Add logging about missing or invalid CSRF tokens.

Fix #80

Author: cssru

src/main/java/ru/mystamps/web/service/SiteService.java

@@ -19,6 +19,8 @@
 
 import java.util.Date;
 
+import javax.servlet.http.HttpServletRequest;
+
 public interface SiteService {
 	@SuppressWarnings("PMD.UseObjectForClearerAPI")
 	void logAboutAbsentPage(
@@ -39,4 +41,6 @@ void logAboutFailedAuthentication(
 		String agent,
 		Date date
 	);
+	void logAboutMissingCsrfToken(HttpServletRequest request);
+	void logAboutInvalidCsrfToken(HttpServletRequest request);
 }

src/main/java/ru/mystamps/web/service/SiteServiceImpl.java

@@ -19,6 +19,8 @@
 
 import java.util.Date;
 
+import javax.servlet.http.HttpServletRequest;
+
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.Validate;
 
@@ -33,6 +35,7 @@
 import ru.mystamps.web.Db;
 import ru.mystamps.web.dao.SuspiciousActivityDao;
 import ru.mystamps.web.dao.dto.AddSuspiciousActivityDbDto;
+import ru.mystamps.web.support.spring.security.SecurityContextUtils;
 
 @RequiredArgsConstructor
 public class SiteServiceImpl implements SiteService {
@@ -44,6 +47,11 @@ public class SiteServiceImpl implements SiteService {
 	private static final String PAGE_NOT_FOUND = "PageNotFound";
 	private static final String AUTHENTICATION_FAILED = "AuthenticationFailed";
 
+	// see add-types-for-csrf-tokens-to-suspicious_activities_types-table changeset
+	// in src/main/resources/liquibase/version/0.4/2016-02-19--csrf_events.xml
+	private static final String MISSING_CSRF_TOKEN = "MissingCsrfToken";
+	private static final String INVALID_CSRF_TOKEN = "InvalidCsrfToken";
+	
 	private final SuspiciousActivityDao suspiciousActivities;
 
 	@Override
@@ -76,6 +84,46 @@ public void logAboutFailedAuthentication(
 		logEvent(AUTHENTICATION_FAILED, page, method, userId, ip, referer, agent, date);
 	}
 
+	/**
+	 * @author Sergey Chechenev
+	 */
+	@Override
+	@Transactional
+	public void logAboutMissingCsrfToken(HttpServletRequest request) {
+		
+		logEvent(
+			MISSING_CSRF_TOKEN,
+			request.getRequestURI(),
+			request.getMethod(),
+			SecurityContextUtils.getUserId(),
+			request.getRemoteAddr(),
+			request.getHeader("referer"),
+			request.getHeader("user-agent"),
+			new Date()
+		);
+		
+	}
+	
+	/**
+	 * @author Sergey Chechenev
+	 */
+	@Override
+	@Transactional
+	public void logAboutInvalidCsrfToken(HttpServletRequest request) {
+		
+		logEvent(
+			INVALID_CSRF_TOKEN,
+			request.getRequestURI(),
+			request.getMethod(),
+			SecurityContextUtils.getUserId(),
+			request.getRemoteAddr(),
+			request.getHeader("referer"),
+			request.getHeader("user-agent"),
+			new Date()
+		);
+		
+	}
+	
 	@SuppressWarnings({"PMD.UseObjectForClearerAPI", "checkstyle:parameternumber"})
 	private void logEvent(
 			String type,

src/main/java/ru/mystamps/web/support/spring/security/LogCsrfEventAndShow403PageForAccessDenied.java

@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2009-2016 Slava Semushin <slava.semushin@gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package ru.mystamps.web.support.spring.security;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.web.access.AccessDeniedHandlerImpl;
+import org.springframework.security.web.csrf.InvalidCsrfTokenException;
+import org.springframework.security.web.csrf.MissingCsrfTokenException;
+
+import ru.mystamps.web.service.SiteService;
+
+/**
+ * @author Sergey Chechenev
+ */
+public class LogCsrfEventAndShow403PageForAccessDenied extends AccessDeniedHandlerImpl {
+	private final SiteService siteService;
+	
+	public LogCsrfEventAndShow403PageForAccessDenied(SiteService siteService, String errorPage) {
+		super();
+		super.setErrorPage(errorPage);
+		this.siteService = siteService;
+	}
+	
+	@Override
+	public void handle(
+		HttpServletRequest request,
+		HttpServletResponse response,
+		AccessDeniedException exception)
+		throws IOException, ServletException {
+		
+		if (exception instanceof MissingCsrfTokenException) {
+			siteService.logAboutMissingCsrfToken(request);
+		} else if (exception instanceof InvalidCsrfTokenException) {
+			siteService.logAboutInvalidCsrfToken(request);
+		}
+
+		super.handle(request, response, exception);
+	}
+	
+}

src/main/java/ru/mystamps/web/support/spring/security/SecurityConfig.java

@@ -39,6 +39,7 @@
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 
 import ru.mystamps.web.Url;
@@ -88,7 +89,7 @@ protected void configure(HttpSecurity http) throws Exception {
 				.permitAll()
 				.and()
 			.exceptionHandling()
-				.accessDeniedPage(Url.UNAUTHORIZED_PAGE)
+				.accessDeniedHandler(getAccessDeniedHandler())
 				// This entry point handles when you request a protected page and you are
 				// not yet authenticated (defaults to Http403ForbiddenEntryPoint)
 				.authenticationEntryPoint(new Http401UnauthorizedEntryPoint())
@@ -121,6 +122,14 @@ public ApplicationListener<AuthenticationFailureBadCredentialsEvent> getApplicat
 		return new AuthenticationFailureListener();
 	}
 
+	@Bean
+	public AccessDeniedHandler getAccessDeniedHandler() {
+		return new LogCsrfEventAndShow403PageForAccessDenied(
+			servicesConfig.getSiteService(),
+			Url.FORBIDDEN_PAGE
+		);
+	}
+	
 	private UserDetailsService getUserDetailsService() {
 		return new CustomUserDetailsService(servicesConfig.getUserService());
 	}

src/main/java/ru/mystamps/web/support/spring/security/SecurityContextUtils.java

@@ -17,10 +17,16 @@
  */
 package ru.mystamps.web.support.spring.security;
 
+import java.util.Optional;
+
 import javax.servlet.http.HttpServletRequest;
 
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper;
 
+import ru.mystamps.web.entity.User;
+
 public final class SecurityContextUtils {
 
 	private SecurityContextUtils() {
@@ -30,4 +36,18 @@ public static boolean hasAuthority(HttpServletRequest request, String authority)
 		return new SecurityContextHolderAwareRequestWrapper(request, null).isUserInRole(authority);
 	}
 
+	/**
+	 * @author Sergey Chechenev
+	 */
+	public static Integer getUserId() {
+			return Optional
+			.ofNullable(SecurityContextHolder.getContext().getAuthentication())
+			.map(Authentication::getPrincipal)
+			.filter(CustomUserDetails.class::isInstance)
+			.map(CustomUserDetails.class::cast)
+			.map(CustomUserDetails::getUser)
+			.map(User::getId)
+			.orElse(null);
+	}
+	
 }

src/main/resources/liquibase/version/0.4.xml

@@ -12,5 +12,6 @@
 	<include file="0.4/2015-11-13--nullable_columns.xml" relativeToChangelogFile="true" />
 	<include file="0.4/2016-01-02--non_unique_catalog_numbers.xml" relativeToChangelogFile="true" />
 	<include file="0.4/2016-01-04--unique_series_in_collection.xml" relativeToChangelogFile="true" />
+	<include file="0.4/2016-02-19--csrf_events.xml" relativeToChangelogFile="true" />
 
 </databaseChangeLog>

src/main/resources/liquibase/version/0.4/2016-02-19--csrf_events.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<databaseChangeLog
+        xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog
+        http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.0.xsd">
+
+    <changeSet id="add-types-for-csrf-tokens-to-suspicious_activities_types-table" author="cssru" context="init-data">
+        <insert tableName="suspicious_activities_types">
+            <column name="name" value="MissingCsrfToken" />
+        </insert>
+        <insert tableName="suspicious_activities_types">
+            <column name="name" value="InvalidCsrfToken" />
+        </insert>
+    </changeSet>
+
+</databaseChangeLog>