Package org.apache.catalina.filters

Class CsrfPreventionFilter

    • Constructor Detail

      • CsrfPreventionFilter

        public CsrfPreventionFilter()

    • Method Detail

      • setEntryPoints

        public void setEntryPoints​(String entryPoints)
        Entry points are URLs that will not be tested for the presence of a valid nonce. They are used to provide a way to navigate back to a protected application after navigating away from it. Entry points will be limited to HTTP GET requests and should not trigger any security sensitive actions.
        Parameters:
        entryPoints - Comma separated list of URLs to be configured as entry points.

      • setNonceCacheSize

        public void setNonceCacheSize​(int nonceCacheSize)
        Sets the number of previously issued nonces that will be cached on a LRU basis to support parallel requests, limited use of the refresh and back in the browser and similar behaviors that may result in the submission of a previous nonce rather than the current one. If not set, the default value of 5 will be used.
        Parameters:
        nonceCacheSize - The number of nonces to cache

      • setNonceRequestParameterName

        public void setNonceRequestParameterName​(String parameterName)
        Sets the request parameter name to use for CSRF nonces.
        Parameters:
        parameterName - The request parameter name to use for CSRF nonces.

      • init

        public void init​(FilterConfig filterConfig)
          throws ServletException
        Description copied from class: FilterBase
        Iterates over the configuration parameters and either logs a warning, or throws an exception for any parameter that does not have a matching setter in this filter.
        Specified by:
        init in interface Filter
        Overrides:
        init in class CsrfPreventionFilterBase
        Parameters:
        filterConfig - The configuration information associated with the filter instance being initialised
        Throws:
        ServletException - if FilterBase.isConfigProblemFatal() returns true and a configured parameter does not have a matching setter

      • doFilter

        public void doFilter​(ServletRequest request,
                     ServletResponse response,
                     FilterChain chain)
              throws IOException,
                     ServletException
        Description copied from interface: javax.servlet.Filter
        The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain.

        A typical implementation of this method would follow the following pattern:-
        1. Examine the request
        2. Optionally wrap the request object with a custom implementation to filter content or headers for input filtering
        3. Optionally wrap the response object with a custom implementation to filter content or headers for output filtering
        4. a) Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()),
        4. b) or not pass on the request/response pair to the next entity in the filter chain to block the request processing
        5. Directly set headers on the response after invocation of the next entity in the filter chain.

        Parameters:
        request - The request to process
        response - The response associated with the request
        chain - Provides access to the next filter in the chain for this filter to pass the request and response to for further processing
        Throws:
        IOException - if an I/O error occurs during this filter's processing of the request
        ServletException - if the processing fails for any other reason

      • skipNonceGeneration

        protected boolean skipNonceGeneration​(HttpServletRequest request)
        Determines whether a nonce should be created. This method is provided primarily for the benefit of sub-classes that wish to customise this behaviour.
        Parameters:
        request - The request that triggered the need to potentially create the nonce.
        Returns:
        true if a nonce should be created, otherwise false