public class RestCsrfPreventionFilter extends CsrfPreventionFilterBase
Positive scenario:
Client Server
| |
| GET Fetch Request \| JSESSIONID
|---------------------------------| X-CSRF-Token
| /| pair generation
|/Response to Fetch Request |
|---------------------------------|
JSESSIONID |\ |
X-CSRF-Token | |
pair cached | POST Request with valid nonce \| JSESSIONID
|---------------------------------| X-CSRF-Token
| /| pair validation
|/ Response to POST Request |
|---------------------------------|
|\ |
Negative scenario:
Client Server
| |
| POST Request without nonce \| JSESSIONID
|---------------------------------| X-CSRF-Token
| /| pair validation
|/Request is rejected |
|---------------------------------|
|\ |
Client Server
| |
| POST Request with invalid nonce\| JSESSIONID
|---------------------------------| X-CSRF-Token
| /| pair validation
|/Request is rejected |
|---------------------------------|
|\ |
sm| Constructor and Description |
|---|
RestCsrfPreventionFilter() |
| Modifier and Type | Method and Description |
|---|---|
void |
doFilter(ServletRequest request,
ServletResponse response,
FilterChain chain)
The
doFilter method of the Filter is called by the container
each time a request/response pair is passed through the chain due to a
client request for a resource at the end of the chain. |
Set<String> |
getPathsAcceptingParams() |
void |
init(FilterConfig filterConfig)
Iterates over the configuration parameters and either logs a warning,
or throws an exception for any parameter that does not have a matching
setter in this filter.
|
void |
setPathsAcceptingParams(String pathsList)
A comma separated list of URLs that can accept nonces via request
parameter 'X-CSRF-Token'.
|
generateNonce, getDenyStatus, getLogger, getRequestedPath, isConfigProblemFatal, setDenyStatus, setRandomClassdestroypublic void init(FilterConfig filterConfig) throws ServletException
FilterBaseinit in interface Filterinit in class CsrfPreventionFilterBasefilterConfig - The configuration information associated with the
filter instance being initialisedServletException - if FilterBase.isConfigProblemFatal() returns
true and a configured parameter does not
have a matching setterpublic void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
javax.servlet.FilterdoFilter method of the Filter is called by the container
each time a request/response pair is passed through the chain due to a
client request for a resource at the end of the chain. The FilterChain
passed in to this method allows the Filter to pass on the request and
response to the next entity in the chain.
A typical implementation of this method would follow the following
pattern:-
1. Examine the request
2. Optionally wrap the request object with a custom implementation to
filter content or headers for input filtering
3. Optionally wrap the response object with a custom implementation to
filter content or headers for output filtering
4. a) Either invoke the next entity in the chain using
the FilterChain object (chain.doFilter()),
4. b) or not pass on the request/response pair to the
next entity in the filter chain to block the request processing
5. Directly set headers on the response after invocation of the next
entity in the filter chain.
request - The request to processresponse - The response associated with the requestchain - Provides access to the next filter in the chain for this
filter to pass the request and response to for further
processingIOException - if an I/O error occurs during this filter's
processing of the requestServletException - if the processing fails for any other reasonpublic void setPathsAcceptingParams(String pathsList)
pathsList - Comma separated list of URLs to be configured as paths
accepting request parameters with nonce information.Copyright © 2000-2020 Apache Software Foundation. All Rights Reserved.