Class CsrfPreventionFilter

All Implemented Interfaces:
Filter

public class CsrfPreventionFilter extends CsrfPreventionFilterBase
Provides basic CSRF protection for a web application. The filter assumes that:

CSRF protection is enabled by generating random nonce values which are stored in the client's HTTP session. Each URL encoded using HttpServletResponse.encodeURL(String) has a URL parameter added which, when sent to the server in a future request, will be checked against this stored set of nonces for validity.

Some URLs should be accessible even without a valid nonce parameter value. These URLs are known as "entry points" because clients should be able to "enter" the application without first establishing any valid tokens. These are configured with the entryPoints filter init-param.

Some URLs should not have nonce parameters added to them at all

  • Constructor Details

    • CsrfPreventionFilter

      public CsrfPreventionFilter()
  • Method Details

    • setEntryPoints

      public void setEntryPoints(String entryPoints)
      Entry points are URLs that will not be tested for the presence of a valid nonce. They are used to provide a way to navigate back to a protected application after navigating away from it. Entry points will be limited to HTTP GET requests and should not trigger any security sensitive actions.
      Parameters:
      entryPoints - Comma separated list of URLs to be configured as entry points.
    • setNonceCacheSize

      public void setNonceCacheSize(int nonceCacheSize)
      Sets the number of previously issued nonces that will be cached on a LRU basis to support parallel requests, limited use of the refresh and back in the browser and similar behaviors that may result in the submission of a previous nonce rather than the current one. If not set, the default value of 5 will be used.
      Parameters:
      nonceCacheSize - The number of nonces to cache
    • setNonceRequestParameterName

      public void setNonceRequestParameterName(String parameterName)
      Sets the request parameter name to use for CSRF nonces.
      Parameters:
      parameterName - The request parameter name to use for CSRF nonces.
    • setEnforce

      public void setEnforce(boolean enforce)
      Sets the flag to enforce CSRF protection or just log failures as DEBUG messages.
      Parameters:
      enforce - true to enforce CSRF protection or false to log DEBUG messages and allow all requests.
    • isEnforce

      public boolean isEnforce()
      Gets the flag to enforce CSRF protection or just log failures as DEBUG messages.
      Returns:
      true if CSRF protection will be enforced or false if all requests will be allowed and failures will be logged as DEBUG messages.
    • setNoNonceURLPatterns

      public void setNoNonceURLPatterns(String patterns)
      Sets the list of URL patterns to suppress nonce-addition for. Some URLs do not need nonces added to them such as static resources. By not adding nonces to those URLs, HTTP caches can be more effective because the CSRF prevention filter won't generate what look like unique URLs for those commonly-reused resources.
      Parameters:
      patterns - A comma-separated list of URL patterns that will not have nonces added to them. Patterns may begin or end with a * character to denote a suffix-match or prefix-match. Any matched URL will not have a CSRF nonce added to it when passed through HttpServletResponse.encodeURL(String).
    • createNoNoncePredicates

      protected static Collection<Predicate<String>> createNoNoncePredicates(ServletContext context, String patterns)
      Creates a collection of matchers from a comma-separated string of patterns.
      Parameters:
      context - the Servlet context
      patterns - A comma-separated string of URL matching patterns.
      Returns:
      A collection of predicates representing the URL patterns.
    • createNoNoncePredicate

      protected static Predicate<String> createNoNoncePredicate(ServletContext context, String pattern)
      Creates a predicate that can match the specified type of pattern.
      Parameters:
      context - the Servlet context
      pattern - The pattern to match e.g. *.foo or /bar/*.
      Returns:
      A Predicate which can match the specified pattern, or null if the pattern is null or blank.
    • init

      public void init(FilterConfig filterConfig) throws ServletException
      Description copied from class: FilterBase
      Iterates over the configuration parameters and either logs a warning, or throws an exception for any parameter that does not have a matching setter in this filter.
      Specified by:
      init in interface Filter
      Overrides:
      init in class CsrfPreventionFilterBase
      Parameters:
      filterConfig - The configuration information associated with the filter instance being initialised
      Throws:
      ServletException - if FilterBase.isConfigProblemFatal() returns true and a configured parameter does not have a matching setter
    • doFilter

      public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
      Description copied from interface: jakarta.servlet.Filter
      The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain.

      A typical implementation of this method would follow the following pattern:-
      1. Examine the request
      2. Optionally wrap the request object with a custom implementation to filter content or headers for input filtering
      3. Optionally wrap the response object with a custom implementation to filter content or headers for output filtering
      4. a) Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()),
      4. b) or not pass on the request/response pair to the next entity in the filter chain to block the request processing
      5. Directly set headers on the response after invocation of the next entity in the filter chain.

      Parameters:
      request - The request to process
      response - The response associated with the request
      chain - Provides access to the next filter in the chain for this filter to pass the request and response to for further processing
      Throws:
      IOException - if an I/O error occurs during this filter's processing of the request
      ServletException - if the processing fails for any other reason
    • enforce

      protected boolean enforce(HttpServletRequest req, String requestedPath)
      Check to see if the request and path should be enforced or only observed and reported. Note that the requestedPath parameter is purely a performance optimization to avoid calling CsrfPreventionFilterBase.getRequestedPath(HttpServletRequest) multiple times.
      Parameters:
      req - The request.
      requestedPath - The path of the request being evaluated.
      Returns:
      true if the CSRF prevention should be enforced, false if the CSRF prevention should only be logged in DEBUG mode.
    • skipNonceCheck

      protected boolean skipNonceCheck(HttpServletRequest request)
    • skipNonceGeneration

      protected boolean skipNonceGeneration(HttpServletRequest request)
      Determines whether a nonce should be created. This method is provided primarily for the benefit of sub-classes that wish to customise this behaviour.
      Parameters:
      request - The request that triggered the need to potentially create the nonce.
      Returns:
      true if a nonce should be created, otherwise false
    • createNonceCache

      protected CsrfPreventionFilter.NonceCache<String> createNonceCache(HttpServletRequest request, HttpSession session)
      Create a new CsrfPreventionFilter.NonceCache and store in the HttpSession. This method is provided primarily for the benefit of sub-classes that wish to customise this behaviour.
      Parameters:
      request - The request that triggered the need to create the nonce cache. Unused by the default implementation.
      session - The session associated with the request.
      Returns:
      A newly created CsrfPreventionFilter.NonceCache
    • getNonceCache

      protected CsrfPreventionFilter.NonceCache<String> getNonceCache(HttpServletRequest request, HttpSession session)
      Obtain the CsrfPreventionFilter.NonceCache associated with the request and/or session. This method is provided primarily for the benefit of sub-classes that wish to customise this behaviour.
      Parameters:
      request - The request that triggered the need to obtain the nonce cache. Unused by the default implementation.
      session - The session associated with the request.
      Returns:
      The CsrfPreventionFilter.NonceCache currently associated with the request and/or session