Package org.apache.catalina.filters
Class CsrfPreventionFilter
- java.lang.Object
  - org.apache.catalina.filters.FilterBase
    - org.apache.catalina.filters.CsrfPreventionFilter
- All Implemented Interfaces:
  jakarta.servlet.Filter
public class CsrfPreventionFilter extends FilterBase
Provides basic CSRF protection for a web application. The filter assumes that:
- The filter is mapped to /*
- HttpServletResponse.encodeRedirectURL(String) and HttpServletResponse.encodeURL(String) are used to encode all URLs returned to the client
Nested Class Summary
- protected static class CsrfPreventionFilter.CsrfResponseWrapper
- protected static class CsrfPreventionFilter.LruCache<T>
Field Summary
- protected static Logger log
- Fields inherited from class org.apache.catalina.filters.FilterBase: rb

Constructor Summary
- CsrfPreventionFilter()
Method Summary
- void doFilter(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain chain)
- protected String generateNonce()
  Generate a one-time token (nonce) for authenticating subsequent requests.
- protected Logger getLogger()
- void init(jakarta.servlet.FilterConfig filterConfig)
- protected boolean isConfigProblemFatal()
  Determines if an exception when calling a setter or an unknown configuration attribute triggers the failure of this filter, which in turn will prevent the web application from starting.
- void setEntryPoints(String entryPoints)
  Entry points are URLs that will not be tested for the presence of a valid nonce.
- void setNonceCacheSize(int nonceCacheSize)
  Sets the number of previously issued nonces that will be cached on an LRU basis to support parallel requests, limited use of the refresh and back buttons in the browser, and similar behaviors that may result in the submission of a previous nonce rather than the current one.
- void setRandomClass(String randomClass)
  Specify the class to use to generate the nonces.
- Methods inherited from class org.apache.catalina.filters.FilterBase: destroy
Field Detail

log
protected static final Logger log
Method Detail

getLogger
protected Logger getLogger()
- Specified by: getLogger in class FilterBase
setEntryPoints
public void setEntryPoints(String entryPoints)
Entry points are URLs that will not be tested for the presence of a valid nonce. They are used to provide a way to navigate back to a protected application after navigating away from it. Entry points will be limited to HTTP GET requests and should not trigger any security sensitive actions.
- Parameters:
  entryPoints - Comma separated list of URLs to be configured as entry points.
setNonceCacheSize
public void setNonceCacheSize(int nonceCacheSize)
Sets the number of previously issued nonces that will be cached on an LRU basis to support parallel requests, limited use of the refresh and back buttons in the browser, and similar behaviors that may result in the submission of a previous nonce rather than the current one. If not set, the default value of 5 will be used.
- Parameters:
  nonceCacheSize - The number of nonces to cache
setRandomClass
public void setRandomClass(String randomClass)
Specify the class to use to generate the nonces. Must be an instance of Random.
- Parameters:
  randomClass - The name of the class to use
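As an added example (not code from this page or from Tomcat itself), a hypothetical servlet that honours the two assumptions the filter documents: it sits behind the filter mapped to /* and builds every outgoing URL with encodeURL or encodeRedirectURL, so the nonce is carried along. The package and class names, the web.xml fragment in the header comment, and the paths are assumptions; the init-param names match the setters documented above.

```java
// Hypothetical servlet (added example, not Tomcat's own code) showing the URL-encoding
// contract that CsrfPreventionFilter relies on. It assumes the filter is declared in
// web.xml with init-params named after the setters documented here and mapped to /*:
//
//   <filter>
//     <filter-name>CsrfPreventionFilter</filter-name>
//     <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
//     <init-param><param-name>entryPoints</param-name><param-value>/,/index.jsp</param-value></init-param>
//     <init-param><param-name>nonceCacheSize</param-name><param-value>10</param-value></init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>CsrfPreventionFilter</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
package com.example.csrfdemo; // hypothetical package

import java.io.IOException;
import java.io.PrintWriter;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

public class AccountServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();

        // Correct: encodeURL() goes through the filter's CsrfResponseWrapper, which
        // appends the current nonce, so the next request carries a token the filter accepts.
        String safeLink = resp.encodeURL(req.getContextPath() + "/account/delete");
        out.println("<a href=\"" + safeLink + "\">Delete account</a>");

        // Wrong: a hand-assembled URL carries no nonce. With the filter mapped to /*,
        // such a request is rejected unless its path is listed in entryPoints.
        String unsafeLink = req.getContextPath() + "/account/delete"; // do not emit this
        out.println("<!-- missing nonce: " + unsafeLink + " -->");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Perform the state-changing action here, then redirect. Redirects must use
        // encodeRedirectURL() so the landing page's request also carries a nonce.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/account"));
    }
}
```

Keep entryPoints to GET-only pages that change no state, as the setEntryPoints description requires, since those paths bypass the nonce check entirely.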
init
public void init(jakarta.servlet.FilterConfig filterConfig) throws jakarta.servlet.ServletException
- Specified by: init in interface jakarta.servlet.Filter
- Overrides: init in class FilterBase
- Throws: jakarta.servlet.ServletException
doFilter
public void doFilter(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain chain) throws IOException, jakarta.servlet.ServletException
- Throws: IOException, jakarta.servlet.ServletException
isConfigProblemFatal
protected boolean isConfigProblemFatal()
Description copied from class: FilterBase
Determines if an exception when calling a setter or an unknown configuration attribute triggers the failure of this filter, which in turn will prevent the web application from starting.
- Overrides: isConfigProblemFatal in class FilterBase
- Returns: true if a problem should trigger the failure of this filter, else false
generateNonce
protected String generateNonce()
Generate a one-time token (nonce) for authenticating subsequent requests. This will also add the token to the session. The nonce generation is a simplified version of ManagerBase.generateSessionId().