Make the random source used for nonces user configurable

author markt <markt@13f79535-47bb-0310-9956-ffa450edef68>

Sat, 10 Jul 2010 16:41:59 +0000 (16:41 +0000)

committer markt <markt@13f79535-47bb-0310-9956-ffa450edef68>

Sat, 10 Jul 2010 16:41:59 +0000 (16:41 +0000)
author markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Sat, 10 Jul 2010 16:41:59 +0000 (16:41 +0000)
committer markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Sat, 10 Jul 2010 16:41:59 +0000 (16:41 +0000)
diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java

index 60a650c..44a4d21 100644 (file)
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -26,6 +26,7 @@ import java.util.Random;
  import java.util.Set;
  
  import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
  import javax.servlet.ServletException;
  import javax.servlet.ServletRequest;
  import javax.servlet.ServletResponse;
@@ -51,7 +52,9 @@ public class CsrfPreventionFilter extends FilterBase {
      private static final Log log =
          LogFactory.getLog(CsrfPreventionFilter.class);
      
-    private final Random randomSource = new SecureRandom();
+    private String randomClass = SecureRandom.class.getName();
+    
+    private Random randomSource;
  
      private final Set<String> entryPoints = new HashSet<String>();
      
@@ -92,6 +95,39 @@ public class CsrfPreventionFilter extends FilterBase {
          this.nonceCacheSize = nonceCacheSize;
      }
      
+    /**
+     * Specify the class to use to generate the nonces. Must be in instance of
+     * {@link Random}.
+     * 
+     * @param randomClass   The name of the class to use
+     */
+    public void setRandomClass(String randomClass) {
+        this.randomClass = randomClass;
+    }
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+        // Set the parameters
+        super.init(filterConfig);
+        
+        try {
+            Class<?> clazz = Class.forName(randomClass);
+            randomSource = (Random) clazz.newInstance();
+        } catch (ClassNotFoundException e) {
+            ServletException se = new ServletException(sm.getString(
+                    "csrfPrevention.invalidRandomClass", randomClass), e);
+            throw se;
+        } catch (InstantiationException e) {
+            ServletException se = new ServletException(sm.getString(
+                    "csrfPrevention.invalidRandomClass", randomClass), e);
+            throw se;
+        } catch (IllegalAccessException e) {
+            ServletException se = new ServletException(sm.getString(
+                    "csrfPrevention.invalidRandomClass", randomClass), e);
+            throw se;
+        }
+    }
+
      public void doFilter(ServletRequest request, ServletResponse response,
              FilterChain chain) throws IOException, ServletException {
  
diff --git a/java/org/apache/catalina/filters/LocalStrings.properties b/java/org/apache/catalina/filters/LocalStrings.properties

index 4475c17..66de38c 100644 (file)
--- a/java/org/apache/catalina/filters/LocalStrings.properties
+++ b/java/org/apache/catalina/filters/LocalStrings.properties
@@ -13,6 +13,7 @@
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
+csrfPrevention.invalidRandomClass=Unable to create Random source using class [{0}]
  filterbase.noSuchProperty=The property "{0}" is not defined for filters of type "{1}"
- 
+
  http.403=Access to the specified resource ({0}) has been forbidden.
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml

index f68d887..605330e 100644 (file)
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -132,7 +132,8 @@
        </add>
        <fix>
          Improve the CSRF protection filter by using SecureRandom rather than
-        Random to generate nonces. (markt)
+        Random to generate nonces. Also make the implementation class used user
+        configurable. (markt)
        </fix>
      </changelog>
    </subsection>
diff --git a/webapps/docs/config/filter.xml b/webapps/docs/config/filter.xml

index b1fdea6..a36eb47 100644 (file)
--- a/webapps/docs/config/filter.xml
+++ b/webapps/docs/config/filter.xml
@@ -135,6 +135,12 @@
          value of 5 will be used.</p>
        </attribute>
        
+      <attribute name="randomClass" required="false">
+        <p>The name of the class to use to generate nonces. The class must be an
+        instance of <code>java.util.Rnadom</code>. If not set, the default value
+        of <code>java.security.SecureRandom</code> will be used.</p>
+      </attribute>
+      
      </attributes>
      
    </subsection>
author	markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
	Sat, 10 Jul 2010 16:41:59 +0000 (16:41 +0000)
committer	markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
	Sat, 10 Jul 2010 16:41:59 +0000 (16:41 +0000)
java/org/apache/catalina/filters/CsrfPreventionFilter.java		patch \| blob \| history
java/org/apache/catalina/filters/LocalStrings.properties		patch \| blob \| history
webapps/docs/changelog.xml		patch \| blob \| history
webapps/docs/config/filter.xml		patch \| blob \| history