Interface ConfigurationProvider

    • Method Detail

      • isCacheable

        boolean isCacheable()
        Returns:
        true when this configuration provider can be cached for a minute, i.e. it is fully set up
      • isPrintConfig

        boolean isPrintConfig()
        Returns:
        true if the display of the CSRF configuration at start-up was requested, false otherwise
      • getTokenName

        String getTokenName()
        Returns:
        the name of the CSRF token, used in the DOM
      • isValidateWhenNoSessionExists

        boolean isValidateWhenNoSessionExists()
        Whether the CSRFGuard filter should validate even when there is no session for the user. Note: this changed around 2014/04; the default behavior used to be to skip validation when there is no session. If you want the legacy behavior (i.e. your application is not susceptible to CSRF when the user has no session), set this to false.
        Returns:
        true when validation is performed even when no session exists
      • getTokenLength

        int getTokenLength()
        This parameter controls how long a generated token should be.
        Returns:
        the configured length of the token
      • isRotateEnabled

        boolean isRotateEnabled()
        Returns:
        true if token rotation was configured, false otherwise
      • isTokenPerPageEnabled

        boolean isTokenPerPageEnabled()
        Returns:
        true if token-per-page was configured, false otherwise
      • isTokenPerPagePrecreateEnabled

        boolean isTokenPerPagePrecreateEnabled()
        Returns:
        true if pre-generation of page tokens has been configured, false otherwise
      • getPrng

        SecureRandom getPrng()
        Returns:
        the pseudo-random number generator instance, which is used to generate CSRF tokens
      • getNewTokenLandingPage

        String getNewTokenLandingPage()
        Returns:
        the path of a page to which a new user (with no logical session) will be redirected
      • isUseNewTokenLandingPage

        boolean isUseNewTokenLandingPage()
        Returns:
        true if new users (without a logical session) should be redirected to a pre-configured page
        See Also:
        getNewTokenLandingPage()
      • isAjaxEnabled

        boolean isAjaxEnabled()
        Returns:
        true if Asynchronous JavaScript And XML (AJAX) support was configured, false otherwise
      • isProtectEnabled

        boolean isProtectEnabled()
        The default behavior of CSRFGuard is to protect all pages. Pages marked as unprotected will not be protected.
        If the Protect property is enabled, this behavior is reversed. Pages must be marked as protected to be protected. All other pages will not be protected. This is useful when the CsrfGuardFilter is aggressively mapped (ex: /*), but you only want to protect a few pages.
        Returns:
        false if all pages are protected, true if pages are required to be explicitly protected
      • isForceSynchronousAjax

        boolean isForceSynchronousAjax()
        Returns:
        whether the legacy Synchronous AJAX requests are enabled
      • getProtectedPages

        Set<String> getProtectedPages()
        Returns:
        the configured set of all protected pages
      • getUnprotectedPages

        Set<String> getUnprotectedPages()
        Returns:
        the configured set of all un-protected pages
      • getProtectedMethods

        Set<String> getProtectedMethods()
        Returns:
        the configured set of protected HTTP methods (verbs)
      • getUnprotectedMethods

        Set<String> getUnprotectedMethods()
        If this set is non-empty, all other HTTP methods are protected and the listed ones (e.g. GET) are unprotected.
        Returns:
        the unprotected methods
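        The page and method rules described under isProtectEnabled and getUnprotectedMethods, as an added example: this is hypothetical code written for this page, not CSRFGuard's own implementation. It assumes exact path matching, that a request needs a token only when both its verb and its page are protected, and the empty-set handling stated in the comments.

```java
import java.util.Locale;
import java.util.Set;

// Illustrative decision logic for the page/method rules described above.
// Hypothetical helper, not CSRFGuard's implementation; paths are matched
// exactly here (an assumption), and the sets mirror the provider getters.
public final class ProtectionDecision {
    private final boolean protectEnabled;         // isProtectEnabled()
    private final Set<String> protectedPages;      // getProtectedPages()
    private final Set<String> unprotectedPages;    // getUnprotectedPages()
    private final Set<String> protectedMethods;    // getProtectedMethods()
    private final Set<String> unprotectedMethods;  // getUnprotectedMethods()

    public ProtectionDecision(boolean protectEnabled, Set<String> protectedPages,
                              Set<String> unprotectedPages, Set<String> protectedMethods,
                              Set<String> unprotectedMethods) {
        this.protectEnabled = protectEnabled;
        this.protectedPages = protectedPages;
        this.unprotectedPages = unprotectedPages;
        this.protectedMethods = protectedMethods;
        this.unprotectedMethods = unprotectedMethods;
    }

    // Default mode protects every page except those listed as unprotected;
    // protect mode inverts this so only explicitly listed pages are protected.
    public boolean isPageProtected(String path) {
        return protectEnabled ? protectedPages.contains(path) : !unprotectedPages.contains(path);
    }

    // A non-empty unprotected list protects every other verb. Assumption for this
    // example: otherwise only listed verbs are protected, and an empty protected
    // list protects all verbs.
    public boolean isMethodProtected(String method) {
        String verb = method.toUpperCase(Locale.ROOT);
        if (!unprotectedMethods.isEmpty()) {
            return !unprotectedMethods.contains(verb);
        }
        return protectedMethods.isEmpty() || protectedMethods.contains(verb);
    }

    // Assumption: a request needs a valid token only when verb and page are both protected.
    public boolean requiresToken(String method, String path) {
        return isMethodProtected(method) && isPageProtected(path);
    }

    public static void main(String[] args) {
        // Constructed sample: filter mapped to /*, protect mode on, safe verbs unprotected.
        ProtectionDecision d = new ProtectionDecision(true, Set.of("/transfer", "/account/update"),
                Set.of(), Set.of(), Set.of("GET", "HEAD", "OPTIONS"));
        System.out.println("POST /transfer -> " + d.requiresToken("POST", "/transfer"));
        System.out.println("GET /transfer  -> " + d.requiresToken("GET", "/transfer"));
        System.out.println("POST /help     -> " + d.requiresToken("POST", "/help"));
    }
}
```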
      • isEnabled

        boolean isEnabled()
        Whether the CSRFGuard filter is enabled.
        Returns:
        true if the CSRFGuard filter is enabled, false otherwise
      • getActions

        List<IAction> getActions()
        Returns:
        the configured list of actions to be executed in case of a potential CSRF attack
      • isJavascriptDomainStrict

        boolean isJavascriptDomainStrict()
        Returns:
        true if tokens should only be injected into links that have the same domain from which the HTML originates, false if subdomains are also permitted
      • getDomainOrigin

        String getDomainOrigin()
        TODO Currently not configurable through the properties!
        Returns:
        the configured domain whose resources are intended to be decorated with CSRF tokens
      • getJavascriptCacheControl

        String getJavascriptCacheControl()
        Returns:
        the configured JavaScript cache control
      • getJavascriptRefererPattern

        Pattern getJavascriptRefererPattern()
        Returns:
        the configured JavaScript "Referer" pattern to be used
      • initializeJavaScriptConfiguration

        void initializeJavaScriptConfiguration()
        JavaScript configuration parameters can be set/overwritten via the servlet configuration. This method is intended to trigger the initialization of the JavaScript parameters, if/after the JavaScript servlet is initialized.
      • isJavascriptInjectGetForms

        boolean isJavascriptInjectGetForms()
        Whether the token should be injected into GET forms (where it will appear on the URL). If the HTTP method GET is unprotected, this should likely be false.
        Returns:
        true if the token should be injected in GET forms via Javascript
      • isJavascriptInjectFormAttributes

        boolean isJavascriptInjectFormAttributes()
        Whether the token should be injected into the action attribute of forms. Note: if injectIntoForms is true, this might not need to be true.
        Returns:
        true if the token should be injected into the action attribute of forms
      • isJavascriptInjectIntoForms

        boolean isJavascriptInjectIntoForms()
        Returns:
        true if injecting tokens into JavaScript forms was configured
      • isJavascriptRefererMatchProtocol

        boolean isJavascriptRefererMatchProtocol()
        Whether the referer of the JavaScript request must match the protocol of the domain.
        Returns:
        true if the JavaScript referer must match the protocol of the domain
      • isJavascriptRefererMatchDomain

        boolean isJavascriptRefererMatchDomain()
        Whether the referer of the JavaScript request must match the domain.
        Returns:
        true if the JavaScript referer must match the domain
      • isJavascriptInjectIntoAttributes

        boolean isJavascriptInjectIntoAttributes()
        Returns:
        true if injecting tokens into HTML attributes was configured
      • isJavascriptInjectIntoDynamicallyCreatedNodes

        boolean isJavascriptInjectIntoDynamicallyCreatedNodes()
        Returns:
        true if injecting tokens into dynamically injected DOM nodes was configured
      • getJavascriptDynamicNodeCreationEventName

        String getJavascriptDynamicNodeCreationEventName()
        Returns:
        the name of the JavaScript dynamic node creation event, if the functionality was configured
      • getJavascriptXrequestedWith

        String getJavascriptXrequestedWith()
        TODO document
        Returns:
        the configured value of the "X-Requested-With" header
      • getJavascriptTemplateCode

        String getJavascriptTemplateCode()
        Returns:
        the content of the template JavaScript code, on which the JavaScript configurations will be applied
      • getJavascriptUnprotectedExtensions

        String getJavascriptUnprotectedExtensions()
        example: "js,css,gif,png,ico,jpg"
        Returns:
        the configured comma-separated list of unprotected extensions
      • getTokenHolder

        TokenHolder getTokenHolder()
        Returns:
        the configured TokenHolder instance
      • getLogicalSessionExtractor

        LogicalSessionExtractor getLogicalSessionExtractor()
        Returns:
        the configured LogicalSessionExtractor
      • getPageTokenSynchronizationTolerance

        Duration getPageTokenSynchronizationTolerance()
        Returns:
        the configured page token synchronization tolerance