Add csrf protection for provision handlers

master
Rajitha Kumara 1 year ago
parent 93427e0077
commit a9aa66173a

@ -32,6 +32,7 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession; import javax.servlet.http.HttpSession;
import java.io.IOException; import java.io.IOException;
import java.util.Objects;
@WebServlet( @WebServlet(
name = "JIT callback handler", name = "JIT callback handler",
@ -45,6 +46,7 @@ public class JITProvisionCallbackHandler extends HttpServlet {
@Override @Override
protected void doGet(HttpServletRequest request, HttpServletResponse response) { protected void doGet(HttpServletRequest request, HttpServletResponse response) {
String state = request.getParameter("state");
HttpSession session = request.getSession(false); HttpSession session = request.getSession(false);
String JITProvisionCallbackURL = request.getScheme() + HandlerConstants.SCHEME_SEPARATOR String JITProvisionCallbackURL = request.getScheme() + HandlerConstants.SCHEME_SEPARATOR
+ System.getProperty(HandlerConstants.IOT_CORE_HOST_ENV_VAR) + System.getProperty(HandlerConstants.IOT_CORE_HOST_ENV_VAR)
@ -57,6 +59,12 @@ public class JITProvisionCallbackHandler extends HttpServlet {
return; return;
} }
if (state == null || !Objects.equals(state, session.getAttribute("state").toString())) {
response.sendError(org.apache.http.HttpStatus.SC_BAD_REQUEST, "MismatchingStateError: CSRF Warning! " +
"State not equal in request and response");
return;
}
JITData JITInfo = (JITData) session.getAttribute(HandlerConstants.SESSION_JIT_DATA_KEY); JITData JITInfo = (JITData) session.getAttribute(HandlerConstants.SESSION_JIT_DATA_KEY);
if (JITInfo == null) { if (JITInfo == null) {
response.sendError(HttpStatus.SC_UNAUTHORIZED); response.sendError(HttpStatus.SC_UNAUTHORIZED);

@ -70,6 +70,7 @@ public class JITProvisionHandler extends HttpServlet {
private String encodedClientCredentials; private String encodedClientCredentials;
private String JITConfigurationPath; private String JITConfigurationPath;
private String redirectUrl; private String redirectUrl;
private String state;
@Override @Override
protected void doGet(HttpServletRequest request, HttpServletResponse response) { protected void doGet(HttpServletRequest request, HttpServletResponse response) {
@ -83,6 +84,7 @@ public class JITProvisionHandler extends HttpServlet {
+ HandlerConstants.JIT_PROVISION_CALLBACK_URL; + HandlerConstants.JIT_PROVISION_CALLBACK_URL;
JITConfigurationPath = CarbonUtils.getCarbonConfigDirPath() + File.separator + "jit-config.xml"; JITConfigurationPath = CarbonUtils.getCarbonConfigDirPath() + File.separator + "jit-config.xml";
String scope = "openid"; String scope = "openid";
state = HandlerUtil.generateStateToken();
tenantDomain = request.getParameter("tenantDomain"); tenantDomain = request.getParameter("tenantDomain");
redirectUrl = request.getParameter("redirectUrl"); redirectUrl = request.getParameter("redirectUrl");
JITServiceProviderName = request.getParameter("sp"); JITServiceProviderName = request.getParameter("sp");
@ -100,7 +102,7 @@ public class JITProvisionHandler extends HttpServlet {
response.sendRedirect(keyManagerUrl + HandlerConstants.AUTHORIZATION_ENDPOINT + response.sendRedirect(keyManagerUrl + HandlerConstants.AUTHORIZATION_ENDPOINT +
"?response_type=code" + "?response_type=code" +
"&client_id=" + clientId + "&client_id=" + clientId +
"&state=" + "&state=" + state +
"&scope=" + scope + "&scope=" + scope +
"&redirect_uri=" + JITCallbackUrl); "&redirect_uri=" + JITCallbackUrl);
} catch (JITProvisionException | IOException ex) { } catch (JITProvisionException | IOException ex) {
@ -129,6 +131,7 @@ public class JITProvisionHandler extends HttpServlet {
JITInfo.setRedirectUrl(redirectUrl); JITInfo.setRedirectUrl(redirectUrl);
JITInfo.setSp(JITServiceProviderName); JITInfo.setSp(JITServiceProviderName);
session.setMaxInactiveInterval(3600); session.setMaxInactiveInterval(3600);
session.setAttribute("state", state);
session.setAttribute(HandlerConstants.SESSION_JIT_DATA_KEY, JITInfo); session.setAttribute(HandlerConstants.SESSION_JIT_DATA_KEY, JITInfo);
} }

Loading…
Cancel
Save