com.atlassian.crowd.xwork
Class SimpleXsrfTokenGenerator

java.lang.Object
  extended by com.atlassian.crowd.xwork.SimpleXsrfTokenGenerator
All Implemented Interfaces:
XsrfTokenGenerator

public class SimpleXsrfTokenGenerator
extends Object
implements XsrfTokenGenerator

Simple implementation of XsrfTokenGenerator that stores a unique value in the session. The session ID itself isn't used because we don't want to risk compromising the entire session in case we don't protect the XSRF token diligently enough.

Tokens are chosen to be reasonably unique (60 bits) with reasonably short representations (base64 encoded).


Field Summary
static String TOKEN_SESSION_KEY

Constructor Summary
SimpleXsrfTokenGenerator()

Method Summary
String generateToken(javax.servlet.http.HttpServletRequest request)
          Generate a new form token for the current request.
String getToken(javax.servlet.http.HttpServletRequest request, boolean create)
          Retrieves the token from the request.
String getXsrfTokenName()
          Convenience method which will return the name to be used for a supplied XsrfToken in a request.
boolean validateToken(javax.servlet.http.HttpServletRequest request, String token)
          Validate a form token received as part of a web request.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

TOKEN_SESSION_KEY

public static final String TOKEN_SESSION_KEY
See Also:
Constant Field Values
Constructor Detail

SimpleXsrfTokenGenerator

public SimpleXsrfTokenGenerator()
Method Detail

getToken

public String getToken(javax.servlet.http.HttpServletRequest request,
                       boolean create)
Description copied from interface: XsrfTokenGenerator
Retrieves the token from the request. Returns null if there is no token in the request and create is false. If create is true, a new token is generated and returned.

Specified by:
getToken in interface XsrfTokenGenerator
Parameters:
request - the request the token is retrieved from
create - if true, a token will be created if it doesn't already exist
Returns:
a valid XSRF form token, or null if there is none in the request and create is false.

generateToken

public String generateToken(javax.servlet.http.HttpServletRequest request)
Description copied from interface: XsrfTokenGenerator
Generate a new form token for the current request.

Specified by:
generateToken in interface XsrfTokenGenerator
Parameters:
request - the request the token is being generated for
Returns:
a valid XSRF form token

getXsrfTokenName

public String getXsrfTokenName()
Description copied from interface: XsrfTokenGenerator
Convenience method which will return the name to be used for a supplied XsrfToken in a request.

Specified by:
getXsrfTokenName in interface XsrfTokenGenerator
Returns:
the name in the request for the Xsrf token.

validateToken

public boolean validateToken(javax.servlet.http.HttpServletRequest request,
                             String token)
Description copied from interface: XsrfTokenGenerator
Validate a form token received as part of a web request.

Specified by:
validateToken in interface XsrfTokenGenerator
Parameters:
request - the request the token was received in
token - the token
Returns:
true iff the token is valid

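The following is an added, self-contained Java example illustrating the contract documented above (a per-session token that is independent of the session ID, about 60 bits of randomness, base64 encoded, stored under a session key and validated on each form submission). It is not Crowd's source: a plain Map stands in for the servlet session so it runs without the servlet API, the literal value of TOKEN_SESSION_KEY is a placeholder because the page does not give it, and the class name, TOKEN_PARAM_NAME and the constant-time comparison are this example's own choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Illustrative XSRF token generator following the design described in the
 * SimpleXsrfTokenGenerator Javadoc. Added example code, not Crowd's implementation:
 * the Map parameter stands in for javax.servlet.http.HttpSession.
 */
public class XsrfTokenExample {

    // Session attribute holding the token. The page documents the constant's name only;
    // this literal value is a placeholder, not Crowd's.
    public static final String TOKEN_SESSION_KEY = "example.xsrf.token";

    // Request parameter name a form would submit the token under (assumed name,
    // the page only says getXsrfTokenName() returns such a name).
    public static final String TOKEN_PARAM_NAME = "xsrf_token";

    private static final SecureRandom RANDOM = new SecureRandom();

    /**
     * Generate a fresh token, store it in the session and return it.
     * The token is deliberately a separate random value rather than the session ID,
     * so a leaked token does not hand over the whole session.
     */
    public static String generateToken(Map<String, Object> session) {
        byte[] raw = new byte[8];      // 64 random bits
        RANDOM.nextBytes(raw);
        raw[7] &= 0xF0;                // zero the low nibble: 60 bits of entropy remain
        // 8 bytes -> 11 unpadded base64 chars; the 11th only carries the zeroed bits,
        // so the first 10 chars encode exactly 60 bits (6 bits per character).
        String token = Base64.getUrlEncoder().withoutPadding()
                             .encodeToString(raw).substring(0, 10);
        session.put(TOKEN_SESSION_KEY, token);
        return token;
    }

    /** Mirror of getToken(request, create): return the stored token, creating one if asked. */
    public static String getToken(Map<String, Object> session, boolean create) {
        Object existing = session == null ? null : session.get(TOKEN_SESSION_KEY);
        if (existing != null) {
            return (String) existing;
        }
        return (create && session != null) ? generateToken(session) : null;
    }

    /** Mirror of validateToken(request, token): compare the submitted value with the session's. */
    public static boolean validateToken(Map<String, Object> session, String submitted) {
        String expected = getToken(session, false);
        if (expected == null || submitted == null) {
            return false;              // nothing to compare against, or nothing submitted
        }
        // Constant-time comparison so timing does not reveal how many leading chars matched.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();   // constructed stand-in session
        System.out.println("before any form is rendered: " + getToken(session, false));
        String token = getToken(session, true);
        System.out.println("issued " + token.length() + "-char token under " + TOKEN_PARAM_NAME + ": " + token);
        System.out.println("submitted matching token valid: " + validateToken(session, token));
        System.out.println("submitted forged token valid:   " + validateToken(session, "AAAAAAAAAA"));
        System.out.println("submitted no token valid:       " + validateToken(session, null));
    }
}
```

Compile and run with `javac XsrfTokenExample.java && java XsrfTokenExample`. In a real servlet the Map would be `request.getSession()` and the submitted value `request.getParameter(getXsrfTokenName())`; the points that carry over are that the token is generated from a secure random source, lives only in the server-side session, and is compared in constant time.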

Copyright © 2013 Atlassian. All Rights Reserved.