Package com.atlassian.crowd.xwork
Class SimpleXsrfTokenGenerator
java.lang.Object
com.atlassian.crowd.xwork.SimpleXsrfTokenGenerator
All Implemented Interfaces: XsrfTokenGenerator
Simple implementation of XsrfTokenGenerator that stores a unique value in the session. The session ID
itself isn't used because we don't want to risk compromising the entire session in case we don't protect
the XSRF token diligently enough.
Tokens are chosen to be reasonably unique (60 bits) with reasonably short representations (base64 encoded).
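A sketch of the scheme described above, added here as an illustration and not Atlassian's implementation: a random 60-bit token (10 base64 characters), generated independently of the session ID, is stored in the session and compared with the submitted value. The Map standing in for the HttpSession attributes, the session key name and the constant-time comparison are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Atlassian's source. The Map stands in for the
// attributes of an HttpSession so the example runs without a servlet container.
public class SessionXsrfTokenSketch {
    // Hypothetical key name; the real TOKEN_SESSION_KEY value is not shown on the page.
    static final String SESSION_KEY = "example.xsrf.token";
    private static final String BASE64_ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    private static final int TOKEN_CHARS = 10; // 10 characters x 6 bits = 60 bits
    private static final SecureRandom RANDOM = new SecureRandom();

    // Draw a fresh random token, unrelated to the session ID, and store it in the session.
    static String generateToken(Map<String, Object> session) {
        StringBuilder sb = new StringBuilder(TOKEN_CHARS);
        for (int i = 0; i < TOKEN_CHARS; i++) {
            sb.append(BASE64_ALPHABET.charAt(RANDOM.nextInt(64)));
        }
        String token = sb.toString();
        session.put(SESSION_KEY, token);
        return token;
    }

    // Return the stored token; create one only when asked to.
    static String getToken(Map<String, Object> session, boolean create) {
        String token = (String) session.get(SESSION_KEY);
        return (token == null && create) ? generateToken(session) : token;
    }

    // A submitted token is valid only if it equals the token stored in this session.
    static boolean validateToken(Map<String, Object> session, String submitted) {
        String expected = getToken(session, false);
        if (expected == null || submitted == null) {
            return false; // no token issued for this session, or none submitted
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>(), otherSession = new HashMap<>();
        String token = getToken(session, true);
        System.out.println(validateToken(session, token));      // token from the same session
        System.out.println(validateToken(otherSession, token)); // token replayed in another session
    }
}
```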
Field Summary
Constructor Summary
Method Summary
Modifier and Type, Method, Description:
- generateToken(javax.servlet.http.HttpServletRequest request): Generate a new form token for the current request.
- getToken(javax.servlet.http.HttpServletRequest request, boolean create): Retrieves the token from the request.
- getXsrfTokenName(): Convenience method which will return the name to be used for a supplied XsrfToken in a request.
- boolean validateToken(javax.servlet.http.HttpServletRequest request, String token): Validate a form token received as part of a web request.
Field Details
TOKEN_SESSION_KEY
- See Also:
Constructor Details
SimpleXsrfTokenGenerator
public SimpleXsrfTokenGenerator()
Method Details
getToken
Description copied from interface: XsrfTokenGenerator
Retrieves the token from the request. Returns null if there is no request and create is false. If create is true, a new token is generated and returned.
- Specified by: getToken in interface XsrfTokenGenerator
- Parameters:
request - the request the token is retrieved from
create - if true, a token will be created if it doesn't already exist
- Returns: a valid XSRF form token, null if there is none in the request and create is false.
generateToken
Description copied from interface: XsrfTokenGenerator
Generate a new form token for the current request.
- Specified by: generateToken in interface XsrfTokenGenerator
- Parameters:
request - the request the token is being generated for
- Returns: a valid XSRF form token
getXsrfTokenName
Description copied from interface: XsrfTokenGenerator
Convenience method which will return the name to be used for a supplied XsrfToken in a request.
- Specified by: getXsrfTokenName in interface XsrfTokenGenerator
- Returns: the name in the request for the Xsrf token.
validateToken
Description copied from interface: XsrfTokenGenerator
Validate a form token received as part of a web request.
- Specified by: validateToken in interface XsrfTokenGenerator
- Parameters:
request - the request the token was received in
token - the token
- Returns: true iff the token is valid