package org.apache.catalina.filters;
import java.io.IOException;
+import java.util.HashSet;
import java.util.Random;
+import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
private final Random randomSource = new Random();
+ private final Set<String> entryPoints = new HashSet<String>();
+
@Override
protected Log getLogger() {
return log;
}
+ /**
+ * Entry points are URLs that will not be tested for the presence of a valid
+ * nonce. They are used to provide a way to navigate back to a protected
+ * application after navigating away from it. Entry points will be limited
+ * to HTTP GET requests and should not trigger any security sensitive
+ * actions.
+ *
+ * @param entryPoints Comma separated list of URLs to be configured as
+ * entry points.
+ */
+ public void setEntryPoints(String entryPoints) {
+ String values[] = entryPoints.split(",");
+ for (String value : values) {
+ this.entryPoints.add(value);
+ }
+ }
+
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response;
- String previousNonce =
- req.getParameter(Constants.CSRF_NONCE_REQUEST_PARAM);
- String expectedNonce = (String) req.getSession(true).getAttribute(
- Constants.CSRF_NONCE_SESSION_ATTR_NAME);
+ boolean skipNonceCheck = false;
- if (expectedNonce != null && !expectedNonce.equals(previousNonce)) {
- res.sendError(HttpServletResponse.SC_FORBIDDEN);
- return;
+ if (Constants.METHOD_GET.equals(req.getMethod())) {
+ String path = req.getServletPath();
+ if (req.getPathInfo() != null) {
+ path = path + req.getPathInfo();
+ }
+
+ if (entryPoints.contains(path)) {
+ skipNonceCheck = true;
+ }
+ }
+
+ if (!skipNonceCheck) {
+ String previousNonce =
+ req.getParameter(Constants.CSRF_NONCE_REQUEST_PARAM);
+ String expectedNonce =
+ (String) req.getSession(true).getAttribute(
+ Constants.CSRF_NONCE_SESSION_ATTR_NAME);
+
+ if (expectedNonce != null &&
+ !expectedNonce.equals(previousNonce)) {
+ res.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
}
String newNonce = generateNonce();
<subsection name="Initialisation parameters">
- <p>The CSRF Prevention Filter does not support any initialization
- parameters.</p>
+ <p>The CSRF Prevention Filter supports the following initialisation
+ parameters:</p>
+
+ <attributes>
+ <attribute name="entryPoints" required="false">
+ <p>A comma separated list of URLs that will not be tested for the
+ presence of a valid nonce. They are used to provide a way to navigate
+ back to a protected application after having navigated away from it.
+ Entry points will be limited to HTTP GET requests and should not trigger
+ any security sensitive actions.</p>
+ </attribute>
+
+ </attributes>
+
</subsection>
</section>
projects / tomcat7.0 / commitdiff