ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1437897171
##########
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##########
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String
parameterName) {
this.nonceRequestParameterName = parameterName;
}
+ /**
+ * Sets the flag to enforce CSRF protection or just log failures as DEBUG
+ * messages.
+ *
+ * @param enforce <code>true</code> to enforce CSRF protections or
+ * <code>false</code> to log DEBUG messages and allow
+ * all requests.
+ */
+ public void setEnforce(boolean enforce) {
+ this.enforce = enforce;
+ }
+
+ /**
+ * Gets the flag to enforce CSRF protection or just log failures as DEBUG
+ * messages.
+ *
+ * @return <code>true</code> if CSRF protections will be enforced or
+ * <code>false</code> if all requests will be allowed and
+ * failures will be logged as DEBUG messages.
+ */
+ public boolean getEnforce() {
+ return this.enforce;
+ }
+
+ /**
+ * Sets the list of URL patterns to suppress nonce-addition for.
+ *
+ * Some URLs do not need nonces added to them such as static resources.
+ * By <i>not</i> adding nonces to those URLs, HTTP caches can be more
+ * effective because the CSRF prevention filter won't generate what
+ * look like unique URLs for those commonly-reused resources.
+ *
+ * @param patterns A comma-separated list of URL patterns that will not
+ * have nonces added to them. Patterns may begin or end with a
+ * <code>*</code> character to denote a suffix-match or
+ * prefix-match. Any matched URL will not have a CSRF nonce
+ * added to it when passed through
+ * {@link HttpServletResponse#encodeURL(String)}.
+ */
+ public void setNoNonceURLPatterns(String patterns) {
+ this.noNoncePatterns = patterns;
+
+ if (null != context) {
+ this.noNoncePredicates = createNoNoncePredicates(context,
this.noNoncePatterns);
+ }
+ }
+
+ /**
+ * Creates a collection of matchers from a comma-separated string of
patterns.
+ *
+ * @param patterns A comma-separated string of URL matching patterns.
+ *
+ * @return A collection of predicates representing the URL patterns.
+ */
+ protected static Collection<Predicate<String>>
createNoNoncePredicates(ServletContext context, String patterns) {
+ if (null == patterns || 0 == patterns.trim().length()) {
+ return null;
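Review bot: the Javadoc on `createNoNoncePredicates` is incomplete for the signature shown: it documents `@param patterns` but not the `ServletContext context` parameter the method also takes, and its `@return` ("A collection of predicates representing the URL patterns.") does not say that `null` is returned when `patterns` is null or blank, which every caller must know in order to null-check before iterating. Suggest adding a `@param context` tag and extending the return doc to "... or <code>null</code> if no patterns were supplied". Related: `setNoNonceURLPatterns` only rebuilds `noNoncePredicates` when `context` is already non-null, so whatever code later assigns `context` (outside this hunk) must also call `createNoNoncePredicates(context, this.noNoncePatterns)`, otherwise patterns set before initialisation would silently never take effect and nonces would be added to URLs the deployer expected to be excluded; worth confirming that path exists.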
Review Comment:
I think this is a matter of taste these days. I usually prefer `null` to
empty collections just because the null-check is far faster than creating an
iterator from an empty collection, then iterating zero times over it. All kinds
of control flow are skipped with a simple null-check.
It does make the code a little cleaner, though. Does anyone else want to
weigh in?
--
This is an automated message from the Apache Git Service.