
       used when security error is detected
    -->
    <init-param>
      <param-name>redirectURL</param-name>
      <param-value>custom/reportSecurityError.jsp</param-value>
    </init-param>
  </filter>
 
And add this filter mapping:
  <filter-mapping>
    <filter-name>securityFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
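The redirect check that this configuration drives, as an added illustration (not Jalios code; the filter's own implementation is not shown on this page). RedirectCheckExample and isValidRedirect are assumed names, the sample redirect values are constructed, and java.util.regex stands in for the perl5 engine mentioned above.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added illustration, not Jalios code: a redirect value passes when it starts
// with one of the validRedirectURLs entries or fully matches one of the
// validRedirectURLsRegexp patterns, as the web.xml comments above describe.
public class RedirectCheckExample {
  private final List<String> validPrefixes = new ArrayList<String>();
  private final List<Pattern> validPatterns = new ArrayList<Pattern>();

  // Values are whitespace-separated, exactly as in the init-params above.
  public RedirectCheckExample(String validRedirectURLs, String validRedirectURLsRegexp) {
    for (String s : validRedirectURLs.trim().split("\\s+")) {
      if (s.length() > 0) validPrefixes.add(s);
    }
    for (String s : validRedirectURLsRegexp.trim().split("\\s+")) {
      if (s.length() > 0) validPatterns.add(Pattern.compile(s));
    }
  }

  // Returns true when the redirect target is allowed. An absent value is
  // treated as "no redirect requested" (an assumption of this example).
  public boolean isValidRedirect(String redirect) {
    if (redirect == null || redirect.length() == 0) return true;
    for (String prefix : validPrefixes) {
      if (redirect.startsWith(prefix)) return true;
    }
    for (Pattern p : validPatterns) {
      if (p.matcher(redirect).matches()) return true;  // whole-string match
    }
    return false;  // caller would store the value under INVALID_REDIRECT_KEY
  }

  public static void main(String[] args) {
    RedirectCheckExample check = new RedirectCheckExample(
        "http://localhost:8080/jcms/ http://127.0.0.1:8080/jcms/",
        "https?://(127\\.0\\.0\\.1|localhost)/jcms/.* "
        + "https?://(127\\.0\\.0\\.1|localhost):(8080|8443)/jcms/.*");
    String[] samples = {                               // constructed sample values
      "http://localhost:8080/jcms/index.jsp",          // accepted by prefix list
      "https://localhost:8443/jcms/front/login.jsp",   // accepted by regexp list
      "http://localhost:9090/jcms/index.jsp",          // rejected: port not listed
      "http://example.org/jcms/index.jsp"              // rejected: host not listed
    };
    for (String s : samples) {
      System.out.println((check.isValidRedirect(s) ? "valid   " : "INVALID ") + s);
    }
  }
}
```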
 
Here is an example of a jsp in which you can display information about the hacking attempt:
  <%@ include file='/jcore/doInitPage.jsp' %>
  <%
    String invalidRedirect = (String) session.getAttribute(SecurityFilter.INVALID_REDIRECT_KEY);
    session.removeAttribute(SecurityFilter.INVALID_REDIRECT_KEY);

    String invalidParam = (String) session.getAttribute(SecurityFilter.INVALID_PARAM_KEY);
    session.removeAttribute(SecurityFilter.INVALID_PARAM_KEY);
  %>
  Someone is trying to hack this site.<br />
  redirect: <%= Util.escapeHtml(invalidRedirect) %><br />
  param: <%= Util.escapeHtml(invalidParam) %>
 

Since:
jcms-5.6
Version:
$Revision: 63952 $
Author:
Olivier Jaquemet

Field Summary
static String INVALID_PARAM_KEY
          session attribute key used when an invalid param is detected
static String INVALID_REDIRECT_KEY
          session attribute key used when an invalid redirect is detected
static String REVISION
           
 
Constructor Summary
SecurityFilter()
           
 
Method Summary
 void destroy()
          Implementation of Filter.destroy() method.
 void doFilter(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, javax.servlet.FilterChain chain)
          Implementation of Filter.doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain) method.
 void init(javax.servlet.FilterConfig conf)
          Implementation of Filter.init(javax.servlet.FilterConfig) method.
 
Methods inherited from class com.jalios.jcms.servlet.JcmsServletFilter
endFilter, initJSONBridge, processFilter
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

REVISION

public static final String REVISION
See Also:
Constant Field Values

INVALID_REDIRECT_KEY

public static final String INVALID_REDIRECT_KEY
session attribute key used when an invalid redirect is detected

See Also:
Constant Field Values

INVALID_PARAM_KEY

public static final String INVALID_PARAM_KEY
session attribute key used when an invalid param is detected

See Also:
Constant Field Values

Constructor Detail

SecurityFilter

public SecurityFilter()

Method Detail

init

public void init(javax.servlet.FilterConfig conf)
          throws javax.servlet.ServletException
Implementation of Filter.init(javax.servlet.FilterConfig) method.

Specified by:
init in interface javax.servlet.Filter
Throws:
javax.servlet.ServletException

destroy

public void destroy()
Implementation of Filter.destroy() method.

Specified by:
destroy in interface javax.servlet.Filter

doFilter

public void doFilter(javax.servlet.ServletRequest req,
                     javax.servlet.ServletResponse res,
                     javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException
Implementation of Filter.doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain) method.

Specified by:
doFilter in interface javax.servlet.Filter
Throws:
IOException
javax.servlet.ServletException


Copyright © 2001-2010 Jalios SA. All Rights Reserved.