Add csrf protection for provision handlers

issue-10462/secure-pending-operation-6.2
Rajitha Kumara 1 year ago
parent 93427e0077
commit a9aa66173a

@ -32,6 +32,7 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.util.Objects;
@WebServlet(
name = "JIT callback handler",
@ -45,6 +46,7 @@ public class JITProvisionCallbackHandler extends HttpServlet {
@Override
protected void doGet(HttpServletRequest request, HttpServletResponse response) {
String state = request.getParameter("state");
HttpSession session = request.getSession(false);
String JITProvisionCallbackURL = request.getScheme() + HandlerConstants.SCHEME_SEPARATOR
+ System.getProperty(HandlerConstants.IOT_CORE_HOST_ENV_VAR)
@ -57,6 +59,12 @@ public class JITProvisionCallbackHandler extends HttpServlet {
return;
}
if (state == null || !Objects.equals(state, session.getAttribute("state").toString())) {
response.sendError(org.apache.http.HttpStatus.SC_BAD_REQUEST, "MismatchingStateError: CSRF Warning! " +
"State not equal in request and response");
return;
}
JITData JITInfo = (JITData) session.getAttribute(HandlerConstants.SESSION_JIT_DATA_KEY);
if (JITInfo == null) {
response.sendError(HttpStatus.SC_UNAUTHORIZED);

@ -70,6 +70,7 @@ public class JITProvisionHandler extends HttpServlet {
private String encodedClientCredentials;
private String JITConfigurationPath;
private String redirectUrl;
private String state;
@Override
protected void doGet(HttpServletRequest request, HttpServletResponse response) {
@ -83,6 +84,7 @@ public class JITProvisionHandler extends HttpServlet {
+ HandlerConstants.JIT_PROVISION_CALLBACK_URL;
JITConfigurationPath = CarbonUtils.getCarbonConfigDirPath() + File.separator + "jit-config.xml";
String scope = "openid";
state = HandlerUtil.generateStateToken();
tenantDomain = request.getParameter("tenantDomain");
redirectUrl = request.getParameter("redirectUrl");
JITServiceProviderName = request.getParameter("sp");
@ -100,7 +102,7 @@ public class JITProvisionHandler extends HttpServlet {
response.sendRedirect(keyManagerUrl + HandlerConstants.AUTHORIZATION_ENDPOINT +
"?response_type=code" +
"&client_id=" + clientId +
"&state=" +
"&state=" + state +
"&scope=" + scope +
"&redirect_uri=" + JITCallbackUrl);
} catch (JITProvisionException | IOException ex) {
@ -129,6 +131,7 @@ public class JITProvisionHandler extends HttpServlet {
JITInfo.setRedirectUrl(redirectUrl);
JITInfo.setSp(JITServiceProviderName);
session.setMaxInactiveInterval(3600);
session.setAttribute("state", state);
session.setAttribute(HandlerConstants.SESSION_JIT_DATA_KEY, JITInfo);
}

Loading…
Cancel
Save