com.atlassian.crowd.xwork

Class SimpleXsrfTokenGenerator

java.lang.Object

com.atlassian.crowd.xwork.SimpleXsrfTokenGenerator

All Implemented Interfaces:

XsrfTokenGenerator

public class SimpleXsrfTokenGenerator
extends Object
implements XsrfTokenGenerator

Simple implementation of XsrfTokenGenerator that stores a unique value in the session. The session ID itself isn't used because we don't want to risk compromising the entire session in case we don't protect the XSRF token diligently enough.

Tokens are chosen to be reasonably unique (60 bits) with reasonably short representations (base64 encoded).

Field Summary

Fields

Modifier and Type	Field and Description
static String	TOKEN_SESSION_KEY

Constructor Summary

Constructors

Constructor and Description
SimpleXsrfTokenGenerator()

Method Summary

Modifier and Type	Method and Description
String	generateToken(javax.servlet.http.HttpServletRequest request) Generate a new form token for the current request.
String	getToken(javax.servlet.http.HttpServletRequest request, boolean create) Retrieves the token from the request.
String	getXsrfTokenName() Convenience method which will return the name to be used for a supplied XsrfToken in a request.
boolean	validateToken(javax.servlet.http.HttpServletRequest request, String token) Validate a form token received as part of a web request

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

TOKEN_SESSION_KEY

public static final String TOKEN_SESSION_KEY

See Also:

Constant Field Values

Constructor Detail

SimpleXsrfTokenGenerator

public SimpleXsrfTokenGenerator()

Method Detail

getToken

public String getToken(javax.servlet.http.HttpServletRequest request,
                       boolean create)

Description copied from interface: XsrfTokenGenerator

Retrieves the token from the request. Returns null if there is no request and create is false. If create is true, a new token is generated and returned.

Specified by:

getToken in interface XsrfTokenGenerator

Parameters:

request - the request the token is retrieved from

create - if true, a token will be created if it doesn't already exist

Returns:

a valid XSRF form token, null if there is none in the request and create of false.

generateToken

public String generateToken(javax.servlet.http.HttpServletRequest request)

Description copied from interface: XsrfTokenGenerator

Generate a new form token for the current request.

Specified by:

generateToken in interface XsrfTokenGenerator

Parameters:

request - the request the token is being generated for

Returns:

a valid XSRF form token

getXsrfTokenName

public String getXsrfTokenName()

Description copied from interface: XsrfTokenGenerator

Convenience method which will return the name to be used for a supplied XsrfToken in a request.

Specified by:

getXsrfTokenName in interface XsrfTokenGenerator

Returns:

the name in the request for the Xsrf token.

validateToken

public boolean validateToken(javax.servlet.http.HttpServletRequest request,
                             String token)

Description copied from interface: XsrfTokenGenerator

Validate a form token received as part of a web request

Specified by:

validateToken in interface XsrfTokenGenerator

Parameters:

request - the request the token was received in

token - the token

Returns:

true iff the token is valid