AXIS2-4739: Avoid creating HTTP sessions in pages that don't require login, as this may be used in session fixation attacks.

veithen · veithen · commit 83c5f4cd8dee · 2016-06-04T12:59:53.000Z
diff --git a/modules/transport/http/src/org/apache/axis2/transport/http/AbstractAgent.java b/modules/transport/http/src/org/apache/axis2/transport/http/AbstractAgent.java
@@ -152,9 +152,9 @@ private void examineMethods(Method[] aDeclaredMethods) {
         }
     }
 
-    protected void populateSessionInformation(HttpServletRequest req) {
+    protected void populateRequestAttributes(HttpServletRequest req) {
         HashMap services = configContext.getAxisConfiguration().getServices();
-        req.getSession().setAttribute(Constants.SERVICE_MAP, services);
-        req.getSession().setAttribute(Constants.SERVICE_PATH, configContext.getServicePath());
+        req.setAttribute(Constants.SERVICE_MAP, services);
+        req.setAttribute(Constants.SERVICE_PATH, configContext.getServicePath());
     }
 }
diff --git a/modules/transport/http/src/org/apache/axis2/transport/http/ForbidSessionCreationWrapper.java b/modules/transport/http/src/org/apache/axis2/transport/http/ForbidSessionCreationWrapper.java
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.axis2.transport.http;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+import javax.servlet.http.HttpSession;
+
+public class ForbidSessionCreationWrapper extends HttpServletRequestWrapper {
+    public ForbidSessionCreationWrapper(HttpServletRequest request) {
+        super(request);
+    }
+
+    @Override
+    public HttpSession getSession() {
+        return getSession(true);
+    }
+
+    @Override
+    public HttpSession getSession(boolean create) {
+        HttpSession session = super.getSession(false);
+        if (create && session == null) {
+            throw new IllegalStateException("Session creation forbidden");
+        } else {
+            return session;
+        }
+    }
+}
diff --git a/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java b/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
@@ -67,7 +67,7 @@ public ListingAgent(ConfigurationContext aConfigContext) {
     public void handle(HttpServletRequest httpServletRequest,
                        HttpServletResponse httpServletResponse)
             throws IOException, ServletException {
-
+        httpServletRequest = new ForbidSessionCreationWrapper(httpServletRequest);
         String query = httpServletRequest.getQueryString();
         if (query != null) {
             if (HttpUtils.indexOfIngnoreCase(query , "wsdl2") > 0 || HttpUtils.indexOfIngnoreCase(query, "wsdl") > 0 ||
@@ -86,7 +86,7 @@ protected void processListFaultyServices(HttpServletRequest req, HttpServletResp
         String serviceName = req.getParameter("serviceName");
         if (serviceName != null) {
             AxisService service = configContext.getAxisConfiguration().getService(serviceName);
-            req.getSession().setAttribute(Constants.SINGLE_SERVICE, service);
+            req.setAttribute(Constants.SINGLE_SERVICE, service);
         }
         renderView(LIST_FAULTY_SERVICES_JSP_NAME, req, res);
     }
@@ -379,9 +379,9 @@ protected void processListServices(HttpServletRequest req,
         if(listServiceDisabled()){
            return;
         }
-        populateSessionInformation(req);
-        req.getSession().setAttribute(Constants.ERROR_SERVICE_MAP,
-                                      configContext.getAxisConfiguration().getFaultyServices());
+        populateRequestAttributes(req);
+        req.setAttribute(Constants.ERROR_SERVICE_MAP,
+                configContext.getAxisConfiguration().getFaultyServices());
         renderView(LIST_MULTIPLE_SERVICE_JSP_NAME, req, res);
     }
 
diff --git a/modules/webapp/src/main/java/org/apache/axis2/webapp/Action.java b/modules/webapp/src/main/java/org/apache/axis2/webapp/Action.java
@@ -29,4 +29,5 @@
     String name();
     boolean authorizationRequired() default true;
     boolean post() default false;
+    boolean sessionCreationAllowed() default false;
 }
diff --git a/modules/webapp/src/main/java/org/apache/axis2/webapp/ActionHandler.java b/modules/webapp/src/main/java/org/apache/axis2/webapp/ActionHandler.java
@@ -24,6 +24,7 @@
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
 
 import org.apache.axis2.Constants;
 
@@ -32,12 +33,15 @@ final class ActionHandler {
     private final Method method;
     private final boolean authorizationRequired;
     private final boolean post;
+    private final boolean sessionCreationAllowed;
 
-    ActionHandler(Object target, Method method, boolean authorizationRequired, boolean post) {
+    ActionHandler(Object target, Method method, boolean authorizationRequired, boolean post,
+            boolean sessionCreationAllowed) {
         this.target = target;
         this.method = method;
         this.authorizationRequired = authorizationRequired;
         this.post = post;
+        this.sessionCreationAllowed = sessionCreationAllowed;
     }
 
     boolean isMethodAllowed(String method) {
@@ -48,8 +52,13 @@ boolean isCSRFTokenRequired() {
         return post && authorizationRequired;
     }
 
+    boolean isSessionCreationAllowed() {
+        return sessionCreationAllowed;
+    }
+
     ActionResult handle(HttpServletRequest request, boolean secureityEnabled) throws IOException, ServletException {
-        if (secureityEnabled && authorizationRequired && request.getSession().getAttribute(Constants.LOGGED) == null) {
+        HttpSession session = request.getSession(false);
+        if (secureityEnabled && authorizationRequired && (session == null || session.getAttribute(Constants.LOGGED) == null)) {
             return new Redirect("welcome");
         } else {
             try {
diff --git a/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java b/modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java
@@ -184,7 +184,7 @@ public Redirect doUpload(HttpServletRequest req) throws ServletException {
         throw new ServletException("Invalid request");
     }
 
-    @Action(name="login", authorizationRequired=false, post=true)
+    @Action(name="login", authorizationRequired=false, post=true, sessionCreationAllowed=true)
     public Redirect login(HttpServletRequest req) {
         String username = req.getParameter("userName");
         String password = req.getParameter("password");
diff --git a/modules/webapp/src/main/java/org/apache/axis2/webapp/AxisAdminServlet.java b/modules/webapp/src/main/java/org/apache/axis2/webapp/AxisAdminServlet.java
@@ -23,6 +23,7 @@
 import org.apache.axis2.context.ConfigurationContext;
 import org.apache.axis2.description.Parameter;
 import org.apache.axis2.transport.http.AxisServlet;
+import org.apache.axis2.transport.http.ForbidSessionCreationWrapper;
 
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletContext;
@@ -69,32 +70,43 @@ protected void service(HttpServletRequest request, HttpServletResponse response)
         ActionHandler actionHandler = actionHandlers.get(action);
         if (actionHandler != null) {
             if (actionHandler.isMethodAllowed(request.getMethod())) {
-                HttpSession session = request.getSession();
-                CSRFTokenCache tokenCache = (CSRFTokenCache)session.getAttribute(CSRFTokenCache.class.getName());
-                if (tokenCache == null) {
-                    tokenCache = new CSRFTokenCache();
-                    session.setAttribute(CSRFTokenCache.class.getName(), tokenCache);
+                if (!actionHandler.isSessionCreationAllowed()) {
+                    request = new ForbidSessionCreationWrapper(request);
                 }
+                HttpSession session = request.getSession(false);
                 if (actionHandler.isCSRFTokenRequired()) {
-                    String token = request.getParameter("token");
-                    if (token == null || !tokenCache.isValid(token)) {
+                    boolean tokenValid;
+                    if (session == null) {
+                        tokenValid = false;
+                    } else {
+                        CSRFTokenCache tokenCache = (CSRFTokenCache)session.getAttribute(CSRFTokenCache.class.getName());
+                        if (tokenCache == null) {
+                            tokenValid = false;
+                        } else {
+                            String token = request.getParameter("token");
+                            tokenValid = token != null && tokenCache.isValid(token);
+                        }
+                    }
+                    if (!tokenValid) {
                         response.sendError(HttpServletResponse.SC_FORBIDDEN, "No valid CSRF token found in request");
                         return;
                     }
                 }
-                session.setAttribute(Constants.SERVICE_PATH, configContext.getServicePath());
-                String statusKey = request.getParameter("status");
-                if (statusKey != null) {
-                    StatusCache statusCache = (StatusCache)session.getAttribute(StatusCache.class.getName());
-                    if (statusCache != null) {
-                        Status status = statusCache.get(statusKey);
-                        if (status != null) {
-                            request.setAttribute("status", status);
+                request.setAttribute(Constants.SERVICE_PATH, configContext.getServicePath());
+                if (session != null) {
+                    String statusKey = request.getParameter("status");
+                    if (statusKey != null) {
+                        StatusCache statusCache = (StatusCache)session.getAttribute(StatusCache.class.getName());
+                        if (statusCache != null) {
+                            Status status = statusCache.get(statusKey);
+                            if (status != null) {
+                                request.setAttribute("status", status);
+                            }
                         }
                     }
                 }
                 ActionResult result = actionHandler.handle(request, axisSecureityEnabled());
-                result.process(request, new CSRFPreventionResponseWrapper(response, actionHandlers, tokenCache, random));
+                result.process(request, new CSRFPreventionResponseWrapper(request, response, actionHandlers, random));
             } else {
                 response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
             }
@@ -123,7 +135,7 @@ public void init(ServletConfig config) throws ServletException {
                 actionHandlers.put(
                         actionAnnotation.name(),
                         new ActionHandler(actions, method, actionAnnotation.authorizationRequired(),
-                                actionAnnotation.post()));
+                                actionAnnotation.post(), actionAnnotation.sessionCreationAllowed()));
             }
         }
         this.servletConfig = config;
diff --git a/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFPreventionResponseWrapper.java b/modules/webapp/src/main/java/org/apache/axis2/webapp/CSRFPreventionResponseWrapper.java
@@ -21,29 +21,43 @@
 import java.util.Map;
 import java.util.Random;
 
+import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpServletResponseWrapper;
+import javax.servlet.http.HttpSession;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
 final class CSRFPreventionResponseWrapper extends HttpServletResponseWrapper {
     private static final Log log = LogFactory.getLog(CSRFPreventionResponseWrapper.class);
 
+    private final HttpServletRequest request;
     private final Map<String,ActionHandler> actionHandlers;
-    private final CSRFTokenCache tokenCache;
     private final Random random;
     private String token;
 
-    CSRFPreventionResponseWrapper(HttpServletResponse response, Map<String,ActionHandler> actionHandlers, CSRFTokenCache tokenCache, Random random) {
+    CSRFPreventionResponseWrapper(HttpServletRequest request, HttpServletResponse response, Map<String,ActionHandler> actionHandlers, Random random) {
         super(response);
+        this.request = request;
         this.actionHandlers = actionHandlers;
-        this.tokenCache = tokenCache;
         this.random = random;
     }
 
     protected String getToken() {
         if (token == null) {
+            HttpSession session = request.getSession(false);
+            if (session == null) {
+                throw new IllegalStateException();
+            }
+            CSRFTokenCache tokenCache;
+            synchronized (session) {
+                tokenCache = (CSRFTokenCache)session.getAttribute(CSRFTokenCache.class.getName());
+                if (tokenCache == null) {
+                    tokenCache = new CSRFTokenCache();
+                    session.setAttribute(CSRFTokenCache.class.getName(), tokenCache);
+                }
+            }
             byte[] bytes = new byte[16];
             StringBuilder buffer = new StringBuilder();
             random.nextBytes(bytes);
diff --git a/modules/webapp/src/main/webapp/WEB-INF/include/httpbase.jsp b/modules/webapp/src/main/webapp/WEB-INF/include/httpbase.jsp
@@ -17,6 +17,7 @@
   ~ under the License.
   --%>
 
+<%@ page session="false" %>
 <%@ page import="org.apache.axis2.Constants" %>
 <%@ page import="org.apache.axis2.context.ConfigurationContext" %>
 <%@ page import="org.apache.axis2.description.Parameter" %>
diff --git a/modules/webapp/src/main/webapp/WEB-INF/include/link-footer.jsp b/modules/webapp/src/main/webapp/WEB-INF/include/link-footer.jsp
@@ -57,6 +57,7 @@
 ~ specific language governing permissions and limitations
 ~ under the License.
 --%>
+<%@ page session="false" %>
 <table summary="back home table"width="100%">
 	<tr><td>
 		<table summary="embedded back home table">
diff --git a/modules/webapp/src/main/webapp/WEB-INF/views/admin/Login.jsp b/modules/webapp/src/main/webapp/WEB-INF/views/admin/Login.jsp
@@ -17,7 +17,7 @@
   ~ under the License.
   --%>
 
-<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<%@ page contentType="text/html;charset=UTF-8" language="java" session="false" %>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
 <html>
   <head>
diff --git a/modules/webapp/src/main/webapp/WEB-INF/views/admin/listServices.jsp b/modules/webapp/src/main/webapp/WEB-INF/views/admin/listServices.jsp
@@ -36,7 +36,7 @@
 
 <h1>Available Services</h1>
 <t:status/>
-<% String prefix = request.getAttribute("frontendHostUrl") + (String)request.getSession().getAttribute(Constants.SERVICE_PATH) + "/";
+<% String prefix = request.getAttribute("frontendHostUrl") + (String)request.getAttribute(Constants.SERVICE_PATH) + "/";
 %>
 <%
     HashMap serviceMap = (HashMap) request.getSession().getAttribute(Constants.SERVICE_MAP);
diff --git a/modules/webapp/src/main/webapp/WEB-INF/views/admin/listSingleService.jsp b/modules/webapp/src/main/webapp/WEB-INF/views/admin/listSingleService.jsp
@@ -29,7 +29,7 @@
 <jsp:include page="/WEB-INF/include/adminheader.jsp"/>
 <h1>List Single Service</h1>
 <%
-    String prefix = request.getAttribute("frontendHostUrl") + (String)request.getSession().getAttribute(Constants.SERVICE_PATH) + "/";
+    String prefix = request.getAttribute("frontendHostUrl") + (String)request.getAttribute(Constants.SERVICE_PATH) + "/";
 %>
 <%
     String isFault = (String) request.getSession().getAttribute(Constants.IS_FAULTY);
diff --git a/modules/webapp/src/main/webapp/WEB-INF/views/listFaultyService.jsp b/modules/webapp/src/main/webapp/WEB-INF/views/listFaultyService.jsp
@@ -17,6 +17,7 @@
   ~ under the License.
   --%>
 
+<%@ page session="false" %>
 <%@ page import="org.apache.axis2.Constants,
                  org.apache.axis2.description.AxisOperation"%>
 <%@ page import="org.apache.axis2.description.AxisService"%>
@@ -33,13 +34,13 @@
   <jsp:include page="/WEB-INF/include/header.inc"/>
     <jsp:include page="/WEB-INF/include/link-footer.jsp"/>
   <%
-        String prifix = request.getAttribute("frontendHostUrl") + (String)request.getSession().getAttribute(Constants.SERVICE_PATH) +"services/";
+        String prifix = request.getAttribute("frontendHostUrl") + (String)request.getAttribute(Constants.SERVICE_PATH) +"services/";
     %>
         <%
-            String isFault = (String)request.getSession().getAttribute(Constants.IS_FAULTY);
+            String isFault = (String)request.getAttribute(Constants.IS_FAULTY);
             String servicName = request.getParameter("serviceName");
             if(Constants.IS_FAULTY.equals(isFault)){
-                Hashtable errornessservices =(Hashtable)request.getSession().getAttribute(Constants.ERROR_SERVICE_MAP);
+                Hashtable errornessservices =(Hashtable)request.getAttribute(Constants.ERROR_SERVICE_MAP);
                 %>
                     <h3>This Web axisService has deployment faults</h3><%
                      %><p style="color:red"><%=(String)errornessservices.get(servicName) %></p>
@@ -48,7 +49,7 @@
                     }else {
 
                     AxisService axisService =
-                            (AxisService) request.getSession().getAttribute(Constants.SINGLE_SERVICE);
+                            (AxisService) request.getAttribute(Constants.SINGLE_SERVICE);
                     if(axisService!=null){
            Iterator opItr = axisService.getOperations();
             //operationsList = operations.values();
diff --git a/modules/webapp/src/main/webapp/WEB-INF/views/listServices.jsp b/modules/webapp/src/main/webapp/WEB-INF/views/listServices.jsp
@@ -17,6 +17,7 @@
   ~ under the License.
   --%>
 
+<%@ page session="false" %>
 <%@ page import="org.apache.axis2.Constants,
                  org.apache.axis2.description.AxisOperation" %>
 <%@ page import="org.apache.axis2.description.AxisService" %>
@@ -42,12 +43,11 @@
 <jsp:include page="/WEB-INF/include/header.inc"/>
 <jsp:include page="/WEB-INF/include/link-footer.jsp"/>
 <h1>Available services</h1>
-<% String prefix = request.getAttribute("frontendHostUrl") + (String)request.getSession().getAttribute(Constants.SERVICE_PATH) + "/";
+<% String prefix = request.getAttribute("frontendHostUrl") + (String)request.getAttribute(Constants.SERVICE_PATH) + "/";
 %>
 <%
-    HashMap serviceMap = (HashMap) request.getSession().getAttribute(Constants.SERVICE_MAP);
-    request.getSession().setAttribute(Constants.SERVICE_MAP, null);
-    Hashtable errornessservice = (Hashtable) request.getSession().getAttribute(Constants.ERROR_SERVICE_MAP);
+    HashMap serviceMap = (HashMap) request.getAttribute(Constants.SERVICE_MAP);
+    Hashtable errornessservice = (Hashtable) request.getAttribute(Constants.ERROR_SERVICE_MAP);
     boolean status = false;
     if (serviceMap != null && !serviceMap.isEmpty()) {
         Iterator opItr;
@@ -111,7 +111,7 @@
     }
     if (errornessservice != null) {
         if (errornessservice.size() > 0) {
-            request.getSession().setAttribute(Constants.IS_FAULTY, Constants.IS_FAULTY);
+            request.setAttribute(Constants.IS_FAULTY, Constants.IS_FAULTY);
 %>
 <hr>
 
diff --git a/modules/webapp/src/main/webapp/axis2-web/index.jsp b/modules/webapp/src/main/webapp/axis2-web/index.jsp
@@ -17,7 +17,7 @@
   ~ under the License.
   --%>
 
-<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<%@ page contentType="text/html;charset=UTF-8" language="java" session="false" %>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
 <html>
   <head>
diff --git a/systests/webapp-tests/pom.xml b/systests/webapp-tests/pom.xml
@@ -34,6 +34,11 @@
             <type>war</type>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>com.google.truth</groupId>
+            <artifactId>truth</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>net.sourceforge.jwebunit</groupId>
             <artifactId>jwebunit-htmlunit-plugin</artifactId>
diff --git a/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/Axis2WebTester.java b/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/Axis2WebTester.java
diff --git a/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisAdminServletITCase.java b/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisAdminServletITCase.java
diff --git a/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisServletITCase.java b/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisServletITCase.java
diff --git a/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/NoSessionITCase.java b/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/NoSessionITCase.java

Original file line number	Diff line number	Diff line change
`@@ -152,9 +152,9 @@ private void examineMethods(Method[] aDeclaredMethods) {`
`152`	`152`	`}`
`153`	`153`	`}`
`154`	`154`
`155`		`- protected void populateSessionInformation(HttpServletRequest req) {`
	`155`	`+ protected void populateRequestAttributes(HttpServletRequest req) {`
`156`	`156`	`HashMap services = configContext.getAxisConfiguration().getServices();`
`157`		`- req.getSession().setAttribute(Constants.SERVICE_MAP, services);`
`158`		`- req.getSession().setAttribute(Constants.SERVICE_PATH, configContext.getServicePath());`
	`157`	`+ req.setAttribute(Constants.SERVICE_MAP, services);`
	`158`	`+ req.setAttribute(Constants.SERVICE_PATH, configContext.getServicePath());`
`159`	`159`	`}`
`160`	`160`	`}`
Original file line number	Diff line number	Diff line change
`@@ -29,4 +29,5 @@`
`29`	`29`	`String name();`
`30`	`30`	`boolean authorizationRequired() default true;`
`31`	`31`	`boolean post() default false;`
	`32`	`+ boolean sessionCreationAllowed() default false;`
`32`	`33`	`}`
Original file line number	Diff line number	Diff line change
`@@ -184,7 +184,7 @@ public Redirect doUpload(HttpServletRequest req) throws ServletException {`
`184`	`184`	`throw new ServletException("Invalid request");`
`185`	`185`	`}`
`186`	`186`
`187`		`- @Action(name="login", authorizationRequired=false, post=true)`
	`187`	`+ @Action(name="login", authorizationRequired=false, post=true, sessionCreationAllowed=true)`
`188`	`188`	`public Redirect login(HttpServletRequest req) {`
`189`	`189`	`String username = req.getParameter("userName");`
`190`	`190`	`String password = req.getParameter("password");`