From: markt Date: Sat, 10 Jul 2010 16:41:59 +0000 (+0000) Subject: Make the random source used for nonces user configurable X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=68f6268fff02ca0ac72ae6c508ac9ae8c8ffde72;p=tomcat7.0 Make the random source used for nonces user configurable git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@962881 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java b/java/org/apache/catalina/filters/CsrfPreventionFilter.java index 60a650c62..44a4d21fa 100644 --- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java +++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java @@ -26,6 +26,7 @@ import java.util.Random; import java.util.Set; import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; @@ -51,7 +52,9 @@ public class CsrfPreventionFilter extends FilterBase { private static final Log log = LogFactory.getLog(CsrfPreventionFilter.class); - private final Random randomSource = new SecureRandom(); + private String randomClass = SecureRandom.class.getName(); + + private Random randomSource; private final Set entryPoints = new HashSet(); @@ -92,6 +95,39 @@ public class CsrfPreventionFilter extends FilterBase { this.nonceCacheSize = nonceCacheSize; } + /** + * Specify the class to use to generate the nonces. Must be in instance of + * {@link Random}. + * + * @param randomClass The name of the class to use + */ + public void setRandomClass(String randomClass) { + this.randomClass = randomClass; + } + + @Override + public void init(FilterConfig filterConfig) throws ServletException { + // Set the parameters + super.init(filterConfig); + + try { + Class clazz = Class.forName(randomClass); + randomSource = (Random) clazz.newInstance(); + } catch (ClassNotFoundException e) { + ServletException se = new ServletException(sm.getString( + "csrfPrevention.invalidRandomClass", randomClass), e); + throw se; + } catch (InstantiationException e) { + ServletException se = new ServletException(sm.getString( + "csrfPrevention.invalidRandomClass", randomClass), e); + throw se; + } catch (IllegalAccessException e) { + ServletException se = new ServletException(sm.getString( + "csrfPrevention.invalidRandomClass", randomClass), e); + throw se; + } + } + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { diff --git a/java/org/apache/catalina/filters/LocalStrings.properties b/java/org/apache/catalina/filters/LocalStrings.properties index 4475c1730..66de38cd7 100644 --- a/java/org/apache/catalina/filters/LocalStrings.properties +++ b/java/org/apache/catalina/filters/LocalStrings.properties @@ -13,6 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. +csrfPrevention.invalidRandomClass=Unable to create Random source using class [{0}] filterbase.noSuchProperty=The property "{0}" is not defined for filters of type "{1}" - + http.403=Access to the specified resource ({0}) has been forbidden. diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index f68d8871e..605330e1f 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -132,7 +132,8 @@ Improve the CSRF protection filter by using SecureRandom rather than - Random to generate nonces. (markt) + Random to generate nonces. Also make the implementation class used user + configurable. (markt) diff --git a/webapps/docs/config/filter.xml b/webapps/docs/config/filter.xml index b1fdea615..a36eb47f5 100644 --- a/webapps/docs/config/filter.xml +++ b/webapps/docs/config/filter.xml @@ -135,6 +135,12 @@ value of 5 will be used.

+ +

The name of the class to use to generate nonces. The class must be an + instance of java.util.Rnadom. If not set, the default value + of java.security.SecureRandom will be used.

+ +