CsrfPreventionFilter (Apache Tomcat 9.0.14 API Documentation)

Skip navigation links

Apache Tomcat 9.0.14

All Classes

SEARCH:

Summary:
Nested |
Field |
Constr |
Method

Detail:
Field |
Constr |
Method

java.lang.Object
- org.apache.catalina.filters.FilterBase
- - org.apache.catalina.filters.CsrfPreventionFilterBase
  - - org.apache.catalina.filters.CsrfPreventionFilter

```
public class CsrfPreventionFilter
extends CsrfPreventionFilterBase
```
Provides basic CSRF protection for a web application. The filter assumes that:
- The filter is mapped to /*
- HttpServletResponse.encodeRedirectURL(String) and HttpServletResponse.encodeURL(String) are used to encode all URLs returned to the client

Nested Class Summary

Nested Classes
Modifier and Type Class Description

protected static class CsrfPreventionFilter.CsrfResponseWrapper

protected static class CsrfPreventionFilter.LruCache<T>

Field Summary
- Fields inherited from class org.apache.catalina.filters.FilterBase
  sm

Constructor Summary

Constructors
Constructor Description

CsrfPreventionFilter()

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method	Description
`void`	`doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)`
`void`	`setEntryPoints(java.lang.String entryPoints)`	Entry points are URLs that will not be tested for the presence of a valid nonce.
`void`	`setNonceCacheSize(int nonceCacheSize)`	Sets the number of previously issued nonces that will be cached on a LRU basis to support parallel requests, limited use of the refresh and back in the browser and similar behaviors that may result in the submission of a previous nonce rather than the current one.

Methods inherited from class org.apache.catalina.filters.CsrfPreventionFilterBase
generateNonce, getDenyStatus, getLogger, getRequestedPath, init, isConfigProblemFatal, setDenyStatus, setRandomClass

Methods inherited from interface javax.servlet.Filter
destroy

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Constructor Detail
  - CsrfPreventionFilter
```
public CsrfPreventionFilter()
```
- Method Detail
  - setEntryPoints
```
public void setEntryPoints(java.lang.String entryPoints)
```
    Entry points are URLs that will not be tested for the presence of a valid nonce. They are used to provide a way to navigate back to a protected application after navigating away from it. Entry points will be limited to HTTP GET requests and should not trigger any security sensitive actions.
    
    Parameters:
    
    entryPoints - Comma separated list of URLs to be configured as entry points.
  - setNonceCacheSize
```
public void setNonceCacheSize(int nonceCacheSize)
```
    Sets the number of previously issued nonces that will be cached on a LRU basis to support parallel requests, limited use of the refresh and back in the browser and similar behaviors that may result in the submission of a previous nonce rather than the current one. If not set, the default value of 5 will be used.
    
    Parameters:
    
    nonceCacheSize - The number of nonces to cache
  - doFilter
```
public void doFilter(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain chain)
              throws java.io.IOException,
                     javax.servlet.ServletException
```
    Throws:
    
    java.io.IOException
    
    javax.servlet.ServletException

Skip navigation links

Apache Tomcat 9.0.14

All Classes

Summary:
Nested |
Field |
Constr |
Method

Detail:
Field |
Constr |
Method

Copyright © 2000-2019 Apache Software Foundation. All Rights Reserved.