Author: kkolinko Date: Mon Nov 12 23:25:57 2012 New Revision: 1408504 URL: http://svn.apache.org/viewvc?rev=1408504&view=rev Log: Allow customizing the HTTP status code used for denied requests in CsrfPreventionFilter.
Modified: tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java tomcat/trunk/webapps/docs/config/filter.xml Modified: tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?rev=1408504&r1=1408503&r2=1408504&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java (original) +++ tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java Mon Nov 12 23:25:57 2012 @@ -57,6 +57,8 @@ public class CsrfPreventionFilter extend private Random randomSource; + private int denyStatus = HttpServletResponse.SC_FORBIDDEN; + private final Set<String> entryPoints = new HashSet<>(); private int nonceCacheSize = 5; @@ -67,6 +69,24 @@ public class CsrfPreventionFilter extend } /** + * Return response status code that is used to reject denied request. + */ + public int getDenyStatus() { + return denyStatus; + } + + /** + * Set response status code that is used to reject denied request. If none + * set, the default value of 403 will be used. + * + * @param denyStatus + * HTTP status code + */ + public void setDenyStatus(int denyStatus) { + this.denyStatus = denyStatus; + } + + /** * Entry points are URLs that will not be tested for the presence of a valid * nonce. They are used to provide a way to navigate back to a protected * application after navigating away from it. Entry points will be limited 
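Review bot: `setDenyStatus(int denyStatus)` stores whatever int it is given with no range check, so a mistyped or non-error value in web.xml (e.g. `43`, or a 2xx/3xx code) is accepted at init and only shows up when the first denied request is answered with that status via `sendError`, with whatever the container's error handling does for a non-4xx/5xx code. Failing fast in the setter is cheap and keeps the deny path an error response: `if (denyStatus < 400 || denyStatus > 599) { throw new IllegalArgumentException("denyStatus must be a 4xx or 5xx status code, got " + denyStatus); }` — how a throwing setter surfaces through the filter's init (logged vs. swallowed) is not visible here and should be confirmed. The setter Javadoc could also state that the value is passed to `HttpServletResponse.sendError`, so any error page configured for that status applies to denied requests. The `CsrfPreventionFilter` class body continues outside this hunk.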
@@ -166,7 +186,7 @@ public class CsrfPreventionFilter extend if (nonceCache == null || previousNonce == null || !nonceCache.contains(previousNonce)) { - res.sendError(HttpServletResponse.SC_FORBIDDEN); + res.sendError(denyStatus); return; } } Modified: tomcat/trunk/webapps/docs/config/filter.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/filter.xml?rev=1408504&r1=1408503&r2=1408504&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/config/filter.xml (original) +++ tomcat/trunk/webapps/docs/config/filter.xml Mon Nov 12 23:25:57 2012 @@ -131,6 +131,11 @@ <attributes> + <attribute name="denyStatus" required="false"> + <p>HTTP response status code that is used when rejecting denied + request. The default value is <code>403</code>.</p> + </attribute> + <attribute name="entryPoints" required="false"> <p>A comma separated list of URLs that will not be tested for the presence of a valid nonce. They are used to provide a way to navigate --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
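Review bot: The deny branch (`res.sendError(denyStatus); return;`) still produces no log entry, and now that the status is operator-configurable a nonce failure can be made to look like an ordinary 404 in the access log, leaving no signal that a CSRF check rejected the request. Consider logging the denial before `sendError` (request URI and the status sent, never the nonce value itself) at debug or warn level; the hunk shows no logger field, so whether the filter has one must be confirmed outside this view. The enclosing method starts and ends outside the hunk.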