[HUDSON-7518] Add an option to allow exclusion of HTTP client information from

the crumb calculation. This can be enabled for users who sit behind a proxy
that strips this information off, resulting in crumbs varying across requests.



git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@35570 71c3de6d-444a-0410-be80-ed276b4c234a

core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java

 /**
- * Copyright (c) 2008-2009 Yahoo! Inc. 
+ * Copyright (c) 2008-2010 Yahoo! Inc.
  * All rights reserved. 
  * The copyrights to the contents of this file are licensed under the MIT License (http://www.opensource.org/licenses/mit-license.php)
  */
@@ -20,6 +20,7 @@ import javax.servlet.http.HttpServletRequest;
 import net.sf.json.JSONObject;
 
 import org.acegisecurity.Authentication;
+import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.StaplerRequest;
 
 /**
@@ -29,17 +30,36 @@ import org.kohsuke.stapler.StaplerRequest;
  */
 public class DefaultCrumbIssuer extends CrumbIssuer {
     
-    private MessageDigest md;
+    private transient MessageDigest md;
+    private boolean excludeClientIPFromCrumb;
 
-    DefaultCrumbIssuer() {
+    @DataBoundConstructor
+    public DefaultCrumbIssuer(boolean excludeClientIPFromCrumb) {
         try {
             this.md = MessageDigest.getInstance("MD5");
+            this.excludeClientIPFromCrumb = excludeClientIPFromCrumb;
         } catch (NoSuchAlgorithmException e) {
             this.md = null;
+            this.excludeClientIPFromCrumb = false;
             LOGGER.log(Level.SEVERE, "Can't find MD5", e);
         }
     }
 
+    public boolean isExcludeClientIPFromCrumb() {
+        return this.excludeClientIPFromCrumb;
+    }
+    
+    private Object readResolve() {
+        try {
+            this.md = MessageDigest.getInstance("MD5");
+        } catch (NoSuchAlgorithmException e) {
+            this.md = null;
+            LOGGER.log(Level.SEVERE, "Can't find MD5", e);
+        }
+        
+        return this;
+    }
+    
     /**
      * {@inheritDoc}
      */
@@ -54,7 +74,9 @@ public class DefaultCrumbIssuer extends CrumbIssuer {
                     buffer.append(a.getName());
                 }
                 buffer.append(';');
-                buffer.append(getClientIP(req));
+                if (!isExcludeClientIPFromCrumb()) {
+                    buffer.append(getClientIP(req));
+                }
 
                 md.update(buffer.toString().getBytes());
                 byte[] crumbBytes = md.digest(salt.getBytes());
@@ -116,7 +138,7 @@ public class DefaultCrumbIssuer extends CrumbIssuer {
 
         @Override
         public DefaultCrumbIssuer newInstance(StaplerRequest req, JSONObject formData) throws FormException {
-            return new DefaultCrumbIssuer();
+            return req.bindJSON(DefaultCrumbIssuer.class, formData);
         }
     }
     

core/src/main/resources/hudson/security/csrf/DefaultCrumbIssuer/config.jelly

+<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
+    <f:entry title="" field="excludeClientIPFromCrumb">
+        <f:checkbox checked="${instance.isExcludeClientIPFromCrumb()}" />
+        <label class="attach-previous">${%Enable proxy compatibility}</label>
+    </f:entry>
+</j:jelly>

core/src/main/resources/hudson/security/csrf/DefaultCrumbIssuer/help-excludeClientIPFromCrumb.html

+<div>
+    Some HTTP proxies filter out information that the default crumb issuer uses
+    to calculate the nonce value. If an HTTP proxy sits between your browser client
+    and your Hudson server and you receive a 403 response when submitting a form
+    to Hudson, checking this option may help. Using this option makes the nonce
+    value easier to forge.
+</div>
\ No newline at end of file

test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerTest.java

-/*
- * To change this template, choose Tools | Templates
- * and open the template in the editor.
+/**
+ * Copyright (c) 2008-2010 Yahoo! Inc.
+ * All rights reserved.
+ * The copyrights to the contents of this file are licensed under the MIT License (http://www.opensource.org/licenses/mit-license.php)
  */
 
 package hudson.security.csrf;
@@ -18,9 +19,7 @@ public class DefaultCrumbIssuerTest extends HudsonTestCase {
     protected void setUp() throws Exception {
         super.setUp();
         assertNotNull(hudson);
-        CrumbIssuerDescriptor<CrumbIssuer> descriptor = (CrumbIssuerDescriptor<CrumbIssuer>)hudson.getDescriptor(DefaultCrumbIssuer.class);
-        assertNotNull(descriptor);
-        CrumbIssuer issuer = descriptor.newInstance(null,null);
+        CrumbIssuer issuer = new DefaultCrumbIssuer(false);
         assertNotNull(issuer);
         hudson.setCrumbIssuer(issuer);
     }
@@ -81,4 +80,19 @@ public class DefaultCrumbIssuerTest extends HudsonTestCase {
         HtmlPage p = wc.goTo("configure");
         submit(p.getFormByName("config"));
     }
+
+    @Bug(7518)
+    public void testProxyCompatibilityMode() throws Exception {
+        CrumbIssuer issuer = new DefaultCrumbIssuer(true);
+        assertNotNull(issuer);
+        hudson.setCrumbIssuer(issuer);
+
+        WebClient wc = new WebClient();
+        wc.addRequestHeader(HEADER_NAME, testData[0]);
+        HtmlPage p = wc.goTo("configure");
+
+        wc.removeRequestHeader(HEADER_NAME);
+        // The crumb should still match if we remove the proxy info
+        submit(p.getFormByName("config"));
+   }
 }