jetbrains.buildServer.web

Class CSRFFilter

java.lang.Object

jetbrains.buildServer.web.CSRFFilter

public class CSRFFilter
extends java.lang.Object

This is a filter which provides CSRF protection for authenticated users. Here are the checks on HTTP request to verify that it is safe:

• if request is not-modifying (GET, OPTIONS) - it is safe
• if request has 'Origin' header it MUST match 'Host' or 'X-Forwarded-Host' headers (or one of the enabled CORS origins)

If Origin in request is unset, request is considered safe only if one of the following is true:

• request has 'X-Requested-With' header (set for AJAX requests, which are protected by same-origin-policy/CORS)
• teamcity.csrf.allow_non_browser property is set and User-Agent from request is not recognized as a browser
• HttpSession does not have information about logged-in user and there is no RememberMe cookie (i.e. POST requests with basic authentication are allowed)
• request has a parameter ATTRIBUTE and it matches session attribute ATTRIBUTE

Since:

2017.1 (19/10/16)

Author:

kir

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	ATTRIBUTE
static java.lang.String	CSRF_HEADER

Constructor Summary

Constructors

Constructor and Description
CSRFFilter(ExtensionsProvider extensionsProvider, EventDispatcher<BuildServerListener> multicaster)

Method Summary

Modifier and Type	Method and Description
static void	removeSessionAttribute(javax.servlet.http.HttpSession session) Remove CSRF token from the session
static java.lang.String	setSessionAttribute(javax.servlet.http.HttpSession session) Add a CSRF token to the session, if the session does not have such a token yet
boolean	validateRequest(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ATTRIBUTE

public static final java.lang.String ATTRIBUTE

See Also:

Constant Field Values

CSRF_HEADER

public static final java.lang.String CSRF_HEADER

See Also:

Constant Field Values

Constructor Detail

CSRFFilter

public CSRFFilter(ExtensionsProvider extensionsProvider,
                  EventDispatcher<BuildServerListener> multicaster)

Method Detail

setSessionAttribute

public static java.lang.String setSessionAttribute(@NotNull
                                                   javax.servlet.http.HttpSession session)

Add a CSRF token to the session, if the session does not have such a token yet

Returns:

current or newly set CSRF token

removeSessionAttribute

public static void removeSessionAttribute(@NotNull
                                          javax.servlet.http.HttpSession session)

Remove CSRF token from the session

validateRequest

public boolean validateRequest(javax.servlet.http.HttpServletRequest request,
                               javax.servlet.http.HttpServletResponse response)