Author: kkolinko
Date: Mon Nov 12 23:41:21 2012
New Revision: 1408508
URL: http://svn.apache.org/viewvc?rev=1408508&view=rev
Log:
Merged revision 1408504 from tomcat/trunk:
Allow customizing the HTTP status code used for denied requests in
CsrfPreventionFilter.
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc7.0.x/trunk/webapps/docs/config/filter.xml
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
Merged /tomcat/trunk:r1408504
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?rev=1408508&r1=1408507&r2=1408508&view=diff
==============================================================================
---
tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
(original)
+++
tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
Mon Nov 12 23:41:21 2012
@@ -57,6 +57,8 @@ public class CsrfPreventionFilter extend
private Random randomSource;
+ private int denyStatus = HttpServletResponse.SC_FORBIDDEN;
+
private final Set<String> entryPoints = new HashSet<String>();
private int nonceCacheSize = 5;
@@ -67,6 +69,24 @@ public class CsrfPreventionFilter extend
}
/**
+ * Return response status code that is used to reject denied request.
+ */
+ public int getDenyStatus() {
+ return denyStatus;
+ }
+
+ /**
+ * Set response status code that is used to reject denied request. If none
+ * set, the default value of 403 will be used.
+ *
+ * @param denyStatus
+ * HTTP status code
+ */
+ public void setDenyStatus(int denyStatus) {
+ this.denyStatus = denyStatus;
+ }
+
+ /**
* Entry points are URLs that will not be tested for the presence of a
valid
* nonce. They are used to provide a way to navigate back to a protected
* application after navigating away from it. Entry points will be limited
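Review bot: setDenyStatus stores any int without validation, so a misconfigured denyStatus such as 200 or 302 is handed unchanged to res.sendError in the third hunk, where a non-error code makes the rejection indistinguishable from a normal response to the client even though the filter never calls the chain. Failing fast at configuration time is safer than discovering this per request: `if (denyStatus < 400 || denyStatus > 599) { throw new IllegalArgumentException("denyStatus must be a 4xx or 5xx code: " + denyStatus); }` as the first line of the setter. The Javadoc could also state the accepted range, e.g. `@param denyStatus HTTP status code in the 4xx or 5xx range`. How the init-param string is converted to the int argument is outside this hunk; presumably a reflective property setter, so a non-numeric value would already fail there. The class body continues beyond both ends of the hunk.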
@@ -167,7 +187,7 @@ public class CsrfPreventionFilter extend
if (nonceCache == null || previousNonce == null ||
!nonceCache.contains(previousNonce)) {
- res.sendError(HttpServletResponse.SC_FORBIDDEN);
+ res.sendError(denyStatus);
return;
}
}
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1408508&r1=1408507&r2=1408508&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Mon Nov 12 23:41:21 2012
@@ -143,6 +143,11 @@
<code>javax.servlet.async.request_uri</code> and add missing request
attribute <code>javax.servlet.async.path_info</code>. (markt)
</fix>
+ <add>
+ Add <code>denyStatus</code> initialization parameter to
+ <code>CsrfPreventionFilter</code>, allowing to customize the HTTP
+ status code used for denied requests. (kkolinko)
+ </add>
</changelog>
</subsection>
<subsection name="Coyote">
Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/filter.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/filter.xml?rev=1408508&r1=1408507&r2=1408508&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/config/filter.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/config/filter.xml Mon Nov 12 23:41:21 2012
@@ -131,6 +131,11 @@
<attributes>
+ <attribute name="denyStatus" required="false">
+ <p>HTTP response status code that is used when rejecting denied
+ request. The default value is <code>403</code>.</p>
+ </attribute>
+
<attribute name="entryPoints" required="false">
<p>A comma separated list of URLs that will not be tested for the
presence of a valid nonce. They are used to provide a way to navigate