Author: markt Date: Sat Jul 10 16:41:59 2010 New Revision: 962881 URL: http://svn.apache.org/viewvc?rev=962881&view=rev Log: Make the random source used for nonces user configurable
Modified:
    tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
    tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties
    tomcat/trunk/webapps/docs/changelog.xml
    tomcat/trunk/webapps/docs/config/filter.xml

Modified: tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?rev=962881&r1=962880&r2=962881&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java Sat Jul 10 16:41:59 2010
@@ -26,6 +26,7 @@
 import java.util.Random;
 import java.util.Set;
 import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
@@ -51,7 +52,9 @@ public class CsrfPreventionFilter extend
 private static final Log log =
 LogFactory.getLog(CsrfPreventionFilter.class);
 
- private final Random randomSource = new SecureRandom();
+ private String randomClass = SecureRandom.class.getName();
+
+ private Random randomSource;
 
 private final Set<String> entryPoints = new HashSet<String>();
 
@@ -92,6 +95,39 @@ public class CsrfPreventionFilter extend
 this.nonceCacheSize = nonceCacheSize;
 }
 
+ /**
+ * Specify the class to use to generate the nonces. Must be in instance of
+ * {...@link Random}.
+ *
+ * @param randomClass The name of the class to use
+ */
+ public void setRandomClass(String randomClass) {
+ this.randomClass = randomClass;
+ }
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ // Set the parameters
+ super.init(filterConfig);
+
+ try {
+ Class<?> clazz = Class.forName(randomClass);
+ randomSource = (Random) clazz.newInstance();
+ } catch (ClassNotFoundException e) {
+ ServletException se = new ServletException(sm.getString(
+ "csrfPrevention.invalidRandomClass", randomClass), e);
+ throw se;
+ } catch (InstantiationException e) {
+ ServletException se = new ServletException(sm.getString(
+ "csrfPrevention.invalidRandomClass", randomClass), e);
+ throw se;
+ } catch (IllegalAccessException e) {
+ ServletException se = new ServletException(sm.getString(
+ "csrfPrevention.invalidRandomClass", randomClass), e);
+ throw se;
+ }
+ }
+
 public void doFilter(ServletRequest request, ServletResponse response,
 FilterChain chain) throws IOException, ServletException {
 

Modified: tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties?rev=962881&r1=962880&r2=962881&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties Sat Jul 10 16:41:59 2010
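Review bot: In init(), only ClassNotFoundException, InstantiationException and IllegalAccessException are mapped to the localized csrfPrevention.invalidRandomClass ServletException; a configured class that loads and instantiates but is not a Random leaves the try block as an uncaught ClassCastException from `randomSource = (Random) clazz.newInstance();`, so the administrator never sees the intended message. Checking assignability right after the Class.forName line keeps every misconfiguration on one path: `if (!Random.class.isAssignableFrom(clazz)) { throw new ServletException(sm.getString("csrfPrevention.invalidRandomClass", randomClass)); }`. Class.forName(String) also resolves against the defining loader of the filter class rather than the web application's context class loader, so a Random implementation packaged under a webapp's WEB-INF may not be found; if that deployment is meant to be supported, `Class.forName(randomClass, true, Thread.currentThread().getContextClassLoader())` would be the usual form. Because any Random subclass is accepted, the setRandomClass Javadoc should state that the class must be a cryptographically strong generator like the SecureRandom default, since predictable nonces defeat the CSRF protection, and its first sentence should read "Must be an instance of" rather than "in instance of" (the filter.xml description in this commit carries a matching typo, `java.util.Rnadom`).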
@@ -13,6 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+csrfPrevention.invalidRandomClass=Unable to create Random source using class [{0}]
 filterbase.noSuchProperty=The property "{0}" is not defined for filters of type "{1}"
-
+
 http.403=Access to the specified resource ({0}) has been forbidden.

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=962881&r1=962880&r2=962881&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Sat Jul 10 16:41:59 2010
@@ -132,7 +132,8 @@
 </add>
 <fix>
 Improve the CSRF protection filter by using SecureRandom rather than
- Random to generate nonces. (markt)
+ Random to generate nonces. Also make the implementation class used user
+ configurable. (markt)
 </fix>
 </changelog>
 </subsection>

Modified: tomcat/trunk/webapps/docs/config/filter.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/filter.xml?rev=962881&r1=962880&r2=962881&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/filter.xml (original)
+++ tomcat/trunk/webapps/docs/config/filter.xml Sat Jul 10 16:41:59 2010
@@ -135,6 +135,12 @@
 value of 5 will be used.</p>
 </attribute>
 
+ <attribute name="randomClass" required="false">
+ <p>The name of the class to use to generate nonces. The class must be an
+ instance of <code>java.util.Rnadom</code>. If not set, the default value
+ of <code>java.security.SecureRandom</code> will be used.</p>
+ </attribute>
+
 </attributes>
 
 </subsection>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org