https://bz.apache.org/bugzilla/show_bug.cgi?id=65853

--- Comment #4 from Marvin Fröhlich <apa...@froehlich-mail.net> ---
I have further suggestions for this Filter. To add a little flexibility for the
Nonce cache and for the storage of it I suggest construction methods like this:

#################################
protected static interface NonceCache<T> extends Serializable {
    void add(T nonce);

    boolean contains(T nonce);
}

protected static class LruCache<T> implements NonceCache<T> {
#################################

#################################
protected NonceCache<String> getNonceCache(@SuppressWarnings("unused") HttpServletRequest request,
        HttpSession session) {
    return (NonceCache<String>) session.getAttribute(Constants.CSRF_NONCE_SESSION_ATTR_NAME);
}

protected NonceCache<String> newNonceCache(@SuppressWarnings("unused") HttpServletRequest request,
        HttpSession session) {
    LruCache<String> nonceCache = new LruCache<>(nonceCacheSize);
    session.setAttribute(Constants.CSRF_NONCE_SESSION_ATTR_NAME, nonceCache);

    return nonceCache;
}
#################################


Called like this:

#################################
NonceCache<String> nonceCache = (session == null) ? null : getNonceCache(req, session);
#################################

#################################
if (nonceCache == null) {
    if (log.getLogger().getLevel().isAsVerboseAs(LogLevel.DEBUG)) {
        log.logDebug("Creating new CSRF nonce cache with size=" + nonceCacheSize
                + " for session " + (null == session ? "(will create)" : session.getId()));
    }

    if (session == null) {
        if (log.getLogger().getLevel().isAsVerboseAs(LogLevel.DEBUG)) {
            log.logDebug("Creating new session to store CSRF nonce cache");
        }

        session = req.getSession(true);
    }

    nonceCache = newNonceCache(req, session);
}
#################################

Nonce cache creation is moved below session "creation" to be able to pass it
into the call of newNonceCache(req, session).

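As an added illustration (not code from the comment above or from Tomcat itself), here is one way the proposed NonceCache interface could be backed by a bounded LRU cache of the kind the filter stores per session; the bound is what keeps a session's nonce store from growing without limit, and a subclass overriding newNonceCache could return any other NonceCache implementation. The interface, class names and the sample nonce strings are assumptions for the example.

```java
import java.io.Serializable;
import java.util.LinkedHashMap;
import java.util.Map;

// Interface as proposed in the comment, repeated so the example stands alone.
interface NonceCache<T> extends Serializable {
    void add(T nonce);
    boolean contains(T nonce);
}

// Bounded insertion-ordered cache: once `size` nonces are held, the oldest
// one is evicted, so a session's nonce store cannot grow without limit.
class LruCache<T> implements NonceCache<T> {
    private static final long serialVersionUID = 1L;
    private final Map<T, T> cache;

    LruCache(final int size) {
        if (size <= 0) {
            throw new IllegalArgumentException("size must be positive");
        }
        cache = new LinkedHashMap<T, T>() {
            private static final long serialVersionUID = 1L;
            @Override
            protected boolean removeEldestEntry(Map.Entry<T, T> eldest) {
                return size() > size;
            }
        };
    }

    // Synchronized because concurrent requests share one session's cache.
    @Override
    public synchronized void add(T nonce) {
        cache.put(nonce, null);
    }

    @Override
    public synchronized boolean contains(T nonce) {
        return cache.containsKey(nonce);
    }
}

class LruCacheDemo {
    public static void main(String[] args) {
        NonceCache<String> cache = new LruCache<>(2);
        cache.add("nonce-1");   // constructed sample values, not real nonces
        cache.add("nonce-2");
        cache.add("nonce-3");   // cache is full, so the oldest entry (nonce-1) is evicted
        System.out.println("nonce-1 still valid: " + cache.contains("nonce-1"));
        System.out.println("nonce-3 still valid: " + cache.contains("nonce-3"));
    }
}
```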