CsrfPreventionFilter (Payara Project 4.1.2.174 API)

java.lang.Object
- org.apache.catalina.filters.FilterBase
- - org.apache.catalina.filters.CsrfPreventionFilter

All Implemented Interfaces:

javax.servlet.Filter
```
public class CsrfPreventionFilter
extends FilterBase
```
Provides basic CSRF protection for a web application. The filter assumes that:
- The filter is mapped to /*
- HttpServletResponse.encodeRedirectURL(String) and HttpServletResponse.encodeURL(String) are used to encode all URLs returned to the client

Nested Class Summary

Nested Classes
Modifier and Type Class and Description

protected static class CsrfPreventionFilter.CsrfResponseWrapper

protected static class CsrfPreventionFilter.LruCache<T>

Nested Classes
Modifier and Type	Class and Description
`protected static class`	`CsrfPreventionFilter.CsrfResponseWrapper`
`protected static class`	`CsrfPreventionFilter.LruCache<T>`

Field Summary

Fields
Modifier and Type Field and Description

protected static Logger log
- Fields inherited from class org.apache.catalina.filters.FilterBase
  rb

Fields
Modifier and Type	Field and Description
`protected static Logger`	`log`

Constructor Summary

Constructors
Constructor and Description

CsrfPreventionFilter()

Constructors
Constructor and Description
`CsrfPreventionFilter()`

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`void`	`doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)`
`protected String`	`generateNonce()` Generate a once time token (nonce) for authenticating subsequent requests.
`protected Logger`	`getLogger()`
`void`	`init(javax.servlet.FilterConfig filterConfig)`
`protected boolean`	`isConfigProblemFatal()` Determines if an exception when calling a setter or an unknown configuration attribute triggers the failure of the this filter which in turn will prevent the web application from starting.
`void`	`setEntryPoints(String entryPoints)` Entry points are URLs that will not be tested for the presence of a valid nonce.
`void`	`setNonceCacheSize(int nonceCacheSize)` Sets the number of previously issued nonces that will be cached on a LRU basis to support parallel requests, limited use of the refresh and back in the browser and similar behaviors that may result in the submission of a previous nonce rather than the current one.
`void`	`setRandomClass(String randomClass)` Specify the class to use to generate the nonces.

Methods inherited from class org.apache.catalina.filters.FilterBase
destroy

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - log
```
protected static final Logger log
```
- Constructor Detail
  - CsrfPreventionFilter
```
public CsrfPreventionFilter()
```
- Method Detail
  - getLogger
```
protected Logger getLogger()
```
    Specified by:
    
    getLogger in class FilterBase
  - setEntryPoints
```
public void setEntryPoints(String entryPoints)
```
    Entry points are URLs that will not be tested for the presence of a valid nonce. They are used to provide a way to navigate back to a protected application after navigating away from it. Entry points will be limited to HTTP GET requests and should not trigger any security sensitive actions.
    
    Parameters:
    
    entryPoints - Comma separated list of URLs to be configured as entry points.
  - setNonceCacheSize
```
public void setNonceCacheSize(int nonceCacheSize)
```
    Sets the number of previously issued nonces that will be cached on a LRU basis to support parallel requests, limited use of the refresh and back in the browser and similar behaviors that may result in the submission of a previous nonce rather than the current one. If not set, the default value of 5 will be used.
    
    Parameters:
    
    nonceCacheSize - The number of nonces to cache
  - setRandomClass
```
public void setRandomClass(String randomClass)
```
    Specify the class to use to generate the nonces. Must be in instance of Random.
    
    Parameters:
    
    randomClass - The name of the class to use
  - init
```
public void init(javax.servlet.FilterConfig filterConfig)
          throws javax.servlet.ServletException
```
    Specified by:
    
    init in interface javax.servlet.Filter
    
    Overrides:
    
    init in class FilterBase
    
    Throws:
    
    javax.servlet.ServletException
  - doFilter
```
public void doFilter(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException
```
    Throws:
    
    IOException
    
    javax.servlet.ServletException
  - isConfigProblemFatal
```
protected boolean isConfigProblemFatal()
```
    Description copied from class: FilterBase
    
    Determines if an exception when calling a setter or an unknown configuration attribute triggers the failure of the this filter which in turn will prevent the web application from starting.
    
    Overrides:
    
    isConfigProblemFatal in class FilterBase
    
    Returns:
    
    true if a problem should trigger the failure of this filter, else false
  - generateNonce
```
protected String generateNonce()
```
    Generate a once time token (nonce) for authenticating subsequent requests. This will also add the token to the session. The nonce generation is a simplified version of ManagerBase.generateSessionId().

Class CsrfPreventionFilter

Nested Class Summary

Field Summary

Fields inherited from class org.apache.catalina.filters.FilterBase

Constructor Summary

Method Summary

Methods inherited from class org.apache.catalina.filters.FilterBase

Methods inherited from class java.lang.Object

Field Detail

log

Constructor Detail

CsrfPreventionFilter

Method Detail

getLogger

setEntryPoints

setNonceCacheSize

setRandomClass

init

doFilter

isConfigProblemFatal

generateNonce