
1   package com.atlassian.xwork;
2   
import com.atlassian.security.random.DefaultSecureTokenGenerator;
import com.atlassian.xwork.interceptors.XsrfTokenInterceptor;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
8   
9   /**
10   * Simple implementation of XsrfTokenGenerator that stores a unique value in the session. The session ID
11   * itself isn't used because we don't want to risk compromising the entire session in case we don't protect
12   * the XSRF token diligently enough.
13   *
14   * <p>Tokens are chosen to be reasonably unique (60 bits) with reasonably short representations (base64 encoded).
15   */
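public class SimpleXsrfTokenGenerator implements XsrfTokenGenerator
{
    /** Session attribute under which the per-session token is stored. */
    public static final String TOKEN_SESSION_KEY = "atlassian.xsrf.token";

    /**
     * Returns the XSRF token held in the request's session, optionally creating one.
     *
     * @param request the current request; a session is created for it if none exists yet
     * @param create  whether to generate and store a new token when the session holds none
     * @return the session's token, or {@code null} if there is none and {@code create} is false
     */
    public String getToken(HttpServletRequest request, boolean create)
    {
        // No-arg getSession() allocates a session if needed so that a created token always has
        // somewhere to live.
        HttpSession session = request.getSession();
        String token = (String) session.getAttribute(TOKEN_SESSION_KEY);

        if (create && token == null)
        {
            token = createToken();
            session.setAttribute(TOKEN_SESSION_KEY, token);
        }

        return token;
    }

    /**
     * Returns the session's token, generating and storing a new one if the session has none.
     * Equivalent to {@code getToken(request, true)}.
     *
     * @param request the current request
     * @return the session's token, never {@code null}
     */
    public String generateToken(HttpServletRequest request)
    {
        return getToken(request, true);
    }

    /**
     * Returns the request parameter name under which clients submit the token.
     *
     * @return {@link XsrfTokenInterceptor#REQUEST_PARAM_NAME}
     */
    public String getXsrfTokenName()
    {
        return XsrfTokenInterceptor.REQUEST_PARAM_NAME;
    }

    /**
     * Checks a client-submitted token against the one stored in the session.
     *
     * <p>No session is created here: a request without a session cannot carry a valid token,
     * and a forged request should not be able to allocate server-side state just by being
     * validated. The comparison uses {@link MessageDigest#isEqual(byte[], byte[])} so that
     * response timing does not depend on how many leading bytes of the submitted value match
     * the stored token (only the length, when it differs, is exposed).
     *
     * @param request the current request
     * @param token   the token submitted by the client, may be {@code null}
     * @return {@code true} only if a session exists, holds a token, and it equals {@code token}
     */
    public boolean validateToken(HttpServletRequest request, String token)
    {
        if (token == null)
        {
            return false;
        }

        HttpSession session = request.getSession(false);
        if (session == null)
        {
            return false;
        }

        Object expected = session.getAttribute(TOKEN_SESSION_KEY);
        if (!(expected instanceof String))
        {
            // Either no token was issued for this session or the attribute was overwritten with
            // something unexpected; in both cases nothing can legitimately match.
            return false;
        }

        return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                token.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Produces a fresh random token from the platform's secure token generator.
     *
     * @return a new token value
     */
    private String createToken()
    {
        return DefaultSecureTokenGenerator.getInstance().generateToken();
    }
}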