Class CsrfPreventionFilter
- All Implemented Interfaces:
- Filter
- The filter is mapped to /*
- HttpServletResponse.encodeRedirectURL(String)and- HttpServletResponse.encodeURL(String)are used to encode all URLs returned to the client
   CSRF protection is enabled by generating random nonce values which are
   stored in the client's HTTP session. Each URL encoded using
   HttpServletResponse.encodeURL(String) has a URL parameter added
   which, when sent to the server in a future request, will be checked
   against this stored set of nonces for validity.
 
   Some URLs should be accessible even without a valid nonce parameter value.
   These URLs are known as "entry points" because clients should be able to
   "enter" the application without first establishing any valid tokens. These
   are configured with the entryPoints filter
   init-param.
 
Some URLs should not have nonce parameters added to them at all
- 
Nested Class SummaryNested ClassesModifier and TypeClassDescriptionprotected static classprotected static classDespite its name, this is a FIFO cache not an LRU cache.protected static classA no-nonce Predicate that evaluates a MIME type instead of a URL.protected static interfaceprotected static classA no-nonce Predicate that matches a regular expression.protected static classA no-nonce Predicate that matches a prefix.protected static classA no-nonce Predicate that matches a suffix.
- 
Field SummaryFields inherited from class org.apache.catalina.filters.FilterBasesm
- 
Constructor SummaryConstructors
- 
Method SummaryModifier and TypeMethodDescriptionprotected CsrfPreventionFilter.NonceCache<String>createNonceCache(HttpServletRequest request, HttpSession session) Create a newCsrfPreventionFilter.NonceCacheand store in theHttpSession.createNoNoncePredicate(ServletContext context, String pattern) Creates a predicate that can match the specified type of pattern.protected static Collection<Predicate<String>>createNoNoncePredicates(ServletContext context, String patterns) Creates a collection of matchers from a comma-separated string of patterns.voiddoFilter(ServletRequest request, ServletResponse response, FilterChain chain) ThedoFiltermethod of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain.protected booleanenforce(HttpServletRequest req, String requestedPath) Check to see if the request and path should be enforced or only observed and reported.protected CsrfPreventionFilter.NonceCache<String>getNonceCache(HttpServletRequest request, HttpSession session) Obtain theCsrfPreventionFilter.NonceCacheassociated with the request and/or session.voidinit(FilterConfig filterConfig) Iterates over the configuration parameters and either logs a warning, or throws an exception for any parameter that does not have a matching setter in this filter.booleanGets the flag to enforce CSRF protection or just log failures as DEBUG messages.voidsetEnforce(boolean enforce) Sets the flag to enforce CSRF protection or just log failures as DEBUG messages.voidsetEntryPoints(String entryPoints) Entry points are URLs that will not be tested for the presence of a valid nonce.voidsetNonceCacheSize(int nonceCacheSize) Sets the number of previously issued nonces that will be cached on a LRU basis to support parallel requests, limited use of the refresh and back in the browser and similar behaviors that may result in the submission of a previous nonce rather than the current one.voidsetNonceRequestParameterName(String parameterName) Sets the request parameter name to use for CSRF nonces.voidsetNoNonceURLPatterns(String patterns) Sets the list of URL patterns to suppress nonce-addition for.protected booleanskipNonceCheck(HttpServletRequest request) protected booleanskipNonceGeneration(HttpServletRequest request) Determines whether a nonce should be created.Methods inherited from class org.apache.catalina.filters.CsrfPreventionFilterBasegenerateNonce, getDenyStatus, getLogger, getRequestedPath, isConfigProblemFatal, setDenyStatus, setRandomClass
- 
Constructor Details- 
CsrfPreventionFilterpublic CsrfPreventionFilter()
 
- 
- 
Method Details- 
setEntryPointsEntry points are URLs that will not be tested for the presence of a valid nonce. They are used to provide a way to navigate back to a protected application after navigating away from it. Entry points will be limited to HTTP GET requests and should not trigger any security sensitive actions.- Parameters:
- entryPoints- Comma separated list of URLs to be configured as entry points.
 
- 
setNonceCacheSizepublic void setNonceCacheSize(int nonceCacheSize) Sets the number of previously issued nonces that will be cached on a LRU basis to support parallel requests, limited use of the refresh and back in the browser and similar behaviors that may result in the submission of a previous nonce rather than the current one. If not set, the default value of 5 will be used.- Parameters:
- nonceCacheSize- The number of nonces to cache
 
- 
setNonceRequestParameterNameSets the request parameter name to use for CSRF nonces.- Parameters:
- parameterName- The request parameter name to use for CSRF nonces.
 
- 
setEnforcepublic void setEnforce(boolean enforce) Sets the flag to enforce CSRF protection or just log failures as DEBUG messages.- Parameters:
- enforce-- trueto enforce CSRF protection or- falseto log DEBUG messages and allow all requests.
 
- 
isEnforcepublic boolean isEnforce()Gets the flag to enforce CSRF protection or just log failures as DEBUG messages.- Returns:
- trueif CSRF protection will be enforced or- falseif all requests will be allowed and failures will be logged as DEBUG messages.
 
- 
setNoNonceURLPatternsSets the list of URL patterns to suppress nonce-addition for. Some URLs do not need nonces added to them such as static resources. By not adding nonces to those URLs, HTTP caches can be more effective because the CSRF prevention filter won't generate what look like unique URLs for those commonly-reused resources.- Parameters:
- patterns- A comma-separated list of URL patterns that will not have nonces added to them. Patterns may begin or end with a- *character to denote a suffix-match or prefix-match. Any matched URL will not have a CSRF nonce added to it when passed through- HttpServletResponse.encodeURL(String).
 
- 
createNoNoncePredicatesprotected static Collection<Predicate<String>> createNoNoncePredicates(ServletContext context, String patterns) Creates a collection of matchers from a comma-separated string of patterns.- Parameters:
- context- the Servlet context
- patterns- A comma-separated string of URL matching patterns.
- Returns:
- A collection of predicates representing the URL patterns.
 
- 
createNoNoncePredicateCreates a predicate that can match the specified type of pattern.- Parameters:
- context- the Servlet context
- pattern- The pattern to match e.g.- *.fooor- /bar/*.
- Returns:
- A Predicate which can match the specified pattern, or
         nullif the pattern is null or blank.
 
- 
initDescription copied from class:FilterBaseIterates over the configuration parameters and either logs a warning, or throws an exception for any parameter that does not have a matching setter in this filter.- Specified by:
- initin interface- Filter
- Overrides:
- initin class- CsrfPreventionFilterBase
- Parameters:
- filterConfig- The configuration information associated with the filter instance being initialised
- Throws:
- ServletException- if- FilterBase.isConfigProblemFatal()returns- trueand a configured parameter does not have a matching setter
 
- 
doFilterpublic void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException Description copied from interface:jakarta.servlet.FilterThedoFiltermethod of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain.A typical implementation of this method would follow the following pattern:- 
 1. Examine the request
 2. Optionally wrap the request object with a custom implementation to filter content or headers for input filtering
 3. Optionally wrap the response object with a custom implementation to filter content or headers for output filtering
 4. a) Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()),
 4. b) or not pass on the request/response pair to the next entity in the filter chain to block the request processing
 5. Directly set headers on the response after invocation of the next entity in the filter chain.- Parameters:
- request- The request to process
- response- The response associated with the request
- chain- Provides access to the next filter in the chain for this filter to pass the request and response to for further processing
- Throws:
- IOException- if an I/O error occurs during this filter's processing of the request
- ServletException- if the processing fails for any other reason
 
- 
enforceCheck to see if the request and path should be enforced or only observed and reported. Note that therequestedPathparameter is purely a performance optimization to avoid callingCsrfPreventionFilterBase.getRequestedPath(HttpServletRequest)multiple times.- Parameters:
- req- The request.
- requestedPath- The path of the request being evaluated.
- Returns:
- trueif the CSRF prevention should be enforced,- falseif the CSRF prevention should only be logged in DEBUG mode.
 
- 
skipNonceCheck
- 
skipNonceGenerationDetermines whether a nonce should be created. This method is provided primarily for the benefit of sub-classes that wish to customise this behaviour.- Parameters:
- request- The request that triggered the need to potentially create the nonce.
- Returns:
- trueif a nonce should be created, otherwise- false
 
- 
createNonceCacheprotected CsrfPreventionFilter.NonceCache<String> createNonceCache(HttpServletRequest request, HttpSession session) Create a newCsrfPreventionFilter.NonceCacheand store in theHttpSession. This method is provided primarily for the benefit of sub-classes that wish to customise this behaviour.- Parameters:
- request- The request that triggered the need to create the nonce cache. Unused by the default implementation.
- session- The session associated with the request.
- Returns:
- A newly created CsrfPreventionFilter.NonceCache
 
- 
getNonceCacheprotected CsrfPreventionFilter.NonceCache<String> getNonceCache(HttpServletRequest request, HttpSession session) Obtain theCsrfPreventionFilter.NonceCacheassociated with the request and/or session. This method is provided primarily for the benefit of sub-classes that wish to customise this behaviour.- Parameters:
- request- The request that triggered the need to obtain the nonce cache. Unused by the default implementation.
- session- The session associated with the request.
- Returns:
- The CsrfPreventionFilter.NonceCachecurrently associated with the request and/or session
 
 
-