Ard Schrijvers pushed to branch bugfix/CMS-9917 at cms / hippo-cms
Commits: 8e866fd5 by Ard Schrijvers at 2016-02-09T10:28:02+01:00 CMS-9917 Add support for a comma/tab/return/space separated "accepted-origin-whitelist" in wicket filter init param or context param for example in cms webapp: <context-param> <description>The address of the repository</description> <param-name>accepted-origin-whitelist</param-name> <param-value>example.com, example.org</param-value> </context-param> Note that the whitelisting works for subdomains as well, so for above, www.example.com and www.example.org are both whitelisted - - - - - 1 changed file: - engine/src/main/java/org/hippoecm/frontend/Main.java Changes: ===================================== engine/src/main/java/org/hippoecm/frontend/Main.java ===================================== --- a/engine/src/main/java/org/hippoecm/frontend/Main.java +++ b/engine/src/main/java/org/hippoecm/frontend/Main.java @@ -124,6 +124,9 @@ public class Main extends PluginApplication { public final static String ENCRYPT_URLS = "encrypt-urls"; public final static String OUTPUT_WICKETPATHS = "output-wicketpaths"; public final static String PLUGIN_APPLICATION_NAME_PARAMETER = "config"; + + // comma separated init parameter + public final static String ACCEPTED_ORIGIN_WHITELIST = "accepted-origin-whitelist"; /** * Custom Wicket {@link IRequestCycleListener} class names parameter which can be comma or whitespace-separated * string to set multiple {@link IRequestCycleListener}s. @@ -162,8 +165,6 @@ public class Main extends PluginApplication { protected void init() { super.init(); - getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener()); - addRequestCycleListeners(); registerSessionListeners(); 
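Review bot: CSRF protection is now guaranteed only as long as addRequestCycleListeners() runs unmodified, because the unconditional `getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener());` is removed from init() in the second hunk and re-added inside that method. If addRequestCycleListeners() is overridable (its signature is not visible here, and init() itself is protected), a subclass that overrides it to supply its own listeners silently loses CSRF protection, which the previous placement in init() guaranteed regardless of configuration. Keeping the registration in init(), `addCsrfPreventionRequestCycleListener(getRequestCycleListeners());` directly after `super.init();`, preserves that guarantee while still honouring the new whitelist. The body of init() continues outside the hunk.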
@@ -607,7 +608,9 @@ public class Main extends PluginApplication { } /** - * Adds the default built-in {@link IRequestCycleListener} or configured custom {@link IRequestCycleListener}s. + * Adds the default built-in {@link IRequestCycleListener} or configured custom {@link IRequestCycleListener}s. Note that the + * default <code>CsrfPreventionRequestCycleListener</code> always gets added, regardless whether custom {@link IRequestCycleListener}s + * are configured. * <P> * If no custom {@link IRequestCycleListener}s are configured, then this simply registers the default built-in * listeners such as {@link org.hippoecm.frontend.diagnosis.DiagnosticsRequestCycleListener} and {@link RepositoryRuntimeExceptionHandlingRequestCycleListener}. @@ -618,6 +621,8 @@ public class Main extends PluginApplication { String[] listenerClassNames = StringUtils.split(getConfigurationParameter(REQUEST_CYCLE_LISTENERS_PARAM, null), " ,\t\r\n"); RequestCycleListenerCollection requestCycleListenerCollection = getRequestCycleListeners(); + addCsrfPreventionRequestCycleListener(requestCycleListenerCollection); + if (listenerClassNames == null || listenerClassNames.length == 0) { requestCycleListenerCollection.add(new DiagnosticsRequestCycleListener()); requestCycleListenerCollection.add(new RepositoryRuntimeExceptionHandlingRequestCycleListener()); 
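Review bot: The updated Javadoc says the CsrfPreventionRequestCycleListener is always added but does not say where its accepted origins come from, which is the behaviour this commit introduces and the first thing an operator will look for. Add a sentence such as `Accepted origins for the CSRF check are read from the {@value #ACCEPTED_ORIGIN_WHITELIST} init or context parameter (comma- or whitespace-separated host names; subdomains are matched as well).` The "always" claim also holds only for the code path of this method, so `this method always adds` is the more accurate wording if the method can be overridden (its signature is not in the hunk). The method whose Javadoc and body these two hunks touch starts between them and ends outside the hunk.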
@@ -634,6 +639,18 @@ public class Main extends PluginApplication { } } + private void addCsrfPreventionRequestCycleListener(final RequestCycleListenerCollection requestCycleListenerCollection) { + final CsrfPreventionRequestCycleListener listener = new CsrfPreventionRequestCycleListener(); + // split on tab (\t), line feed (\n), carriage return (\r), form feed (\f), " ", and "," + final String[] acceptedOrigins = StringUtils.split(getConfigurationParameter(ACCEPTED_ORIGIN_WHITELIST, null), " ,\t\f\r\n"); + if (acceptedOrigins != null && acceptedOrigins.length > 0) { + for (String acceptedOrigin : acceptedOrigins) { + listener.addAcceptedOrigin(acceptedOrigin); + } + } + requestCycleListenerCollection.add(listener); + } + private static class ResponseSplittingProtectingServletWebResponse extends ServletWebResponse { public ResponseSplittingProtectingServletWebResponse(final WebRequest webRequest, final HttpServletResponse httpServletResponse) { View it on GitLab: https://code.onehippo.org/cms/hippo-cms/commit/8e866fd5cc2b48cdba985be7d5c906e7cd04059c
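Review bot: The accepted origins parsed in addCsrfPreventionRequestCycleListener are handed to the listener without any validation or startup logging, so a misconfigured entry — a value carrying a scheme or path such as `https://example.com/`, or an over-broad suffix such as a bare TLD, which per the commit message would also match every subdomain — is noticed only when a legitimate request is rejected or, worse, when a foreign origin is accepted. Consider warning on or rejecting entries that contain `/` or `:` and logging the effective list once at startup, e.g. `log.info("CSRF accepted origins: {}", Arrays.asList(acceptedOrigins));` (host names are not secrets; this assumes the class has an SLF4J logger and imports java.util.Arrays, neither of which is visible here). Whether Wicket's addAcceptedOrigin itself normalizes such values cannot be seen from this hunk, so confirm it against the Wicket version in use before relying on it. The `acceptedOrigins.length > 0` guard is redundant since iterating an empty array is a no-op; `if (acceptedOrigins != null)` suffices. The separator set `" ,\t\f\r\n"` also differs from the `" ,\t\r\n"` used for REQUEST_CYCLE_LISTENERS_PARAM in the previous hunk; a shared constant would keep both parameters parsed alike.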