RestCsrfPreventionFilter (Apache Tomcat 9.0.14 API Documentation)

java.lang.Object
- org.apache.catalina.filters.FilterBase
- - org.apache.catalina.filters.CsrfPreventionFilterBase
  - - org.apache.catalina.filters.RestCsrfPreventionFilter

public class RestCsrfPreventionFilter
extends CsrfPreventionFilterBase

Provides basic CSRF protection for REST APIs. The filter assumes that the clients have adapted the transfer of the nonce through the 'X-CSRF-Token' header.

 Positive scenario:
           Client                            Server
              |                                 |
              | GET Fetch Request              \| JSESSIONID
              |---------------------------------| X-CSRF-Token
              |                                /| pair generation
              |/Response to Fetch Request       |
              |---------------------------------|
 JSESSIONID   |\                                |
 X-CSRF-Token |                                 |
 pair cached  | POST Request with valid nonce  \| JSESSIONID
              |---------------------------------| X-CSRF-Token
              |                                /| pair validation
              |/ Response to POST Request       |
              |---------------------------------|
              |\                                |

 Negative scenario:
           Client                            Server
              |                                 |
              | POST Request without nonce     \| JSESSIONID
              |---------------------------------| X-CSRF-Token
              |                                /| pair validation
              |/Request is rejected             |
              |---------------------------------|
              |\                                |

           Client                            Server
              |                                 |
              | POST Request with invalid nonce\| JSESSIONID
              |---------------------------------| X-CSRF-Token
              |                                /| pair validation
              |/Request is rejected             |
              |---------------------------------|
              |\                                |

Field Summary
- Fields inherited from class org.apache.catalina.filters.FilterBase
  sm

Constructor Summary

Constructors
Constructor Description

RestCsrfPreventionFilter()

Constructors
Constructor	Description
`RestCsrfPreventionFilter()`

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method	Description
`void`	`doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)`
`java.util.Set<java.lang.String>`	`getPathsAcceptingParams()`
`void`	`setPathsAcceptingParams(java.lang.String pathsList)`	A comma separated list of URLs that can accept nonces via request parameter 'X-CSRF-Token'.

Methods inherited from class org.apache.catalina.filters.CsrfPreventionFilterBase
generateNonce, getDenyStatus, getLogger, getRequestedPath, init, isConfigProblemFatal, setDenyStatus, setRandomClass

Methods inherited from interface javax.servlet.Filter
destroy

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Constructor Detail
  - RestCsrfPreventionFilter
```
public RestCsrfPreventionFilter()
```
- Method Detail
  - doFilter
```
public void doFilter(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain chain)
              throws java.io.IOException,
                     javax.servlet.ServletException
```
    Throws:
    
    java.io.IOException
    
    javax.servlet.ServletException
  - setPathsAcceptingParams
```
public void setPathsAcceptingParams(java.lang.String pathsList)
```
    A comma separated list of URLs that can accept nonces via request parameter 'X-CSRF-Token'. For use cases when a nonce information cannot be provided via header, one can provide it via request parameters. If there is a X-CSRF-Token header, it will be taken with preference over any parameter with the same name in the request. Request parameters cannot be used to fetch new nonce, only header.
    
    Parameters:
    
    pathsList - Comma separated list of URLs to be configured as paths accepting request parameters with nonce information.
  - getPathsAcceptingParams
```
public java.util.Set<java.lang.String> getPathsAcceptingParams()
```

Class RestCsrfPreventionFilter

Field Summary

Fields inherited from class org.apache.catalina.filters.FilterBase

Constructor Summary

Method Summary

Methods inherited from class org.apache.catalina.filters.CsrfPreventionFilterBase

Methods inherited from interface javax.servlet.Filter

Methods inherited from class java.lang.Object

Constructor Detail

RestCsrfPreventionFilter

Method Detail

doFilter

setPathsAcceptingParams

getPathsAcceptingParams