Class CSRFFilter


  • public class CSRFFilter
    extends Object
    This filter provides CSRF protection for authenticated users. The following checks are applied to an HTTP request to decide whether it is safe:
    • if the request is non-modifying (GET, OPTIONS), it is safe
    • if the request has an 'Origin' header, it MUST match the 'Host' or 'X-Forwarded-Host' header (or one of the enabled CORS origins)
    If the request has no 'Origin' header, it is considered safe only if one of the following is true:
    • the request has an 'X-Requested-With' header (set for AJAX requests, which are protected by the same-origin policy/CORS)
    • the teamcity.csrf.allow_non_browser property is set and the request's User-Agent is not recognized as a browser
    • the HttpSession has no information about a logged-in user and there is no RememberMe cookie (i.e. POST requests with basic authentication are allowed)
    • the request has a parameter ATTRIBUTE and its value matches the session attribute ATTRIBUTE (the CSRF token)
    Since:
    2017.1 (19/10/16)
    Author:
    kir
    • Method Detail

      • setSessionAttribute

        public static String setSessionAttribute(@NotNull
                                                 javax.servlet.http.HttpSession session)
        Adds a CSRF token to the session if the session does not have one yet.
        Returns:
        the current or newly set CSRF token
      • removeSessionAttribute

        public static void removeSessionAttribute(@NotNull
                                                  javax.servlet.http.HttpSession session)
        Removes the CSRF token from the session.
      • hasUnsafeCookies

        public static boolean hasUnsafeCookies(javax.servlet.http.HttpServletRequest request)
      • validateRequest

        public boolean validateRequest(javax.servlet.http.HttpServletRequest request,
                                       javax.servlet.http.HttpServletResponse response)
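As an added illustration of the decision procedure in the class description and of the setSessionAttribute contract, the following example re-implements those checks against a minimal request model. It is example code written for this page, not TeamCity's CSRFFilter implementation: the Request class, the attribute name "tc-csrf-token" (the real value of ATTRIBUTE is not given here), the "loggedInUser" session key and the "Mozilla/" User-Agent heuristic are all assumptions made for the example.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public final class CsrfCheckExample {

    // Assumed name for the request parameter / session attribute; the value of the
    // real CSRFFilter.ATTRIBUTE constant is not given on the page.
    static final String ATTRIBUTE = "tc-csrf-token";
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Constructed stand-in for HttpServletRequest plus its HttpSession. */
    static final class Request {
        final String method;
        final Map<String, String> headers = new HashMap<>();   // keys stored lower-cased
        final Map<String, String> params = new HashMap<>();
        final Map<String, Object> session = new HashMap<>();   // "loggedInUser" key is an assumption
        boolean rememberMeCookie;

        Request(String method) { this.method = method; }

        Request header(String name, String value) {
            headers.put(name.toLowerCase(Locale.ROOT), value);
            return this;
        }

        String header(String name) { return headers.get(name.toLowerCase(Locale.ROOT)); }
    }

    /** Same contract as the documented setSessionAttribute: create a token only if none exists. */
    static String setSessionAttribute(Map<String, Object> session) {
        Object existing = session.get(ATTRIBUTE);
        if (existing instanceof String) {
            return (String) existing;
        }
        byte[] raw = new byte[32];                            // 256 bits from a CSPRNG
        RANDOM.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(ATTRIBUTE, token);
        return token;
    }

    /** The decision procedure from the class description, in the order the page lists the checks. */
    static boolean isSafe(Request r, Set<String> enabledCorsOrigins, boolean allowNonBrowser) {
        String m = r.method.toUpperCase(Locale.ROOT);
        if (m.equals("GET") || m.equals("OPTIONS")) {
            return true;                                      // non-modifying request
        }
        String origin = r.header("Origin");
        if (origin != null) {
            // Origin present: it must match Host / X-Forwarded-Host or an enabled CORS origin.
            // "Origin: null" and unparsable values have no authority and therefore fail.
            String originAuthority = authorityOf(origin);
            return originAuthority != null
                && (originAuthority.equalsIgnoreCase(r.header("Host"))
                    || originAuthority.equalsIgnoreCase(r.header("X-Forwarded-Host"))
                    || enabledCorsOrigins.contains(origin));
        }
        // Origin absent: any one of the following is sufficient.
        if (r.header("X-Requested-With") != null) {
            return true;                                      // AJAX, covered by same-origin policy / CORS
        }
        if (allowNonBrowser && !looksLikeBrowser(r.header("User-Agent"))) {
            return true;                                      // teamcity.csrf.allow_non_browser in effect
        }
        if (r.session.get("loggedInUser") == null && !r.rememberMeCookie) {
            return true;                                      // no ambient session, e.g. basic-auth POST
        }
        Object expected = r.session.get(ATTRIBUTE);
        String supplied = r.params.get(ATTRIBUTE);
        return expected instanceof String && supplied != null
            && constantTimeEquals((String) expected, supplied);
    }

    private static String authorityOf(String origin) {
        try {
            return URI.create(origin).getAuthority();         // scheme and path stripped, port kept
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    // Crude heuristic standing in for the product's real User-Agent classification (assumption).
    private static boolean looksLikeBrowser(String ua) {
        return ua != null && ua.startsWith("Mozilla/");
    }

    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Set<String> cors = Collections.singleton("https://dashboard.example");
        Request browser = new Request("POST").header("Host", "teamcity.example:8111")
            .header("User-Agent", "Mozilla/5.0 (constructed)");
        browser.session.put("loggedInUser", "alice");
        browser.header("Origin", "https://teamcity.example:8111");
        System.out.println("same-origin POST:              " + isSafe(browser, cors, false));
        browser.header("Origin", "https://attacker.example");
        System.out.println("cross-origin POST:             " + isSafe(browser, cors, false));
        browser.headers.remove("origin");
        System.out.println("no Origin, no token:           " + isSafe(browser, cors, false));
        browser.params.put(ATTRIBUTE, setSessionAttribute(browser.session));
        System.out.println("no Origin, valid token:        " + isSafe(browser, cors, false));
        Request script = new Request("POST").header("Host", "teamcity.example:8111")
            .header("User-Agent", "curl/8.0 (constructed)");
        System.out.println("basic-auth script, no session: " + isSafe(script, cors, false));
    }
}
```

Compile with javac CsrfCheckExample.java and run it: the same-origin POST, the POST carrying a token that matches the session attribute, and the session-less script request are accepted, while the cross-origin POST and the session-bound POST without a token are rejected. The token comparison goes through MessageDigest.isEqual so that a mismatch does not leak timing information about the stored value, and an Origin of "null" (sent by browsers for sandboxed or privacy-sensitive contexts) is treated as a mismatch rather than as an absent header.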