Class CsrfPreventionFilter
- All Implemented Interfaces:
Filter
- The filter is mapped to /*
HttpServletResponse.encodeRedirectURL(String)
andHttpServletResponse.encodeURL(String)
are used to encode all URLs returned to the client
CSRF protection is enabled by generating random nonce values which are stored in the client's HTTP session. Each URL
encoded using HttpServletResponse.encodeURL(String)
has a URL parameter added which, when sent to the server
in a future request, will be checked against this stored set of nonces for validity.
Some URLs should be accessible even without a valid nonce parameter value. These URLs are known as "entry points"
because clients should be able to "enter" the application without first establishing any valid tokens. These are
configured with the entryPoints
filter init-param
.
Some URLs should not have nonce parameters added to them at all
-
Nested Class Summary
Modifier and TypeClassDescriptionprotected static class
protected static class
Despite its name, this is a FIFO cache not an LRU cache.protected static class
A no-nonce Predicate that evaluates a MIME type instead of a URL.protected static interface
protected static class
A no-nonce Predicate that matches a regular expression.protected static class
A no-nonce Predicate that matches a prefix.protected static class
A no-nonce Predicate that matches a suffix. -
Field Summary
Fields inherited from class org.apache.catalina.filters.FilterBase
sm
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionprotected CsrfPreventionFilter.NonceCache<String>
createNonceCache
(HttpServletRequest request, HttpSession session) Create a newCsrfPreventionFilter.NonceCache
and store in theHttpSession
.createNoNoncePredicate
(ServletContext context, String pattern) Creates a predicate that can match the specified type of pattern.protected static Collection<Predicate<String>>
createNoNoncePredicates
(ServletContext context, String patterns) Creates a collection of matchers from a comma-separated string of patterns.void
doFilter
(ServletRequest request, ServletResponse response, FilterChain chain) ThedoFilter
method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain.protected boolean
enforce
(HttpServletRequest req, String requestedPath) Check to see if the request and path should be enforced or only observed and reported.protected CsrfPreventionFilter.NonceCache<String>
getNonceCache
(HttpServletRequest request, HttpSession session) Obtain theCsrfPreventionFilter.NonceCache
associated with the request and/or session.void
init
(FilterConfig filterConfig) Iterates over the configuration parameters and either logs a warning, or throws an exception for any parameter that does not have a matching setter in this filter.boolean
Gets the flag to enforce CSRF protection or just log failures as DEBUG messages.void
setEnforce
(boolean enforce) Sets the flag to enforce CSRF protection or just log failures as DEBUG messages.void
setEntryPoints
(String entryPoints) Entry points are URLs that will not be tested for the presence of a valid nonce.void
setNonceCacheSize
(int nonceCacheSize) Sets the number of previously issued nonces that will be cached on a LRU basis to support parallel requests, limited use of the refresh and back in the browser and similar behaviors that may result in the submission of a previous nonce rather than the current one.void
setNonceRequestParameterName
(String parameterName) Sets the request parameter name to use for CSRF nonces.void
setNoNonceURLPatterns
(String patterns) Sets the list of URL patterns to suppress nonce-addition for.protected boolean
skipNonceCheck
(HttpServletRequest request) protected boolean
skipNonceGeneration
(HttpServletRequest request) Determines whether a nonce should be created.Methods inherited from class org.apache.catalina.filters.CsrfPreventionFilterBase
generateNonce, generateNonce, getDenyStatus, getLogger, getRequestedPath, isConfigProblemFatal, setDenyStatus, setRandomClass
-
Constructor Details
-
CsrfPreventionFilter
public CsrfPreventionFilter()
-
-
Method Details
-
setEntryPoints
Entry points are URLs that will not be tested for the presence of a valid nonce. They are used to provide a way to navigate back to a protected application after navigating away from it. Entry points will be limited to HTTP GET requests and should not trigger any security sensitive actions.- Parameters:
entryPoints
- Comma separated list of URLs to be configured as entry points.
-
setNonceCacheSize
public void setNonceCacheSize(int nonceCacheSize) Sets the number of previously issued nonces that will be cached on a LRU basis to support parallel requests, limited use of the refresh and back in the browser and similar behaviors that may result in the submission of a previous nonce rather than the current one. If not set, the default value of 5 will be used.- Parameters:
nonceCacheSize
- The number of nonces to cache
-
setNonceRequestParameterName
Sets the request parameter name to use for CSRF nonces.- Parameters:
parameterName
- The request parameter name to use for CSRF nonces.
-
setEnforce
public void setEnforce(boolean enforce) Sets the flag to enforce CSRF protection or just log failures as DEBUG messages.- Parameters:
enforce
-true
to enforce CSRF protection orfalse
to log DEBUG messages and allow all requests.
-
isEnforce
public boolean isEnforce()Gets the flag to enforce CSRF protection or just log failures as DEBUG messages.- Returns:
true
if CSRF protection will be enforced orfalse
if all requests will be allowed and failures will be logged as DEBUG messages.
-
setNoNonceURLPatterns
Sets the list of URL patterns to suppress nonce-addition for. Some URLs do not need nonces added to them such as static resources. By not adding nonces to those URLs, HTTP caches can be more effective because the CSRF prevention filter won't generate what look like unique URLs for those commonly-reused resources.- Parameters:
patterns
- A comma-separated list of URL patterns that will not have nonces added to them. Patterns may begin or end with a*
character to denote a suffix-match or prefix-match. Any matched URL will not have a CSRF nonce added to it when passed throughHttpServletResponse.encodeURL(String)
.
-
createNoNoncePredicates
protected static Collection<Predicate<String>> createNoNoncePredicates(ServletContext context, String patterns) Creates a collection of matchers from a comma-separated string of patterns.- Parameters:
context
- the Servlet contextpatterns
- A comma-separated string of URL matching patterns.- Returns:
- A collection of predicates representing the URL patterns.
-
createNoNoncePredicate
Creates a predicate that can match the specified type of pattern.- Parameters:
context
- the Servlet contextpattern
- The pattern to match e.g.*.foo
or/bar/*
.- Returns:
- A Predicate which can match the specified pattern, or
null
if the pattern is null or blank.
-
init
Description copied from class:FilterBase
Iterates over the configuration parameters and either logs a warning, or throws an exception for any parameter that does not have a matching setter in this filter.- Specified by:
init
in interfaceFilter
- Overrides:
init
in classCsrfPreventionFilterBase
- Parameters:
filterConfig
- The configuration information associated with the filter instance being initialised- Throws:
ServletException
- ifFilterBase.isConfigProblemFatal()
returnstrue
and a configured parameter does not have a matching setter
-
doFilter
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException Description copied from interface:javax.servlet.Filter
ThedoFilter
method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain.A typical implementation of this method would follow the following pattern:-
1. Examine the request
2. Optionally wrap the request object with a custom implementation to filter content or headers for input filtering
3. Optionally wrap the response object with a custom implementation to filter content or headers for output filtering
4. a) Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()
),
4. b) or not pass on the request/response pair to the next entity in the filter chain to block the request processing
5. Directly set headers on the response after invocation of the next entity in the filter chain.- Parameters:
request
- The request to processresponse
- The response associated with the requestchain
- Provides access to the next filter in the chain for this filter to pass the request and response to for further processing- Throws:
IOException
- if an I/O error occurs during this filter's processing of the requestServletException
- if the processing fails for any other reason
-
enforce
Check to see if the request and path should be enforced or only observed and reported. Note that therequestedPath
parameter is purely a performance optimization to avoid callingCsrfPreventionFilterBase.getRequestedPath(HttpServletRequest)
multiple times.- Parameters:
req
- The request.requestedPath
- The path of the request being evaluated.- Returns:
true
if the CSRF prevention should be enforced,false
if the CSRF prevention should only be logged in DEBUG mode.
-
skipNonceCheck
-
skipNonceGeneration
Determines whether a nonce should be created. This method is provided primarily for the benefit of sub-classes that wish to customise this behaviour.- Parameters:
request
- The request that triggered the need to potentially create the nonce.- Returns:
true
if a nonce should be created, otherwisefalse
-
createNonceCache
protected CsrfPreventionFilter.NonceCache<String> createNonceCache(HttpServletRequest request, HttpSession session) Create a newCsrfPreventionFilter.NonceCache
and store in theHttpSession
. This method is provided primarily for the benefit of sub-classes that wish to customise this behaviour.- Parameters:
request
- The request that triggered the need to create the nonce cache. Unused by the default implementation.session
- The session associated with the request.- Returns:
- A newly created
CsrfPreventionFilter.NonceCache
-
getNonceCache
protected CsrfPreventionFilter.NonceCache<String> getNonceCache(HttpServletRequest request, HttpSession session) Obtain theCsrfPreventionFilter.NonceCache
associated with the request and/or session. This method is provided primarily for the benefit of sub-classes that wish to customise this behaviour.- Parameters:
request
- The request that triggered the need to obtain the nonce cache. Unused by the default implementation.session
- The session associated with the request.- Returns:
- The
CsrfPreventionFilter.NonceCache
currently associated with the request and/or session
-