Class CsrfFilter

java.lang.Object
org.forgerock.http.filter.CsrfFilter
All Implemented Interfaces:
Filter

public final class CsrfFilter extends Object implements Filter
A generic filter for preventing cross-site request forgery (CSRF) attacks when using cookie-based authentication. This filter is configured with the name of a session cookie and then requires that every non-GET request carrying that cookie also carries an additional header containing a SHA-256 hash of the same cookie, which serves as the anti-CSRF token.

Design

The design of this filter addresses drawbacks of the common double-submit cookie approach, in which a completely random anti-CSRF token is set as a second non-HttpOnly cookie on the client. The client then looks up the cookie value on each request and sends it as a custom header. The main drawback of double-submit cookies is that an attacker may be able to overwrite the second cookie with a known value, for example if they find a vulnerability on an insecure sub-domain. This filter avoids that problem by making the anti-CSRF token a cryptographic hash of the session cookie itself. This eliminates the need for a second cookie (although the client can still use one for convenient storage of the token) and prevents an attacker from substituting a value of their choosing, because the hash would then fail to validate against the session cookie.

Most clients should store the anti-CSRF token in a cookie or in sessionStorage. As a convenience, the filter returns the correct CSRF token on failed responses and when a Set-Cookie header for the cookie is present in the response. This provides a way for a legitimate client to learn the CSRF token value. This is safe because reading the response of cross-site requests is blocked by the same-origin policy.
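The validation rule described above, written out as an added Python example rather than the project's own Java code. The session cookie name, the CSRF header name (the page does not name it) and the hex encoding of the hash are assumptions; the cross-site request scenario at the end is constructed to show why an attacker-chosen header value is rejected.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SESSION_COOKIE = "session"      # assumed name of the configured session cookie
CSRF_HEADER = "X-CSRF-Token"    # assumed header name; the page does not name it


@dataclass
class Request:
    method: str
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def csrf_token_for(cookie_value: str) -> str:
    """Anti-CSRF token: SHA-256 of the session cookie value (hex-encoded by assumption)."""
    return hashlib.sha256(cookie_value.encode("utf-8")).hexdigest()


def check_csrf(request: Request, cookie_name: str = SESSION_COOKIE,
               header_name: str = CSRF_HEADER) -> Tuple[bool, Optional[str]]:
    """Apply the filter's rule to one request.

    Returns (allowed, expected_token). The expected token is only filled in when
    the check fails, mirroring the filter returning the correct token on failed
    responses so a legitimate same-origin client can learn it.
    """
    cookie = request.cookies.get(cookie_name)
    # Without the session cookie the request is not authenticated by it, so there
    # is nothing to forge; GET requests are exempt, as the description states.
    if cookie is None or request.method.upper() == "GET":
        return True, None
    expected = csrf_token_for(cookie)
    presented = request.headers.get(header_name, "")
    # Constant-time comparison so timing does not reveal how much of the token matched.
    if hmac.compare_digest(expected, presented):
        return True, None
    return False, expected


if __name__ == "__main__":
    # Constructed scenario: the browser attaches the victim's HttpOnly session cookie
    # to a cross-site POST, but the attacker cannot read that cookie and so cannot
    # derive its hash; a header carrying any value they do know fails validation.
    forged = Request("POST", {"session": "abc123"}, {"X-CSRF-Token": "value-attacker-knows"})
    allowed, expected = check_csrf(forged)
    print("forged request allowed:", allowed)
    legit = Request("POST", {"session": "abc123"}, {"X-CSRF-Token": csrf_token_for("abc123")})
    print("legitimate request allowed:", check_csrf(legit)[0])
```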

  • Method Details

    • filter

      public Promise<Response,NeverThrowsException> filter(Context context, Request request, Handler next)
      Description copied from interface: Filter
      Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request).

      This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.

      Specified by:
      filter in interface Filter
      Parameters:
      context - The request context.
      request - The request.
      next - The next filter or handler in the chain to handle the request.
      Returns:
      A Promise representing the response to be returned to the client.