Package org.apache.catalina.filters
Class CsrfPreventionFilter
- java.lang.Object
- 
- org.apache.catalina.filters.FilterBase
- 
- org.apache.catalina.filters.CsrfPreventionFilterBase
- 
- org.apache.catalina.filters.CsrfPreventionFilter
 
 
 
- 
- All Implemented Interfaces:
- Filter
 
 public class CsrfPreventionFilter extends CsrfPreventionFilterBase Provides basic CSRF protection for a web application. The filter assumes that:- The filter is mapped to /*
- HttpServletResponse.encodeRedirectURL(String)and- HttpServletResponse.encodeURL(String)are used to encode all URLs returned to the client
 
- 
- 
Nested Class SummaryNested Classes Modifier and Type Class Description protected static classCsrfPreventionFilter.CsrfResponseWrapperprotected static classCsrfPreventionFilter.LruCache<T>Despite its name, this is a FIFO cache not an LRU cache.protected static interfaceCsrfPreventionFilter.NonceCache<T>
 - 
Field Summary- 
Fields inherited from class org.apache.catalina.filters.FilterBasesm
 
- 
 - 
Constructor SummaryConstructors Constructor Description CsrfPreventionFilter()
 - 
Method SummaryAll Methods Instance Methods Concrete Methods Modifier and Type Method Description protected CsrfPreventionFilter.NonceCache<java.lang.String>createNonceCache(HttpServletRequest request, HttpSession session)Create a newCsrfPreventionFilter.NonceCacheand store in theHttpSession.voiddoFilter(ServletRequest request, ServletResponse response, FilterChain chain)ThedoFiltermethod of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain.protected CsrfPreventionFilter.NonceCache<java.lang.String>getNonceCache(HttpServletRequest request, HttpSession session)Obtain theCsrfPreventionFilter.NonceCacheassociated with the request and/or session.voidinit(FilterConfig filterConfig)Iterates over the configuration parameters and either logs a warning, or throws an exception for any parameter that does not have a matching setter in this filter.voidsetEntryPoints(java.lang.String entryPoints)Entry points are URLs that will not be tested for the presence of a valid nonce.voidsetNonceCacheSize(int nonceCacheSize)Sets the number of previously issued nonces that will be cached on a LRU basis to support parallel requests, limited use of the refresh and back in the browser and similar behaviors that may result in the submission of a previous nonce rather than the current one.voidsetNonceRequestParameterName(java.lang.String parameterName)Sets the request parameter name to use for CSRF nonces.protected booleanskipNonceCheck(HttpServletRequest request)protected booleanskipNonceGeneration(HttpServletRequest request)Determines whether a nonce should be created.- 
Methods inherited from class org.apache.catalina.filters.CsrfPreventionFilterBasegenerateNonce, generateNonce, getDenyStatus, getLogger, getRequestedPath, isConfigProblemFatal, setDenyStatus, setRandomClass
 
- 
 
- 
- 
- 
Method Detail- 
setEntryPointspublic void setEntryPoints(java.lang.String entryPoints) Entry points are URLs that will not be tested for the presence of a valid nonce. They are used to provide a way to navigate back to a protected application after navigating away from it. Entry points will be limited to HTTP GET requests and should not trigger any security sensitive actions.- Parameters:
- entryPoints- Comma separated list of URLs to be configured as entry points.
 
 - 
setNonceCacheSizepublic void setNonceCacheSize(int nonceCacheSize) Sets the number of previously issued nonces that will be cached on a LRU basis to support parallel requests, limited use of the refresh and back in the browser and similar behaviors that may result in the submission of a previous nonce rather than the current one. If not set, the default value of 5 will be used.- Parameters:
- nonceCacheSize- The number of nonces to cache
 
 - 
setNonceRequestParameterNamepublic void setNonceRequestParameterName(java.lang.String parameterName) Sets the request parameter name to use for CSRF nonces.- Parameters:
- parameterName- The request parameter name to use for CSRF nonces.
 
 - 
initpublic void init(FilterConfig filterConfig) throws ServletException Description copied from class:FilterBaseIterates over the configuration parameters and either logs a warning, or throws an exception for any parameter that does not have a matching setter in this filter.- Specified by:
- initin interface- Filter
- Overrides:
- initin class- CsrfPreventionFilterBase
- Parameters:
- filterConfig- The configuration information associated with the filter instance being initialised
- Throws:
- ServletException- if- FilterBase.isConfigProblemFatal()returns- trueand a configured parameter does not have a matching setter
 
 - 
doFilterpublic void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws java.io.IOException, ServletException Description copied from interface:javax.servlet.FilterThedoFiltermethod of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain.A typical implementation of this method would follow the following pattern:- 
 1. Examine the request
 2. Optionally wrap the request object with a custom implementation to filter content or headers for input filtering
 3. Optionally wrap the response object with a custom implementation to filter content or headers for output filtering
 4. a) Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()),
 4. b) or not pass on the request/response pair to the next entity in the filter chain to block the request processing
 5. Directly set headers on the response after invocation of the next entity in the filter chain.- Parameters:
- request- The request to process
- response- The response associated with the request
- chain- Provides access to the next filter in the chain for this filter to pass the request and response to for further processing
- Throws:
- java.io.IOException- if an I/O error occurs during this filter's processing of the request
- ServletException- if the processing fails for any other reason
 
 - 
skipNonceCheckprotected boolean skipNonceCheck(HttpServletRequest request) 
 - 
skipNonceGenerationprotected boolean skipNonceGeneration(HttpServletRequest request) Determines whether a nonce should be created. This method is provided primarily for the benefit of sub-classes that wish to customise this behaviour.- Parameters:
- request- The request that triggered the need to potentially create the nonce.
- Returns:
- trueif a nonce should be created, otherwise- false
 
 - 
createNonceCacheprotected CsrfPreventionFilter.NonceCache<java.lang.String> createNonceCache(HttpServletRequest request, HttpSession session) Create a newCsrfPreventionFilter.NonceCacheand store in theHttpSession. This method is provided primarily for the benefit of sub-classes that wish to customise this behaviour.- Parameters:
- request- The request that triggered the need to create the nonce cache. Unused by the default implementation.
- session- The session associated with the request.
- Returns:
- A newly created CsrfPreventionFilter.NonceCache
 
 - 
getNonceCacheprotected CsrfPreventionFilter.NonceCache<java.lang.String> getNonceCache(HttpServletRequest request, HttpSession session) Obtain theCsrfPreventionFilter.NonceCacheassociated with the request and/or session. This method is provided primarily for the benefit of sub-classes that wish to customise this behaviour.- Parameters:
- request- The request that triggered the need to obtain the nonce cache. Unused by the default implementation.
- session- The session associated with the request.
- Returns:
- The CsrfPreventionFilter.NonceCachecurrently associated with the request and/or session
 
 
- 
 
-