Package org.apache.catalina.filters

Class CsrfPreventionFilter

java.lang.Object

org.apache.catalina.filters.FilterBase

org.apache.catalina.filters.CsrfPreventionFilterBase

org.apache.catalina.filters.CsrfPreventionFilter

All Implemented Interfaces:

Filter

public class CsrfPreventionFilter
extends CsrfPreventionFilterBase

Provides basic CSRF protection for a web application. The filter assumes that:

• The filter is mapped to /*
• HttpServletResponse.encodeRedirectURL(String) and HttpServletResponse.encodeURL(String) are used to encode all URLs returned to the client

CSRF protection is enabled by generating random nonce values which are stored in the client's HTTP session. Each URL encoded using HttpServletResponse.encodeURL(String) has a URL parameter added which, when sent to the server in a future request, will be checked against this stored set of nonces for validity.

Some URLs should be accessible even without a valid nonce parameter value. These URLs are known as "entry points" because clients should be able to "enter" the application without first establishing any valid tokens. These are configured with the entryPoints filter init-param.

Some URLs should not have nonce parameters added to them at all

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
protected static class	CsrfPreventionFilter.CsrfResponseWrapper
protected static class	CsrfPreventionFilter.LruCache<T>	Despite its name, this is a FIFO cache not an LRU cache.
protected static class	CsrfPreventionFilter.MimePredicate	A no-nonce Predicate that evaluates a MIME type instead of a URL.
protected static interface	CsrfPreventionFilter.NonceCache<T>
protected static class	CsrfPreventionFilter.PatternPredicate	A no-nonce Predicate that matches a regular expression.
protected static class	CsrfPreventionFilter.PrefixPredicate	A no-nonce Predicate that matches a prefix.
protected static class	CsrfPreventionFilter.SuffixPredicate	A no-nonce Predicate that matches a suffix.

Field Summary

Fields inherited from class org.apache.catalina.filters.FilterBase

sm

Constructor Summary

Constructors

Constructor	Description
CsrfPreventionFilter()

Method Summary

Modifier and Type	Method	Description
protected CsrfPreventionFilter.NonceCache<String>	createNonceCache(HttpServletRequest request, HttpSession session)	Create a new CsrfPreventionFilter.NonceCache and store in the HttpSession.
protected static Predicate<String>	createNoNoncePredicate(ServletContext context, String pattern)	Creates a predicate that can match the specified type of pattern.
protected static Collection<Predicate<String>>	createNoNoncePredicates(ServletContext context, String patterns)	Creates a collection of matchers from a comma-separated string of patterns.
void	doFilter(ServletRequest request, ServletResponse response, FilterChain chain)	The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain.
protected boolean	enforce(HttpServletRequest req, String requestedPath)	Check to see if the request and path should be enforced or only observed and reported.
protected CsrfPreventionFilter.NonceCache<String>	getNonceCache(HttpServletRequest request, HttpSession session)	Obtain the CsrfPreventionFilter.NonceCache associated with the request and/or session.
void	init(FilterConfig filterConfig)	Iterates over the configuration parameters and either logs a warning, or throws an exception for any parameter that does not have a matching setter in this filter.
boolean	isEnforce()	Gets the flag to enforce CSRF protection or just log failures as DEBUG messages.
void	setEnforce(boolean enforce)	Sets the flag to enforce CSRF protection or just log failures as DEBUG messages.
void	setEntryPoints(String entryPoints)	Entry points are URLs that will not be tested for the presence of a valid nonce.
void	setNonceCacheSize(int nonceCacheSize)	Sets the number of previously issued nonces that will be cached on a LRU basis to support parallel requests, limited use of the refresh and back in the browser and similar behaviors that may result in the submission of a previous nonce rather than the current one.
void	setNonceRequestParameterName(String parameterName)	Sets the request parameter name to use for CSRF nonces.
void	setNoNonceURLPatterns(String patterns)	Sets the list of URL patterns to suppress nonce-addition for.
protected boolean	skipNonceCheck(HttpServletRequest request)
protected boolean	skipNonceGeneration(HttpServletRequest request)	Determines whether a nonce should be created.

Methods inherited from class org.apache.catalina.filters.CsrfPreventionFilterBase

generateNonce, getDenyStatus, getLogger, getRequestedPath, isConfigProblemFatal, setDenyStatus, setRandomClass

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface jakarta.servlet.Filter

destroy

Constructor Details

CsrfPreventionFilter

public CsrfPreventionFilter()

Method Details

setEntryPoints

public void setEntryPoints(String entryPoints)

Entry points are URLs that will not be tested for the presence of a valid nonce. They are used to provide a way to navigate back to a protected application after navigating away from it. Entry points will be limited to HTTP GET requests and should not trigger any security sensitive actions.

Parameters:

entryPoints - Comma separated list of URLs to be configured as entry points.

setNonceCacheSize

public void setNonceCacheSize(int nonceCacheSize)

Sets the number of previously issued nonces that will be cached on a LRU basis to support parallel requests, limited use of the refresh and back in the browser and similar behaviors that may result in the submission of a previous nonce rather than the current one. If not set, the default value of 5 will be used.

Parameters:

nonceCacheSize - The number of nonces to cache

setNonceRequestParameterName

public void setNonceRequestParameterName(String parameterName)

Sets the request parameter name to use for CSRF nonces.

Parameters:

parameterName - The request parameter name to use for CSRF nonces.

setEnforce

public void setEnforce(boolean enforce)

Sets the flag to enforce CSRF protection or just log failures as DEBUG messages.

Parameters:

enforce - true to enforce CSRF protection or false to log DEBUG messages and allow all requests.

isEnforce

public boolean isEnforce()

Gets the flag to enforce CSRF protection or just log failures as DEBUG messages.

Returns:

true if CSRF protection will be enforced or false if all requests will be allowed and failures will be logged as DEBUG messages.

setNoNonceURLPatterns

public void setNoNonceURLPatterns(String patterns)

Sets the list of URL patterns to suppress nonce-addition for. Some URLs do not need nonces added to them such as static resources. By not adding nonces to those URLs, HTTP caches can be more effective because the CSRF prevention filter won't generate what look like unique URLs for those commonly-reused resources.

Parameters:

patterns - A comma-separated list of URL patterns that will not have nonces added to them. Patterns may begin or end with a * character to denote a suffix-match or prefix-match. Any matched URL will not have a CSRF nonce added to it when passed through HttpServletResponse.encodeURL(String).

createNoNoncePredicates

protected static Collection<Predicate<String>> createNoNoncePredicates(ServletContext context,
 String patterns)

Creates a collection of matchers from a comma-separated string of patterns.

Parameters:

context - the Servlet context

patterns - A comma-separated string of URL matching patterns.

Returns:

A collection of predicates representing the URL patterns.

createNoNoncePredicate

protected static Predicate<String> createNoNoncePredicate(ServletContext context,
 String pattern)

Creates a predicate that can match the specified type of pattern.

Parameters:

context - the Servlet context

pattern - The pattern to match e.g. *.foo or /bar/*.

Returns:

A Predicate which can match the specified pattern, or null if the pattern is null or blank.

init

public void init(FilterConfig filterConfig)
          throws ServletException

Description copied from class: FilterBase

Iterates over the configuration parameters and either logs a warning, or throws an exception for any parameter that does not have a matching setter in this filter.

Specified by:

init in interface Filter

Overrides:

init in class CsrfPreventionFilterBase

Parameters:

filterConfig - The configuration information associated with the filter instance being initialised

Throws:

ServletException - if FilterBase.isConfigProblemFatal() returns true and a configured parameter does not have a matching setter

doFilter

public void doFilter(ServletRequest request,
 ServletResponse response,
 FilterChain chain)
              throws IOException,
ServletException

Description copied from interface: jakarta.servlet.Filter

The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain.

A typical implementation of this method would follow the following pattern:-
1. Examine the request
2. Optionally wrap the request object with a custom implementation to filter content or headers for input filtering
3. Optionally wrap the response object with a custom implementation to filter content or headers for output filtering
4. a) Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()),
4. b) or not pass on the request/response pair to the next entity in the filter chain to block the request processing
5. Directly set headers on the response after invocation of the next entity in the filter chain.

Parameters:

request - The request to process

response - The response associated with the request

chain - Provides access to the next filter in the chain for this filter to pass the request and response to for further processing

Throws:

IOException - if an I/O error occurs during this filter's processing of the request

ServletException - if the processing fails for any other reason

enforce

protected boolean enforce(HttpServletRequest req,
 String requestedPath)

Check to see if the request and path should be enforced or only observed and reported. Note that the requestedPath parameter is purely a performance optimization to avoid calling CsrfPreventionFilterBase.getRequestedPath(HttpServletRequest) multiple times.

Parameters:

req - The request.

requestedPath - The path of the request being evaluated.

Returns:

true if the CSRF prevention should be enforced, false if the CSRF prevention should only be logged in DEBUG mode.

skipNonceCheck

protected boolean skipNonceCheck(HttpServletRequest request)

skipNonceGeneration

protected boolean skipNonceGeneration(HttpServletRequest request)

Determines whether a nonce should be created. This method is provided primarily for the benefit of sub-classes that wish to customise this behaviour.

Parameters:

request - The request that triggered the need to potentially create the nonce.

Returns:

true if a nonce should be created, otherwise false

createNonceCache

protected CsrfPreventionFilter.NonceCache<String> createNonceCache(HttpServletRequest request,
 HttpSession session)

Create a new CsrfPreventionFilter.NonceCache and store in the HttpSession. This method is provided primarily for the benefit of sub-classes that wish to customise this behaviour.

Parameters:

request - The request that triggered the need to create the nonce cache. Unused by the default implementation.

session - The session associated with the request.

Returns:

A newly created CsrfPreventionFilter.NonceCache

getNonceCache

protected CsrfPreventionFilter.NonceCache<String> getNonceCache(HttpServletRequest request,
 HttpSession session)

Obtain the CsrfPreventionFilter.NonceCache associated with the request and/or session. This method is provided primarily for the benefit of sub-classes that wish to customise this behaviour.

Parameters:

request - The request that triggered the need to obtain the nonce cache. Unused by the default implementation.

session - The session associated with the request.

Returns:

The CsrfPreventionFilter.NonceCache currently associated with the request and/or session