LUT-28902 : Security token filter

src/java/fr/paris/lutece/portal/service/admin/AdminTokenAccessDeniedException.java

@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 2002-2022, City of Paris
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *  1. Redistributions of source code must retain the above copyright notice
+ *     and the following disclaimer.
+ *
+ *  2. Redistributions in binary form must reproduce the above copyright notice
+ *     and the following disclaimer in the documentation and/or other materials
+ *     provided with the distribution.
+ *
+ *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
+ *     contributors may be used to endorse or promote products derived from
+ *     this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * License 1.0
+ */
+package fr.paris.lutece.portal.service.admin;
+
+/**
+ * Exception thrown when the user can't access a feature.
+ */
+public class AdminTokenAccessDeniedException extends RuntimeException
+{
+    /**
+     *
+     */
+    private static final long serialVersionUID = 323303358249337792L;
+
+    /**
+     * Builds a AccessDeniedException with the message
+     * 
+     * @param strMessage
+     *            the message
+     */
+    public AdminTokenAccessDeniedException( String strMessage )
+    {
+        super( strMessage );
+    }
+}

src/java/fr/paris/lutece/portal/service/content/XPageAppService.java

@@ -40,10 +40,12 @@
 import fr.paris.lutece.portal.service.portal.PortalService;
 import fr.paris.lutece.portal.service.security.LuteceUser;
 import fr.paris.lutece.portal.service.security.SecurityService;
+import fr.paris.lutece.portal.service.security.SecurityTokenHandler;
 import fr.paris.lutece.portal.service.security.UserNotSignedException;
 import fr.paris.lutece.portal.service.template.AppTemplateService;
 import fr.paris.lutece.portal.service.util.AppException;
 import fr.paris.lutece.portal.service.util.AppLogService;
+import fr.paris.lutece.portal.util.mvc.utils.ReflectionUtils;
 import fr.paris.lutece.portal.web.xpages.XPage;
 import fr.paris.lutece.portal.web.xpages.XPageApplication;
 import fr.paris.lutece.portal.web.xpages.XPageApplicationEntry;
@@ -104,11 +106,18 @@ public static void registerXPageApplication( XPageApplicationEntry entry ) throw
                     throw new LuteceInitException( ERROR_INSTANTIATION + entry.getId( ) + " - Could not find bean named " + applicationBeanName,
                             new ResolutionException( applicationBeanName ) );
                 }
+
+                Class clazz = CDI.current( ).getBeanManager( ).getBeans( applicationBeanName ).iterator( ).next( ).getBeanClass( );
+                SecurityTokenHandler securityTokenHandler = CDI.current( ).select( SecurityTokenHandler.class ).get( );
+                securityTokenHandler.registerDisabledActions( entry.getId( ), ReflectionUtils.getDeclaredMethods( clazz ) );
             }
             else
             {
                 // check that the class can be found
-                Class.forName( entry.getClassName( ) ).newInstance( );
+                Object instance = Class.forName( entry.getClassName( ) ).newInstance( );
+
+                SecurityTokenHandler securityTokenHandler = CDI.current( ).select( SecurityTokenHandler.class ).get( );
+                securityTokenHandler.registerDisabledActions( entry.getId( ), ReflectionUtils.getDeclaredMethods( instance.getClass( ) ) );
             }
 
             _mapApplications.put( entry.getId( ), entry );

src/java/fr/paris/lutece/portal/service/message/SiteMessageHandler.java

@@ -36,6 +36,7 @@
 import fr.paris.lutece.portal.service.content.PageData;
 import fr.paris.lutece.portal.service.includes.PageInclude;
 import fr.paris.lutece.portal.service.includes.PageIncludeService;
+import fr.paris.lutece.portal.service.security.SecurityTokenHandler;
 import fr.paris.lutece.portal.service.template.AppTemplateService;
 import fr.paris.lutece.portal.service.util.AppPathService;
 import fr.paris.lutece.portal.web.constants.Markers;
@@ -49,6 +50,7 @@
 import java.util.Map;
 
 import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
 import jakarta.servlet.http.HttpServletRequest;
 
 /**
@@ -72,6 +74,9 @@ public class SiteMessageHandler implements ISiteMessageHandler
     private static final String BOOKMARK_BASE_URL = "@base_url@";
     private static final String MARK_BACK_URL = "back_url";
 
+    @Inject
+    private SecurityTokenHandler _securityTokenHandler;
+
     /**
      * {@inheritDoc }
      */
@@ -113,6 +118,8 @@ public String getPage( HttpServletRequest request, int nMode )
 
         // Delete message in session
         SiteMessageService.cleanMessageSession( request );
+
+        _securityTokenHandler.addSessionTokenValue( request, model );
 
         HtmlTemplate template = AppTemplateService.getTemplate( TEMPLATE_MESSAGE, locale, model );
 

src/java/fr/paris/lutece/portal/service/security/SecurityTokenFilterAdmin.java

@@ -0,0 +1,132 @@
+/*
+ * Copyright (c) 2002-2024, City of Paris
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *  1. Redistributions of source code must retain the above copyright notice
+ *     and the following disclaimer.
+ *
+ *  2. Redistributions in binary form must reproduce the above copyright notice
+ *     and the following disclaimer in the documentation and/or other materials
+ *     provided with the distribution.
+ *
+ *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
+ *     contributors may be used to endorse or promote products derived from
+ *     this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * License 1.0
+ */
+package fr.paris.lutece.portal.service.security;
+
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.stream.Collectors;
+import java.util.stream.StreamSupport;
+
+import org.eclipse.microprofile.config.Config;
+import org.eclipse.microprofile.config.ConfigProvider;
+
+import fr.paris.lutece.portal.service.admin.AdminTokenAccessDeniedException;
+import fr.paris.lutece.portal.util.mvc.utils.MVCUtils;
+import fr.paris.lutece.portal.web.LocalVariables;
+import jakarta.inject.Inject;
+import jakarta.servlet.Filter;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.FilterConfig;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+/**
+ * Filter to manage the CSRF token validation for MVCAdminJspBean requests.
+ */
+public class SecurityTokenFilterAdmin implements Filter
+{
+    private static final String EXCLUDED_RESOURCES_CONFIG = ".securityTokenFilterAdmin.exclude";
+
+    private Set<String> _excludedResources = new HashSet<String>( );
+    @Inject
+    private SecurityTokenHandler _securityTokenHandler;
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public void init( FilterConfig filterConfig ) throws ServletException
+    {
+        Config config = ConfigProvider.getConfig( );
+        _excludedResources = StreamSupport.stream( config.getPropertyNames( ).spliterator( ), false )
+                .filter( n -> n.endsWith( EXCLUDED_RESOURCES_CONFIG ) )
+                .flatMap( n -> Arrays.stream( config.getValue( n, String [ ].class ) ) )
+                .collect( Collectors.toSet( ) );
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public void doFilter( ServletRequest request, ServletResponse response, FilterChain chain ) throws IOException, ServletException
+    {
+        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
+        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
+        LocalVariables.setLocal( null, httpServletRequest, httpServletResponse );
+        _securityTokenHandler.handle( httpServletRequest );
+
+        if ( _securityTokenHandler.shouldNotFilter( httpServletRequest )
+                || isResourceExcluded( httpServletRequest ) )
+        {
+            chain.doFilter( request, response );
+            return;
+        }
+
+        String action = MVCUtils.getAction( httpServletRequest );
+        if ( !_securityTokenHandler.validate( httpServletRequest, action ) )
+        {
+            throw new ServletException( new AdminTokenAccessDeniedException( "SecurityTokenFilterSite :: Invalid security token" ) );
+        }
+
+        chain.doFilter( request, response );
+    }
+
+    /**
+     * Checks if the requested URI is excluded from security token validation.
+     * 
+     * @param request
+     *            The request
+     * @return
+     *         True is the resource is excluded for the token validation.
+     */
+    private boolean isResourceExcluded( HttpServletRequest request )
+    {
+        boolean bExcluded = false;
+        for ( String strExcluded : _excludedResources )
+        {
+            if ( request.getServletPath( ).contains( strExcluded ) )
+            {
+                bExcluded = true;
+                break;
+            }
+        }
+        return bExcluded;
+    }
+
+}

src/java/fr/paris/lutece/portal/service/security/SecurityTokenFilterSite.java

@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 2002-2024, City of Paris
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *  1. Redistributions of source code must retain the above copyright notice
+ *     and the following disclaimer.
+ *
+ *  2. Redistributions in binary form must reproduce the above copyright notice
+ *     and the following disclaimer in the documentation and/or other materials
+ *     provided with the distribution.
+ *
+ *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
+ *     contributors may be used to endorse or promote products derived from
+ *     this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * License 1.0
+ */
+package fr.paris.lutece.portal.service.security;
+
+import java.io.IOException;
+
+import fr.paris.lutece.portal.service.admin.AccessDeniedException;
+import fr.paris.lutece.portal.util.mvc.utils.MVCUtils;
+import jakarta.inject.Inject;
+import jakarta.servlet.Filter;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+
+/**
+ * Filter to manage the CSRF token validation for MVCApplication requests.
+ */
+public class SecurityTokenFilterSite implements Filter
+{
+    @Inject
+    private SecurityTokenHandler _securityTokenHandler;
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public void doFilter( ServletRequest request, ServletResponse response, FilterChain chain ) throws IOException, ServletException
+    {
+        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
+        _securityTokenHandler.handle( httpServletRequest );
+
+        if ( _securityTokenHandler.shouldNotFilter( httpServletRequest ) )
+        {
+            chain.doFilter( request, response );
+            return;
+        }
+
+        String action = MVCUtils.getAction( httpServletRequest );
+        if ( !_securityTokenHandler.validate( httpServletRequest, action ) )
+        {
+            throw new ServletException( new AccessDeniedException( "Invalid security token" ) );
+        }
+
+        chain.doFilter( request, response );
+    }
+
+}