Package org.apache.catalina.filters
Class CsrfPreventionFilterBase
- java.lang.Object
  - org.apache.catalina.filters.FilterBase
    - org.apache.catalina.filters.CsrfPreventionFilterBase
- All Implemented Interfaces: Filter
- Direct Known Subclasses: CsrfPreventionFilter, RestCsrfPreventionFilter
public abstract class CsrfPreventionFilterBase extends FilterBase

Field Summary
- Fields inherited from class org.apache.catalina.filters.FilterBase: sm

Constructor Summary
- CsrfPreventionFilterBase()

Method Summary
- protected java.lang.String generateNonce(): Deprecated. Use generateNonce(HttpServletRequest) instead.
- protected java.lang.String generateNonce(HttpServletRequest request): Generate a one-time token (nonce) for authenticating subsequent requests.
- int getDenyStatus()
- protected Log getLogger()
- protected java.lang.String getRequestedPath(HttpServletRequest request)
- void init(FilterConfig filterConfig): Iterates over the configuration parameters and either logs a warning, or throws an exception for any parameter that does not have a matching setter in this filter.
- protected boolean isConfigProblemFatal(): Determines if an exception when calling a setter or an unknown configuration attribute triggers the failure of this filter, which in turn will prevent the web application from starting.
- void setDenyStatus(int denyStatus): Set the response status code that is used to reject a denied request.
- void setRandomClass(java.lang.String randomClass): Specify the class to use to generate the nonces.

Method Detail

getLogger
protected Log getLogger()
- Specified by: getLogger in class FilterBase

getDenyStatus
public int getDenyStatus()
- Returns: the response status code that is used to reject a denied request.

setDenyStatus
public void setDenyStatus(int denyStatus)
Set the response status code that is used to reject a denied request. If none is set, the default value of 403 will be used.
- Parameters: denyStatus - HTTP status code

setRandomClass
public void setRandomClass(java.lang.String randomClass)
Specify the class to use to generate the nonces. Must be an instance of Random.
- Parameters: randomClass - The name of the class to use

init
public void init(FilterConfig filterConfig) throws ServletException
Description copied from class: FilterBase
Iterates over the configuration parameters and either logs a warning, or throws an exception for any parameter that does not have a matching setter in this filter.
- Specified by: init in interface Filter
- Overrides: init in class FilterBase
- Parameters: filterConfig - The configuration information associated with the filter instance being initialised
- Throws: ServletException - if FilterBase.isConfigProblemFatal() returns true and a configured parameter does not have a matching setter

isConfigProblemFatal
protected boolean isConfigProblemFatal()
Description copied from class: FilterBase
Determines if an exception when calling a setter or an unknown configuration attribute triggers the failure of this filter, which in turn will prevent the web application from starting.
- Overrides: isConfigProblemFatal in class FilterBase
- Returns: true if a problem should trigger the failure of this filter, else false

generateNonce
protected java.lang.String generateNonce(HttpServletRequest request)
Generate a one-time token (nonce) for authenticating subsequent requests. The nonce generation is a simplified version of ManagerBase.generateSessionId().
- Parameters: request - The request. Unused in this method but present for the benefit of sub-classes.
- Returns: the generated nonce

generateNonce
@Deprecated protected java.lang.String generateNonce()
Deprecated. Use generateNonce(HttpServletRequest) instead. This method will be removed in Apache Tomcat 10.1.x onwards.
Generate a one-time token (nonce) for authenticating subsequent requests. The nonce generation is a simplified version of ManagerBase.generateSessionId().
- Returns: the generated nonce

getRequestedPath
protected java.lang.String getRequestedPath(HttpServletRequest request)
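
The contract documented for setRandomClass and generateNonce above, as an added stand-alone sketch; it is not Tomcat's source and not part of this API page. The class name NonceSketch, the 16-byte nonce length and the hex encoding are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Random;

/** Hypothetical illustration only; names and sizes are assumptions. */
public class NonceSketch {
    // Default to a cryptographically strong source.
    private Random random = new SecureRandom();

    /** Load the named class and require it to be a java.util.Random, as the Javadoc states. */
    public void setRandomClass(String randomClass) {
        try {
            Object instance = Class.forName(randomClass).getConstructor().newInstance();
            if (!(instance instanceof Random)) {
                throw new IllegalArgumentException(randomClass + " is not a java.util.Random");
            }
            // Note: plain java.util.Random passes this type check but is predictable,
            // so a deployment should name SecureRandom or a subclass of it.
            random = (Random) instance;
        } catch (ReflectiveOperationException e) {
            throw new IllegalArgumentException("Cannot instantiate " + randomClass, e);
        }
    }

    /** Generate a nonce: 16 random bytes (assumed length), hex encoded. */
    public String generateNonce() {
        byte[] bytes = new byte[16];
        random.nextBytes(bytes);
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(Character.forDigit((b >> 4) & 0xF, 16));
            sb.append(Character.forDigit(b & 0xF, 16));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        NonceSketch sketch = new NonceSketch();
        sketch.setRandomClass("java.security.SecureRandom");
        System.out.println("nonce: " + sketch.generateNonce());
        try {
            sketch.setRandomClass("java.lang.String"); // not a Random: rejected
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```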