1 package com.atlassian.sal.core.xsrf;
2
3 import com.atlassian.sal.api.xsrf.XsrfTokenAccessor;
4 import com.atlassian.security.random.DefaultSecureTokenGenerator;
5 import com.atlassian.security.random.SecureTokenGenerator;
6 import org.slf4j.Logger;
7 import org.slf4j.LoggerFactory;
8
9 import javax.servlet.http.Cookie;
10 import javax.servlet.http.HttpServletRequest;
11 import javax.servlet.http.HttpServletResponse;
12
13
14
15
16
17
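/**
 * {@link XsrfTokenAccessor} that keeps the XSRF token in a cookie of its own
 * ({@value #XSRF_COOKIE_KEY}) instead of relying on host-application session state.
 *
 * <p>The token is looked up in the request's cookies on every call; a fresh one is only
 * generated (via {@link SecureTokenGenerator}) when no cookie is present and the caller
 * asked for creation.
 */
public class IndependentXsrfTokenAccessor implements XsrfTokenAccessor {
    private static final Logger log = LoggerFactory.getLogger(IndependentXsrfTokenAccessor.class);

    /** Name of the cookie that carries the XSRF token. */
    public static final String XSRF_COOKIE_KEY = "atl.xsrf.token";

    private final SecureTokenGenerator tokenGenerator = DefaultSecureTokenGenerator.getInstance();

    /**
     * Returns the XSRF token for this request, optionally creating it.
     *
     * @param request  the current request; its cookies are searched for {@value #XSRF_COOKIE_KEY}
     * @param response the response the newly created token cookie is added to
     * @param create   whether to generate a token (and set the cookie) when none is present
     * @return the existing cookie value, the freshly generated token when {@code create} is
     *         true, or {@code null} when no cookie exists and {@code create} is false
     */
    public String getXsrfToken(final HttpServletRequest request, final HttpServletResponse response, final boolean create) {
        final String existing = findExistingToken(request);
        if (existing != null) {
            return existing;
        }
        if (!create) {
            return null;
        }
        if (response.isCommitted()) {
            // addCookie() on a committed response cannot reach the client. The token is still
            // returned so the caller can embed it, but the next request will not carry the cookie.
            log.warn("Adding cookie to committed response, this will likely have no effect");
        }
        final String token = tokenGenerator.generateToken();
        final Cookie cookie = new Cookie(XSRF_COOKIE_KEY, token);
        if (request.isSecure()) {
            // Only mark the cookie Secure on HTTPS requests; on plain HTTP the browser would
            // never send a Secure cookie back, so the token could never be read again.
            cookie.setSecure(true);
        }
        // NOTE(review): neither a path nor HttpOnly is set. The servlet default scopes the cookie
        // to the request URI's path, so different paths may end up with different tokens — confirm
        // whether an explicit path (e.g. the context path) is intended. HttpOnly must stay off if
        // scripts read this cookie to echo it in a header; verify against the consumers.
        response.addCookie(cookie);
        return token;
    }

    /**
     * Looks up the token cookie on the request.
     *
     * @param request the request whose cookies are scanned
     * @return the value of the cookie named {@value #XSRF_COOKIE_KEY}, or {@code null} when the
     *         request has no cookies or none with that name
     */
    private static String findExistingToken(final HttpServletRequest request) {
        final Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        // Iterate the array fetched once above rather than calling request.getCookies() a
        // second time for the loop.
        for (final Cookie cookie : cookies) {
            if (XSRF_COOKIE_KEY.equals(cookie.getName())) {
                return cookie.getValue();
            }
        }
        return null;
    }
}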