com.inductiveautomation.ignition.gateway.web.session.WebUiSession.CsrfWebUiSessionAccessControl

All Implemented Interfaces:: AccessControlStrategy

Enclosing interface:: WebUiSession

public static class WebUiSession.CsrfWebUiSessionAccessControl extends WebUiSession.WebUiSessionAccessControl

A WebUiSession.WebUiSessionAccessControl which requires that each request furnish a valid CSRF token.

Note: by default, this strategy can only be mounted with Routes which use an unsafe HTTP method such as POST, PUT, PATCH, or DELETE.

Field Summary

Fields inherited from class com.inductiveautomation.ignition.gateway.dataroutes.AbstractGatewayAccessControlStrategy
permissionType

Fields inherited from class com.inductiveautomation.ignition.gateway.dataroutes.AbstractAccessControlStrategy
EMPTY_SECURITY_LEVELS

Fields inherited from interface com.inductiveautomation.ignition.gateway.dataroutes.AccessControlStrategy
OPEN_ROUTE
Constructor Summary

Constructors

Constructor

Description

CsrfWebUiSessionAccessControl(PermissionType permissionType)
Method Summary

Modifier and Type

Method

Description

RouteAccess

canAccess(RequestContext request)

Determines whether the request should be allowed to proceed.

protected RouteAccess

canAccessInternal(RequestContext request)

Internal method called by canAccess(RequestContext) if AbstractAccessControlStrategy.canAccess(RequestContext) returns RouteAccess.GRANTED.

void

validate(RouteMounterContext routeMounterContext)

Only unsafe HTTP methods are allowed by default since it is usually the intention that unsafe HTTP methods are used for state changing operations and this strategy requires requests to furnish valid CSRF tokens to protect against CSRF attacks, but most clients will not send a CSRF token unless the HTTP method is unsafe

Methods inherited from class com.inductiveautomation.ignition.gateway.web.session.WebUiSession.WebUiSessionAccessControl
getActor, getSecurityLevels, getWebAuthUser

Methods inherited from class com.inductiveautomation.ignition.gateway.dataroutes.AbstractGatewayAccessControlStrategy
getRequiredPermissions, toString

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface com.inductiveautomation.ignition.gateway.dataroutes.AccessControlStrategy
getWwwAuthenticateHeader

Constructor Details
- CsrfWebUiSessionAccessControl
  
  public CsrfWebUiSessionAccessControl(PermissionType permissionType)
Method Details
- canAccessInternal
  
  protected RouteAccess canAccessInternal(RequestContext request)
  
  Internal method called by canAccess(RequestContext) if AbstractAccessControlStrategy.canAccess(RequestContext) returns RouteAccess.GRANTED. This method checks if the request has a valid CSRF token and if so, returns RouteAccess.GRANTED, otherwise returns RouteAccess.FORBIDDEN. This method may be overridden if CSRF checks should be conditioned upon some other properties of the request in special circumstances.
  
  Parameters:
  
  request - the RequestContext
  
  Returns:
  
  RouteAccess.GRANTED if the request contains a valid CSRF token or RouteAccess.FORBIDDEN if the request does not contain a valid CSRF token
- canAccess
  
  public RouteAccess canAccess(RequestContext request)
  
  Description copied from interface: AccessControlStrategy
  
  Determines whether the request should be allowed to proceed.
  
  Specified by:
  
  canAccess in interface AccessControlStrategy
  
  Overrides:
  
  canAccess in class AbstractAccessControlStrategy
- validate
  
  public void validate(RouteMounterContext routeMounterContext) throws RouteMounterValidationException
  
  Only unsafe HTTP methods are allowed by default since it is usually the intention that unsafe HTTP methods are used for state changing operations and this strategy requires requests to furnish valid CSRF tokens to protect against CSRF attacks, but most clients will not send a CSRF token unless the HTTP method is unsafe
  
  Specified by:
  
  validate in interface AccessControlStrategy
  
  Overrides:
  
  validate in class WebUiSession.WebUiSessionAccessControl
  
  Parameters:
  
  routeMounterContext - the RouteMounterContext to validate
  
  Throws:
  
  RouteMounterValidationException - if validation fails

Class WebUiSession.CsrfWebUiSessionAccessControl

Field Summary

Fields inherited from class com.inductiveautomation.ignition.gateway.dataroutes.AbstractGatewayAccessControlStrategy

Fields inherited from class com.inductiveautomation.ignition.gateway.dataroutes.AbstractAccessControlStrategy

Fields inherited from interface com.inductiveautomation.ignition.gateway.dataroutes.AccessControlStrategy

Constructor Summary

Method Summary

Methods inherited from class com.inductiveautomation.ignition.gateway.web.session.WebUiSession.WebUiSessionAccessControl

Methods inherited from class com.inductiveautomation.ignition.gateway.dataroutes.AbstractGatewayAccessControlStrategy

Methods inherited from class java.lang.Object

Methods inherited from interface com.inductiveautomation.ignition.gateway.dataroutes.AccessControlStrategy

Constructor Details

CsrfWebUiSessionAccessControl

Method Details

canAccessInternal

canAccess

validate