Hi,

I have recently been using the org.apache.catalina.filters.CsrfPreventionFilter, and I notice that the documentation for setNonceCacheSize states:

"Sets the number of previously issued nonces that will be cached on a LRU basis to support parallel requests..."

However, looking at the implementation of the cache, it appears to be a FIFO implementation rather than an LRU cache. I'm happy to raise a bug and supply a patch for whichever is the desired implementation, but I need to determine what the original intention is first. Based on the Javadoc, it would suggest that the intention is for the cache to be LRU; could anyone here confirm that?

In order to act as an LRU cache, the LinkedHashMap(int initialCapacity, float loadFactor, boolean accessOrder) constructor would need to be used with accessOrder set to true. Also, the add and contains methods would need to be altered as follows, as LinkedHashMap.containsKey does not act as a structural modification.

    public void add(T key) {
        synchronized (cache) {
            cache.put(key, key);
        }
    }

    public boolean contains(T key) {
        synchronized (cache) {
            // get() updates the access order; containsKey() does not
            return cache.get(key) != null;
        }
    }

Either cache implementation will work for the majority of cases. However, I came across this issue when issuing Ajax requests which repeatedly use the same nonce string, and after 5 requests the value I'm using is ejected from the (FIFO) cache. Changing the cache to LRU fixes this (although it could potentially result in the same token being used for N requests).

Thanks,
Pete
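The following is an added, self-contained illustration (not Tomcat's code and not part of the original message) of the behaviour described above: a bounded nonce cache built on LinkedHashMap, switched between insertion order (FIFO) and access order (LRU) by the accessOrder constructor argument, and a constructed scenario in which one nonce is re-checked while five new nonces are issued into a cache of size 5. Class and method names are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class NonceCacheDemo {
    /** Bounded nonce cache; lru=true uses access order, lru=false uses insertion order (FIFO). */
    static class NonceCache<T> {
        private final Map<T, T> cache;
        private final boolean lru;

        NonceCache(final int maxSize, boolean lru) {
            this.lru = lru;
            // Third argument selects access order (LRU) vs insertion order (FIFO)
            this.cache = new LinkedHashMap<T, T>(maxSize, 0.75f, lru) {
                @Override
                protected boolean removeEldestEntry(Map.Entry<T, T> eldest) {
                    return size() > maxSize;   // evict the eldest once the bound is exceeded
                }
            };
        }

        public void add(T key) {
            synchronized (cache) { cache.put(key, key); }
        }

        public boolean contains(T key) {
            synchronized (cache) {
                // get() counts as an access in access-order mode; containsKey() never does
                return lru ? cache.get(key) != null : cache.containsKey(key);
            }
        }
    }

    /** Constructed scenario: "n0" is re-checked on each request while 5 fresh nonces are issued. */
    static boolean survivesFiveIssuances(boolean lru) {
        NonceCache<String> cache = new NonceCache<String>(5, lru);
        cache.add("n0");
        for (int i = 1; i <= 5; i++) {
            cache.contains("n0");   // the repeated Ajax check
            cache.add("n" + i);     // a new nonce issued by another page response
        }
        return cache.contains("n0");   // FIFO: false (evicted); LRU: true (kept, "n1" evicted instead)
    }

    public static void main(String[] args) {
        System.out.println("FIFO keeps n0: " + survivesFiveIssuances(false));
        System.out.println("LRU  keeps n0: " + survivesFiveIssuances(true));
    }
}
```

Note that in LRU mode a nonce that is continually re-checked is never evicted, which is the trade-off mentioned in the message: the same token stays valid for as long as it keeps being used.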