Class SimpleXsrfTokenGenerator

java.lang.Object
com.atlassian.crowd.xwork.SimpleXsrfTokenGenerator
All Implemented Interfaces:
XsrfTokenGenerator

public class SimpleXsrfTokenGenerator extends Object implements XsrfTokenGenerator
Simple implementation of XsrfTokenGenerator that stores a unique value in the session. The session ID itself isn't used because we don't want to risk compromising the entire session in case we don't protect the XSRF token diligently enough.

Tokens are chosen to be reasonably unique (60 bits) with reasonably short representations (base64 encoded).

  • Field Details

  • Constructor Details

    • SimpleXsrfTokenGenerator

      public SimpleXsrfTokenGenerator()
  • Method Details

    • getToken

      public String getToken(javax.servlet.http.HttpServletRequest request, boolean create)
      Description copied from interface: XsrfTokenGenerator
      Retrieves the token from the request. Returns null if there is no request and create is false. If create is true, a new token is generated and returned.
      Specified by:
      getToken in interface XsrfTokenGenerator
      Parameters:
      request - the request the token is retrieved from
      create - if true, a token will be created if it doesn't already exist
      Returns:
      a valid XSRF form token, or null if there is none in the request and create is false.
    • generateToken

      public String generateToken(javax.servlet.http.HttpServletRequest request)
      Description copied from interface: XsrfTokenGenerator
      Generate a new form token for the current request.
      Specified by:
      generateToken in interface XsrfTokenGenerator
      Parameters:
      request - the request the token is being generated for
      Returns:
      a valid XSRF form token
    • getXsrfTokenName

      public String getXsrfTokenName()
      Description copied from interface: XsrfTokenGenerator
      Convenience method which will return the name to be used for a supplied XsrfToken in a request.
      Specified by:
      getXsrfTokenName in interface XsrfTokenGenerator
      Returns:
      the name in the request for the Xsrf token.
    • validateToken

      public boolean validateToken(javax.servlet.http.HttpServletRequest request, String token)
      Description copied from interface: XsrfTokenGenerator
      Validate a form token received as part of a web request.
      Specified by:
      validateToken in interface XsrfTokenGenerator
      Parameters:
      request - the request the token was received in
      token - the token
      Returns:
      true iff the token is valid
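
The class description and the getToken / validateToken contracts above, as an added sketch that is not Atlassian's implementation: a 60-bit random token, independent of the session ID, is stored in the session and checked on submit. The Map standing in for HttpSession, the SESSION_KEY name, the base64url alphabet and the constant-time comparison are all assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

public class SessionXsrfTokenSketch {
    // Hypothetical attribute name; the real class's session key is not shown on this page.
    static final String SESSION_KEY = "example.xsrf.token";
    // URL-safe base64 alphabet (assumption), so the token needs no escaping in forms or URLs.
    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    private static final SecureRandom RANDOM = new SecureRandom();

    // 60 random bits rendered as ten base64 characters (6 bits each), unrelated to any session ID.
    static String newToken() {
        long bits = RANDOM.nextLong() & ((1L << 60) - 1);
        StringBuilder sb = new StringBuilder(10);
        for (int i = 0; i < 10; i++) {
            sb.append(ALPHABET.charAt((int) (bits & 0x3F)));
            bits >>>= 6;
        }
        return sb.toString();
    }

    // Mirrors getToken(request, create); the map stands in for the request's HttpSession.
    static String getToken(Map<String, Object> session, boolean create) {
        String token = (String) session.get(SESSION_KEY);
        if (token == null && create) {
            token = newToken();
            session.put(SESSION_KEY, token);
        }
        return token;
    }

    // Mirrors validateToken(request, token): fails closed and compares in constant time.
    static boolean validateToken(Map<String, Object> session, String supplied) {
        String expected = getToken(session, false);
        if (expected == null || supplied == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }
    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();   // constructed stand-in session
        System.out.println(validateToken(session, "anything"));  // no token issued yet
        String token = getToken(session, true);                  // issued once, then reused
        System.out.println(validateToken(session, token));       // token from this session
        System.out.println(validateToken(session, newToken()));  // token from elsewhere
    }
}
```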