Author: violetagg Date: Fri Oct 16 11:16:35 2015 New Revision: 1708957 URL: http://svn.apache.org/viewvc?rev=1708957&view=rev Log: Extract common functionality from CsrfPreventionFilter to CsrfPreventionFilterBase
Added: tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilterBase.java (with props) Modified: tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java Modified: tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?rev=1708957&r1=1708956&r2=1708957&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java (original) +++ tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java Fri Oct 16 11:16:35 2015 @@ -18,15 +18,12 @@ package org.apache.catalina.filters; import java.io.IOException; import java.io.Serializable; -import java.security.SecureRandom; import java.util.HashSet; import java.util.LinkedHashMap; import java.util.Map; -import java.util.Random; import java.util.Set; import javax.servlet.FilterChain; -import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; @@ -35,9 +32,6 @@ import javax.servlet.http.HttpServletRes import javax.servlet.http.HttpServletResponseWrapper; import javax.servlet.http.HttpSession; -import org.apache.juli.logging.Log; -import org.apache.juli.logging.LogFactory; - /** * Provides basic CSRF protection for a web application. The filter assumes * that: 
@@ -48,44 +42,12 @@ import org.apache.juli.logging.LogFactor * returned to the client * </ul> */ -public class CsrfPreventionFilter extends FilterBase { - - private static final Log log = - LogFactory.getLog(CsrfPreventionFilter.class); - - private String randomClass = SecureRandom.class.getName(); - - private Random randomSource; - - private int denyStatus = HttpServletResponse.SC_FORBIDDEN; +public class CsrfPreventionFilter extends CsrfPreventionFilterBase { private final Set<String> entryPoints = new HashSet<>(); private int nonceCacheSize = 5; - @Override - protected Log getLogger() { - return log; - } - - /** - * Return response status code that is used to reject denied request. - */ - public int getDenyStatus() { - return denyStatus; - } - - /** - * Set response status code that is used to reject denied request. If none - * set, the default value of 403 will be used. - * - * @param denyStatus - * HTTP status code - */ - public void setDenyStatus(int denyStatus) { - this.denyStatus = denyStatus; - } - /** * Entry points are URLs that will not be tested for the presence of a valid * nonce. They are used to provide a way to navigate back to a protected 
@@ -116,39 +78,6 @@ public class CsrfPreventionFilter extend this.nonceCacheSize = nonceCacheSize; } - /** - * Specify the class to use to generate the nonces. Must be in instance of - * {@link Random}. - * - * @param randomClass The name of the class to use - */ - public void setRandomClass(String randomClass) { - this.randomClass = randomClass; - } - - @Override - public void init(FilterConfig filterConfig) throws ServletException { - // Set the parameters - super.init(filterConfig); - - try { - Class<?> clazz = Class.forName(randomClass); - randomSource = (Random) clazz.newInstance(); - } catch (ClassNotFoundException e) { - ServletException se = new ServletException(sm.getString( - "csrfPrevention.invalidRandomClass", randomClass), e); - throw se; - } catch (InstantiationException e) { - ServletException se = new ServletException(sm.getString( - "csrfPrevention.invalidRandomClass", randomClass), e); - throw se; - } catch (IllegalAccessException e) { - ServletException se = new ServletException(sm.getString( - "csrfPrevention.invalidRandomClass", randomClass), e); - throw se; - } - } - @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { @@ -187,7 +116,7 @@ public class CsrfPreventionFilter extend if (nonceCache == null || previousNonce == null || !nonceCache.contains(previousNonce)) { - res.sendError(denyStatus); + res.sendError(getDenyStatus()); return; } } 
@@ -214,44 +143,6 @@ public class CsrfPreventionFilter extend } - @Override - protected boolean isConfigProblemFatal() { - return true; - } - - - /** - * Generate a once time token (nonce) for authenticating subsequent - * requests. This will also add the token to the session. The nonce - * generation is a simplified version of ManagerBase.generateSessionId(). - * - */ - protected String generateNonce() { - byte random[] = new byte[16]; - - // Render the result as a String of hexadecimal digits - StringBuilder buffer = new StringBuilder(); - - randomSource.nextBytes(random); - - for (int j = 0; j < random.length; j++) { - byte b1 = (byte) ((random[j] & 0xf0) >> 4); - byte b2 = (byte) (random[j] & 0x0f); - if (b1 < 10) { - buffer.append((char) ('0' + b1)); - } else { - buffer.append((char) ('A' + (b1 - 10))); - } - if (b2 < 10) { - buffer.append((char) ('0' + b2)); - } else { - buffer.append((char) ('A' + (b2 - 10))); - } - } - - return buffer.toString(); - } - protected static class CsrfResponseWrapper extends HttpServletResponseWrapper { Added: tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilterBase.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilterBase.java?rev=1708957&view=auto ============================================================================== --- tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilterBase.java (added) +++ tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilterBase.java Fri Oct 16 11:16:35 2015 
@@ -0,0 +1,124 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.catalina.filters; + +import java.security.SecureRandom; +import java.util.Random; + +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletResponse; + +import org.apache.juli.logging.Log; +import org.apache.juli.logging.LogFactory; + +public abstract class CsrfPreventionFilterBase extends FilterBase { + + private static final Log log = LogFactory.getLog(CsrfPreventionFilterBase.class); + + private String randomClass = SecureRandom.class.getName(); + + private Random randomSource; + + private int denyStatus = HttpServletResponse.SC_FORBIDDEN; + + @Override + protected Log getLogger() { + return log; + } + + /** + * Return response status code that is used to reject denied request. + */ + public int getDenyStatus() { + return denyStatus; + } + + /** + * Set response status code that is used to reject denied request. If none + * set, the default value of 403 will be used. + * + * @param denyStatus + * HTTP status code + */ + public void setDenyStatus(int denyStatus) { + this.denyStatus = denyStatus; + } + + /** + * Specify the class to use to generate the nonces. 
Must be in instance of + * {@link Random}. + * + * @param randomClass + * The name of the class to use + */ + public void setRandomClass(String randomClass) { + this.randomClass = randomClass; + } + + @Override + public void init(FilterConfig filterConfig) throws ServletException { + // Set the parameters + super.init(filterConfig); + + try { + Class<?> clazz = Class.forName(randomClass); + randomSource = (Random) clazz.newInstance(); + } catch (ClassNotFoundException | InstantiationException | IllegalAccessException e) { + ServletException se = new ServletException(sm.getString( + "csrfPrevention.invalidRandomClass", randomClass), e); + throw se; + } + } + + @Override + protected boolean isConfigProblemFatal() { + return true; + } + + /** + * Generate a once time token (nonce) for authenticating subsequent + * requests. The nonce generation is a simplified version of + * ManagerBase.generateSessionId(). + */ + protected String generateNonce() { + byte random[] = new byte[16]; + + // Render the result as a String of hexadecimal digits + StringBuilder buffer = new StringBuilder(); + + randomSource.nextBytes(random); + + for (int j = 0; j < random.length; j++) { + byte b1 = (byte) ((random[j] & 0xf0) >> 4); + byte b2 = (byte) (random[j] & 0x0f); + if (b1 < 10) { + buffer.append((char) ('0' + b1)); + } else { + buffer.append((char) ('A' + (b1 - 10))); + } + if (b2 < 10) { + buffer.append((char) ('0' + b2)); + } else { + buffer.append((char) ('A' + (b2 - 10))); + } + } + + return buffer.toString(); + } + +} Propchange: tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilterBase.java ------------------------------------------------------------------------------ svn:eol-style = native --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
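Review bot: In `init`, the cast `(Random) clazz.newInstance()` can throw `ClassCastException` when the configured `randomClass` names a class that loads and instantiates but is not a `Random`; that exception is not in the multi-catch, so the filter fails with a raw runtime exception instead of the `csrfPrevention.invalidRandomClass` ServletException that the other misconfigurations produce. Either add it to the catch, `} catch (ClassNotFoundException | InstantiationException | IllegalAccessException | ClassCastException e) {`, or check `Random.class.isAssignableFrom(clazz)` before instantiating and throw the same ServletException when it fails. Note also that `Class.newInstance()` propagates any checked exception thrown by the no-arg constructor without declaring it, so such a failure would likewise bypass this catch; `clazz.getConstructor().newInstance()` wraps it in `InvocationTargetException` and is the more predictable call. Since this setting directly determines nonce unpredictability, the `setRandomClass` Javadoc should carry a caveat, e.g. `Anything weaker than a cryptographically strong generator such as {@link SecureRandom} yields predictable nonces and defeats the CSRF protection; the default should normally be kept.`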