Package org.owasp.csrfguard.config
Class NullConfigurationProvider
- java.lang.Object
  - org.owasp.csrfguard.config.NullConfigurationProvider
- All Implemented Interfaces:
  ConfigurationProvider

public final class NullConfigurationProvider extends Object implements ConfigurationProvider

ConfigurationProvider which returns all null or empty values (except for the logger). Used before initialization has occurred.

Constructor Summary
- NullConfigurationProvider()

Method Summary
- List<IAction> getActions()
- String getDomainOrigin()
  TODO Currently not configurable through the properties!
- String getJavascriptCacheControl()
- String getJavascriptDynamicNodeCreationEventName()
- Pattern getJavascriptRefererPattern()
- String getJavascriptTemplateCode()
- String getJavascriptUnprotectedExtensions()
  example: "js,css,gif,png,ico,jpg"
- String getJavascriptXrequestedWith()
  TODO document
- LogicalSessionExtractor getLogicalSessionExtractor()
- String getNewTokenLandingPage()
- Duration getPageTokenSynchronizationTolerance()
- SecureRandom getPrng()
- Set<String> getProtectedMethods()
- Set<String> getProtectedPages()
- TokenHolder getTokenHolder()
- int getTokenLength()
  This parameter controls how long a generated token should be.
- String getTokenName()
- Set<String> getUnprotectedMethods()
  If there are methods here, then all other HTTP methods are protected and these (e.g. GET) are unprotected.
- Set<String> getUnprotectedPages()
- void initializeJavaScriptConfiguration()
  JavaScript configuration parameters can be set/overwritten via the servlet configuration.
- boolean isAjaxEnabled()
- boolean isCacheable()
- boolean isEnabled()
  Whether the filter is enabled.
- boolean isForceSynchronousAjax()
- boolean isJavascriptDomainStrict()
- boolean isJavascriptInjectFormAttributes()
  Whether the token should be injected into the action of forms. Note: if injectIntoForms is true, then this might not need to be true.
- boolean isJavascriptInjectGetForms()
  Whether the token should be injected into GET forms (which will put it on the URL). If the HTTP method GET is unprotected, then this should likely be false.
- boolean isJavascriptInjectIntoAttributes()
- boolean isJavascriptInjectIntoDynamicallyCreatedNodes()
- boolean isJavascriptInjectIntoForms()
- boolean isJavascriptRefererMatchDomain()
  Whether the referer to the JavaScript must match the domain.
- boolean isJavascriptRefererMatchProtocol()
  Whether the referer to the JavaScript must match the protocol of the domain.
- boolean isPrintConfig()
- boolean isProtectEnabled()
  The default behavior of CSRFGuard is to protect all pages.
- boolean isRotateEnabled()
- boolean isTokenPerPageEnabled()
- boolean isTokenPerPagePrecreateEnabled()
- boolean isUseNewTokenLandingPage()
- boolean isValidateWhenNoSessionExists()
  Whether the CSRFGuard filter should check even if there is no session for the user. Note: this changed around 2014/04; the default behavior used to be to not check if there is no session.
Method Detail

isCacheable
public boolean isCacheable()
- Specified by: isCacheable in interface ConfigurationProvider
- Returns: true when this configuration provider can be cached for a minute, i.e. it is all set up

isPrintConfig
public boolean isPrintConfig()
- Specified by: isPrintConfig in interface ConfigurationProvider
- Returns: true if the display of the CSRF configuration at start-up was requested, false otherwise

getTokenName
public String getTokenName()
- Specified by: getTokenName in interface ConfigurationProvider
- Returns: the name of the CSRF token, used in the DOM

isValidateWhenNoSessionExists
public boolean isValidateWhenNoSessionExists()
Description copied from interface: ConfigurationProvider
Whether the CSRFGuard filter should check even if there is no session for the user. Note: this changed around 2014/04; the default behavior used to be to not check if there is no session. If you want the legacy behavior (because your app is not susceptible to CSRF when the user has no session), set this to false.
- Specified by: isValidateWhenNoSessionExists in interface ConfigurationProvider
- Returns: true when validation is performed even when no session exists

getTokenLength
public int getTokenLength()
Description copied from interface: ConfigurationProvider
This parameter controls how long a generated token should be.
- Specified by: getTokenLength in interface ConfigurationProvider
- Returns: the configured length of the token

isRotateEnabled
public boolean isRotateEnabled()
- Specified by: isRotateEnabled in interface ConfigurationProvider
- Returns: true if token rotation was configured, false otherwise

isTokenPerPageEnabled
public boolean isTokenPerPageEnabled()
- Specified by: isTokenPerPageEnabled in interface ConfigurationProvider
- Returns: true if token-per-page was configured, false otherwise

isTokenPerPagePrecreateEnabled
public boolean isTokenPerPagePrecreateEnabled()
- Specified by: isTokenPerPagePrecreateEnabled in interface ConfigurationProvider
- Returns: true if pre-generation of page tokens has been configured, false otherwise
getPrng
public SecureRandom getPrng()
- Specified by: getPrng in interface ConfigurationProvider
- Returns: the pseudo-random number generator instance, which is used to generate CSRF tokens

getNewTokenLandingPage
public String getNewTokenLandingPage()
- Specified by: getNewTokenLandingPage in interface ConfigurationProvider
- Returns: the path of a page to which a new user (with no logical session) will be redirected

isUseNewTokenLandingPage
public boolean isUseNewTokenLandingPage()
- Specified by: isUseNewTokenLandingPage in interface ConfigurationProvider
- Returns: true if new users (without a logical session) should be redirected to a pre-configured page
- See Also: ConfigurationProvider.getNewTokenLandingPage()

isAjaxEnabled
public boolean isAjaxEnabled()
- Specified by: isAjaxEnabled in interface ConfigurationProvider
- Returns: true if Asynchronous JavaScript And XML (AJAX) support was configured, false otherwise

isProtectEnabled
public boolean isProtectEnabled()
Description copied from interface: ConfigurationProvider
The default behavior of CSRFGuard is to protect all pages. Pages marked as unprotected will not be protected.
If the Protect property is enabled, this behavior is reversed: pages must be marked as protected to be protected, and all other pages will not be protected. This is useful when the CsrfGuardFilter is aggressively mapped (ex: /*), but you only want to protect a few pages.
- Specified by: isProtectEnabled in interface ConfigurationProvider
- Returns: false if all pages are protected, true if pages are required to be explicitly protected

isForceSynchronousAjax
public boolean isForceSynchronousAjax()
- Specified by: isForceSynchronousAjax in interface ConfigurationProvider
- Returns: whether the legacy synchronous AJAX requests are enabled

getProtectedPages
public Set<String> getProtectedPages()
- Specified by: getProtectedPages in interface ConfigurationProvider
- Returns: the configured set of all protected pages

getUnprotectedPages
public Set<String> getUnprotectedPages()
- Specified by: getUnprotectedPages in interface ConfigurationProvider
- Returns: the configured set of all unprotected pages

getProtectedMethods
public Set<String> getProtectedMethods()
- Specified by: getProtectedMethods in interface ConfigurationProvider
- Returns: the configured set of protected HTTP methods (verbs)

getUnprotectedMethods
public Set<String> getUnprotectedMethods()
Description copied from interface: ConfigurationProvider
If there are methods here, then all other HTTP methods are protected and these (e.g. GET) are unprotected.
- Specified by: getUnprotectedMethods in interface ConfigurationProvider
- Returns: the unprotected methods
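The page/method semantics documented for isProtectEnabled(), getProtectedPages(), getUnprotectedPages(), getProtectedMethods() and getUnprotectedMethods() combine into a single decision: does this request need a valid CSRF token? The following is an added illustration written for this page, not CSRFGuard's own code. It assumes exact path matching (the real filter also supports wildcard and regex page patterns, omitted here) and, where the Javadoc is silent, assumes that a non-empty protected-method set is authoritative when no unprotected methods are configured and that an entirely empty configuration protects every method. The Config holder and its sample values are constructed for the example.

```java
import java.util.Locale;
import java.util.Set;

// Added example, not CSRFGuard's own implementation: the page/method protection
// semantics from the ConfigurationProvider Javadoc reduced to pure functions.
public final class ProtectionDecision {

    /** Hypothetical holder for just the provider values the decision needs. */
    public static final class Config {
        final boolean protectEnabled;         // isProtectEnabled()
        final Set<String> protectedPages;     // getProtectedPages()
        final Set<String> unprotectedPages;   // getUnprotectedPages()
        final Set<String> protectedMethods;   // getProtectedMethods()
        final Set<String> unprotectedMethods; // getUnprotectedMethods()

        Config(boolean protectEnabled, Set<String> protectedPages, Set<String> unprotectedPages,
               Set<String> protectedMethods, Set<String> unprotectedMethods) {
            this.protectEnabled = protectEnabled;
            this.protectedPages = protectedPages;
            this.unprotectedPages = unprotectedPages;
            this.protectedMethods = protectedMethods;
            this.unprotectedMethods = unprotectedMethods;
        }
    }

    /**
     * Default mode: every page is protected unless it is listed as unprotected.
     * Protect mode (isProtectEnabled() == true): the rule is reversed and only the
     * pages listed as protected are checked, which suits a filter mapped to /*.
     * Assumption: exact path comparison (no wildcard or regex patterns).
     */
    public static boolean isPageProtected(Config c, String path) {
        if (c.protectEnabled) {
            return c.protectedPages.contains(path);
        }
        return !c.unprotectedPages.contains(path);
    }

    /**
     * If unprotected methods are configured, all other HTTP methods are protected.
     * Assumed fallbacks (not stated on the page): a non-empty protected set is
     * otherwise authoritative, and with neither set configured every method is checked.
     */
    public static boolean isMethodProtected(Config c, String method) {
        String verb = method.toUpperCase(Locale.ROOT);
        if (!c.unprotectedMethods.isEmpty()) {
            return !c.unprotectedMethods.contains(verb);
        }
        if (!c.protectedMethods.isEmpty()) {
            return c.protectedMethods.contains(verb);
        }
        return true;
    }

    /** A request needs a valid token only when both its page and its method are protected. */
    public static boolean requiresToken(Config c, String method, String path) {
        return isPageProtected(c, path) && isMethodProtected(c, method);
    }

    public static void main(String[] args) {
        // Constructed sample configurations: one in default mode, one with Protect enabled.
        Config defaultMode = new Config(false, Set.of(), Set.of("/login", "/static/app.js"),
                                        Set.of(), Set.of("GET", "HEAD", "OPTIONS"));
        Config protectMode = new Config(true, Set.of("/account/transfer"), Set.of(),
                                        Set.of(), Set.of("GET"));

        check(defaultMode, "POST", "/account/transfer", true);  // protected by default
        check(defaultMode, "POST", "/login", false);            // explicitly unprotected page
        check(defaultMode, "GET", "/account/transfer", false);  // GET listed as unprotected
        check(protectMode, "POST", "/account/transfer", true);  // explicitly protected page
        check(protectMode, "POST", "/profile", false);          // not listed, so not checked
    }

    private static void check(Config c, String method, String path, boolean expected) {
        boolean actual = requiresToken(c, method, path);
        if (actual != expected) {
            throw new AssertionError(method + " " + path + ": expected " + expected + ", got " + actual);
        }
        System.out.println(method + " " + path + " -> token required: " + actual);
    }
}
```

The last sample case is the one worth remembering when reviewing a Protect-mode deployment: a page that is simply not listed receives no CSRF check at all, so the protected-page list has to be kept in step with every state-changing endpoint.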
isEnabled
public boolean isEnabled()
Description copied from interface: ConfigurationProvider
Whether the filter is enabled.
- Specified by: isEnabled in interface ConfigurationProvider
- Returns: true if the CSRFGuard filter is enabled

getActions
public List<IAction> getActions()
- Specified by: getActions in interface ConfigurationProvider
- Returns: the configured list of actions to be executed in case of a potential CSRF attack

isJavascriptDomainStrict
public boolean isJavascriptDomainStrict()
- Specified by: isJavascriptDomainStrict in interface ConfigurationProvider
- Returns: true if tokens should only be injected into links that have the same domain from which the HTML originates, false if subdomains are also permitted

getDomainOrigin
public String getDomainOrigin()
Description copied from interface: ConfigurationProvider
TODO Currently not configurable through the properties!
- Specified by: getDomainOrigin in interface ConfigurationProvider
- Returns: the configured domain whose resources are intended to be decorated with CSRF tokens

getJavascriptCacheControl
public String getJavascriptCacheControl()
- Specified by: getJavascriptCacheControl in interface ConfigurationProvider
- Returns: the configured JavaScript cache control

getJavascriptRefererPattern
public Pattern getJavascriptRefererPattern()
- Specified by: getJavascriptRefererPattern in interface ConfigurationProvider
- Returns: the configured JavaScript "Referer" pattern to be used

initializeJavaScriptConfiguration
public void initializeJavaScriptConfiguration()
Description copied from interface: ConfigurationProvider
JavaScript configuration parameters can be set/overwritten via the servlet configuration. This method is intended to trigger the initialization of the JavaScript parameters, if/after the JavaScript servlet is initialized.
- Specified by: initializeJavaScriptConfiguration in interface ConfigurationProvider

isJavascriptInjectGetForms
public boolean isJavascriptInjectGetForms()
Description copied from interface: ConfigurationProvider
Whether the token should be injected into GET forms (which will put it on the URL). If the HTTP method GET is unprotected, then this should likely be false.
- Specified by: isJavascriptInjectGetForms in interface ConfigurationProvider
- Returns: true if the token should be injected into GET forms via JavaScript

isJavascriptInjectFormAttributes
public boolean isJavascriptInjectFormAttributes()
Description copied from interface: ConfigurationProvider
Whether the token should be injected into the action of forms. Note: if injectIntoForms is true, then this might not need to be true.
- Specified by: isJavascriptInjectFormAttributes in interface ConfigurationProvider
- Returns: true if the token should be injected into the action attribute of forms

isJavascriptInjectIntoForms
public boolean isJavascriptInjectIntoForms()
- Specified by: isJavascriptInjectIntoForms in interface ConfigurationProvider
- Returns: true if injecting tokens into JavaScript forms was configured

isJavascriptRefererMatchProtocol
public boolean isJavascriptRefererMatchProtocol()
Description copied from interface: ConfigurationProvider
Whether the referer to the JavaScript must match the protocol of the domain.
- Specified by: isJavascriptRefererMatchProtocol in interface ConfigurationProvider
- Returns: true if the referer of the JavaScript request must match the protocol of the domain
isJavascriptRefererMatchDomain
public boolean isJavascriptRefererMatchDomain()
Description copied from interface: ConfigurationProvider
Whether the referer to the JavaScript must match the domain.
- Specified by: isJavascriptRefererMatchDomain in interface ConfigurationProvider
- Returns: true if the referer of the JavaScript request must match the domain

isJavascriptInjectIntoAttributes
public boolean isJavascriptInjectIntoAttributes()
- Specified by: isJavascriptInjectIntoAttributes in interface ConfigurationProvider
- Returns: true if injecting tokens into HTML attributes was configured

isJavascriptInjectIntoDynamicallyCreatedNodes
public boolean isJavascriptInjectIntoDynamicallyCreatedNodes()
- Specified by: isJavascriptInjectIntoDynamicallyCreatedNodes in interface ConfigurationProvider
- Returns: true if injecting tokens into dynamically injected DOM nodes was configured

getJavascriptDynamicNodeCreationEventName
public String getJavascriptDynamicNodeCreationEventName()
- Specified by: getJavascriptDynamicNodeCreationEventName in interface ConfigurationProvider
- Returns: the name of the JavaScript dynamic node creation event, if the functionality was configured

getJavascriptXrequestedWith
public String getJavascriptXrequestedWith()
Description copied from interface: ConfigurationProvider
TODO document
- Specified by: getJavascriptXrequestedWith in interface ConfigurationProvider
- Returns: the configured value of the "X-Requested-With" header

getJavascriptTemplateCode
public String getJavascriptTemplateCode()
- Specified by: getJavascriptTemplateCode in interface ConfigurationProvider
- Returns: the content of the template JavaScript code, on which the JavaScript configurations will be applied

getJavascriptUnprotectedExtensions
public String getJavascriptUnprotectedExtensions()
Description copied from interface: ConfigurationProvider
example: "js,css,gif,png,ico,jpg"
- Specified by: getJavascriptUnprotectedExtensions in interface ConfigurationProvider
- Returns: the configured list of unprotected, comma-separated extensions

getTokenHolder
public TokenHolder getTokenHolder()
- Specified by: getTokenHolder in interface ConfigurationProvider
- Returns: the configured TokenHolder instance

getLogicalSessionExtractor
public LogicalSessionExtractor getLogicalSessionExtractor()
- Specified by: getLogicalSessionExtractor in interface ConfigurationProvider
- Returns: the configured LogicalSessionExtractor

getPageTokenSynchronizationTolerance
public Duration getPageTokenSynchronizationTolerance()
- Specified by: getPageTokenSynchronizationTolerance in interface ConfigurationProvider
- Returns: the configured page token synchronization tolerance