The Apache Tomcat Servlet/JSP Container

Apache Tomcat 6.0

Version 6.0.35, Nov 28 2011
Apache Tomcat Configuration Reference

Container Provided Filters

Introduction

Tomcat provides a number of Filters which may be configured for use with all web applications using $CATALINA_BASE/conf/web.xml or may be configured for individual web applications by configuring them in the application's WEB-INF/web.xml. Each filter is described below.

This description uses the variable name $CATALINA_BASE to refer to the base directory against which most relative paths are resolved. If you have not configured Tomcat for multiple instances by setting a CATALINA_BASE directory, then $CATALINA_BASE will be set to the value of $CATALINA_HOME, the directory into which you have installed Tomcat.

CSRF Prevention Filter
Introduction

This filter provides basic CSRF protection for a web application. The filter assumes that it is mapped to /* and that all URLs returned to the client are encoded via a call to HttpServletResponse#encodeRedirectURL(String) or HttpServletResponse#encodeURL(String).

This filter prevents CSRF by generating a nonce and storing it in the session. URLs are also encoded with the same nonce. When the next request is received the nonce in the request is compared to the nonce in the session and only if they are the same is the request allowed to continue.

Filter Class Name

The filter class name for the CSRF Prevention Filter is org.apache.catalina.filters.CsrfPreventionFilter.

Initialisation parameters

The CSRF Prevention Filter supports the following initialisation parameters:

Attribute | Description
entryPoints

A comma separated list of URLs that will not be tested for the presence of a valid nonce. They are used to provide a way to navigate back to a protected application after having navigated away from it. Entry points will be limited to HTTP GET requests and should not trigger any security sensitive actions.

nonceCacheSize

The number of previously issued nonces that will be cached on an LRU basis to support parallel requests, limited use of the browser's refresh and back buttons, and similar behaviors that may result in the submission of a previous nonce rather than the current one. If not set, the default value of 5 will be used.

randomClass

The name of the class to use to generate nonces. The class must be an instance of java.util.Random. If not set, the default value of java.security.SecureRandom will be used.
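
The nonce check and the effect of the entryPoints and nonceCacheSize parameters can be seen in a small stand-alone model. This is an added example, not code from Tomcat: the class CsrfNonceModel, its handle method and the request paths are hypothetical, and a single in-memory map stands in for the per-session nonce cache.

```java
import java.security.SecureRandom;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Random;
import java.util.Set;

// Simplified model of the behaviour described on this page; NOT Tomcat's source.
public class CsrfNonceModel {
    private final Random random = new SecureRandom();  // randomClass default
    private final Set<String> entryPoints;             // entryPoints parameter
    private final Map<String, Boolean> issued;         // stands in for the session's nonce cache

    CsrfNonceModel(Set<String> entryPoints, final int nonceCacheSize) {
        this.entryPoints = entryPoints;
        // accessOrder=true makes LinkedHashMap evict the least recently used nonce.
        this.issued = new LinkedHashMap<String, Boolean>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Boolean> eldest) {
                return size() > nonceCacheSize;
            }
        };
    }

    /** Returns the fresh nonce to encode into response URLs, or null if the request is rejected. */
    String handle(String method, String path, String requestNonce) {
        boolean entryPoint = "GET".equals(method) && entryPoints.contains(path);
        if (!entryPoint && (requestNonce == null || issued.get(requestNonce) == null)) {
            return null; // missing, unknown or evicted nonce
        }
        byte[] bytes = new byte[16];
        random.nextBytes(bytes);
        StringBuilder nonce = new StringBuilder();
        for (byte b : bytes) nonce.append(String.format("%02X", b));
        issued.put(nonce.toString(), Boolean.TRUE);
        return nonce.toString();
    }

    public static void main(String[] args) {
        // Constructed paths; "/index.jsp" is the only entry point, cache size is the default 5.
        CsrfNonceModel f = new CsrfNonceModel(Collections.singleton("/index.jsp"), 5);
        String first = f.handle("GET", "/index.jsp", null);
        System.out.println("entry point via POST rejected: " + (f.handle("POST", "/index.jsp", null) == null));
        System.out.println("unknown nonce rejected: " + (f.handle("POST", "/transfer", "forged") == null));
        String latest = first;
        for (int i = 0; i < 5; i++) latest = f.handle("GET", "/account", latest);
        System.out.println("latest nonce accepted: " + (f.handle("GET", "/account", latest) != null));
        System.out.println("oldest nonce evicted: " + (f.handle("GET", "/account", first) == null));
    }
}
```

The last check shows why a page left open for many requests can start failing: once more than nonceCacheSize newer nonces have been issued, the nonce embedded in that page's URLs is no longer in the cache.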

Failed Request Filter
Introduction

This filter triggers parameter parsing in a request and rejects the request if some parameters were skipped during parameter parsing because of parsing errors or request size limitations (such as the maxParameterCount attribute in a Connector). This filter can be used to ensure that no parameter values submitted by the client are lost.

Note that parameter parsing may consume the body of an HTTP request, so caution is needed if the servlet protected by this filter uses request.getInputStream() or request.getReader() calls. In general, the risk of breaking a web application by adding this filter is not high, because parameter parsing checks the content type of the request before consuming the request body.

The request is rejected with HTTP status code 400 (Bad Request).

Filter Class Name

The filter class name for the Failed Request Filter is org.apache.catalina.filters.FailedRequestFilter.

Initialisation parameters

The Failed Request Filter does not support any initialisation parameters.


Copyright © 1999-2011, Apache Software Foundation