org.owasp.csrfguard

Class CsrfGuard

java.lang.Object

org.owasp.csrfguard.CsrfGuard

public final class CsrfGuard
extends Object

Method Summary

Modifier and Type	Method and Description
List<IAction>	getActions()
Set<String>	getBannedUserAgentProperties()
String	getDomainOrigin()
static CsrfGuard	getInstance()
String	getJavascriptCacheControl()
String	getJavascriptDynamicNodeCreationEventName()
Pattern	getJavascriptRefererPattern()
String	getJavascriptTaggedCacheControl()
String	getJavascriptTemplateCode()
String	getJavascriptUnprotectedExtensions()
String	getJavascriptXrequestedWith()
LogicalSessionExtractor	getLogicalSessionExtractor()
String	getNewTokenLandingPage()
Duration	getPageTokenSynchronizationTolerance()
SecureRandom	getPrng()
Set<String>	getProtectedMethods()
Set<String>	getProtectedPages()
Map<String,Pattern>	getRegexPatternCache()
TokenHolder	getTokenHolder()
int	getTokenLength()
String	getTokenName()
TokenService	getTokenService()
Set<String>	getUnprotectedMethods() if there are methods specified, then they (e.g.
Set<String>	getUnprotectedPages()
void	initializeJavaScriptConfiguration()
boolean	isAjaxEnabled()
boolean	isEnabled()
boolean	isForceSynchronousAjax()
boolean	isJavascriptDomainStrict()
boolean	isJavascriptInjectFormAttributes()
boolean	isJavascriptInjectGetForms()
boolean	isJavascriptInjectIntoAttributes()
boolean	isJavascriptInjectIntoDynamicallyCreatedNodes()
boolean	isJavascriptInjectIntoForms()
boolean	isJavascriptRefererMatchDomain()
boolean	isJavascriptRefererMatchProtocol()
boolean	isPrintConfig()
boolean	isProtectEnabled()
boolean	isRotateEnabled()
boolean	isRotateEnabled(javax.servlet.http.HttpServletRequest request) Rotation in case of AJAX requests is not supported currently because of possible race conditions.
boolean	isTokenPerPageEnabled()
boolean	isTokenPerPagePrecreate()
boolean	isUseNewTokenLandingPage()
boolean	isValidateWhenNoSessionExists() If csrf guard filter should check even if there is no session for the user Note: this changed in 2014/04/20, the default behavior used to be to not check if there is no session.
static void	load(Properties theProperties)
void	onSessionCreated(LogicalSession logicalSession) Method to be called by a logical session implementation when a new session is created.
void	onSessionDestroyed(LogicalSession logicalSession) Method to be called by a logical session implementation when a session is destroyed.
String	toString()
void	writeLandingPage(javax.servlet.http.HttpServletResponse response, String logicalSessionKey)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Method Detail

getInstance

public static CsrfGuard getInstance()

load

public static void load(Properties theProperties)

getRegexPatternCache

public Map<String,Pattern> getRegexPatternCache()

getTokenName

public String getTokenName()

getTokenLength

public int getTokenLength()

isRotateEnabled

public boolean isRotateEnabled()

isTokenPerPageEnabled

public boolean isTokenPerPageEnabled()

isTokenPerPagePrecreate

public boolean isTokenPerPagePrecreate()

isValidateWhenNoSessionExists

public boolean isValidateWhenNoSessionExists()

If csrf guard filter should check even if there is no session for the user Note: this changed in 2014/04/20, the default behavior used to be to not check if there is no session. If you want the legacy behavior (if your app is not susceptible to CSRF if the user has no session), set this to false

Returns:

if true

getPrng

public SecureRandom getPrng()

getNewTokenLandingPage

public String getNewTokenLandingPage()

isUseNewTokenLandingPage

public boolean isUseNewTokenLandingPage()

isAjaxEnabled

public boolean isAjaxEnabled()

isForceSynchronousAjax

public boolean isForceSynchronousAjax()

isProtectEnabled

public boolean isProtectEnabled()

Returns:

if protect is enabled

See Also:

ConfigurationProvider.isProtectEnabled()

isEnabled

public boolean isEnabled()

Returns:

if enabled

See Also:

ConfigurationProvider.isEnabled()

getProtectedPages

public Set<String> getProtectedPages()

getUnprotectedPages

public Set<String> getUnprotectedPages()

getTokenHolder

public TokenHolder getTokenHolder()

getLogicalSessionExtractor

public LogicalSessionExtractor getLogicalSessionExtractor()

getProtectedMethods

public Set<String> getProtectedMethods()

getActions

public List<IAction> getActions()

initializeJavaScriptConfiguration

public void initializeJavaScriptConfiguration()

See Also:

ConfigurationProvider.initializeJavaScriptConfiguration()

isJavascriptInjectFormAttributes

public boolean isJavascriptInjectFormAttributes()

Returns:

if inject

See Also:

ConfigurationProvider.isJavascriptInjectFormAttributes()

isJavascriptInjectGetForms

public boolean isJavascriptInjectGetForms()

Returns:

if inject

See Also:

ConfigurationProvider.isJavascriptInjectGetForms()

isJavascriptDomainStrict

public boolean isJavascriptDomainStrict()

isJavascriptRefererMatchProtocol

public boolean isJavascriptRefererMatchProtocol()

isJavascriptRefererMatchDomain

public boolean isJavascriptRefererMatchDomain()

getJavascriptCacheControl

public String getJavascriptCacheControl()

getJavascriptTaggedCacheControl

public String getJavascriptTaggedCacheControl()

getJavascriptRefererPattern

public Pattern getJavascriptRefererPattern()

isJavascriptInjectIntoForms

public boolean isJavascriptInjectIntoForms()

isJavascriptInjectIntoAttributes

public boolean isJavascriptInjectIntoAttributes()

isJavascriptInjectIntoDynamicallyCreatedNodes

public boolean isJavascriptInjectIntoDynamicallyCreatedNodes()

getJavascriptDynamicNodeCreationEventName

public String getJavascriptDynamicNodeCreationEventName()

getJavascriptXrequestedWith

public String getJavascriptXrequestedWith()

getJavascriptTemplateCode

public String getJavascriptTemplateCode()

getJavascriptUnprotectedExtensions

public String getJavascriptUnprotectedExtensions()

getTokenService

public TokenService getTokenService()

isPrintConfig

public boolean isPrintConfig()

getDomainOrigin

public String getDomainOrigin()

getPageTokenSynchronizationTolerance

public Duration getPageTokenSynchronizationTolerance()

getUnprotectedMethods

public Set<String> getUnprotectedMethods()

if there are methods specified, then they (e.g. GET) are unprotected, and all others are protected

Returns:

the unprotected HTTP methods

getBannedUserAgentProperties

public Set<String> getBannedUserAgentProperties()

toString

public String toString()

Overrides:

toString in class Object

isRotateEnabled

public boolean isRotateEnabled(javax.servlet.http.HttpServletRequest request)

Rotation in case of AJAX requests is not supported currently because of possible race conditions.

A Single Page Application can fire multiple simultaneous requests. If rotation is enabled for AJAX requests, the first request could trigger a token change before the validation of the second request with the same token, causing false-positive CSRF intrusion exceptions.

Parameters:

request - the current request

Returns:

True if rotation is enabled and possible

onSessionCreated

public void onSessionCreated(LogicalSession logicalSession)

Method to be called by a logical session implementation when a new session is created.

Example: HttpSessionListener.sessionCreated(javax.servlet.http.HttpSessionEvent)

Parameters:

logicalSession - a logical session implementation

onSessionDestroyed

public void onSessionDestroyed(LogicalSession logicalSession)

Method to be called by a logical session implementation when a session is destroyed.

Example: HttpSessionListener.sessionDestroyed(javax.servlet.http.HttpSessionEvent)

Parameters:

logicalSession - a logical session implementation

writeLandingPage

public void writeLandingPage(javax.servlet.http.HttpServletResponse response,
                             String logicalSessionKey)
                      throws IOException

Throws:

IOException