Class CsrfGuard


  • public class CsrfGuard
    extends Object
    • Constructor Detail

      • CsrfGuard

        public CsrfGuard()
    • Method Detail

      • getInstance

        public static CsrfGuard getInstance()
      • load

        public static void load(Properties theProperties)
      • getTokenName

        public String getTokenName()
      • getTokenLength

        public int getTokenLength()
      • isRotateEnabled

        public boolean isRotateEnabled()
      • isTokenPerPageEnabled

        public boolean isTokenPerPageEnabled()
      • isTokenPerPagePrecreate

        public boolean isTokenPerPagePrecreate()
      • isValidateWhenNoSessionExists

        public boolean isValidateWhenNoSessionExists()
        Whether the CSRFGuard filter should validate requests even when the user has no session. Note: this changed on 2014/04/20; the default behavior used to be not to validate when there is no session. If you want the legacy behavior (i.e., if your app is not susceptible to CSRF when the user has no session), set this to false.
        Returns:
        true if requests should be validated even when no session exists
      • getNewTokenLandingPage

        public String getNewTokenLandingPage()
      • isUseNewTokenLandingPage

        public boolean isUseNewTokenLandingPage()
      • isAjaxEnabled

        public boolean isAjaxEnabled()
      • isForceSynchronousAjax

        public boolean isForceSynchronousAjax()
      • getProtectedPages

        public Set<String> getProtectedPages()
      • getUnprotectedPages

        public Set<String> getUnprotectedPages()
      • getProtectedMethods

        public Set<String> getProtectedMethods()
      • isJavascriptDomainStrict

        public boolean isJavascriptDomainStrict()
      • isJavascriptRefererMatchProtocol

        public boolean isJavascriptRefererMatchProtocol()
      • isJavascriptRefererMatchDomain

        public boolean isJavascriptRefererMatchDomain()
      • getJavascriptCacheControl

        public String getJavascriptCacheControl()
      • getJavascriptRefererPattern

        public Pattern getJavascriptRefererPattern()
      • isJavascriptInjectIntoForms

        public boolean isJavascriptInjectIntoForms()
      • isJavascriptInjectIntoAttributes

        public boolean isJavascriptInjectIntoAttributes()
      • isJavascriptInjectIntoDynamicallyCreatedNodes

        public boolean isJavascriptInjectIntoDynamicallyCreatedNodes()
      • getJavascriptDynamicNodeCreationEventName

        public String getJavascriptDynamicNodeCreationEventName()
      • getJavascriptXrequestedWith

        public String getJavascriptXrequestedWith()
      • getJavascriptTemplateCode

        public String getJavascriptTemplateCode()
      • getJavascriptUnprotectedExtensions

        public String getJavascriptUnprotectedExtensions()
      • isPrintConfig

        public boolean isPrintConfig()
      • getDomainOrigin

        public String getDomainOrigin()
      • getPageTokenSynchronizationTolerance

        public Duration getPageTokenSynchronizationTolerance()
      • getUnprotectedMethods

        public Set<String> getUnprotectedMethods()
        If any methods are specified, those methods (e.g. GET) are unprotected and all others are protected.
        Returns:
        the unprotected HTTP methods
      • isRotateEnabled

        public boolean isRotateEnabled(javax.servlet.http.HttpServletRequest request)
        Token rotation is currently not supported for AJAX requests because of possible race conditions.

        A Single Page Application can fire multiple simultaneous requests. If rotation is enabled for AJAX requests, the first request could trigger a token change before the validation of the second request with the same token, causing false-positive CSRF intrusion exceptions.

        Parameters:
        request - the current request
        Returns:
        True if rotation is enabled and possible
      • onSessionCreated

        public void onSessionCreated(LogicalSession logicalSession)
        Method to be called by a logical session implementation when a new session is created.

        Example: HttpSessionListener.sessionCreated(javax.servlet.http.HttpSessionEvent)

        Parameters:
        logicalSession - a logical session implementation
      • onSessionDestroyed

        public void onSessionDestroyed(LogicalSession logicalSession)
        Method to be called by a logical session implementation when a session is destroyed.

        Example: HttpSessionListener.sessionDestroyed(javax.servlet.http.HttpSessionEvent)

        Parameters:
        logicalSession - a logical session implementation
      • writeLandingPage

        public void writeLandingPage(javax.servlet.http.HttpServletResponse response, String logicalSessionKey) throws IOException
        Throws:
        IOException
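Constructed model of the race described under isRotateEnabled(HttpServletRequest), added here as an example that is not CSRFGuard's own code: a per-session token store that rotates on every successful validation, a single-page application firing several AJAX requests that all captured the same token, and the sequential full-page flow in which rotation causes no failures. The names SessionTokenStore, CsrfIntrusionError, concurrent_ajax and sequential_forms are assumptions made for this simulation.

```python
import secrets
from dataclasses import dataclass, field


class CsrfIntrusionError(Exception):
    """Constructed stand-in for the intrusion exception CSRFGuard raises."""


@dataclass
class SessionTokenStore:
    """Hypothetical model of one logical session's CSRF token."""
    rotate: bool
    token: str = field(default_factory=lambda: secrets.token_hex(16))

    def validate(self, presented: str) -> None:
        # Constant-time comparison; any mismatch is reported as an intrusion.
        if not secrets.compare_digest(presented, self.token):
            raise CsrfIntrusionError("token mismatch")
        # With rotation on, a successful request replaces the session token.
        if self.rotate:
            self.token = secrets.token_hex(16)


def concurrent_ajax(rotate: bool, n_requests: int = 2) -> list:
    """A SPA fires n requests at once; every request captured the same token
    before any response came back. Returns True/False per request, in order."""
    store = SessionTokenStore(rotate=rotate)
    captured = store.token  # read once, reused by all in-flight requests
    outcomes = []
    for _ in range(n_requests):
        try:
            store.validate(captured)
            outcomes.append(True)
        except CsrfIntrusionError:
            outcomes.append(False)
    return outcomes


def sequential_forms(rotate: bool, n_requests: int = 3) -> list:
    """Classic form posts: each page load re-reads the current token, so the
    client always sends the freshest value and rotation is harmless."""
    store = SessionTokenStore(rotate=rotate)
    outcomes = []
    for _ in range(n_requests):
        try:
            store.validate(store.token)  # fresh token after the last response
            outcomes.append(True)
        except CsrfIntrusionError:
            outcomes.append(False)
    return outcomes
```

With rotation enabled, only the first concurrent AJAX request validates and every later one is a false-positive intrusion; with rotation disabled for AJAX, or with sequential page loads, all requests validate.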