RestCsrfPreventionFilter (Apache Tomcat 9.0.87.redhat-00013 API Documentation)

java.lang.Object
- org.apache.catalina.filters.FilterBase
- - org.apache.catalina.filters.CsrfPreventionFilterBase
  - - org.apache.catalina.filters.RestCsrfPreventionFilter

All Implemented Interfaces:: Filter

public class RestCsrfPreventionFilter
extends CsrfPreventionFilterBase

Provides basic CSRF protection for REST APIs. The filter assumes that the clients have adapted the transfer of the nonce through the 'X-CSRF-Token' header.

 Positive scenario:
           Client                            Server
              |                                 |
              | GET Fetch Request              \| JSESSIONID
              |---------------------------------| X-CSRF-Token
              |                                /| pair generation
              |/Response to Fetch Request       |
              |---------------------------------|
 JSESSIONID   |\                                |
 X-CSRF-Token |                                 |
 pair cached  | POST Request with valid nonce  \| JSESSIONID
              |---------------------------------| X-CSRF-Token
              |                                /| pair validation
              |/ Response to POST Request       |
              |---------------------------------|
              |\                                |

 Negative scenario:
           Client                            Server
              |                                 |
              | POST Request without nonce     \| JSESSIONID
              |---------------------------------| X-CSRF-Token
              |                                /| pair validation
              |/Request is rejected             |
              |---------------------------------|
              |\                                |

           Client                            Server
              |                                 |
              | POST Request with invalid nonce\| JSESSIONID
              |---------------------------------| X-CSRF-Token
              |                                /| pair validation
              |/Request is rejected             |
              |---------------------------------|
              |\                                |

Field Summary
- Fields inherited from class org.apache.catalina.filters.FilterBase
  sm

Constructor Summary

Constructors
Constructor and Description

RestCsrfPreventionFilter()

Constructors
Constructor and Description
`RestCsrfPreventionFilter()`

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`void`	`doFilter(ServletRequest request, ServletResponse response, FilterChain chain)` The `doFilter` method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain.
`java.util.Set<java.lang.String>`	`getPathsAcceptingParams()`
`void`	`init(FilterConfig filterConfig)` Iterates over the configuration parameters and either logs a warning, or throws an exception for any parameter that does not have a matching setter in this filter.
`void`	`setPathsAcceptingParams(java.lang.String pathsList)` A comma separated list of URLs that can accept nonces via request parameter 'X-CSRF-Token'.

Methods inherited from class org.apache.catalina.filters.CsrfPreventionFilterBase
generateNonce, generateNonce, getDenyStatus, getLogger, getRequestedPath, isConfigProblemFatal, setDenyStatus, setRandomClass

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface javax.servlet.Filter
destroy

- Constructor Detail
  - RestCsrfPreventionFilter
```
public RestCsrfPreventionFilter()
```
- Method Detail
  - init
```
public void init(FilterConfig filterConfig)
          throws ServletException
```
    Description copied from class: FilterBase
    
    Iterates over the configuration parameters and either logs a warning, or throws an exception for any parameter that does not have a matching setter in this filter.
    
    Specified by:
    
    init in interface Filter
    
    Overrides:
    
    init in class CsrfPreventionFilterBase
    
    Parameters:
    
    filterConfig - The configuration information associated with the filter instance being initialised
    
    Throws:
    
    ServletException - if FilterBase.isConfigProblemFatal() returns true and a configured parameter does not have a matching setter
  - doFilter
```
public void doFilter(ServletRequest request,
                     ServletResponse response,
                     FilterChain chain)
              throws java.io.IOException,
                     ServletException
```
    Description copied from interface: javax.servlet.Filter
    
    The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain.
    A typical implementation of this method would follow the following pattern:-
    1. Examine the request
    2. Optionally wrap the request object with a custom implementation to filter content or headers for input filtering
    3. Optionally wrap the response object with a custom implementation to filter content or headers for output filtering
    4. a) Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()),
    4. b) or not pass on the request/response pair to the next entity in the filter chain to block the request processing
    5. Directly set headers on the response after invocation of the next entity in the filter chain.
    
    Parameters:
    
    request - The request to process
    
    response - The response associated with the request
    
    chain - Provides access to the next filter in the chain for this filter to pass the request and response to for further processing
    
    Throws:
    
    java.io.IOException - if an I/O error occurs during this filter's processing of the request
    
    ServletException - if the processing fails for any other reason
  - setPathsAcceptingParams
```
public void setPathsAcceptingParams(java.lang.String pathsList)
```
    A comma separated list of URLs that can accept nonces via request parameter 'X-CSRF-Token'. For use cases when a nonce information cannot be provided via header, one can provide it via request parameters. If there is a X-CSRF-Token header, it will be taken with preference over any parameter with the same name in the request. Request parameters cannot be used to fetch new nonce, only header.
    
    Parameters:
    
    pathsList - Comma separated list of URLs to be configured as paths accepting request parameters with nonce information.
  - getPathsAcceptingParams
```
public java.util.Set<java.lang.String> getPathsAcceptingParams()
```

Copyright © 2000-2024 Apache Software Foundation.
Apache Tomcat, Tomcat, Apache, the Apache Tomcat logo and the Apache logo are either registered trademarks or trademarks of the Apache Software Foundation.

Class RestCsrfPreventionFilter

Field Summary

Fields inherited from class org.apache.catalina.filters.FilterBase

Constructor Summary

Method Summary

Methods inherited from class org.apache.catalina.filters.CsrfPreventionFilterBase

Methods inherited from class java.lang.Object

Methods inherited from interface javax.servlet.Filter

Constructor Detail

RestCsrfPreventionFilter

Method Detail

init

doFilter

setPathsAcceptingParams

getPathsAcceptingParams