Author: kkolinko
Date: Mon Nov 12 23:41:21 2012
New Revision: 1408508

URL: http://svn.apache.org/viewvc?rev=1408508&view=rev
Log:
Merged revision 1408504 from tomcat/trunk:
Allow customizing the HTTP status code used for denied requests in 
CsrfPreventionFilter.

Modified:
    tomcat/tc7.0.x/trunk/   (props changed)
    
tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
    tomcat/tc7.0.x/trunk/webapps/docs/config/filter.xml

Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
  Merged /tomcat/trunk:r1408504

Modified: 
tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?rev=1408508&r1=1408507&r2=1408508&view=diff
==============================================================================
--- 
tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java 
(original)
+++ 
tomcat/tc7.0.x/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java 
Mon Nov 12 23:41:21 2012
@@ -57,6 +57,8 @@ public class CsrfPreventionFilter extend
     
     private Random randomSource;
 
+    private int denyStatus = HttpServletResponse.SC_FORBIDDEN;
+
     private final Set<String> entryPoints = new HashSet<String>();
     
     private int nonceCacheSize = 5;
@@ -67,6 +69,24 @@ public class CsrfPreventionFilter extend
     }
 
     /**
+     * Return response status code that is used to reject denied request.
+     */
+    public int getDenyStatus() {
+        return denyStatus;
+    }
+
+    /**
+     * Set response status code that is used to reject denied request. If none
+     * set, the default value of 403 will be used.
+     *
+     * @param denyStatus
+     *            HTTP status code
+     */
+    public void setDenyStatus(int denyStatus) {
+        this.denyStatus = denyStatus;
+    }
+
+    /**
      * Entry points are URLs that will not be tested for the presence of a 
valid
      * nonce. They are used to provide a way to navigate back to a protected
      * application after navigating away from it. Entry points will be limited
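Review bot: setDenyStatus (L59-L61) accepts any int without validation, and the third hunk then passes it straight to `res.sendError(denyStatus)`, so a misconfigured init parameter outside the 4xx/5xx range (for example 200) would answer a request the filter has rejected with a success status, which is the opposite of what the filter is for. Since the value presumably arrives from the filter's init parameters at startup, a range check in the setter would surface the misconfiguration at initialization rather than silently at request time: `if (denyStatus < 400 || denyStatus > 599) { throw new IllegalArgumentException("denyStatus must be a 4xx or 5xx status code: " + denyStatus); }`. The accessor Javadoc could also be tidied to `Return the response status code used to reject a denied request.` and `Set the response status code used to reject a denied request. Defaults to 403 (HttpServletResponse.SC_FORBIDDEN).` The doFilter method that uses the field starts and ends outside the third hunk.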
@@ -167,7 +187,7 @@ public class CsrfPreventionFilter extend
 
                 if (nonceCache == null || previousNonce == null ||
                         !nonceCache.contains(previousNonce)) {
-                    res.sendError(HttpServletResponse.SC_FORBIDDEN);
+                    res.sendError(denyStatus);
                     return;
                 }
             }

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1408508&r1=1408507&r2=1408508&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Mon Nov 12 23:41:21 2012
@@ -143,6 +143,11 @@
         <code>javax.servlet.async.request_uri</code> and add missing request
         attribute <code>javax.servlet.async.path_info</code>. (markt)
       </fix>
+      <add>
+        Add <code>denyStatus</code> initialization parameter to
+        <code>CsrfPreventionFilter</code>, allowing to customize the HTTP
+        status code used for denied requests. (kkolinko)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Coyote">

Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/filter.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/filter.xml?rev=1408508&r1=1408507&r2=1408508&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/config/filter.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/config/filter.xml Mon Nov 12 23:41:21 2012
@@ -131,6 +131,11 @@
 
     <attributes>
 
+      <attribute name="denyStatus" required="false">
+        <p>HTTP response status code that is used when rejecting denied
+        request. The default value is <code>403</code>.</p>
+      </attribute>
+
       <attribute name="entryPoints" required="false">
         <p>A comma separated list of URLs that will not be tested for the
         presence of a valid nonce. They are used to provide a way to navigate


