Change in ovirt-engine[master]: restapi: CSRF protection filter

juan.hernandez at redhat.com
Thu Jul 10 09:03:33 UTC 2014


Juan Hernandez has submitted this change and it was merged.

Change subject: restapi: CSRF protection filter
......................................................................


restapi: CSRF protection filter

This patch introduces a filter that protects the RESTAPI from CSRF
attacks. Protection is enabled/disabled globally, using the new
CSRFProtection configuration parameter. By default this parameter is
"false", so the protection isn't enabled. This can be changed with the
"engine-config" tool, as follows:

  # engine-config -s CSRFProtection=true

If the protection is enabled globally, then the caller can enable it for a
particular session using the "csrf-protection" preference:

  GET /ovirt-engine/api HTTP/1.1
  Authorization: Basic P/c1qcSSGuTlxUCTEUCosZfZ
  Host: ovirt.example.com
  Prefer: persistent-auth, csrf-protection

If this preference isn't specified then the session won't be protected,
even if it is enabled globally.

For protected sessions the caller must always include the "JSESSIONID"
header, which should contain the value of the session identifier:

  GET /ovirt-engine/api HTTP/1.1
  Cookie: JSESSIONID=y+FXYivGm2rdajrNhTRatNjl
  Prefer: persistent-auth, csrf-protection
  JSESSIONID: y+FXYivGm2rdajrNhTRatNjl

If the protection is enabled and the caller fails to send this token
then the request will be rejected and logged.

Change-Id: I5700192b62e514091c9f29910596f312c068c5b2
Bug-Url: https://bugzilla.redhat.com/1077441
Signed-off-by: Juan Hernandez <juan.hernandez at redhat.com>
---
M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/config/ConfigValues.java
M backend/manager/modules/restapi/interface/common/jaxrs/pom.xml
A backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/CSRFProtectionFilter.java
M backend/manager/modules/restapi/interface/common/jaxrs/src/main/modules/org/ovirt/engine/api/interface-common-jaxrs/main/module.xml
M backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml
M ear/src/main/resources/META-INF/MANIFEST.MF
M packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql
M packaging/etc/engine-config/engine-config.properties
8 files changed, 243 insertions(+), 0 deletions(-)

Approvals:
  Juan Hernandez: Verified; Looks good to me, approved



-- 
To view, visit http://gerrit.ovirt.org/29681
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I5700192b62e514091c9f29910596f312c068c5b2
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez at redhat.com>
Gerrit-Reviewer: Alexander Wels <awels at redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernandez at redhat.com>
Gerrit-Reviewer: Vojtech Szocs <vszocs at redhat.com>
Gerrit-Reviewer: Yair Zaslavsky <yzaslavs at redhat.com>
Gerrit-Reviewer: automation at ovirt.org
Gerrit-Reviewer: oVirt Jenkins CI Server
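The following is an executable model of the check described in the commit message above, added here as an example; it is not oVirt's CSRFProtectionFilter and not code from this change. It assumes a server-side session table, the status codes 401 and 403 for the two rejection cases, that the request which creates a session is exempt from the token check (the caller cannot know the identifier yet), and that a session stays protected once it has sent the csrf-protection preference (the commit message only says the preference enables protection "for a particular session"). The Engine class, Request class and parse_* helpers are names chosen for this model.

```python
"""Model of a session-scoped CSRF filter: a protected session must echo its
JSESSIONID cookie in a JSESSIONID request header.  Added example, not
oVirt's CSRFProtectionFilter; session store, status codes and the
"protected once opted in" rule are assumptions of this model."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive lookup; HTTP header names are case-insensitive."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_prefer(value: Optional[str]) -> Set[str]:
    """Preference names from a Prefer header (RFC 7240):
    'persistent-auth, csrf-protection; wait=10' -> {'persistent-auth', 'csrf-protection'}.
    Parameters (after ';') and values (after '=') are dropped, names lowercased."""
    prefs = set()
    for item in (value or "").split(","):
        name = item.split(";", 1)[0].split("=", 1)[0].strip().lower()
        if name:
            prefs.add(name)
    return prefs


def parse_cookies(value: Optional[str]) -> Dict[str, str]:
    """'JSESSIONID=abc; other=1' -> {'JSESSIONID': 'abc', 'other': '1'}"""
    cookies = {}
    for item in (value or "").split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            cookies[key.strip()] = val.strip()
    return cookies


@dataclass
class Session:
    csrf_protected: bool = False   # set once the caller sends "csrf-protection"


@dataclass
class Engine:
    """Minimal server: the CSRFProtection config value, a session table, a log."""
    csrf_protection: bool                      # engine-config -s CSRFProtection=true|false
    sessions: Dict[str, Session] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def handle(self, req: Request) -> Tuple[int, Optional[str]]:
        """Return (status, id of a newly created session or None)."""
        sid = parse_cookies(req.header("Cookie")).get("JSESSIONID")
        new_sid = None
        if sid not in self.sessions:
            if req.header("Authorization") is None:
                return 401, None               # no session and no credentials
            sid = new_sid = secrets.token_urlsafe(18)   # container would do this
            self.sessions[sid] = Session()
        session = self.sessions[sid]

        # Opt-in is remembered on the session (assumption): a forged cross-site
        # request never carries the Prefer header, so it must not be able to
        # turn protection off simply by omitting it.
        if "csrf-protection" in parse_prefer(req.header("Prefer")):
            session.csrf_protected = True

        # The request that created the session cannot echo an id it has not
        # received yet, so the token check starts with the next request.
        if self.csrf_protection and session.csrf_protected and new_sid is None:
            token = req.header("JSESSIONID")
            if token is None or not hmac.compare_digest(token.encode(), sid.encode()):
                reason = "missing" if token is None else "mismatch"
                self.log.append(f"CSRF token {reason}: {req.method} {req.path} session={sid[:6]}...")
                return 403, None               # rejected and logged
        return 200, new_sid
```

The defence works because a browser will not attach a custom JSESSIONID header to a cross-site form submission, and a cross-origin XMLHttpRequest carrying one is stopped by the CORS preflight, while the cookie is sent automatically either way. Two things to verify against the real filter before relying on it: that the opt-in really is stored on the session rather than evaluated per request (otherwise a forged request that omits the Prefer header lands in the unprotected path described in the commit message), and that the comparison between header and cookie is constant-time and exact.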
