Posted to dev@tomcat.apache.org by ma...@apache.org on 2010/06/20 20:59:51 UTC
svn commit: r956385 - in /tomcat/trunk:
java/org/apache/catalina/filters/Constants.java
java/org/apache/catalina/filters/CsrfPreventionFilter.java
webapps/docs/changelog.xml webapps/docs/config/filter.xml
Author: markt
Date: Sun Jun 20 18:59:51 2010
New Revision: 956385
URL: http://svn.apache.org/viewvc?rev=956385&view=rev
Log:
Add entryPoint support to the CSRF prevention filter.
Modified:
tomcat/trunk/java/org/apache/catalina/filters/Constants.java
tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/filter.xml
Modified: tomcat/trunk/java/org/apache/catalina/filters/Constants.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/Constants.java?rev=956385&r1=956384&r2=956385&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/Constants.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/Constants.java Sun Jun 20 18:59:51 2010
@@ -36,4 +36,6 @@ public final class Constants {
public static final String CSRF_NONCE_REQUEST_PARAM =
"org.apache.catalina.filters.CSRF_NONCE";
+
+ public static final String METHOD_GET = "GET";
}
Modified: tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?rev=956385&r1=956384&r2=956385&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java Sun Jun 20 18:59:51 2010
@@ -18,7 +18,9 @@
package org.apache.catalina.filters;
import java.io.IOException;
+import java.util.HashSet;
import java.util.Random;
+import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
@@ -48,11 +50,30 @@ public class CsrfPreventionFilter extend
private final Random randomSource = new Random();
+ private final Set<String> entryPoints = new HashSet<String>();
+
@Override
protected Log getLogger() {
return log;
}
+ /**
+ * Entry points are URLs that will not be tested for the presence of a valid
+ * nonce. They are used to provide a way to navigate back to a protected
+ * application after navigating away from it. Entry points will be limited
+ * to HTTP GET requests and should not trigger any security sensitive
+ * actions.
+ *
+ * @param entryPoints Comma separated list of URLs to be configured as
+ * entry points.
+ */
+ public void setEntryPoints(String entryPoints) {
+ String values[] = entryPoints.split(",");
+ for (String value : values) {
+ this.entryPoints.add(value);
+ }
+ }
+
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
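Review bot: setEntryPoints adds each comma-separated token verbatim, so a value written with spaces after the commas (e.g. `/index.jsp, /login.jsp`) stores ` /login.jsp`, which can never equal the path doFilter builds from getServletPath() and getPathInfo(); a null init-parameter value also throws NullPointerException from split(). Trim each token and drop empties before adding: `String v = value.trim();` then `if (!v.isEmpty()) { this.entryPoints.add(v); }`. The Javadoc calls the values "URLs"; since the match is against the context-relative servlet path plus path info, it should say `@param entryPoints Comma separated list of context-relative paths (servlet path plus path info, no context path or query string) to be configured as entry points.` so nobody configures them with the context path prefixed. The doFilter signature at the end of this hunk continues outside it.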
@@ -64,14 +85,31 @@ public class CsrfPreventionFilter extend
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response;
- String previousNonce =
- req.getParameter(Constants.CSRF_NONCE_REQUEST_PARAM);
- String expectedNonce = (String) req.getSession(true).getAttribute(
- Constants.CSRF_NONCE_SESSION_ATTR_NAME);
+ boolean skipNonceCheck = false;
- if (expectedNonce != null && !expectedNonce.equals(previousNonce)) {
- res.sendError(HttpServletResponse.SC_FORBIDDEN);
- return;
+ if (Constants.METHOD_GET.equals(req.getMethod())) {
+ String path = req.getServletPath();
+ if (req.getPathInfo() != null) {
+ path = path + req.getPathInfo();
+ }
+
+ if (entryPoints.contains(path)) {
+ skipNonceCheck = true;
+ }
+ }
+
+ if (!skipNonceCheck) {
+ String previousNonce =
+ req.getParameter(Constants.CSRF_NONCE_REQUEST_PARAM);
+ String expectedNonce =
+ (String) req.getSession(true).getAttribute(
+ Constants.CSRF_NONCE_SESSION_ATTR_NAME);
+
+ if (expectedNonce != null &&
+ !expectedNonce.equals(previousNonce)) {
+ res.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
}
String newNonce = generateNonce();
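Review bot: The entry-point branch only skips the nonce comparison; the request then still reaches `generateNonce()` on the last hunk line and, presumably (the rest of doFilter lies outside the hunk), the new value replaces the session nonce, so a GET to an entry point invalidates the nonce embedded in any other page of the application the user still has open. If that is the intended semantics, state it above the `skipNonceCheck` block: `// Entry points bypass the check but still get a fresh nonce; any nonce issued earlier in this session stops being accepted.` The `path` computation also deserves a comment, since only an exact match against the decoded context-relative path (servlet path plus path info, no context path, no query string) selects an entry point, so `/index.jsp/` or a context-prefixed value will not match: `// Context-relative path as the container decoded it; compared exactly against the configured entry points.` The enclosing doFilter method starts and ends outside this hunk.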
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=956385&r1=956384&r2=956385&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Sun Jun 20 18:59:51 2010
@@ -52,6 +52,9 @@
class in an external repository should not prevent searching of the
local repositories. (markt)
</fix>
+ <add>
+ Add entryPoint support to the CSRF prevention filter. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Jasper">
Modified: tomcat/trunk/webapps/docs/config/filter.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/filter.xml?rev=956385&r1=956384&r2=956385&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/filter.xml (original)
+++ tomcat/trunk/webapps/docs/config/filter.xml Sun Jun 20 18:59:51 2010
@@ -114,9 +114,21 @@
<subsection name="Initialisation parameters">
- <p>The CSRF Prevention Filter does not support any initialization
- parameters.</p>
+ <p>The CSRF Prevention Filter supports the following initialisation
+ parameters:</p>
+
+ <attributes>
+ <attribute name="entryPoints" required="false">
+ <p>A comma separated list of URLs that will not be tested for the
+ presence of a valid nonce. They are used to provide a way to navigate
+ back to a protected application after having navigated away from it.
+ Entry points will be limited to HTTP GET requests and should not trigger
+ any security sensitive actions.</p>
+ </attribute>
+
+ </attributes>
+
</subsection>
</section>