public class CsrfPreventionFilter extends Object implements javax.servlet.Filter
Positive scenario:

    Client                                Server
      |                                     |
      | GET Fetch Request                   |
      |------------------------------------>| JSESSIONID
      |                                     | X-CSRF-Token
      |                                     | pair generation
      | Response to Fetch Request           |
      |<------------------------------------|
      | JSESSIONID                          |
      | X-CSRF-Token                        |
      | pair cached                         |
      |                                     |
      | POST Request with valid token       |
      | header                              |
      |------------------------------------>| JSESSIONID
      |                                     | X-CSRF-Token
      |                                     | pair validation
      | Response to POST Request            |
      |<------------------------------------|
      |                                     |

Negative scenario:

    Client                                Server
      |                                     |
      | POST Request without token header   |
      |------------------------------------>| JSESSIONID
      |                                     | X-CSRF-Token
      |                                     | pair validation
      | Request is rejected                 |
      |<------------------------------------|
      |                                     |

    Client                                Server
      |                                     |
      | POST Request with invalid token     |
      |------------------------------------>| JSESSIONID
      |                                     | X-CSRF-Token
      |                                     | pair validation
      | Request is rejected                 |
      |<------------------------------------|
      |                                     |

Parts of this code were ported from the CsrfPreventionFilter class of Apache Tomcat. Furthermore, the RestCsrfPreventionFilter class from the same codebase was used as a guideline.

Modifier and Type | Field and Description |
---|---|
protected CookieConfigurator | cookieConfigurator |
protected Set<String> | entryPoints |
Constructor and Description |
---|
CsrfPreventionFilter() |
Modifier and Type | Method and Description |
---|---|
void | destroy() |
void | doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain filterChain) |
protected boolean | doSameOriginStandardHeadersVerification(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Validates that the Origin/Referer header matches the configured target origin. |
protected boolean | doTokenValidation(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Validates the CSRF token value provided in the request against the CSRF token value stored in the session. |
protected String | generateCSRFToken() Generates a one-time token for authenticating subsequent requests. |
protected String | getCookiePath(javax.servlet.http.HttpServletRequest request) |
int | getDenyStatus() |
String | getRandomClass() |
URL | getTargetOrigin() |
void | init(javax.servlet.FilterConfig filterConfig) |
protected boolean | isNonModifyingRequest(javax.servlet.http.HttpServletRequest request) Determines whether the request is a non-modifying request. |
protected void | setCSRFToken(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Generates a new CSRF token and persists it in the session. |
void | setDenyStatus(int denyStatus) Sets the response status code used to reject a denied request. |
void | setEntryPoints(String entryPoints) Entry points are URLs that will not be tested for the presence of a valid token. |
void | setRandomClass(String randomClass) Sets the name of the class used to generate tokens. |
void | setTargetOrigin(String targetOrigin) Target origin is the application's expected deployment domain, i.e. |
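The fetch-then-validate flow from the sequence diagrams, combined with the origin check, the entry-point bypass and the deny status listed in the method table, as one stand-alone Java model. This is an added example, not code from the documented class or from Apache Tomcat: it uses plain Java types in place of the servlet API, and CsrfFlowDemo, HttpRequest, Session, Result, the /login entry point and the example.com target origin are assumptions of the example. Treating a request that carries neither Origin nor Referer as cross-origin, and comparing tokens with MessageDigest.isEqual, are choices made here, not behaviour the page documents.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Illustrative model of the filter's flow. HttpRequest, Session, Result and
// CsrfFlowDemo are example names, not types from the documented class.
public class CsrfFlowDemo {
    static final String TOKEN_HEADER = "X-CSRF-Token";
    static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");

    /** Minimal stand-in for HttpServletRequest: method, path and headers. */
    static final class HttpRequest {
        final String method, path;
        final Map<String, String> headers = new HashMap<>();
        HttpRequest(String method, String path) { this.method = method; this.path = path; }
        HttpRequest header(String name, String value) { headers.put(name, value); return this; }
    }
    /** Server-side session (the JSESSIONID half of the pair) holding the cached token. */
    static final class Session { String csrfToken; }
    /** Outcome of one request: status 0 means passed down the chain, otherwise the deny status. */
    static final class Result {
        final int status; final String issuedToken;
        Result(int status, String issuedToken) { this.status = status; this.issuedToken = issuedToken; }
    }

    private final SecureRandom random = new SecureRandom(); // the role randomClass plays
    private final URL targetOrigin;                         // setTargetOrigin(...)
    private final Set<String> entryPoints;                  // setEntryPoints(...)
    private final int denyStatus;                           // setDenyStatus(...)

    CsrfFlowDemo(String targetOrigin, Set<String> entryPoints, int denyStatus) throws MalformedURLException {
        this.targetOrigin = new URL(targetOrigin);
        this.entryPoints = entryPoints;
        this.denyStatus = denyStatus;
    }

    /** 32 random bytes, URL-safe Base64: the one-time token cached in the session. */
    String generateToken() {
        byte[] buf = new byte[32];
        random.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /** Origin (Referer as fallback) must match the target origin on scheme, host and port. */
    boolean sameOrigin(HttpRequest req) {
        String source = req.headers.containsKey("Origin") ? req.headers.get("Origin") : req.headers.get("Referer");
        if (source == null) return false; // neither header present: treated as cross-origin in this example
        try {
            URL u = new URL(source);
            return u.getProtocol().equals(targetOrigin.getProtocol())
                    && u.getHost().equalsIgnoreCase(targetOrigin.getHost())
                    && port(u) == port(targetOrigin);
        } catch (MalformedURLException e) {
            return false;
        }
    }
    private static int port(URL u) { return u.getPort() == -1 ? u.getDefaultPort() : u.getPort(); }

    /** Header token must equal the session token; constant-time compare avoids a timing oracle. */
    boolean tokenValid(HttpRequest req, Session session) {
        String sent = req.headers.get(TOKEN_HEADER);
        if (sent == null || session.csrfToken == null) return false;
        return MessageDigest.isEqual(sent.getBytes(), session.csrfToken.getBytes());
    }

    Result filter(HttpRequest req, Session session) {
        if (entryPoints.contains(req.path)) return new Result(0, null); // entry points are not tested
        if (SAFE_METHODS.contains(req.method)) {
            // Non-modifying fetch request: generate (or reuse) the session token and hand it back
            if (session.csrfToken == null) session.csrfToken = generateToken();
            return new Result(0, session.csrfToken);
        }
        // Modifying request: origin check first, then the JSESSIONID / X-CSRF-Token pair validation
        if (!sameOrigin(req) || !tokenValid(req, session)) return new Result(denyStatus, null);
        return new Result(0, null);
    }

    public static void main(String[] args) throws Exception {
        CsrfFlowDemo f = new CsrfFlowDemo("http://example.com:8080", Set.of("/login"), 403);
        Session s = new Session();
        String origin = "http://example.com:8080";
        // Positive scenario: the GET fetch issues the token, a POST carrying it passes
        Result fetch = f.filter(new HttpRequest("GET", "/api/items"), s);
        Result ok = f.filter(new HttpRequest("POST", "/api/items")
                .header("Origin", origin).header(TOKEN_HEADER, fetch.issuedToken), s);
        // Negative scenarios: no token header, wrong token, right token from the wrong origin
        Result noToken = f.filter(new HttpRequest("POST", "/api/items").header("Origin", origin), s);
        Result badToken = f.filter(new HttpRequest("POST", "/api/items")
                .header("Origin", origin).header(TOKEN_HEADER, "not-the-session-token"), s);
        Result badOrigin = f.filter(new HttpRequest("POST", "/api/items")
                .header("Origin", "http://attacker.example").header(TOKEN_HEADER, fetch.issuedToken), s);
        System.out.println("valid=" + ok.status + " missing=" + noToken.status
                + " invalid=" + badToken.status + " cross-origin=" + badOrigin.status);
    }
}
```

Run it with `java CsrfFlowDemo.java` (Java 11 or later). The first POST is allowed and the three others are answered with the deny status. The order of the checks matters: the origin comparison runs before the token comparison so that a cross-site request is refused even when an attacker has somehow learned a valid token, and the token comparison is constant-time so that a rejected request does not leak how many leading bytes of the guess were correct.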
protected CookieConfigurator cookieConfigurator

public void init(javax.servlet.FilterConfig filterConfig) throws javax.servlet.ServletException
Specified by: init in interface javax.servlet.Filter
Throws: javax.servlet.ServletException

public void doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain filterChain) throws IOException, javax.servlet.ServletException
Specified by: doFilter in interface javax.servlet.Filter
Throws: IOException, javax.servlet.ServletException

protected boolean doTokenValidation(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException
Validates the CSRF token value provided in the request against the CSRF token value stored in the session.
Parameters: request, response
Throws: IOException

protected boolean doSameOriginStandardHeadersVerification(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException
Validates that the Origin/Referer header matches the configured target origin.
Parameters: request, response
Throws: IOException

protected void setCSRFToken(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Generates a new CSRF token and persists it in the session.
Parameters: request, response

protected String getCookiePath(javax.servlet.http.HttpServletRequest request)

public URL getTargetOrigin()

public void setTargetOrigin(String targetOrigin) throws MalformedURLException
Parameters: targetOrigin - The application's domain name together with the protocol and port (ex. http://example.com:8080)
Throws: MalformedURLException

public void setEntryPoints(String entryPoints)
Parameters: entryPoints - Comma separated list of URLs to be configured as entry points.

public int getDenyStatus()

public void setDenyStatus(int denyStatus)
Parameters: denyStatus - HTTP status code

public String getRandomClass()

public void setRandomClass(String randomClass)
Parameters: randomClass - The name of the class

public void destroy()
Specified by: destroy in interface javax.servlet.Filter

protected boolean isNonModifyingRequest(javax.servlet.http.HttpServletRequest request)
Determines whether the request is a non-modifying request.

protected String generateCSRFToken()
Generates a one-time token for authenticating subsequent requests.
Copyright © 2022. All rights reserved.