
1   package com.atlassian.sal.core.xsrf;
2   
3   import com.atlassian.sal.api.xsrf.XsrfTokenAccessor;
4   import com.atlassian.security.random.DefaultSecureTokenGenerator;
5   import com.atlassian.security.random.SecureTokenGenerator;
6   import org.slf4j.Logger;
7   import org.slf4j.LoggerFactory;
8   
9   import javax.servlet.http.Cookie;
10  import javax.servlet.http.HttpServletRequest;
11  import javax.servlet.http.HttpServletResponse;
12  
13  /**
14   * XSRF token accessor that manages its own tokens, not using the underlying application's XSRF tokens
15   *
16   * @since 2.4
17   */
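public class IndependentXsrfTokenAccessor implements XsrfTokenAccessor
{
    private static final Logger log = LoggerFactory.getLogger(IndependentXsrfTokenAccessor.class);

    /** Name of the cookie in which this accessor stores and looks up its XSRF token. */
    public static final String XSRF_COOKIE_KEY = "atl.xsrf.token";

    private final SecureTokenGenerator tokenGenerator = DefaultSecureTokenGenerator.getInstance();

    /**
     * Returns the XSRF token for the current client: the value of the {@link #XSRF_COOKIE_KEY} cookie if the request
     * carries one, otherwise (when {@code create} is {@code true}) a freshly generated token that is also set as a
     * cookie on the response.
     * <p>
     * The cookie value is returned exactly as the client sent it; this method does not validate or normalise it.
     * Whatever compares a submitted token against this value is responsible for the actual XSRF check.
     *
     * @param request  the current request, used to find an existing token cookie and to decide whether a new cookie
     *                 must be marked {@code Secure}
     * @param response the current response, to which a new token cookie is added when one has to be created
     * @param create   whether to generate and set a new token when the request carries none
     * @return the existing or newly created token, or {@code null} if there is none and {@code create} is {@code false}
     */
    public String getXsrfToken(final HttpServletRequest request, final HttpServletResponse response, final boolean create)
    {
        final Cookie[] cookies = request.getCookies();
        if (cookies != null)
        {
            // Iterate over the array already fetched instead of calling request.getCookies() a second time.
            for (final Cookie cookie : cookies)
            {
                // Constant-first equals also tolerates a cookie with a null name.
                if (XSRF_COOKIE_KEY.equals(cookie.getName()))
                {
                    return cookie.getValue();
                }
            }
        }
        if (!create)
        {
            return null;
        }
        if (response.isCommitted())
        {
            // Headers have already been flushed, so the Set-Cookie added below cannot reach the client.
            log.warn("Adding cookie to committed response, this will likely have no effect");
        }
        final String token = tokenGenerator.generateToken();
        // No HttpOnly flag and no explicit path are set, so the cookie keeps the container defaults -- presumably
        // so client-side code can read and resubmit the token; confirm this matches how the token is validated.
        final Cookie cookie = new Cookie(XSRF_COOKIE_KEY, token);
        if (request.isSecure())
        {
            // A token issued over TLS must only ever travel back over TLS.
            cookie.setSecure(true);
        }
        response.addCookie(cookie);
        return token;
    }
}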