Apache Tomcat 6.0.39

org.apache.catalina.filters
Class CsrfPreventionFilter

java.lang.Object
  extended by org.apache.catalina.filters.FilterBase
      extended by org.apache.catalina.filters.CsrfPreventionFilter
All Implemented Interfaces:
javax.servlet.Filter

public class CsrfPreventionFilter
extends FilterBase

Provides basic CSRF protection for a web application. The filter assumes that:


Nested Class Summary
protected static class CsrfPreventionFilter.CsrfResponseWrapper
protected static class CsrfPreventionFilter.LruCache<T>

Field Summary
Fields inherited from class org.apache.catalina.filters.FilterBase
sm

Constructor Summary
CsrfPreventionFilter()

Method Summary
 void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
          The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain.
protected  java.lang.String generateNonce()
          Generate a one-time token (nonce) for authenticating subsequent requests.
protected  Log getLogger()
           
 void init(javax.servlet.FilterConfig filterConfig)
          Called by the web container to indicate to a filter that it is being placed into service.
protected  boolean isConfigProblemFatal()
          Determines if an exception when calling a setter or an unknown configuration attribute triggers the failure of this filter, which in turn will prevent the web application from starting.
 void setEntryPoints(java.lang.String entryPoints)
          Entry points are URLs that will not be tested for the presence of a valid nonce.
 void setNonceCacheSize(int nonceCacheSize)
          Sets the number of previously issued nonces that will be cached on an LRU basis to support parallel requests, limited use of the browser's refresh and back buttons, and similar behaviors that may result in the submission of a previous nonce rather than the current one.
 void setRandomClass(java.lang.String randomClass)
          Specify the class to use to generate the nonces.
 
Methods inherited from class org.apache.catalina.filters.FilterBase
destroy
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

CsrfPreventionFilter

public CsrfPreventionFilter()
Method Detail

getLogger

protected Log getLogger()
Specified by:
getLogger in class FilterBase

setEntryPoints

public void setEntryPoints(java.lang.String entryPoints)
Entry points are URLs that will not be tested for the presence of a valid nonce. They are used to provide a way to navigate back to a protected application after navigating away from it. Entry points will be limited to HTTP GET requests and should not trigger any security sensitive actions.

Parameters:
entryPoints - Comma separated list of URLs to be configured as entry points.

setNonceCacheSize

public void setNonceCacheSize(int nonceCacheSize)
Sets the number of previously issued nonces that will be cached on an LRU basis to support parallel requests, limited use of the browser's refresh and back buttons, and similar behaviors that may result in the submission of a previous nonce rather than the current one. If not set, the default value of 5 will be used.

Parameters:
nonceCacheSize - The number of nonces to cache

setRandomClass

public void setRandomClass(java.lang.String randomClass)
Specify the class to use to generate the nonces. Must be an instance of Random.

Parameters:
randomClass - The name of the class to use
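
The three setters above are driven by init-params of the same names. The following web.xml fragment is an added example, not part of the Tomcat documentation; the entry-point paths /index.jsp and /login are assumed for illustration.

```xml
<!-- Added example: wiring CsrfPreventionFilter in WEB-INF/web.xml.
     The paths in entryPoints are assumed for illustration. -->
<filter>
    <filter-name>CsrfPreventionFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
        <!-- Maps to setEntryPoints: GET-only landing pages that are not
             checked for a nonce, so they must not perform state-changing actions. -->
        <param-name>entryPoints</param-name>
        <param-value>/index.jsp,/login</param-value>
    </init-param>
    <init-param>
        <!-- Maps to setNonceCacheSize: default is 5; a larger LRU cache
             tolerates pages that issue several requests in parallel. -->
        <param-name>nonceCacheSize</param-name>
        <param-value>10</param-value>
    </init-param>
    <init-param>
        <!-- Maps to setRandomClass: must name a subclass of java.util.Random. -->
        <param-name>randomClass</param-name>
        <param-value>java.security.SecureRandom</param-value>
    </init-param>
</filter>
<filter-mapping>
    <!-- Every request passes through the filter; only the entry points
         listed above are exempt from the nonce check. -->
    <filter-name>CsrfPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

Links and redirects in the protected application must be passed through response.encodeURL() or response.encodeRedirectURL(), which the filter's CsrfResponseWrapper uses to append the current nonce; a hand-built URL carries no nonce and is rejected.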

init

public void init(javax.servlet.FilterConfig filterConfig)
          throws javax.servlet.ServletException
Description copied from interface: javax.servlet.Filter
Called by the web container to indicate to a filter that it is being placed into service. The servlet container calls the init method exactly once after instantiating the filter. The init method must complete successfully before the filter is asked to do any filtering work.

The web container cannot place the filter into service if the init method either
1. Throws a ServletException
2. Does not return within a time period defined by the web container

Specified by:
init in interface javax.servlet.Filter
Overrides:
init in class FilterBase
Throws:
javax.servlet.ServletException

doFilter

public void doFilter(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain chain)
              throws java.io.IOException,
                     javax.servlet.ServletException
Description copied from interface: javax.servlet.Filter
The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain.

A typical implementation of this method would follow the following pattern:
1. Examine the request
2. Optionally wrap the request object with a custom implementation to filter content or headers for input filtering
3. Optionally wrap the response object with a custom implementation to filter content or headers for output filtering
4. a) Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()),
4. b) or not pass on the request/response pair to the next entity in the filter chain to block the request processing
5. Directly set headers on the response after invocation of the next entity in the filter chain.

Throws:
java.io.IOException
javax.servlet.ServletException

isConfigProblemFatal

protected boolean isConfigProblemFatal()
Description copied from class: FilterBase
Determines if an exception when calling a setter or an unknown configuration attribute triggers the failure of this filter, which in turn will prevent the web application from starting.

Overrides:
isConfigProblemFatal in class FilterBase
Returns:
true if a problem should trigger the failure of this filter, else false

generateNonce

protected java.lang.String generateNonce()
Generate a one-time token (nonce) for authenticating subsequent requests. This will also add the token to the session. The nonce generation is a simplified version of ManagerBase.generateSessionId().



Copyright © 2000-2014 Apache Software Foundation. All Rights Reserved.