ConfigurationProvider (OWASP CSRFGuard 4.5.0 API)

All Known Implementing Classes:

NullConfigurationProvider, PropertiesConfigurationProvider
```
public interface ConfigurationProvider
```
Interface that enables interaction with configuration providers

Method Summary

All Methods Instance Methods Abstract Methods
Modifier and Type	Method and Description
`List<IAction>`	`getActions()`
`Set<String>`	`getBannedUserAgentProperties()`
`String`	`getDomainOrigin()` TODO Currently not configurable through the properties!
`String`	`getJavascriptCacheControl()`
`String`	`getJavascriptDynamicNodeCreationEventName()`
`Pattern`	`getJavascriptRefererPattern()`
`String`	`getJavascriptTaggedCacheControl()`
`String`	`getJavascriptTemplateCode()`
`String`	`getJavascriptUnprotectedExtensions()` example: "js,css,gif,png,ico,jpg"
`String`	`getJavascriptXrequestedWith()` TODO document
`LogicalSessionExtractor`	`getLogicalSessionExtractor()`
`String`	`getNewTokenLandingPage()`
`Duration`	`getPageTokenSynchronizationTolerance()`
`SecureRandom`	`getPrng()`
`Set<String>`	`getProtectedMethods()`
`Set<String>`	`getProtectedPages()`
`TokenHolder`	`getTokenHolder()`
`int`	`getTokenLength()` This parameter controls how long a generated token should be.
`String`	`getTokenName()`
`Set<String>`	`getUnprotectedMethods()` if there are methods here, then all other HTTP methods are protected and these (e.g.
`Set<String>`	`getUnprotectedPages()`
`void`	`initializeJavaScriptConfiguration()` JavaScript configuration parameters can be set/overwritten via the servlet configuration.
`boolean`	`isAjaxEnabled()`
`boolean`	`isCacheable()`
`boolean`	`isEnabled()` if the filter is enabled
`boolean`	`isForceSynchronousAjax()`
`boolean`	`isJavascriptDomainStrict()`
`boolean`	`isJavascriptInjectFormAttributes()` if the token should be injected in the action in forms note, if injectIntoForms is true, then this might not need to be true
`boolean`	`isJavascriptInjectGetForms()` if the token should be injected in GET forms (which will be on the URL) if the HTTP method GET is unprotected, then this should likely be false
`boolean`	`isJavascriptInjectIntoAttributes()`
`boolean`	`isJavascriptInjectIntoDynamicallyCreatedNodes()`
`boolean`	`isJavascriptInjectIntoForms()`
`boolean`	`isJavascriptRefererMatchDomain()` if the referer to the javascript must match domain
`boolean`	`isJavascriptRefererMatchProtocol()` if the referer to the javascript must match the protocol of the domain
`boolean`	`isPrintConfig()`
`boolean`	`isProtectEnabled()` The default behavior of CSRFGuard is to protect all pages.
`boolean`	`isRotateEnabled()`
`boolean`	`isTokenPerPageEnabled()`
`boolean`	`isTokenPerPagePrecreateEnabled()`
`boolean`	`isUseNewTokenLandingPage()`
`boolean`	`isValidateWhenNoSessionExists()` If csrf guard filter should check even if there is no session for the user Note: this changed around 2014/04, the default behavior used to be to not check if there is no session.

- Method Detail
  - isCacheable
```
boolean isCacheable()
```
    Returns:
    
    true when this configuration provider can be cached for a minute, i.e. it is all setup
  - isPrintConfig
```
boolean isPrintConfig()
```
    Returns:
    
    true if the display of the CSRF configuration at start-up was requested, false otherwise
  - getTokenName
```
String getTokenName()
```
    Returns:
    
    the name of the CSRF token, used in the DOM
  - isValidateWhenNoSessionExists
```
boolean isValidateWhenNoSessionExists()
```
    If csrf guard filter should check even if there is no session for the user Note: this changed around 2014/04, the default behavior used to be to not check if there is no session. If you want the legacy behavior (if your app is not susceptible to CSRF if the user has no session), set this to false
    
    Returns:
    
    true when validation is performed even when no session exists
  - getTokenLength
```
int getTokenLength()
```
    This parameter controls how long a generated token should be.
    
    Returns:
    
    the configured length of the token
  - isRotateEnabled
```
boolean isRotateEnabled()
```
    Returns:
    
    true if token rotation was configured, false otherwise
  - isTokenPerPageEnabled
```
boolean isTokenPerPageEnabled()
```
    Returns:
    
    true if token-per-page was configured, false otherwise
  - isTokenPerPagePrecreateEnabled
```
boolean isTokenPerPagePrecreateEnabled()
```
    Returns:
    
    true if pre-generation of page tokens has been configured, false otherwise
  - getPrng
```
SecureRandom getPrng()
```
    Returns:
    
    the pseudo-random number generator instance, which is used to generate CSRF tokens
  - getNewTokenLandingPage
```
String getNewTokenLandingPage()
```
    Returns:
    
    the path of a page to which a new user (with no logical session) will be redirected
  - isUseNewTokenLandingPage
```
boolean isUseNewTokenLandingPage()
```
    Returns:
    
    true if new users (without a logical session) should be redirected to a pre-configured page
    
    See Also:
    
    getNewTokenLandingPage()
  - isAjaxEnabled
```
boolean isAjaxEnabled()
```
    Returns:
    
    true if Asynchronous JavaScript And XML (AJAX) support was configured, false otherwise
  - isProtectEnabled
```
boolean isProtectEnabled()
```
    The default behavior of CSRFGuard is to protect all pages. Pages marked as unprotected will not be protected.
    If the Protect property is enabled, this behavior is reversed. Pages must be marked as protected to be protected. All other pages will not be protected. This is useful when the CsrfGuardFilter is aggressively mapped (ex: /*), but you only want to protect a few pages.
    
    Returns:
    
    false if all pages are protected, true if pages are required to be explicit protected
  - isForceSynchronousAjax
```
boolean isForceSynchronousAjax()
```
    Returns:
    
    whether the legacy Synchronous AJAX requests are enabled
  - getProtectedPages
```
Set<String> getProtectedPages()
```
    Returns:
    
    the configured set of all protected pages
  - getUnprotectedPages
```
Set<String> getUnprotectedPages()
```
    Returns:
    
    the configured set of all un-protected pages
  - getProtectedMethods
```
Set<String> getProtectedMethods()
```
    Returns:
    
    the configured set of protected HTTP methods (verbs)
  - getUnprotectedMethods
```
Set<String> getUnprotectedMethods()
```
    if there are methods here, then all other HTTP methods are protected and these (e.g. GET) are unprotected
    
    Returns:
    
    the unprotected methods
  - getBannedUserAgentProperties
```
Set<String> getBannedUserAgentProperties()
```
    Returns:
    
    a set of User-Agent snippets to be used for filtering out certain HTTP clients
  - isEnabled
```
boolean isEnabled()
```
    if the filter is enabled
    
    Returns:
    
    is csrf guard filter is enabled
  - getActions
```
List<IAction> getActions()
```
    Returns:
    
    the configured list of actions to be executed in case of a potential CSRF attack
  - isJavascriptDomainStrict
```
boolean isJavascriptDomainStrict()
```
    Returns:
    
    true if tokens should only be injected into links that have the same domain from which the HTML originates, false if subdomains are also permitted
  - getDomainOrigin
```
String getDomainOrigin()
```
    TODO Currently not configurable through the properties!
    
    Returns:
    
    the configured domain, whose resources are intended be decorated with CSRF tokens
  - getJavascriptCacheControl
```
String getJavascriptCacheControl()
```
    Returns:
    
    the configured JavaScript cache control
  - getJavascriptTaggedCacheControl
```
String getJavascriptTaggedCacheControl()
```
    Returns:
    
    the configured JavaScript cache control when queried using a tag query param
  - getJavascriptRefererPattern
```
Pattern getJavascriptRefererPattern()
```
    Returns:
    
    the configured JavaScript "Referer" pattern to be used
  - initializeJavaScriptConfiguration
```
void initializeJavaScriptConfiguration()
```
    JavaScript configuration parameters can be set/overwritten via the servlet configuration. This method is intended to trigger the initialization of the JavaScript parameters, if/after the JavaScript servlet is initialized.
  - isJavascriptInjectGetForms
```
boolean isJavascriptInjectGetForms()
```
    if the token should be injected in GET forms (which will be on the URL) if the HTTP method GET is unprotected, then this should likely be false
    
    Returns:
    
    true if the token should be injected in GET forms via Javascript
  - isJavascriptInjectFormAttributes
```
boolean isJavascriptInjectFormAttributes()
```
    if the token should be injected in the action in forms note, if injectIntoForms is true, then this might not need to be true
    
    Returns:
    
    if inject
  - isJavascriptInjectIntoForms
```
boolean isJavascriptInjectIntoForms()
```
    Returns:
    
    true if injecting tokens into JavaScript forms was configured
  - isJavascriptRefererMatchProtocol
```
boolean isJavascriptRefererMatchProtocol()
```
    if the referer to the javascript must match the protocol of the domain
    
    Returns:
    
    true if the javascript must match the protocol of the domain
  - isJavascriptRefererMatchDomain
```
boolean isJavascriptRefererMatchDomain()
```
    if the referer to the javascript must match domain
    
    Returns:
    
    true if the javascript must match domain
  - isJavascriptInjectIntoAttributes
```
boolean isJavascriptInjectIntoAttributes()
```
    Returns:
    
    true if injecting tokens into HTML attributes was configured
  - isJavascriptInjectIntoDynamicallyCreatedNodes
```
boolean isJavascriptInjectIntoDynamicallyCreatedNodes()
```
    Returns:
    
    true if injecting tokens into dynamically injected DOM nodes was configured
  - getJavascriptDynamicNodeCreationEventName
```
String getJavascriptDynamicNodeCreationEventName()
```
    Returns:
    
    the name of the JavaScript dynamic node creation event, if the functionality was configured
  - getJavascriptXrequestedWith
```
String getJavascriptXrequestedWith()
```
    TODO document
    
    Returns:
    
    the configured value of the "X-Requested-With" header
  - getJavascriptTemplateCode
```
String getJavascriptTemplateCode()
```
    Returns:
    
    the content of the template JavaScript code, on which the JavaScript configurations will be applied
  - getJavascriptUnprotectedExtensions
```
String getJavascriptUnprotectedExtensions()
```
    example: "js,css,gif,png,ico,jpg"
    
    Returns:
    
    the configured list of un-protected, comma separated extensions
  - getTokenHolder
```
TokenHolder getTokenHolder()
```
    Returns:
    
    the configured TokenHolder instance
  - getLogicalSessionExtractor
```
LogicalSessionExtractor getLogicalSessionExtractor()
```
    Returns:
    
    the configured LogicalSessionExtractor
  - getPageTokenSynchronizationTolerance
```
Duration getPageTokenSynchronizationTolerance()
```
    Returns:
    
    the configured page token synchronization tolerance

Interface ConfigurationProvider

Method Summary

Method Detail

isCacheable

isPrintConfig

getTokenName

isValidateWhenNoSessionExists

getTokenLength

isRotateEnabled

isTokenPerPageEnabled

isTokenPerPagePrecreateEnabled

getPrng

getNewTokenLandingPage

isUseNewTokenLandingPage

isAjaxEnabled

isProtectEnabled

isForceSynchronousAjax

getProtectedPages

getUnprotectedPages

getProtectedMethods

getUnprotectedMethods

getBannedUserAgentProperties

isEnabled

getActions

isJavascriptDomainStrict

getDomainOrigin

getJavascriptCacheControl

getJavascriptTaggedCacheControl

getJavascriptRefererPattern

initializeJavaScriptConfiguration

isJavascriptInjectGetForms

isJavascriptInjectFormAttributes

isJavascriptInjectIntoForms

isJavascriptRefererMatchProtocol

isJavascriptRefererMatchDomain

isJavascriptInjectIntoAttributes

isJavascriptInjectIntoDynamicallyCreatedNodes

getJavascriptDynamicNodeCreationEventName

getJavascriptXrequestedWith

getJavascriptTemplateCode

getJavascriptUnprotectedExtensions

getTokenHolder

getLogicalSessionExtractor

getPageTokenSynchronizationTolerance