1 package com.atlassian.sal.core.xsrf;
2
3 import com.atlassian.sal.api.xsrf.XsrfTokenAccessor;
4 import com.atlassian.security.random.DefaultSecureTokenGenerator;
5 import com.atlassian.security.random.SecureTokenGenerator;
6 import org.slf4j.Logger;
7 import org.slf4j.LoggerFactory;
8
9 import javax.servlet.http.Cookie;
10 import javax.servlet.http.HttpServletRequest;
11 import javax.servlet.http.HttpServletResponse;
12
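/**
 * {@link XsrfTokenAccessor} that keeps the XSRF token in a cookie named
 * {@link #XSRF_COOKIE_KEY} rather than in server-side state.
 *
 * <p>The token returned for an existing cookie is whatever the client sent: this class does not
 * validate its format, length or origin. Callers that compare it with a submitted token should
 * treat it as untrusted input.
 */
public class IndependentXsrfTokenAccessor implements XsrfTokenAccessor
{
    private static final Logger log = LoggerFactory.getLogger(IndependentXsrfTokenAccessor.class);

    /** Name of the cookie that carries the XSRF token. */
    public static final String XSRF_COOKIE_KEY = "atl.xsrf.token";

    private final SecureTokenGenerator tokenGenerator = DefaultSecureTokenGenerator.getInstance();

    /**
     * Returns the XSRF token for the request, optionally issuing a new one.
     *
     * @param request  the incoming request whose cookies are searched for {@link #XSRF_COOKIE_KEY}
     * @param response the response that receives the new cookie when a token is created
     * @param create   whether to generate a token and set the cookie when the request has none
     * @return the value of the first matching cookie; otherwise a newly generated token when
     *         {@code create} is {@code true}; otherwise {@code null}
     */
    @Override
    public String getXsrfToken(final HttpServletRequest request, final HttpServletResponse response, final boolean create)
    {
        // Read the cookie array once; getCookies() returns null when the request carries no cookies.
        final Cookie[] cookies = request.getCookies();
        if (cookies != null)
        {
            for (final Cookie candidate : cookies)
            {
                // Constant-first equals keeps the comparison null-safe.
                if (XSRF_COOKIE_KEY.equals(candidate.getName()))
                {
                    return candidate.getValue();
                }
            }
        }

        if (!create)
        {
            return null;
        }

        if (response.isCommitted())
        {
            // Best effort: the cookie is still added, but headers may already have been sent.
            log.warn("Adding cookie to committed response, this will likely have no effect");
        }

        final String token = tokenGenerator.generateToken();
        final Cookie tokenCookie = new Cookie(XSRF_COOKIE_KEY, token);
        // Do not let a token issued over HTTPS be sent back over plain HTTP.
        // Behind a TLS-terminating proxy isSecure() may report false, in which case nothing changes.
        if (request.isSecure())
        {
            tokenCookie.setSecure(true);
        }
        // NOTE(review): Path and HttpOnly are left at the container defaults. With no explicit path
        // the cookie is scoped to the request path, so different paths may end up with different
        // tokens - confirm whether that is intended before changing it.
        response.addCookie(tokenCookie);
        return token;
    }
}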