Merge branch 'hostnamefix' into 'master'

Hostname checking in httpsession Credentials are checked per session and hostname is checked per request. This can be abused to escalate privileges from one event to another by copying JSESSIONID-cookie from hostname to another See merge request !216

Merge branch 'hostnamefix' into 'master'
Hostname checking in httpsession Credentials are checked per session and hostname is checked per request. This can be abused to escalate privileges from one event to another by copying JSESSIONID-cookie from hostname to another See merge request !216
Juho Juopperi
Commit b1c2c9b5 authored Jan 11, 2015 by Juho Juopperi
Showing with 13 additions and 6 deletions
code/moya-web/src/main/java/fi/codecrew/moya/HostnameFilter.java
--- a/code/moya-web/src/main/java/fi/codecrew/moya/HostnameFilter.java
+++ b/code/moya-web/src/main/java/fi/codecrew/moya/HostnameFilter.java
@@ -19,9 +19,8 @@
 package fi.codecrew.moya;

 import java.io.IOException;
-import java.io.PrintWriter;
-import java.security.Principal;
 import java.nio.charset.Charset;
+import java.security.Principal;

 import javax.ejb.EJB;
 import javax.faces.application.ProjectStage;
@@ -35,8 +34,8 @@ import javax.servlet.ServletResponse;
 import javax.servlet.annotation.WebFilter;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;

-import org.apache.http.HttpRequest;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.slf4j.MDC;
@@ -53,6 +52,7 @@ import fi.codecrew.moya.rest.RestApplicationEntrypoint;
 @WebFilter(filterName = "hostnameFilter", displayName = "hostname and authentication filter", urlPatterns = { "/*" })
 public class HostnameFilter implements Filter {

+	private static final String SESSION_HOSTNAMESTORE = "moya-session-hostname";
 	private static final Logger logger = LoggerFactory.getLogger(HostnameFilter.class);
 	private static final String HTTP_HOSTNAME_ID = "moya_hostname_session_id";
 	private boolean developmentMode = false;
@@ -137,7 +137,7 @@ public class HostnameFilter implements Filter {
 	 */

 	private static final String[] NOAUTH_RESTPATHS = new String[] {
-			"/reader/EventRole/","/user/auth"
+			"/reader/EventRole/", "/user/auth"

 	};

@@ -147,6 +147,7 @@ public class HostnameFilter implements Filter {
 		// logger.info("HostnameFilter called!");
 		HttpServletRequest httpRequest = null;
 		AuthType authtype = AuthType.UNKNOWN;
+
 		if (request != null && request instanceof HttpServletRequest) {
 			httpRequest = ((HttpServletRequest) request);
 			parseHostname(httpRequest);
@@ -208,7 +209,6 @@ public class HostnameFilter implements Filter {

 	private boolean restAuth(HttpServletRequest httpRequest, ServletResponse response) {

-		
 		String sp = httpRequest.getPathInfo();
 		for (String s : NOAUTH_RESTPATHS) {
 			if (sp.startsWith(s)) {
@@ -274,9 +274,16 @@ public class HostnameFilter implements Filter {
 		boolean ssl = proto.equals("https");
 		BortalLocalContextHolder.setSsl(ssl);

+		HttpSession session = httpRequest.getSession();
+		Object sessionHostname = session.getAttribute(SESSION_HOSTNAMESTORE);
+		if (sessionHostname == null) {
+			session.setAttribute(SESSION_HOSTNAMESTORE, hostname);
+		} else if (!hostname.equals(sessionHostname)) {
+			throw new RuntimeException("Hostname mismatch!");
+		}
+
 		BortalLocalContextHolder.setHostname(hostname);
 		BortalLocalContextHolder.setInDevelopmentMode(developmentMode);

 	}
-
 }