Author: remy.maucherat(a)jboss.com
Date: 2012-10-03 04:11:09 -0400 (Wed, 03 Oct 2012)
New Revision: 2097
Modified:
branches/7.2.x/src/main/java/org/apache/catalina/filters/CsrfPreventionFilter.java
Log:
Port patch.
Modified:
branches/7.2.x/src/main/java/org/apache/catalina/filters/CsrfPreventionFilter.java
===================================================================
---
branches/7.2.x/src/main/java/org/apache/catalina/filters/CsrfPreventionFilter.java 2012-10-02
16:10:35 UTC (rev 2096)
+++
branches/7.2.x/src/main/java/org/apache/catalina/filters/CsrfPreventionFilter.java 2012-10-03
08:11:09 UTC (rev 2097)
@@ -35,6 +35,7 @@
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
+import javax.servlet.http.HttpSession;
/**
* Provides basic CSRF protection for a web application. The filter assumes
@@ -141,16 +142,19 @@
}
}
+ HttpSession session = req.getSession(false);
+
@SuppressWarnings("unchecked")
- LruCache<String> nonceCache =
- (LruCache<String>) req.getSession(true).getAttribute(
+ LruCache<String> nonceCache = (session == null) ? null :
+ (LruCache<String>) session.getAttribute(
Constants.CSRF_NONCE_SESSION_ATTR_NAME);
if (!skipNonceCheck) {
String previousNonce =
req.getParameter(Constants.CSRF_NONCE_REQUEST_PARAM);
- if (nonceCache != null && !nonceCache.contains(previousNonce)) {
+ if (nonceCache == null || previousNonce == null
+ || !nonceCache.contains(previousNonce)) {
res.sendError(HttpServletResponse.SC_FORBIDDEN);
return;
}
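Review bot: The new condition at `if (nonceCache == null || previousNonce == null` switches the policy from allow-when-nothing-to-check to deny-when-nothing-to-check, and nothing in the hunk records the reasoning, so a later "simplification" could quietly reintroduce the bypass; I would put above it `// A request with no session-side nonce cache or no nonce parameter cannot be verified; treat it as forged and reject it rather than let it through.` The enclosing method starts before the hunk and continues past it, so the computation of `skipNonceCheck` that decides whether this branch runs is not visible here. Separately, the unchecked cast at `(LruCache<String>) session.getAttribute(` will throw ClassCastException if some other component stored a different type under the same attribute name; if that is possible in this deployment, an `instanceof LruCache` guard that falls through to the reject branch would fail closed instead of with a 500.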
@@ -158,7 +162,10 @@
if (nonceCache == null) {
nonceCache = new LruCache<String>(nonceCacheSize);
- req.getSession().setAttribute(
+ if (session == null) {
+ session = req.getSession(true);
+ }
+ session.setAttribute(
Constants.CSRF_NONCE_SESSION_ATTR_NAME, nonceCache);
}
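Review bot: The lazy creation at `session = req.getSession(true);` is now the only place this filter creates a session, and the surrounding `if (nonceCache == null)` branch appears reachable only when the nonce check was skipped, since the previous hunk rejects a null cache otherwise; that invariant deserves a comment, e.g. `// Only reached with a null cache when the nonce check was skipped (entry point): create the session and cache now.` This is inferred from the previous hunk, so confirm that nothing between the two hunks reassigns nonceCache. The enclosing method continues past the end of this hunk.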