Class RestCsrfPreventionFilter

java.lang.Object
org.apache.hadoop.security.http.RestCsrfPreventionFilter
All Implemented Interfaces:
javax.servlet.Filter

@Public @Evolving public class RestCsrfPreventionFilter extends Object implements javax.servlet.Filter
This filter provides protection against cross-site request forgery (CSRF) attacks for REST APIs. Enabling this filter on an endpoint requires all clients to send a particular (configurable) HTTP header with every request. In the absence of this header, the filter rejects the attempt as a bad request.
  • Constructor Details

    • RestCsrfPreventionFilter

      public RestCsrfPreventionFilter()
  • Method Details

    • init

      public void init(javax.servlet.FilterConfig filterConfig) throws javax.servlet.ServletException
      Specified by:
      init in interface javax.servlet.Filter
      Throws:
      javax.servlet.ServletException
    • isBrowser

      protected boolean isBrowser(String userAgent)
      This method interrogates the User-Agent string and returns whether it refers to a browser. If it is not a browser, the requirement for the CSRF header is not enforced; if it is a browser, the requirement is enforced.

      A User-Agent string is considered to be a browser if it matches any of the regex patterns from browser-useragent-regex; by default, anything matching the following is considered a browser: "^Mozilla.*,^Opera.*". Subclasses can optionally override this method to use different behavior.

      Parameters:
      userAgent - The User-Agent String, or null if there isn't one
      Returns:
      true if the User-Agent String refers to a browser, false if not
    • handleHttpInteraction

      public void handleHttpInteraction(org.apache.hadoop.security.http.RestCsrfPreventionFilter.HttpInteraction httpInteraction) throws IOException, javax.servlet.ServletException
      Handles a RestCsrfPreventionFilter.HttpInteraction by applying the filtering logic.
      Parameters:
      httpInteraction - caller's HTTP interaction
      Throws:
      IOException - if there is an I/O error
      javax.servlet.ServletException - if the implementation relies on the servlet API and a servlet API call has failed
    • doFilter

      public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
      Specified by:
      doFilter in interface javax.servlet.Filter
      Throws:
      IOException
      javax.servlet.ServletException
    • destroy

      public void destroy()
      Specified by:
      destroy in interface javax.servlet.Filter
    • getFilterParams

      public static Map<String,String> getFilterParams(Configuration conf, String confPrefix)
      Constructs a mapping of configuration properties to be used for filter initialization. The mapping includes all properties that start with the specified configuration prefix. Property names in the mapping are trimmed to remove the configuration prefix.
      Parameters:
      conf - configuration to read
      confPrefix - configuration prefix
      Returns:
      mapping of configuration properties to be used for filter initialization
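The following is an added Python model of the decision logic this page documents (header requirement, isBrowser matching against the default "^Mozilla.*,^Opera.*" list, and getFilterParams prefix trimming); it is not Hadoop's own code. The header name X-XSRF-HEADER, the parameter names custom-header and browser-useragent-regex, the configuration prefix, and the sample requests are assumptions constructed for the example.

```python
import re
from typing import Dict, Optional

# Default browser patterns exactly as documented for isBrowser.
DEFAULT_BROWSER_USERAGENT_REGEX = "^Mozilla.*,^Opera.*"
# Header name and parameter names below are assumptions of this model.
DEFAULT_CSRF_HEADER = "X-XSRF-HEADER"


def get_filter_params(conf: Dict[str, str], conf_prefix: str) -> Dict[str, str]:
    """Model of getFilterParams: keep properties under conf_prefix, prefix trimmed."""
    return {key[len(conf_prefix):]: value
            for key, value in conf.items() if key.startswith(conf_prefix)}


class RestCsrfCheck:
    """Decision logic of the filter: browser clients must send the CSRF header."""

    def __init__(self, params: Dict[str, str]) -> None:
        self.header = params.get("custom-header", DEFAULT_CSRF_HEADER).lower()
        regex_list = params.get("browser-useragent-regex", DEFAULT_BROWSER_USERAGENT_REGEX)
        # Comma-separated list of regexes, each tried against the User-Agent string.
        self.browser_patterns = [re.compile(p) for p in regex_list.split(",")]

    def is_browser(self, user_agent: Optional[str]) -> bool:
        """Mirror of isBrowser: a missing User-Agent is not a browser; any match is."""
        if user_agent is None:
            return False
        return any(p.match(user_agent) for p in self.browser_patterns)

    def is_allowed(self, user_agent: Optional[str], headers: Dict[str, str]) -> bool:
        """True if the request passes. The header is required only for browsers,
        and only its presence is checked (header names are case-insensitive)."""
        if not self.is_browser(user_agent):
            return True
        return self.header in {name.lower() for name in headers}


# Constructed sample configuration; the prefix is an assumption of this model.
SAMPLE_CONF = {
    "hadoop.http.rest-csrf.custom-header": "X-XSRF-HEADER",
    "hadoop.http.rest-csrf.browser-useragent-regex": "^Mozilla.*,^Opera.*",
    "hadoop.http.authentication.type": "simple",  # other prefix: dropped
}
PREFIX = "hadoop.http.rest-csrf."
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
CURL_UA = "curl/8.4.0"

if __name__ == "__main__":
    check = RestCsrfCheck(get_filter_params(SAMPLE_CONF, PREFIX))
    for ua, hdrs in [(FIREFOX_UA, {}), (FIREFOX_UA, {"X-XSRF-HEADER": ""}), (CURL_UA, {})]:
        print(ua[:12], hdrs, "allowed" if check.is_allowed(ua, hdrs) else "rejected")
```

Letting non-browser User-Agents through is the documented design: CSRF relies on a browser attaching ambient credentials, and a browser cannot add a custom header to a cross-origin request without a CORS preflight, so the header's mere presence is the signal the filter needs.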