isapir commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1435943366


##########
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##########
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String 
parameterName) {
         this.nonceRequestParameterName = parameterName;
     }
 
+    /**
+     * Sets the flag to enforce CSRF protection or just log failures as DEBUG
+     * messages.
+     *
+     * @param enforce <code>true</code> to enforce CSRF protections or
+     *                <code>false</code> to log DEBUG messages and allow
+     *                all requests.
+     */
+    public void setEnforce(boolean enforce) {
+        this.enforce = enforce;
+    }
+
+    /**
+     * Gets the flag to enforce CSRF protection or just log failures as DEBUG
+     * messages.
+     *
+     * @return <code>true</code> if CSRF protections will be enforced or
+     *         <code>false</code> if all requests will be allowed and
+     *         failures will be logged as DEBUG messages.
+     */
+    public boolean getEnforce() {
+        return this.enforce;
+    }
+
+    /**
+     * Sets the list of URL patterns to suppress nonce-addition for.
+     *
+     * Some URLs do not need nonces added to them such as static resources.
+     * By <i>not</i> adding nonces to those URLs, HTTP caches can be more
+     * effective because the CSRF prevention filter won't generate what
+     * look like unique URLs for those commonly-reused resources.
+     *
+     * @param patterns A comma-separated list of URL patterns that will not
+     *        have nonces added to them. Patterns may begin or end with a
+     *        <code>*</code> character to denote a suffix-match or
+     *        prefix-match. Any matched URL will not have a CSRF nonce
+     *        added to it when passed through
+     *        {@link HttpServletResponse#encodeURL(String)}.
+     */
+    public void setNoNonceURLPatterns(String patterns) {
+        this.noNoncePatterns = patterns;
+
+        if (null != context) {
+            this.noNoncePredicates = createNoNoncePredicates(context, 
this.noNoncePatterns);
+        }
+    }
+
+    /**
+     * Creates a collection of matchers from a comma-separated string of 
patterns.
+     *
+     * @param patterns A comma-separated string of URL matching patterns.
+     *
+     * @return A collection of predicates representing the URL patterns.
+     */
+    protected static Collection<Predicate<String>> 
createNoNoncePredicates(ServletContext context, String patterns) {
+        if (null == patterns || 0 == patterns.trim().length()) {
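
Review bot: The Javadoc for `createNoNoncePredicates(ServletContext context, String patterns)` documents `patterns` and the return value but omits `@param context`; add it and say what the context is used for, since nothing in the signature tells a reader why a predicate factory needs a ServletContext. Two more documentation points in the same region: `setNoNonceURLPatterns` should state explicitly that any URL matched by a prefix or suffix pattern is returned by `encodeURL` with no nonce at all, so a pattern broad enough to cover a state-changing endpoint removes CSRF protection for that endpoint, and patterns should be limited to static, read-only resources; and `setEnforce(false)` allows every request through while logging failures only at DEBUG, which most production logging configurations discard, so the doc should make clear this is a rollout or diagnostic mode rather than a deployable configuration. Minor: `setNoNonceURLPatterns` only rebuilds `noNoncePredicates` when `context` is non-null, so if the setter runs before the context is assigned the predicates must be built later from `noNoncePatterns`; a comment at the `null != context` check saying where that happens would help.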

Review Comment:
   In Java 11+ you can use `patterns.isBlank()` which will return true if the string is empty or contains only whitespace.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.