Juan Hernandez has uploaded a new change for review. Change subject: sdk: Send session header ......................................................................
sdk: Send session header As part of the implementation of the CSRF protection mechanism the server will in the near future start to require clients to send a header named JSESSIONID containing exactly the same value than the already existing JSESSIONID cookie. See the corresponding engine change for details: http://gerrit.ovirt.org/26578 This patch modifies the SDK so that it will always send this header. Change-Id: Iaefe1bec233b2dc5ec262983c7a5c0557a2be4e3 Related: https://bugzilla.redhat.com/1077441 Related: https://bugzilla.redhat.com/CVE-2014-0151 Signed-off-by: Juan Hernandez <juan.hernan...@redhat.com> --- M ovirt-engine-sdk-java/src/main/java/org/ovirt/engine/sdk/web/HttpProxy.java 1 file changed, 15 insertions(+), 0 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine-sdk-java refs/changes/44/26844/1 diff --git a/ovirt-engine-sdk-java/src/main/java/org/ovirt/engine/sdk/web/HttpProxy.java b/ovirt-engine-sdk-java/src/main/java/org/ovirt/engine/sdk/web/HttpProxy.java index 483a9d1..b24ef5f 100644 --- a/ovirt-engine-sdk-java/src/main/java/org/ovirt/engine/sdk/web/HttpProxy.java +++ b/ovirt-engine-sdk-java/src/main/java/org/ovirt/engine/sdk/web/HttpProxy.java @@ -28,6 +28,7 @@ import org.apache.http.client.methods.HttpPut; import org.apache.http.client.methods.HttpUriRequest; import org.apache.http.client.protocol.ClientContext; +import org.apache.http.cookie.Cookie; import org.apache.http.protocol.BasicHttpContext; import org.ovirt.engine.sdk.exceptions.ServerException; import org.ovirt.engine.sdk.utils.HttpHeaderUtils; @@ -38,6 +39,11 @@ * Proxy in to transport layer */ public class HttpProxy { + + /** + * The name of the cookie and header containig the session identifier. + */ + private static final String SESSION_ID = "JSESSIONID"; private static final String SESSION_TTL_HEADER = "Session-TTL"; private static final String COOKIE_HEADER = "Cookie"; 
@@ -198,6 +204,15 @@ String.valueOf(this.pool.getSessionTimeout())); } } + + // In order to protect itself from CSRF attacks, the server requires a header containing the same value that the + // session cookie: + for (Cookie cookie : pool.getCookies()) { + if (cookie.getName().equals(SESSION_ID)) { + request.setHeader(SESSION_ID, cookie.getValue()); + break; + } + } } /** -- To view, visit http://gerrit.ovirt.org/26844 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Iaefe1bec233b2dc5ec262983c7a5c0557a2be4e3 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine-sdk-java Gerrit-Branch: master Gerrit-Owner: Juan Hernandez <juan.hernan...@redhat.com> _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
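Review bot: Typo in the new Javadoc in the hunk at line 39 of HttpProxy.java: "containig" should be "containing". Since the constant is now used both as the cookie name and as the header name, the comment could also state that the header must carry exactly the value of the JSESSIONID cookie, which is the contract the engine change at http://gerrit.ovirt.org/26578 enforces.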
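Review bot: The loop in the hunk at line 204 sends the value of the first cookie named JSESSIONID found in pool.getCookies(), but a cookie store can hold more than one cookie with that name (for example for different paths or domains), and the HTTP client picks the one it puts in the Cookie header by domain and path matching, so the new header could carry a value that differs from the cookie actually sent with this request and fail the server's equality check. Consider matching on the cookie's domain and path in addition to its name, or taking the value from the same cookie the client will attach to the request. The comment should also read "the same value as the session cookie" instead of "the same value that the session cookie".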