
1   package com.atlassian.plugins.rest.common.security.jersey;
2   
3   import com.atlassian.http.method.Methods;
4   import com.atlassian.plugins.rest.common.security.XsrfCheckFailedException;
5   import com.sun.jersey.spi.container.ContainerRequest;
6   import org.slf4j.Logger;
7   import org.slf4j.LoggerFactory;
8   
9   /**
10   * Protects browsers against XSRF attacks where the origin of a request would not
11   * otherwise be permitted by the same origin policy or CORS.
12   *
13   * @since 2.9.21
14   */
class OriginBasedXsrfResourceFilter extends XsrfResourceFilter {

    private static final Logger log = LoggerFactory.getLogger(OriginBasedXsrfResourceFilter.class);

    /**
     * Runs the origin-based XSRF check for a single request.
     * <p>
     * The request passes straight through when it is not mutative, when it does not
     * look like it came from a browser, or when the additional browser checks of the
     * parent filter succeed. When those checks fail, a non-POST request, or a POST
     * whose media type the parent classifies as XSRF-able, is only logged (via
     * {@code logXsrfFailureButNotBeingEnforced}) and still passed through; every other
     * failing request is rejected.
     *
     * @param request the incoming Jersey request
     * @return the same request, unchanged, when it is allowed to proceed
     * @throws XsrfCheckFailedException when the request is a mutative, browser-like
     *         POST that fails the additional browser checks and whose media type does
     *         not fall into the log-only branch
     */
    public ContainerRequest filter(final ContainerRequest request) {
        final String method = request.getMethod();

        // Only mutative, browser-like requests are subject to the check at all.
        if (!Methods.isMutative(method) || !isLikelyToBeFromBrowser(request)) {
            return request;
        }

        if (passesAdditionalBrowserChecks(request)) {
            return request;
        }

        // NOTE(review): this branch is log-only — the request is NOT rejected even
        // though the browser checks failed. Non-POST methods and POSTs with an
        // XSRF-able media type therefore rely on the parent filter's own enforcement;
        // confirm this is the intended coverage.
        if (!isPostRequest(method)
                || (request.getMediaType() != null && isXsrfable(method, request.getMediaType()))) {
            logXsrfFailureButNotBeingEnforced(request, log);
            return request;
        }

        throw new XsrfCheckFailedException();
    }

}