Change in ovirt-engine[master]: restapi: CSRF protection filter

Juan Hernandez has submitted this change and it was merged.

Change subject: restapi: CSRF protection filter
......................................................................

restapi: CSRF protection filter

This patch introduces a filter that protects the RESTAPI from CSRF attacks.

Protection is enabled/disabled globally, using the new CSRFProtection
configuration parameter. By default this parameter is "false", so the
protection isn't enabled. This can be changed with the "engine-config" tool,
as follows:

  # engine-config -s CSRFProtection=true

If the protection is enabled globally, then the caller can enable it for a
particular session using the "csrf-protection" preference:

  GET /ovirt-engine/api HTTP/1.1
  Authorization: Basic P/c1qcSSGuTlxUCTEUCosZfZ
  Host: ovirt.example.com
  Prefer: persistent-auth, csrf-protection

If this preference isn't specified then the session won't be protected, even
if it is enabled globally.

For protected sessions the caller must always include the "JSESSIONID"
header, which should contain the value of the session identifier:

  GET /ovirt-engine/api HTTP/1.1
  Cookie: JSESSIONID=y+FXYivGm2rdajrNhTRatNjl
  Prefer: persistent-auth, csrf-protection
  JSESSIONID: y+FXYivGm2rdajrNhTRatNjl

If the protection is enabled and the caller fails to send this token then the
request will be rejected and logged.
Change-Id: I5700192b62e514091c9f29910596f312c068c5b2
Bug-Url: https://bugzilla.redhat.com/1077441
Signed-off-by: Juan Hernandez <juan.hernandez@redhat.com>
---
M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java
M backend/manager/modules/restapi/interface/common/jaxrs/pom.xml
A backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/CSRFProtectionFilter.java
M backend/manager/modules/restapi/interface/common/jaxrs/src/main/modules/org/ovirt/engine/api/interface-common-jaxrs/main/module.xml
M backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml
M ear/src/main/resources/META-INF/MANIFEST.MF
M packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql
M packaging/etc/engine-config/engine-config.properties
8 files changed, 243 insertions(+), 0 deletions(-)

Approvals:
  Juan Hernandez: Verified; Looks good to me, approved

--
To view, visit http://gerrit.ovirt.org/29681
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I5700192b62e514091c9f29910596f312c068c5b2
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez@redhat.com>
Gerrit-Reviewer: Alexander Wels <awels@redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernandez@redhat.com>
Gerrit-Reviewer: Vojtech Szocs <vszocs@redhat.com>
Gerrit-Reviewer: Yair Zaslavsky <yzaslavs@redhat.com>
Gerrit-Reviewer: automation@ovirt.org
Gerrit-Reviewer: oVirt Jenkins CI Server
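Added example, not code from the ovirt-engine patch: a small Python model of the decision the filter described in the commit message makes (global CSRFProtection switch, per-session opt-in via the "csrf-protection" preference, then a JSESSIONID header that must match the session cookie), run against constructed requests. It assumes authentication has already succeeded, that the server keeps the opt-in flag in per-session state (modelled here as a dict), and that the handling of an unknown session id is a choice of this example, not something the patch description specifies.

```python
import hmac
import logging
import secrets

log = logging.getLogger("csrf")


def preferences(headers):
    """Split the Prefer header into lower-case preference tokens (RFC 7240 style)."""
    return {p.strip().split("=", 1)[0].lower()
            for p in headers.get("Prefer", "").split(",") if p.strip()}


def session_cookie(headers):
    """Return the JSESSIONID cookie value, or None if the request carries no session."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "JSESSIONID":
            return value
    return None


def csrf_filter(headers, csrf_protection_enabled, sessions):
    """Decide whether a request passes. Returns (allowed, reason, session_id).

    `sessions` maps session id -> True if that session opted in to
    csrf-protection when it was created (assumed server-side session state).
    """
    sid = session_cookie(headers)
    if sid is None:
        # No session cookie: a fresh (e.g. Basic auth) request that starts a session.
        # The preference only takes effect when protection is enabled globally.
        sid = secrets.token_urlsafe(18)
        sessions[sid] = csrf_protection_enabled and "csrf-protection" in preferences(headers)
        return True, "new session created", sid
    if sid not in sessions:
        return False, "unknown session", sid  # assumption of this example
    if not sessions[sid]:
        return True, "session not protected", sid
    token = headers.get("JSESSIONID")
    if token is None or not hmac.compare_digest(token, sid):
        # A browser attaches the cookie automatically, but a cross-site page cannot
        # read it, so it cannot supply a matching header: reject and log.
        log.warning("rejected request: missing or wrong JSESSIONID header")
        return False, "JSESSIONID header missing or does not match cookie", sid
    return True, "token matches", sid


# Constructed sample: the opt-in login request from the commit message.
OPT_IN_REQUEST = {"Authorization": "Basic P/c1qcSSGuTlxUCTEUCosZfZ",
                  "Host": "ovirt.example.com",
                  "Prefer": "persistent-auth, csrf-protection"}
```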