Package com.jalios.jcms.servlet
Class SecurityFilter
- java.lang.Object
-
- com.jalios.jcms.servlet.JcmsServletFilter
-
- com.jalios.jcms.servlet.SecurityFilter
-
- All Implemented Interfaces:
javax.servlet.Filter
public class SecurityFilter extends JcmsServletFilter implements javax.servlet.Filter
ServletFilter to add an additionnal security layer to a JCMS webapp.
When enabled, this filter performs the following checks :- check the "redirect" parameter value to prevent redirect to external site (phishing)
This filter should be configured first in the list of all filters used on a webapp. Customize this filter configuration in your web.xml:<filter> <filter-name>securityFilter</filter-name> <filter-class>com.jalios.jcms.servlet.SecurityFilter</filter-class> <init-param> <param-name>enabled</param-name> <param-value>true</param-value> </init-param> <!-- 1. should we filter redirect value ? --> <init-param> <param-name>filterRedirect</param-name> <param-value>true</param-value> </init-param> <!-- List of valid redirect start value. You should make a combination of all possible: - scheme (http/https) - ports (none, 80, 443) - domains and ip (jalios.com, www.jalios.com, ) - path (/) --> <init-param> <param-name>validRedirectURLs</param-name> <param-value> http://localhost:8080/jcms/ http://127.0.0.1:8080/jcms/ </param-value> </init-param> <!-- List of valid redirect perl5 regular expression pattern. --> <init-param> <param-name>validRedirectURLsRegexp</param-name> <param-value> https?://(127\.0\.0\.1|localhost)/jcms/.* https?://(127\.0\.0\.1|localhost):(8080|8443)/jcms/.* </param-value> </init-param> <!-- 2. should we filter XSS attempts ? --> <init-param> <param-name>filterXSS</param-name> <param-value>true</param-value> </init-param> <!-- List of params to check for XSS attempts. --> <init-param> <param-name>paramsToCheckForXSS</param-name> <param-value>redirect id portal</param-value> </init-param> <!-- Optional redirect URL (relative to the webapp or absolute) used when security error is detected --> <init-param> <param-name>redirectURL</param-name> <param-value>custom/reportSecurityError.jsp</param-value> </init-param>
And add this filter mapping:<filter-mapping> <filter-name>securityFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
Here is an example of jsp in which you can display informations about the hacking attempt:<%@ include file='/jcore/doInitPage.jspf' %> <% String invalidRedirect = (String) session.getAttribute(SecurityFilter.INVALID_REDIRECT_KEY); session.removeAttribute(SecurityFilter.INVALID_REDIRECT_KEY); String invalidParam = (String) session.getAttribute(SecurityFilter.INVALID_PARAM_KEY); session.removeAttribute(SecurityFilter.INVALID_PARAM_KEY); %> Someone is trying to hack this site.<br /> redirect: <%= Util.escapeHtml(invalidRedirect) %><br /> param: <%= Util.escapeHtml(invalidParam) %>
- Since:
- jcms-5.6
- Author:
- Olivier Jaquemet
-
-
Field Summary
Fields Modifier and Type Field Description static java.lang.String
INVALID_PARAM_KEY
session attribute key used when a invalid param is detectedstatic java.lang.String
INVALID_REDIRECT_KEY
session attribute key used when a invalid redirect is detected
-
Constructor Summary
Constructors Constructor Description SecurityFilter()
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description void
destroy()
Implementation ofFilter.destroy()
method.void
doFilter(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, javax.servlet.FilterChain chain)
Implementation ofFilter.doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
method.void
init(javax.servlet.FilterConfig conf)
Implementation ofFilter.init(javax.servlet.FilterConfig)
method.-
Methods inherited from class com.jalios.jcms.servlet.JcmsServletFilter
endFilter, initJSONBridge, processFilter
-
-
-
-
Field Detail
-
INVALID_REDIRECT_KEY
public static final java.lang.String INVALID_REDIRECT_KEY
session attribute key used when a invalid redirect is detected- See Also:
- Constant Field Values
-
INVALID_PARAM_KEY
public static final java.lang.String INVALID_PARAM_KEY
session attribute key used when a invalid param is detected- See Also:
- Constant Field Values
-
-
Method Detail
-
init
public void init(javax.servlet.FilterConfig conf) throws javax.servlet.ServletException
Implementation ofFilter.init(javax.servlet.FilterConfig)
method.- Specified by:
init
in interfacejavax.servlet.Filter
- Throws:
javax.servlet.ServletException
-
destroy
public void destroy()
Implementation ofFilter.destroy()
method.- Specified by:
destroy
in interfacejavax.servlet.Filter
-
doFilter
public void doFilter(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, javax.servlet.FilterChain chain) throws java.io.IOException, javax.servlet.ServletException
Implementation ofFilter.doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
method.- Specified by:
doFilter
in interfacejavax.servlet.Filter
- Throws:
java.io.IOException
javax.servlet.ServletException
-
-