Posted to dev@tomcat.apache.org by ma...@apache.org on 2010/07/10 18:41:59 UTC
svn commit: r962881 - in /tomcat/trunk:
java/org/apache/catalina/filters/CsrfPreventionFilter.java
java/org/apache/catalina/filters/LocalStrings.properties
webapps/docs/changelog.xml webapps/docs/config/filter.xml
Author: markt
Date: Sat Jul 10 16:41:59 2010
New Revision: 962881
URL: http://svn.apache.org/viewvc?rev=962881&view=rev
Log:
Make the random source used for nonces user configurable
Modified:
tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/filter.xml
Modified: tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?rev=962881&r1=962880&r2=962881&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java Sat Jul 10 16:41:59 2010
@@ -26,6 +26,7 @@ import java.util.Random;
import java.util.Set;
import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
@@ -51,7 +52,9 @@ public class CsrfPreventionFilter extend
private static final Log log =
LogFactory.getLog(CsrfPreventionFilter.class);
- private final Random randomSource = new SecureRandom();
+ private String randomClass = SecureRandom.class.getName();
+
+ private Random randomSource;
private final Set<String> entryPoints = new HashSet<String>();
@@ -92,6 +95,39 @@ public class CsrfPreventionFilter extend
this.nonceCacheSize = nonceCacheSize;
}
+ /**
+ * Specify the class to use to generate the nonces. Must be in instance of
+ * {@link Random}.
+ *
+ * @param randomClass The name of the class to use
+ */
+ public void setRandomClass(String randomClass) {
+ this.randomClass = randomClass;
+ }
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ // Set the parameters
+ super.init(filterConfig);
+
+ try {
+ Class<?> clazz = Class.forName(randomClass);
+ randomSource = (Random) clazz.newInstance();
+ } catch (ClassNotFoundException e) {
+ ServletException se = new ServletException(sm.getString(
+ "csrfPrevention.invalidRandomClass", randomClass), e);
+ throw se;
+ } catch (InstantiationException e) {
+ ServletException se = new ServletException(sm.getString(
+ "csrfPrevention.invalidRandomClass", randomClass), e);
+ throw se;
+ } catch (IllegalAccessException e) {
+ ServletException se = new ServletException(sm.getString(
+ "csrfPrevention.invalidRandomClass", randomClass), e);
+ throw se;
+ }
+ }
+
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
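Review bot: A configured class that loads and instantiates but does not extend `java.util.Random` escapes `init()` as an unlocalized ClassCastException from the cast in `randomSource = (Random) clazz.newInstance();`, because only ClassNotFoundException, InstantiationException and IllegalAccessException are mapped to `csrfPrevention.invalidRandomClass`. Checking the type before instantiating keeps the same error path: `if (!Random.class.isAssignableFrom(clazz)) { throw new ServletException(sm.getString("csrfPrevention.invalidRandomClass", randomClass)); }` placed right after `Class<?> clazz = Class.forName(randomClass);`. `Class.forName(randomClass)` resolves against the loader that defined this filter class, so a Random implementation packaged inside a web application may not be visible from here — presumably intended, but worth stating in the attribute description. The `setRandomClass` Javadoc reads "Must be in instance of" (should be "an instance of") and could add that configuring a non-cryptographic Random gives back the nonce unpredictability the changelog entry credits to SecureRandom. The enclosing class body continues outside the hunk.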
Modified: tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties?rev=962881&r1=962880&r2=962881&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties Sat Jul 10 16:41:59 2010
@@ -13,6 +13,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
+csrfPrevention.invalidRandomClass=Unable to create Random source using class [{0}]
filterbase.noSuchProperty=The property "{0}" is not defined for filters of type "{1}"
-
+
http.403=Access to the specified resource ({0}) has been forbidden.
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=962881&r1=962880&r2=962881&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Sat Jul 10 16:41:59 2010
@@ -132,7 +132,8 @@
</add>
<fix>
Improve the CSRF protection filter by using SecureRandom rather than
- Random to generate nonces. (markt)
+ Random to generate nonces. Also make the implementation class used user
+ configurable. (markt)
</fix>
</changelog>
</subsection>
Modified: tomcat/trunk/webapps/docs/config/filter.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/filter.xml?rev=962881&r1=962880&r2=962881&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/filter.xml (original)
+++ tomcat/trunk/webapps/docs/config/filter.xml Sat Jul 10 16:41:59 2010
@@ -135,6 +135,12 @@
value of 5 will be used.</p>
</attribute>
+ <attribute name="randomClass" required="false">
+ <p>The name of the class to use to generate nonces. The class must be an
+ instance of <code>java.util.Rnadom</code>. If not set, the default value
+ of <code>java.security.SecureRandom</code> will be used.</p>
+ </attribute>
+
</attributes>
</subsection>
Re: svn commit: r962881 - in /tomcat/trunk: java/org/apache/catalina/filters/CsrfPreventionFilter.java
java/org/apache/catalina/filters/LocalStrings.properties webapps/docs/changelog.xml
webapps/docs/config/filter.xml
Posted by Mark Thomas <ma...@apache.org>.
On 10/07/2010 19:31, Konstantin Kolinko wrote:
> 2010/7/10 <ma...@apache.org>:
>> Author: markt
>> Date: Sat Jul 10 16:41:59 2010
>> New Revision: 962881
>>
>
>> --- tomcat/trunk/webapps/docs/config/filter.xml (original)
>> +++ tomcat/trunk/webapps/docs/config/filter.xml Sat Jul 10 16:41:59 2010
>> @@ -135,6 +135,12 @@
>> value of 5 will be used.</p>
>> </attribute>
>>
>> + <attribute name="randomClass" required="false">
>> + <p>The name of the class to use to generate nonces. The class must be an
>> + instance of <code>java.util.Rnadom</code>. If not set, the default value
>> + of <code>java.security.SecureRandom</code> will be used.</p>
>> + </attribute>
>> +
>> </attributes>
>
> A typo in the docs patch above. s/Rnadom/Random/
Thanks.
Mark
Re: svn commit: r962881 - in /tomcat/trunk: java/org/apache/catalina/filters/CsrfPreventionFilter.java
java/org/apache/catalina/filters/LocalStrings.properties webapps/docs/changelog.xml
webapps/docs/config/filter.xml
Posted by Konstantin Kolinko <kn...@gmail.com>.
2010/7/10 <ma...@apache.org>:
> Author: markt
> Date: Sat Jul 10 16:41:59 2010
> New Revision: 962881
>
> --- tomcat/trunk/webapps/docs/config/filter.xml (original)
> +++ tomcat/trunk/webapps/docs/config/filter.xml Sat Jul 10 16:41:59 2010
> @@ -135,6 +135,12 @@
> value of 5 will be used.</p>
> </attribute>
>
> + <attribute name="randomClass" required="false">
> + <p>The name of the class to use to generate nonces. The class must be an
> + instance of <code>java.util.Rnadom</code>. If not set, the default value
> + of <code>java.security.SecureRandom</code> will be used.</p>
> + </attribute>
> +
> </attributes>
A typo in the docs patch above. s/Rnadom/Random/
Best regards,
Konstantin Kolinko