Author: markt Date: Mon Mar 21 22:08:47 2011 New Revision: 1083987 URL: http://svn.apache.org/viewvc?rev=1083987&view=rev Log: Make the CSRF nonce cache serializable to fix an issue reported on the users list. Custom serialization code could shave ~20% but the code isn't as clean.
Modified: tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java tomcat/trunk/test/org/apache/catalina/filters/TestCsrfPreventionFilter.java tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?rev=1083987&r1=1083986&r2=1083987&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java Mon Mar 21 22:08:47 2011
@@ -18,6 +18,7 @@
 package org.apache.catalina.filters;
 import java.io.IOException;
+import java.io.Serializable;
 import java.security.SecureRandom;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
@@ -287,7 +288,9 @@ public class CsrfPreventionFilter extend
 }
 }
- private static class LruCache<T> {
+ protected static class LruCache<T> implements Serializable {
+
+ private static final long serialVersionUID = 1L;
 // Although the internal implementation uses a Map, this cache
 // implementation is only concerned with the keys.
Modified: tomcat/trunk/test/org/apache/catalina/filters/TestCsrfPreventionFilter.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/filters/TestCsrfPreventionFilter.java?rev=1083987&r1=1083986&r2=1083987&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/filters/TestCsrfPreventionFilter.java (original)
+++ tomcat/trunk/test/org/apache/catalina/filters/TestCsrfPreventionFilter.java Mon Mar 21 22:08:47 2011
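Review bot: `protected` on `LruCache` is wider than this change needs: the new test sits in the same package (`org.apache.catalina.filters`), so package-private `static class LruCache<T> implements Serializable {` would let it compile without exposing the cache to subclasses of the filter. Since the class now takes part in session persistence and replication, its stored nonces leave the JVM along with the session, so I would add a class comment such as `// Holds live CSRF nonces; serialized with the session, so the session store and cluster channel must be protected like session IDs`. `T` is unbounded, so a non-serializable element type would presumably only fail when the session is written; `<T extends Serializable>` would catch that at compile time if the field types allow it. The class body is outside the hunk, so the map field's own serializability cannot be checked from here.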
@@ -17,8 +17,14 @@
 package org.apache.catalina.filters;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+
 import javax.servlet.http.HttpServletResponse;
+import org.apache.catalina.filters.CsrfPreventionFilter.LruCache;
 import org.apache.catalina.startup.TomcatBaseTest;
 public class TestCsrfPreventionFilter extends TomcatBaseTest {
@@ -50,6 +56,41 @@ public class TestCsrfPreventionFilter ex
 wrapper.encodeRedirectURL("/test?a=b#c"));
 }
+ public void testLruCacheSerializable() throws Exception {
+ LruCache<String> cache = new LruCache<String>(5);
+ cache.add("key1");
+ cache.add("key2");
+ cache.add("key3");
+ cache.add("key4");
+ cache.add("key5");
+ cache.add("key6");
+
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(baos);
+ oos.writeObject(cache);
+
+ ByteArrayInputStream bais =
+ new ByteArrayInputStream(baos.toByteArray());
+ ObjectInputStream ois = new ObjectInputStream(bais);
+ @SuppressWarnings("unchecked")
+ LruCache<String> cache2 = (LruCache<String>) ois.readObject();
+
+ cache2.add("key7");
+ assertFalse(cache2.contains("key1"));
+ assertFalse(cache2.contains("key2"));
+ assertTrue(cache2.contains("key3"));
+ assertTrue(cache2.contains("key4"));
+ assertTrue(cache2.contains("key5"));
+ assertTrue(cache2.contains("key6"));
+ assertTrue(cache2.contains("key7"));
+ }
+
+ public void testLruCacheSerializablePerformance() throws Exception {
+ for (int i = 0; i < 10000; i++) {
+ testLruCacheSerializable();
+ }
+ }
+
 private static class NonEncodingResponse extends TesterResponse {
 @Override
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1083987&r1=1083986&r2=1083987&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Mon Mar 21 22:08:47 2011
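Review bot: `testLruCacheSerializablePerformance` has no assertion or time bound of its own; it only reruns `testLruCacheSerializable` 10000 times, so it lengthens every build without being able to fail for a performance reason. I would drop it from the regular suite or mark it as a manual benchmark with a comment like `// Benchmark only: measures default serialization cost, not a regression test`. In `testLruCacheSerializable` the object streams are never closed; calling `oos.close();` before `baos.toByteArray()` and `ois.close();` after `readObject()` would keep the test from depending on stream buffering behaviour.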
@@ -77,6 +77,10 @@ <bug>50929</bug>: When wrapping an exception, include the root cause. Patch provided by sebb. (markt) </fix> + <fix> + Make the CSRF nonce cache serializable so that it can be replicated + across a cluster and/or persisted across Tomcat restarts. (markt) + </fix> </changelog> </subsection> <subsection name="Coyote"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org