NullConfigurationProvider (OWASP CSRFGuard 4.5.0 API)

java.lang.Object
- org.owasp.csrfguard.config.NullConfigurationProvider

All Implemented Interfaces:

ConfigurationProvider
```
public final class NullConfigurationProvider
extends Object
implements ConfigurationProvider
```
ConfigurationProvider which returns all null or empty values (except for the logger). Used before initialization has occurred.

Constructor Summary

Constructors
Constructor and Description

NullConfigurationProvider()

Constructors
Constructor and Description
`NullConfigurationProvider()`

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`List<IAction>`	`getActions()`
`Set<String>`	`getBannedUserAgentProperties()`
`String`	`getDomainOrigin()` TODO Currently not configurable through the properties!
`String`	`getJavascriptCacheControl()`
`String`	`getJavascriptDynamicNodeCreationEventName()`
`Pattern`	`getJavascriptRefererPattern()`
`String`	`getJavascriptTaggedCacheControl()`
`String`	`getJavascriptTemplateCode()`
`String`	`getJavascriptUnprotectedExtensions()` example: "js,css,gif,png,ico,jpg"
`String`	`getJavascriptXrequestedWith()` TODO document
`LogicalSessionExtractor`	`getLogicalSessionExtractor()`
`String`	`getNewTokenLandingPage()`
`Duration`	`getPageTokenSynchronizationTolerance()`
`SecureRandom`	`getPrng()`
`Set<String>`	`getProtectedMethods()`
`Set<String>`	`getProtectedPages()`
`TokenHolder`	`getTokenHolder()`
`int`	`getTokenLength()` This parameter controls how long a generated token should be.
`String`	`getTokenName()`
`Set<String>`	`getUnprotectedMethods()` if there are methods here, then all other HTTP methods are protected and these (e.g.
`Set<String>`	`getUnprotectedPages()`
`void`	`initializeJavaScriptConfiguration()` JavaScript configuration parameters can be set/overwritten via the servlet configuration.
`boolean`	`isAjaxEnabled()`
`boolean`	`isCacheable()`
`boolean`	`isEnabled()` if the filter is enabled
`boolean`	`isForceSynchronousAjax()`
`boolean`	`isJavascriptDomainStrict()`
`boolean`	`isJavascriptInjectFormAttributes()` if the token should be injected in the action in forms note, if injectIntoForms is true, then this might not need to be true
`boolean`	`isJavascriptInjectGetForms()` if the token should be injected in GET forms (which will be on the URL) if the HTTP method GET is unprotected, then this should likely be false
`boolean`	`isJavascriptInjectIntoAttributes()`
`boolean`	`isJavascriptInjectIntoDynamicallyCreatedNodes()`
`boolean`	`isJavascriptInjectIntoForms()`
`boolean`	`isJavascriptRefererMatchDomain()` if the referer to the javascript must match domain
`boolean`	`isJavascriptRefererMatchProtocol()` if the referer to the javascript must match the protocol of the domain
`boolean`	`isPrintConfig()`
`boolean`	`isProtectEnabled()` The default behavior of CSRFGuard is to protect all pages.
`boolean`	`isRotateEnabled()`
`boolean`	`isTokenPerPageEnabled()`
`boolean`	`isTokenPerPagePrecreateEnabled()`
`boolean`	`isUseNewTokenLandingPage()`
`boolean`	`isValidateWhenNoSessionExists()` If csrf guard filter should check even if there is no session for the user Note: this changed around 2014/04, the default behavior used to be to not check if there is no session.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Constructor Detail
  - NullConfigurationProvider
```
public NullConfigurationProvider()
```
- Method Detail
  - isCacheable
```
public boolean isCacheable()
```
    Specified by:
    
    isCacheable in interface ConfigurationProvider
    
    Returns:
    
    true when this configuration provider can be cached for a minute, i.e. it is all setup
  - isPrintConfig
```
public boolean isPrintConfig()
```
    Specified by:
    
    isPrintConfig in interface ConfigurationProvider
    
    Returns:
    
    true if the display of the CSRF configuration at start-up was requested, false otherwise
  - getTokenName
```
public String getTokenName()
```
    Specified by:
    
    getTokenName in interface ConfigurationProvider
    
    Returns:
    
    the name of the CSRF token, used in the DOM
  - isValidateWhenNoSessionExists
```
public boolean isValidateWhenNoSessionExists()
```
    Description copied from interface: ConfigurationProvider
    
    If csrf guard filter should check even if there is no session for the user Note: this changed around 2014/04, the default behavior used to be to not check if there is no session. If you want the legacy behavior (if your app is not susceptible to CSRF if the user has no session), set this to false
    
    Specified by:
    
    isValidateWhenNoSessionExists in interface ConfigurationProvider
    
    Returns:
    
    true when validation is performed even when no session exists
  - getTokenLength
```
public int getTokenLength()
```
    Description copied from interface: ConfigurationProvider
    
    This parameter controls how long a generated token should be.
    
    Specified by:
    
    getTokenLength in interface ConfigurationProvider
    
    Returns:
    
    the configured length of the token
  - isRotateEnabled
```
public boolean isRotateEnabled()
```
    Specified by:
    
    isRotateEnabled in interface ConfigurationProvider
    
    Returns:
    
    true if token rotation was configured, false otherwise
  - isTokenPerPageEnabled
```
public boolean isTokenPerPageEnabled()
```
    Specified by:
    
    isTokenPerPageEnabled in interface ConfigurationProvider
    
    Returns:
    
    true if token-per-page was configured, false otherwise
  - isTokenPerPagePrecreateEnabled
```
public boolean isTokenPerPagePrecreateEnabled()
```
    Specified by:
    
    isTokenPerPagePrecreateEnabled in interface ConfigurationProvider
    
    Returns:
    
    true if pre-generation of page tokens has been configured, false otherwise
  - getPrng
```
public SecureRandom getPrng()
```
    Specified by:
    
    getPrng in interface ConfigurationProvider
    
    Returns:
    
    the pseudo-random number generator instance, which is used to generate CSRF tokens
  - getNewTokenLandingPage
```
public String getNewTokenLandingPage()
```
    Specified by:
    
    getNewTokenLandingPage in interface ConfigurationProvider
    
    Returns:
    
    the path of a page to which a new user (with no logical session) will be redirected
  - isUseNewTokenLandingPage
```
public boolean isUseNewTokenLandingPage()
```
    Specified by:
    
    isUseNewTokenLandingPage in interface ConfigurationProvider
    
    Returns:
    
    true if new users (without a logical session) should be redirected to a pre-configured page
    
    See Also:
    
    ConfigurationProvider.getNewTokenLandingPage()
  - isAjaxEnabled
```
public boolean isAjaxEnabled()
```
    Specified by:
    
    isAjaxEnabled in interface ConfigurationProvider
    
    Returns:
    
    true if Asynchronous JavaScript And XML (AJAX) support was configured, false otherwise
  - isProtectEnabled
```
public boolean isProtectEnabled()
```
    Description copied from interface: ConfigurationProvider
    
    The default behavior of CSRFGuard is to protect all pages. Pages marked as unprotected will not be protected.
    If the Protect property is enabled, this behavior is reversed. Pages must be marked as protected to be protected. All other pages will not be protected. This is useful when the CsrfGuardFilter is aggressively mapped (ex: /*), but you only want to protect a few pages.
    
    Specified by:
    
    isProtectEnabled in interface ConfigurationProvider
    
    Returns:
    
    false if all pages are protected, true if pages are required to be explicit protected
  - isForceSynchronousAjax
```
public boolean isForceSynchronousAjax()
```
    Specified by:
    
    isForceSynchronousAjax in interface ConfigurationProvider
    
    Returns:
    
    whether the legacy Synchronous AJAX requests are enabled
  - getProtectedPages
```
public Set<String> getProtectedPages()
```
    Specified by:
    
    getProtectedPages in interface ConfigurationProvider
    
    Returns:
    
    the configured set of all protected pages
  - getUnprotectedPages
```
public Set<String> getUnprotectedPages()
```
    Specified by:
    
    getUnprotectedPages in interface ConfigurationProvider
    
    Returns:
    
    the configured set of all un-protected pages
  - getProtectedMethods
```
public Set<String> getProtectedMethods()
```
    Specified by:
    
    getProtectedMethods in interface ConfigurationProvider
    
    Returns:
    
    the configured set of protected HTTP methods (verbs)
  - getUnprotectedMethods
```
public Set<String> getUnprotectedMethods()
```
    Description copied from interface: ConfigurationProvider
    
    if there are methods here, then all other HTTP methods are protected and these (e.g. GET) are unprotected
    
    Specified by:
    
    getUnprotectedMethods in interface ConfigurationProvider
    
    Returns:
    
    the unprotected methods
  - getBannedUserAgentProperties
```
public Set<String> getBannedUserAgentProperties()
```
    Specified by:
    
    getBannedUserAgentProperties in interface ConfigurationProvider
    
    Returns:
    
    a set of User-Agent snippets to be used for filtering out certain HTTP clients
  - isEnabled
```
public boolean isEnabled()
```
    Description copied from interface: ConfigurationProvider
    
    if the filter is enabled
    
    Specified by:
    
    isEnabled in interface ConfigurationProvider
    
    Returns:
    
    is csrf guard filter is enabled
  - getActions
```
public List<IAction> getActions()
```
    Specified by:
    
    getActions in interface ConfigurationProvider
    
    Returns:
    
    the configured list of actions to be executed in case of a potential CSRF attack
  - isJavascriptDomainStrict
```
public boolean isJavascriptDomainStrict()
```
    Specified by:
    
    isJavascriptDomainStrict in interface ConfigurationProvider
    
    Returns:
    
    true if tokens should only be injected into links that have the same domain from which the HTML originates, false if subdomains are also permitted
  - getDomainOrigin
```
public String getDomainOrigin()
```
    Description copied from interface: ConfigurationProvider
    
    TODO Currently not configurable through the properties!
    
    Specified by:
    
    getDomainOrigin in interface ConfigurationProvider
    
    Returns:
    
    the configured domain, whose resources are intended be decorated with CSRF tokens
  - getJavascriptCacheControl
```
public String getJavascriptCacheControl()
```
    Specified by:
    
    getJavascriptCacheControl in interface ConfigurationProvider
    
    Returns:
    
    the configured JavaScript cache control
  - getJavascriptTaggedCacheControl
```
public String getJavascriptTaggedCacheControl()
```
    Specified by:
    
    getJavascriptTaggedCacheControl in interface ConfigurationProvider
    
    Returns:
    
    the configured JavaScript cache control when queried using a tag query param
  - getJavascriptRefererPattern
```
public Pattern getJavascriptRefererPattern()
```
    Specified by:
    
    getJavascriptRefererPattern in interface ConfigurationProvider
    
    Returns:
    
    the configured JavaScript "Referer" pattern to be used
  - initializeJavaScriptConfiguration
```
public void initializeJavaScriptConfiguration()
```
    Description copied from interface: ConfigurationProvider
    
    JavaScript configuration parameters can be set/overwritten via the servlet configuration. This method is intended to trigger the initialization of the JavaScript parameters, if/after the JavaScript servlet is initialized.
    
    Specified by:
    
    initializeJavaScriptConfiguration in interface ConfigurationProvider
  - isJavascriptInjectGetForms
```
public boolean isJavascriptInjectGetForms()
```
    Description copied from interface: ConfigurationProvider
    
    if the token should be injected in GET forms (which will be on the URL) if the HTTP method GET is unprotected, then this should likely be false
    
    Specified by:
    
    isJavascriptInjectGetForms in interface ConfigurationProvider
    
    Returns:
    
    true if the token should be injected in GET forms via Javascript
  - isJavascriptInjectFormAttributes
```
public boolean isJavascriptInjectFormAttributes()
```
    Description copied from interface: ConfigurationProvider
    
    if the token should be injected in the action in forms note, if injectIntoForms is true, then this might not need to be true
    
    Specified by:
    
    isJavascriptInjectFormAttributes in interface ConfigurationProvider
    
    Returns:
    
    if inject
  - isJavascriptInjectIntoForms
```
public boolean isJavascriptInjectIntoForms()
```
    Specified by:
    
    isJavascriptInjectIntoForms in interface ConfigurationProvider
    
    Returns:
    
    true if injecting tokens into JavaScript forms was configured
  - isJavascriptRefererMatchProtocol
```
public boolean isJavascriptRefererMatchProtocol()
```
    Description copied from interface: ConfigurationProvider
    
    if the referer to the javascript must match the protocol of the domain
    
    Specified by:
    
    isJavascriptRefererMatchProtocol in interface ConfigurationProvider
    
    Returns:
    
    true if the javascript must match the protocol of the domain
  - isJavascriptRefererMatchDomain
```
public boolean isJavascriptRefererMatchDomain()
```
    Description copied from interface: ConfigurationProvider
    
    if the referer to the javascript must match domain
    
    Specified by:
    
    isJavascriptRefererMatchDomain in interface ConfigurationProvider
    
    Returns:
    
    true if the javascript must match domain
  - isJavascriptInjectIntoAttributes
```
public boolean isJavascriptInjectIntoAttributes()
```
    Specified by:
    
    isJavascriptInjectIntoAttributes in interface ConfigurationProvider
    
    Returns:
    
    true if injecting tokens into HTML attributes was configured
  - isJavascriptInjectIntoDynamicallyCreatedNodes
```
public boolean isJavascriptInjectIntoDynamicallyCreatedNodes()
```
    Specified by:
    
    isJavascriptInjectIntoDynamicallyCreatedNodes in interface ConfigurationProvider
    
    Returns:
    
    true if injecting tokens into dynamically injected DOM nodes was configured
  - getJavascriptDynamicNodeCreationEventName
```
public String getJavascriptDynamicNodeCreationEventName()
```
    Specified by:
    
    getJavascriptDynamicNodeCreationEventName in interface ConfigurationProvider
    
    Returns:
    
    the name of the JavaScript dynamic node creation event, if the functionality was configured
  - getJavascriptXrequestedWith
```
public String getJavascriptXrequestedWith()
```
    Description copied from interface: ConfigurationProvider
    
    TODO document
    
    Specified by:
    
    getJavascriptXrequestedWith in interface ConfigurationProvider
    
    Returns:
    
    the configured value of the "X-Requested-With" header
  - getJavascriptTemplateCode
```
public String getJavascriptTemplateCode()
```
    Specified by:
    
    getJavascriptTemplateCode in interface ConfigurationProvider
    
    Returns:
    
    the content of the template JavaScript code, on which the JavaScript configurations will be applied
  - getJavascriptUnprotectedExtensions
```
public String getJavascriptUnprotectedExtensions()
```
    Description copied from interface: ConfigurationProvider
    
    example: "js,css,gif,png,ico,jpg"
    
    Specified by:
    
    getJavascriptUnprotectedExtensions in interface ConfigurationProvider
    
    Returns:
    
    the configured list of un-protected, comma separated extensions
  - getTokenHolder
```
public TokenHolder getTokenHolder()
```
    Specified by:
    
    getTokenHolder in interface ConfigurationProvider
    
    Returns:
    
    the configured TokenHolder instance
  - getLogicalSessionExtractor
```
public LogicalSessionExtractor getLogicalSessionExtractor()
```
    Specified by:
    
    getLogicalSessionExtractor in interface ConfigurationProvider
    
    Returns:
    
    the configured LogicalSessionExtractor
  - getPageTokenSynchronizationTolerance
```
public Duration getPageTokenSynchronizationTolerance()
```
    Specified by:
    
    getPageTokenSynchronizationTolerance in interface ConfigurationProvider
    
    Returns:
    
    the configured page token synchronization tolerance

Class NullConfigurationProvider

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Constructor Detail

NullConfigurationProvider

Method Detail

isCacheable

isPrintConfig

getTokenName

isValidateWhenNoSessionExists

getTokenLength

isRotateEnabled

isTokenPerPageEnabled

isTokenPerPagePrecreateEnabled

getPrng

getNewTokenLandingPage

isUseNewTokenLandingPage

isAjaxEnabled

isProtectEnabled

isForceSynchronousAjax

getProtectedPages

getUnprotectedPages

getProtectedMethods

getUnprotectedMethods

getBannedUserAgentProperties

isEnabled

getActions

isJavascriptDomainStrict

getDomainOrigin

getJavascriptCacheControl

getJavascriptTaggedCacheControl

getJavascriptRefererPattern

initializeJavaScriptConfiguration

isJavascriptInjectGetForms

isJavascriptInjectFormAttributes

isJavascriptInjectIntoForms

isJavascriptRefererMatchProtocol

isJavascriptRefererMatchDomain

isJavascriptInjectIntoAttributes

isJavascriptInjectIntoDynamicallyCreatedNodes

getJavascriptDynamicNodeCreationEventName

getJavascriptXrequestedWith

getJavascriptTemplateCode

getJavascriptUnprotectedExtensions

getTokenHolder

getLogicalSessionExtractor

getPageTokenSynchronizationTolerance