Juan Hernandez has submitted this change and it was merged.
Change subject: restapi: CSRF protection filter
......................................................................
restapi: CSRF protection filter
This patch introduces a filter that protects the RESTAPI from CSRF
attacks. Protection is enabled/disabled globally, using the new
CSRFProtection configuration parameter. By default this parameter is
"false", so the protection isn't enabled. This can be changed with the
"engine-config" tool, as follows:
# engine-config -s CSRFProtection=true
If the protection is enabled globally, then the caller can enable for a
particular session using the "csrf-protection" preference:
GET /ovirt-engine/api HTTP/1.1
Authorization: Basic P/c1qcSSGuTlxUCTEUCosZfZ
Host:
ovirt.example.com
Prefer: persistent-auth, csrf-protection
If this preference isn't specified then the session won't be protected,
even if it is enabled globally.
For protected sessions the caller must always include the "JSESSIONID"
header, which should contain the value of the session identifier:
GET /ovirt-engine/api HTTP/1.1
Cookie: JSESSIONID=y+FXYivGm2rdajrNhTRatNjl
Prefer: persistent-auth, csrf-protection
JSESSIONID: y+FXYivGm2rdajrNhTRatNjl
If the protection is enabled and the caller fails to send this token
then the request will be rejected and logged.
Change-Id: I5700192b62e514091c9f29910596f312c068c5b2
Bug-Url:
https://bugzilla.redhat.com/1077441
Signed-off-by: Juan Hernandez <juan.hernandez(a)redhat.com>
---
M
backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java
M backend/manager/modules/restapi/interface/common/jaxrs/pom.xml
A
backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/CSRFProtectionFilter.java
M
backend/manager/modules/restapi/interface/common/jaxrs/src/main/modules/org/ovirt/engine/api/interface-common-jaxrs/main/module.xml
M backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml
M ear/src/main/resources/META-INF/MANIFEST.MF
M packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql
M packaging/etc/engine-config/engine-config.properties
8 files changed, 243 insertions(+), 0 deletions(-)
Approvals:
Juan Hernandez: Verified; Looks good to me, approved
--
To view, visit
http://gerrit.ovirt.org/29681
To unsubscribe, visit
http://gerrit.ovirt.org/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I5700192b62e514091c9f29910596f312c068c5b2
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Alexander Wels <awels(a)redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernandez(a)redhat.com>
Gerrit-Reviewer: Vojtech Szocs <vszocs(a)redhat.com>
Gerrit-Reviewer: Yair Zaslavsky <yzaslavs(a)redhat.com>
Gerrit-Reviewer: automation(a)ovirt.org
Gerrit-Reviewer: oVirt Jenkins CI Server