Class CsrfPreventionFilter

java.lang.Object
All Implemented Interfaces:
Filter

public class CsrfPreventionFilter extends CsrfPreventionFilterBase
Provides basic CSRF protection for a web application. The filter assumes that:

CSRF protection is enabled by generating random nonce values which are stored in the client's HTTP session. Each URL encoded using HttpServletResponse.encodeURL(String) has a URL parameter added which, when sent to the server in a future request, will be checked against this stored set of nonces for validity.

Some URLs should be accessible even without a valid nonce parameter value. These URLs are known as "entry points" because clients should be able to "enter" the application without first establishing any valid tokens. These are configured with the entryPoints filter init-param.
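The two paragraphs above describe the mechanism from the server's side: nonces live in the session, `encodeURL` attaches one to each link, and entry points are the only paths reachable without one. The listener and servlet below are an added example, not code from this page or from Tomcat itself. The listener registers the filter programmatically on `/*` with an `entryPoints` init-param, and the servlet builds its links through `encodeURL` and its redirect through `encodeRedirectURL` so that the filter's response wrapper can append the nonce parameter. The paths `/index.html`, `/login`, `/account` and `/account/transfer`, the class names `CsrfSetup` and `AccountServlet`, and the `jakarta.servlet` namespace (Tomcat 10 or later) are assumptions made for the example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.EnumSet;

import jakarta.servlet.DispatcherType;
import jakarta.servlet.FilterRegistration;
import jakarta.servlet.ServletContext;
import jakarta.servlet.ServletContextEvent;
import jakarta.servlet.ServletContextListener;
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebListener;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Example listener (hypothetical class name) that registers
 * CsrfPreventionFilter on every request path and names the entry points.
 * Equivalent to a <filter>/<filter-mapping> pair in web.xml.
 */
@WebListener
public class CsrfSetup implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Register by class name so the web application does not need
        // catalina.jar on its compile classpath; Tomcat loads the class.
        FilterRegistration.Dynamic reg = ctx.addFilter(
                "CsrfPreventionFilter",
                "org.apache.catalina.filters.CsrfPreventionFilter");

        // Entry points (assumed paths): the landing page and the login
        // form are reachable with no nonce, because a client has no nonce
        // before its first response. Every other path under /* must carry
        // a nonce that is present in the session's nonce cache.
        reg.setInitParameter("entryPoints", "/index.html,/login");

        // The filter only sees requests it is mapped to, so map it to /*.
        reg.addMappingForUrlPatterns(
                EnumSet.of(DispatcherType.REQUEST), false, "/*");
    }
}

/**
 * Example page (hypothetical) whose links are run through encodeURL. The
 * filter wraps the response, so each encoded URL comes back with the
 * nonce parameter appended; a link assembled by plain string
 * concatenation would carry no nonce and be refused by the filter.
 */
@WebServlet("/account")
class AccountServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String base = req.getContextPath();

        // Nonce is added here, not by the servlet: the filter's wrapper
        // implements encodeURL for the current session.
        String transferUrl = resp.encodeURL(base + "/account/transfer");
        String logoutUrl = resp.encodeURL(base + "/logout");

        resp.setContentType("text/html;charset=UTF-8");
        try (PrintWriter out = resp.getWriter()) {
            out.println("<p><a href=\"" + transferUrl + "\">Transfer</a></p>");
            out.println("<p><a href=\"" + logoutUrl + "\">Log out</a></p>");
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // A redirect target is a URL the client will request next, so it
        // needs a nonce as well; encodeRedirectURL is the counterpart of
        // encodeURL for Location headers.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/account"));
    }
}
```

Two points follow from the mechanism rather than from the code: first, every entry point is a path on which the application accepts a request that carries no token, so the list should be limited to the pages a client genuinely needs before it has received any response, such as an unauthenticated landing page or login form; second, the nonce only protects links that pass through `encodeURL` or `encodeRedirectURL`, so any template, JSP or JavaScript that builds URLs by hand produces links the filter will reject, which usually shows up in testing as denied requests on pages that render correctly.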

Some URLs should not have nonce parameters added to them at all