Class CsrfPreventionRequestCycleListener

    • Method Detail

      • setErrorCode

        public CsrfPreventionRequestCycleListener setErrorCode(int errorCode)
        Deprecated.
        Modifies the HTTP error code in the exception when a conflicting Origin header is detected.
        Parameters:
        errorCode - the alternate HTTP error code, default 400 BAD REQUEST
        Returns:
        this
      • isEnabled

        protected boolean isEnabled()
        Deprecated.
        Dynamic override for enabling/disabling the CSRF detection. Might be handy for specific tenants in a multi-tenant application. When false, the CSRF detection is not performed for the running request. Default: true.
        Returns:
        true when the CSRF checks need to be performed.
      • isChecked

        protected boolean isChecked(IRequestablePage targetedPage)
        Deprecated.
        Override to limit whether the request to the specific page should be checked for a possible CSRF attack.
        Parameters:
        targetedPage - the page that is the target for the action
        Returns:
        true when the request to the page should be checked for CSRF issues.
      • isChecked

        protected boolean isChecked(IRequestHandler handler)
        Deprecated.
        Override to change the request handler types that are checked. Currently only action handlers (form submits, link clicks, AJAX events) are checked for a matching Origin HTTP header.
        Parameters:
        handler - the handler that is currently processing
        Returns:
        true when the Origin HTTP header should be checked for this handler
      • unwrap

        protected IRequestHandler unwrap(IRequestHandler handler)
        Deprecated.
        Unwraps the handler if it is an IRequestHandlerDelegate, down to the deepest nested handler.
        Parameters:
        handler - The handler to unwrap
        Returns:
        the deepest handler that does not implement IRequestHandlerDelegate
      • getSourceUri

        protected String getSourceUri(javax.servlet.http.HttpServletRequest containerRequest)
        Deprecated.
        Resolves the source URI from the request headers (Origin or Referer).
        Parameters:
        containerRequest - the current container request
        Returns:
        the normalized source URI.
      • checkRequest

        protected void checkRequest(javax.servlet.http.HttpServletRequest request,
                                    String sourceUri,
                                    IRequestablePage page)
        Deprecated.
        Performs the check of the Origin or Referer header that is targeted at the page.
        Parameters:
        request - the current container request
        sourceUri - the source URI
        page - the page that is the target of the request
      • whitelistedHandler

        protected void whitelistedHandler(javax.servlet.http.HttpServletRequest request,
                                          String origin,
                                          IRequestablePage page)
        Deprecated.
        Handles the case where an origin is in the whitelist. Default action is to allow the whitelisted origin.
        Parameters:
        request - the request
        origin - the contents of the Origin HTTP header
        page - the page that is targeted with this request
      • onWhitelisted

        protected void onWhitelisted(javax.servlet.http.HttpServletRequest request,
                                     String origin,
                                     IRequestablePage page)
        Deprecated.
        Called when the origin was available in the whitelist. Override this method to implement your own custom action.
        Parameters:
        request - the request
        origin - the contents of the Origin HTTP header
        page - the page that is targeted with this request
      • matchingOrigin

        protected void matchingOrigin(javax.servlet.http.HttpServletRequest request,
                                      String origin,
                                      IRequestablePage page)
        Deprecated.
        Handles the case where an origin was checked and matched the request origin. Default action is to allow the matching origin.
        Parameters:
        request - the request
        origin - the contents of the Origin HTTP header
        page - the page that is targeted with this request
      • onMatchingOrigin

        protected void onMatchingOrigin(javax.servlet.http.HttpServletRequest request,
                                        String origin,
                                        IRequestablePage page)
        Deprecated.
        Called when the origin HTTP header matched the request. Override this method to implement your own custom action.
        Parameters:
        request - the request
        origin - the contents of the Origin HTTP header
        page - the page that is targeted with this request
      • allowHandler

        protected void allowHandler(javax.servlet.http.HttpServletRequest request,
                                    String origin,
                                    IRequestablePage page)
        Deprecated.
        Handles the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginAction or conflictingOriginAction) is set to ALLOW.
        Parameters:
        request - the request
        origin - the contents of the Origin HTTP header, may be null or empty
        page - the page that is targeted with this request
      • onAllowed

        protected void onAllowed(javax.servlet.http.HttpServletRequest request,
                                 String origin,
                                 IRequestablePage page)
        Deprecated.
        Override this method to customize the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginAction or conflictingOriginAction) is set to ALLOW.
        Parameters:
        request - the request
        origin - the contents of the Origin HTTP header, may be null or empty
        page - the page that is targeted with this request
      • suppressHandler

        protected void suppressHandler(javax.servlet.http.HttpServletRequest request,
                                       String origin,
                                       IRequestablePage page)
        Deprecated.
        Handles the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginAction or conflictingOriginAction) is set to SUPPRESS.
        Parameters:
        request - the request
        origin - the contents of the Origin HTTP header, may be null or empty
        page - the page that is targeted with this request
      • onSuppressed

        protected void onSuppressed(javax.servlet.http.HttpServletRequest request,
                                    String origin,
                                    IRequestablePage page)
        Deprecated.
        Override this method to customize the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginAction or conflictingOriginAction) is set to SUPPRESS.
        Parameters:
        request - the request
        origin - the contents of the Origin HTTP header, may be null or empty
        page - the page that is targeted with this request
      • abortHandler

        protected void abortHandler(javax.servlet.http.HttpServletRequest request,
                                    String origin,
                                    IRequestablePage page)
        Deprecated.
        Handles the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginAction or conflictingOriginAction) is set to ABORT.
        Parameters:
        request - the request
        origin - the contents of the Origin HTTP header, may be null or empty
        page - the page that is targeted with this request
      • onAborted

        protected void onAborted(javax.servlet.http.HttpServletRequest request,
                                 String origin,
                                 IRequestablePage page)
        Deprecated.
        Override this method to customize the case where an Origin HTTP header was not present or did not match the request origin, and the corresponding action (noOriginAction or conflictingOriginAction) is set to ABORT.
        Parameters:
        request - the request
        origin - the contents of the Origin HTTP header, may be null or empty
        page - the page that is targeted with this request
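As an added example (not code from the Wicket project or this Javadoc), a subclass that uses the hooks documented above: it switches the rejection status to 403, exempts a page that performs no state-changing actions from the Origin check, and logs every aborted request so the rejection is visible in detection tooling. The base class and its methods are the ones listed on this page; PublicStatusPage, the SLF4J logger and the class name are assumptions.

```java
import javax.servlet.http.HttpServletRequest;

import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
import org.apache.wicket.request.component.IRequestablePage;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Assumed subclass name; wires audit logging into the CSRF listener's hook points. */
public class AuditingCsrfListener extends CsrfPreventionRequestCycleListener {
    private static final Logger log = LoggerFactory.getLogger(AuditingCsrfListener.class);

    public AuditingCsrfListener() {
        // setErrorCode (documented above): reject a conflicting Origin with 403 instead of the default 400
        setErrorCode(403);
    }

    @Override
    protected boolean isChecked(IRequestablePage targetedPage) {
        // PublicStatusPage is a hypothetical page with no state-changing actions,
        // so it is excluded from the Origin check; every other page keeps the check.
        return !(targetedPage instanceof PublicStatusPage);
    }

    @Override
    protected void onAborted(HttpServletRequest request, String origin, IRequestablePage page) {
        // Called when the action for a missing or conflicting Origin is ABORT.
        // Record enough context to correlate the rejection with other request logs;
        // 'origin' may be null or empty, as the onAborted documentation notes.
        log.warn("CSRF check aborted request: origin={} page={} remote={} uri={}",
                 (origin == null || origin.isEmpty()) ? "<none>" : origin,
                 page.getClass().getName(),
                 request.getRemoteAddr(),
                 request.getRequestURI());
        super.onAborted(request, origin, page);
    }
}
```

Register the listener from the application's init() with getRequestCycleListeners().add(new AuditingCsrfListener()); that registration call belongs to Wicket's Application class and is not one of the methods listed on this page.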