Package org.apache.catalina.filters
Class CsrfPreventionFilter

- java.lang.Object
  - org.apache.catalina.filters.FilterBase
    - org.apache.catalina.filters.CsrfPreventionFilterBase
      - org.apache.catalina.filters.CsrfPreventionFilter

All Implemented Interfaces:
    Filter

public class CsrfPreventionFilter extends CsrfPreventionFilterBase

Provides basic CSRF protection for a web application. The filter assumes that:
- The filter is mapped to /*
- HttpServletResponse.encodeRedirectURL(String) and HttpServletResponse.encodeURL(String) are used to encode all URLs returned to the client
Nested Class Summary

Nested Classes
    Modifier and Type           Class
    protected static class      CsrfPreventionFilter.CsrfResponseWrapper
    protected static class      CsrfPreventionFilter.LruCache<T>
    protected static interface  CsrfPreventionFilter.NonceCache<T>

Field Summary

Fields inherited from class org.apache.catalina.filters.FilterBase
    sm

Constructor Summary

Constructors
    CsrfPreventionFilter()

Method Summary

    protected CsrfPreventionFilter.NonceCache<java.lang.String> createNonceCache(HttpServletRequest request, HttpSession session)
        Create a new CsrfPreventionFilter.NonceCache and store it in the HttpSession.

    void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain.

    protected CsrfPreventionFilter.NonceCache<java.lang.String> getNonceCache(HttpServletRequest request, HttpSession session)
        Obtain the CsrfPreventionFilter.NonceCache associated with the request and/or session.

    void init(FilterConfig filterConfig)
        Iterates over the configuration parameters and either logs a warning, or throws an exception for any parameter that does not have a matching setter in this filter.

    void setEntryPoints(java.lang.String entryPoints)
        Entry points are URLs that will not be tested for the presence of a valid nonce.

    void setNonceCacheSize(int nonceCacheSize)
        Sets the number of previously issued nonces that will be cached on an LRU basis to support parallel requests, limited use of the refresh and back buttons in the browser and similar behaviours that may result in the submission of a previous nonce rather than the current one.

    void setNonceRequestParameterName(java.lang.String parameterName)
        Sets the request parameter name to use for CSRF nonces.

    protected boolean skipNonceCheck(HttpServletRequest request)

    protected boolean skipNonceGeneration(HttpServletRequest request)
        Determines whether a nonce should be created.

Methods inherited from class org.apache.catalina.filters.CsrfPreventionFilterBase
    generateNonce, generateNonce, getDenyStatus, getLogger, getRequestedPath, isConfigProblemFatal, setDenyStatus, setRandomClass
Method Detail

setEntryPoints

public void setEntryPoints(java.lang.String entryPoints)

Entry points are URLs that will not be tested for the presence of a valid nonce. They are used to provide a way to navigate back to a protected application after navigating away from it. Entry points will be limited to HTTP GET requests and should not trigger any security-sensitive actions.

- Parameters:
    entryPoints - Comma separated list of URLs to be configured as entry points.

setNonceCacheSize

public void setNonceCacheSize(int nonceCacheSize)

Sets the number of previously issued nonces that will be cached on an LRU basis to support parallel requests, limited use of the refresh and back buttons in the browser and similar behaviours that may result in the submission of a previous nonce rather than the current one. If not set, the default value of 5 will be used.

- Parameters:
    nonceCacheSize - The number of nonces to cache

setNonceRequestParameterName

public void setNonceRequestParameterName(java.lang.String parameterName)

Sets the request parameter name to use for CSRF nonces.

- Parameters:
    parameterName - The request parameter name to use for CSRF nonces.

init

public void init(FilterConfig filterConfig) throws ServletException

Description copied from class: FilterBase

Iterates over the configuration parameters and either logs a warning, or throws an exception for any parameter that does not have a matching setter in this filter.

- Specified by:
    init in interface Filter
- Overrides:
    init in class CsrfPreventionFilterBase
- Parameters:
    filterConfig - The configuration information associated with the filter instance being initialised
- Throws:
    ServletException - if FilterBase.isConfigProblemFatal() returns true and a configured parameter does not have a matching setter

doFilter

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws java.io.IOException, ServletException

Description copied from interface: jakarta.servlet.Filter

The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain. A typical implementation of this method would follow the following pattern:

1. Examine the request
2. Optionally wrap the request object with a custom implementation to filter content or headers for input filtering
3. Optionally wrap the response object with a custom implementation to filter content or headers for output filtering
4. a) Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()),
   b) or not pass on the request/response pair to the next entity in the filter chain to block the request processing
5. Directly set headers on the response after invocation of the next entity in the filter chain.

- Parameters:
    request - The request to process
    response - The response associated with the request
    chain - Provides access to the next filter in the chain for this filter to pass the request and response to for further processing
- Throws:
    java.io.IOException - if an I/O error occurs during this filter's processing of the request
    ServletException - if the processing fails for any other reason

skipNonceCheck

protected boolean skipNonceCheck(HttpServletRequest request)

skipNonceGeneration

protected boolean skipNonceGeneration(HttpServletRequest request)

Determines whether a nonce should be created. This method is provided primarily for the benefit of sub-classes that wish to customise this behaviour.

- Parameters:
    request - The request that triggered the need to potentially create the nonce.
- Returns:
    true if a nonce should be created, otherwise false

createNonceCache

protected CsrfPreventionFilter.NonceCache<java.lang.String> createNonceCache(HttpServletRequest request, HttpSession session)

Create a new CsrfPreventionFilter.NonceCache and store it in the HttpSession. This method is provided primarily for the benefit of sub-classes that wish to customise this behaviour.

- Parameters:
    request - The request that triggered the need to create the nonce cache. Unused by the default implementation.
    session - The session associated with the request.
- Returns:
    A newly created CsrfPreventionFilter.NonceCache

getNonceCache

protected CsrfPreventionFilter.NonceCache<java.lang.String> getNonceCache(HttpServletRequest request, HttpSession session)

Obtain the CsrfPreventionFilter.NonceCache associated with the request and/or session. This method is provided primarily for the benefit of sub-classes that wish to customise this behaviour.

- Parameters:
    request - The request that triggered the need to obtain the nonce cache. Unused by the default implementation.
    session - The session associated with the request.
- Returns:
    The CsrfPreventionFilter.NonceCache currently associated with the request and/or session
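The two assumptions stated in the class description (filter mapped to /*, every URL returned to the client passed through encodeURL or encodeRedirectURL) are where applications behind this filter most often go wrong: a hand-built link or redirect carries no nonce, so the filter denies the follow-up request. The servlet below is an added example, not code from the Tomcat Javadoc or the Tomcat code base. It assumes Tomcat 10 or later (jakarta.servlet), that CsrfPreventionFilter is mapped to /* in web.xml with its parameters supplied as init-params named after the setters on this page, and that the servlet path /account, the package name and the HTML are constructed for illustration.

```java
// Added example: a servlet written to satisfy the CsrfPreventionFilter
// assumptions. Not part of Tomcat. Assumes the filter is mapped to /* and
// that the package, servlet path and page content are constructed here.
package com.example.csrf; // hypothetical package

import java.io.IOException;
import java.io.PrintWriter;

import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

@WebServlet("/account") // constructed path; the filter itself is mapped to /*
public class AccountServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        String ctx = req.getContextPath();

        // Correct: the link is passed through encodeURL(). Because the
        // CsrfPreventionFilter wraps the response, the current nonce is
        // appended as a request parameter (name set by
        // setNonceRequestParameterName), so following the link passes the
        // nonce check.
        String viewEmail = resp.encodeURL(ctx + "/account?view=email");
        out.println("<a href=\"" + viewEmail + "\">Change e-mail</a>");

        // Incorrect (kept as a comment): a hand-built URL has no nonce.
        // With the filter mapped to /*, a GET for it is denied unless the
        // URL was configured via setEntryPoints. Entry points are GET-only
        // and must not trigger security-sensitive actions, so they are not
        // a fix for forgetting to encode a link like this one.
        // out.println("<a href=\"" + ctx + "/account?view=email\">Change e-mail</a>");

        // Forms: the action URL is encoded the same way. The nonce travels
        // in the action's query string and is read as a request parameter
        // alongside the posted fields.
        String deleteAction = resp.encodeURL(ctx + "/account");
        out.println("<form method=\"post\" action=\"" + deleteAction + "\">"
                + "<input type=\"hidden\" name=\"op\" value=\"delete\">"
                + "<button type=\"submit\">Delete account</button></form>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Reaching this point means the filter accepted the nonce on the
        // form action; perform the state change here (omitted).

        // Redirects must go through encodeRedirectURL(): otherwise the
        // browser's next GET arrives without a nonce and is denied.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/account"));
    }
}
```

Two operational points follow from the setters on this page. First, setNonceCacheSize (default 5) bounds how many earlier nonces a session may still present; a page that opens several encoded links in parallel tabs, or a user who presses Back, needs that cache to be at least as deep as the number of pages they move between, and a denial seen only in such flows usually means the cache is too small rather than an attack. Second, setEntryPoints should list only idempotent GET landing pages; anything that changes state must be reached through an encoded URL so it stays under the nonce check.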