Class CsrfPreventionFilter

  • All Implemented Interfaces:
    jakarta.servlet.Filter

    public class CsrfPreventionFilter
    extends FilterBase
    Provides basic CSRF protection for a web application. The filter assumes that:
    • The filter is mapped to /*
    • HttpServletResponse.encodeRedirectURL(String) and HttpServletResponse.encodeURL(String) are used to encode all URLs returned to the client
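As an added usage example (not part of the Tomcat javadoc or source), the servlet below shows the two assumptions above in practice: the filter mapped to /* with the entryPoints, nonceCacheSize and randomClass settings described further down, and every URL handed to the browser passed through encodeURL / encodeRedirectURL so the filter can attach the current nonce. AccountServlet, the /account path and the web.xml values are assumptions for the example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/*
 * Assumed web.xml fragment for this example. The init-param names are the
 * setter names on this page (FilterBase maps each init-param to its setter):
 *
 *   <filter>
 *     <filter-name>CsrfPreventionFilter</filter-name>
 *     <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
 *     <init-param><param-name>entryPoints</param-name><param-value>/,/index.jsp</param-value></init-param>
 *     <init-param><param-name>nonceCacheSize</param-name><param-value>10</param-value></init-param>
 *     <init-param><param-name>randomClass</param-name><param-value>java.security.SecureRandom</param-value></init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>CsrfPreventionFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
@WebServlet("/account") // hypothetical protected page, reached from an entry point via an encoded link
public class AccountServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        // Route every URL handed to the browser through encodeURL so the filter's
        // response wrapper can append the current nonce. A literal "/account" here
        // would carry no nonce and the resulting POST would be rejected by the filter.
        String action = resp.encodeURL(req.getContextPath() + "/account");
        out.println("<form method='post' action='" + action + "'>");
        out.println("  <button type='submit'>Close account</button>");
        out.println("</form>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // ... perform the state-changing action for the logged-in user ...
        // Redirect targets go through encodeRedirectURL for the same reason.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/account"));
    }
}
```

Because /account is not an entry point, a user who bookmarks it and returns directly will get a rejection; only the configured entry points are reachable without a nonce.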
    • Field Summary

      Fields 
      Modifier and Type Field Description
      protected static Logger log  
      • Fields inherited from class org.apache.catalina.filters.FilterBase

        rb
    • Method Summary

      Modifier and Type Method Description
      void doFilter(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain chain)
      protected String generateNonce()
      Generate a one-time token (nonce) for authenticating subsequent requests.
      protected Logger getLogger()
      void init(jakarta.servlet.FilterConfig filterConfig)
      protected boolean isConfigProblemFatal()
      Determines if an exception when calling a setter or an unknown configuration attribute triggers the failure of this filter, which in turn will prevent the web application from starting.
      void setEntryPoints(String entryPoints)
      Entry points are URLs that will not be tested for the presence of a valid nonce.
      void setNonceCacheSize(int nonceCacheSize)
      Sets the number of previously issued nonces that will be cached on an LRU basis to support parallel requests, limited use of the refresh and back buttons in the browser and similar behaviours that may result in the submission of a previous nonce rather than the current one.
      void setRandomClass(String randomClass)
      Specify the class to use to generate the nonces.
    • Field Detail

      • log

        protected static final Logger log
    • Constructor Detail

      • CsrfPreventionFilter

        public CsrfPreventionFilter()
    • Method Detail

      • setEntryPoints

        public void setEntryPoints(String entryPoints)
        Entry points are URLs that will not be tested for the presence of a valid nonce. They are used to provide a way to navigate back to a protected application after navigating away from it. Entry points will be limited to HTTP GET requests and should not trigger any security sensitive actions.
        Parameters:
        entryPoints - Comma separated list of URLs to be configured as entry points.
      • setNonceCacheSize

        public void setNonceCacheSize(int nonceCacheSize)
        Sets the number of previously issued nonces that will be cached on an LRU basis to support parallel requests, limited use of the refresh and back buttons in the browser and similar behaviours that may result in the submission of a previous nonce rather than the current one. If not set, the default value of 5 will be used.
        Parameters:
        nonceCacheSize - The number of nonces to cache
      • setRandomClass

        public void setRandomClass(String randomClass)
        Specify the class to use to generate the nonces. Must be an instance of Random.
        Parameters:
        randomClass - The name of the class to use
      • init

        public void init(jakarta.servlet.FilterConfig filterConfig)
                  throws jakarta.servlet.ServletException
        Specified by:
        init in interface jakarta.servlet.Filter
        Overrides:
        init in class FilterBase
        Throws:
        jakarta.servlet.ServletException
      • doFilter

        public void doFilter(jakarta.servlet.ServletRequest request,
                             jakarta.servlet.ServletResponse response,
                             jakarta.servlet.FilterChain chain)
                      throws IOException,
                             jakarta.servlet.ServletException
        Throws:
        IOException
        jakarta.servlet.ServletException
      • isConfigProblemFatal

        protected boolean isConfigProblemFatal()
        Description copied from class: FilterBase
        Determines if an exception when calling a setter or an unknown configuration attribute triggers the failure of this filter, which in turn will prevent the web application from starting.
        Overrides:
        isConfigProblemFatal in class FilterBase
        Returns:
        true if a problem should trigger the failure of this filter, else false
      • generateNonce

        protected String generateNonce()
        Generate a one-time token (nonce) for authenticating subsequent requests. This will also add the token to the session. The nonce generation is a simplified version of ManagerBase.generateSessionId().