Ard Schrijvers pushed to branch bugfix/CMS-9917 at cms / hippo-cms

Commits:
8e866fd5 by Ard Schrijvers at 2016-02-09T10:28:02+01:00
CMS-9917 Add support for a comma/tab/return/space separated 
"accepted-origin-whitelist" in wicket filter init param or context 
param

for example in cms webapp:
  <context-param>
    <description>Origins (hosts) accepted by the CSRF prevention listener in addition to the request's own host; each entry also matches its subdomains</description>
    <param-name>accepted-origin-whitelist</param-name>
    <param-value>example.com, example.org</param-value>
  </context-param>

  Note that the whitelisting works for subdomains as well, so for above, 
www.example.com and www.example.org are both whitelisted

- - - - -


1 changed file:

- engine/src/main/java/org/hippoecm/frontend/Main.java


Changes:

=====================================
engine/src/main/java/org/hippoecm/frontend/Main.java
=====================================
--- a/engine/src/main/java/org/hippoecm/frontend/Main.java
+++ b/engine/src/main/java/org/hippoecm/frontend/Main.java
@@ -124,6 +124,9 @@ public class Main extends PluginApplication {
     public final static String ENCRYPT_URLS = "encrypt-urls";
     public final static String OUTPUT_WICKETPATHS = "output-wicketpaths";
     public final static String PLUGIN_APPLICATION_NAME_PARAMETER = "config";
+
+    // comma separated init parameter
+    public final static String ACCEPTED_ORIGIN_WHITELIST = 
"accepted-origin-whitelist";
     /**
      * Custom Wicket {@link IRequestCycleListener} class names parameter which 
can be comma or whitespace-separated
      * string to set multiple {@link IRequestCycleListener}s.
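Review bot: The comment `// comma separated init parameter` on the new ACCEPTED_ORIGIN_WHITELIST constant understates what the parser accepts — the commit message and the split call in addCsrfPreventionRequestCycleListener also take tab, line feed, carriage return, form feed and space as separators — and a knob that widens the CSRF origin check deserves Javadoc rather than a one-liner. I would replace it with `/** Init/context parameter: additional origins (hosts) accepted by the CSRF prevention listener, separated by commas or whitespace. Per the commit message each entry also matches its subdomains, so keep entries as specific as possible. */`. The constant declaration appears wrapped over two lines here by the mailer; that is a display artifact, not a change to make.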
@@ -162,8 +165,6 @@ public class Main extends PluginApplication {
     protected void init() {
         super.init();
 
-        getRequestCycleListeners().add(new 
CsrfPreventionRequestCycleListener());
-
         addRequestCycleListeners();
 
         registerSessionListeners();
@@ -607,7 +608,9 @@ public class Main extends PluginApplication {
     }
 
     /**
-     * Adds the default built-in {@link IRequestCycleListener} or configured 
custom {@link IRequestCycleListener}s.
+     * Adds the default built-in {@link IRequestCycleListener} or configured 
custom {@link IRequestCycleListener}s. Note that the
+     * default <code>CsrfPreventionRequestCycleListener</code> always gets 
added, regardless whether custom  {@link IRequestCycleListener}s
+     * are configured.
      * <P>
      * If no custom {@link IRequestCycleListener}s are configured, then this 
simply registers the default built-in
      * listeners such as {@link 
org.hippoecm.frontend.diagnosis.DiagnosticsRequestCycleListener} and {@link 
RepositoryRuntimeExceptionHandlingRequestCycleListener}.
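Review bot: The new Javadoc sentence reads "regardless whether custom ... are configured"; it should be "regardless of whether". More importantly, "always gets added" is now only true as long as this method is the one that runs, since the unconditional registration in init() has been removed in the hunk above; I would state that explicitly, e.g. `Note that the default <code>CsrfPreventionRequestCycleListener</code> is registered by this method (and nowhere else), regardless of whether custom listeners are configured; overriding it without calling super disables CSRF protection.` The method signature this Javadoc documents lies just outside the hunk.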
@@ -618,6 +621,8 @@ public class Main extends PluginApplication {
         String[] listenerClassNames = 
StringUtils.split(getConfigurationParameter(REQUEST_CYCLE_LISTENERS_PARAM, 
null), " ,\t\r\n");
         RequestCycleListenerCollection requestCycleListenerCollection = 
getRequestCycleListeners();
 
+        addCsrfPreventionRequestCycleListener(requestCycleListenerCollection);
+
         if (listenerClassNames == null || listenerClassNames.length == 0) {
             requestCycleListenerCollection.add(new 
DiagnosticsRequestCycleListener());
             requestCycleListenerCollection.add(new 
RepositoryRuntimeExceptionHandlingRequestCycleListener());
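Review bot: Moving the CSRF listener registration from init() (see the earlier hunk) into addRequestCycleListeners() makes the protection depend on this method actually running; if addRequestCycleListeners() is overridable by subclasses — its modifier is outside the hunk, so I cannot confirm — a subclass that overrides it to register its own listeners would silently drop CSRF prevention, which the old placement in init() did not allow. Either keep the call in init() (`addCsrfPreventionRequestCycleListener(getRequestCycleListeners());` right after `super.init();`) with the whitelist still applied there, or mark the method `final`. The rest of this method (the custom-listener branch) continues past the end of the hunk.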
@@ -634,6 +639,18 @@ public class Main extends PluginApplication {
         }
     }
 
+    private void addCsrfPreventionRequestCycleListener(final 
RequestCycleListenerCollection requestCycleListenerCollection) {
+        final CsrfPreventionRequestCycleListener listener = new 
CsrfPreventionRequestCycleListener();
+        // split on tab (\t), line feed (\n), carriage return (\r), form feed 
(\f), " ", and ","
+        final String[] acceptedOrigins = 
StringUtils.split(getConfigurationParameter(ACCEPTED_ORIGIN_WHITELIST, null), " 
,\t\f\r\n");
+        if (acceptedOrigins != null && acceptedOrigins.length > 0) {
+            for (String acceptedOrigin : acceptedOrigins) {
+                listener.addAcceptedOrigin(acceptedOrigin);
+            }
+        }
+        requestCycleListenerCollection.add(listener);
+    }
+
     private static class ResponseSplittingProtectingServletWebResponse extends 
ServletWebResponse {
 
         public ResponseSplittingProtectingServletWebResponse(final WebRequest 
webRequest, final HttpServletResponse httpServletResponse) {
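Review bot: addCsrfPreventionRequestCycleListener passes every token from accepted-origin-whitelist to listener.addAcceptedOrigin without any logging, so an operator-supplied setting that relaxes the CSRF origin check leaves no trace at startup; given that (per the commit message) each entry also matches all of its subdomains, a too-broad entry quietly weakens the protection for every host under it. I would log each entry as it is added, e.g. `log.info("CSRF prevention: accepting origin '{}' (and its subdomains)", acceptedOrigin);` using whatever logger Main already has (not visible in this hunk). Whether addAcceptedOrigin normalises entries that carry a scheme or port is not shown here; if it does not, a note in the Javadoc telling operators to supply bare host names would avoid entries that never match. The `acceptedOrigins.length > 0` part of the guard is redundant with the loop, only the null check is needed. The enclosing class continues after this hunk.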



View it on GitLab: 
https://code.onehippo.org/cms/hippo-cms/commit/8e866fd5cc2b48cdba985be7d5c906e7cd04059c