View Javadoc
1   package com.atlassian.sal.core.xsrf;
2   
3   import com.atlassian.sal.api.xsrf.XsrfTokenAccessor;
4   import com.atlassian.security.random.DefaultSecureTokenGenerator;
5   import com.atlassian.security.random.SecureTokenGenerator;
6   import org.slf4j.Logger;
7   import org.slf4j.LoggerFactory;
8   
9   import javax.servlet.http.Cookie;
10  import javax.servlet.http.HttpServletRequest;
11  import javax.servlet.http.HttpServletResponse;
12  
13  /**
14   * XSRF token accessor that manages its own tokens, not using the underlying applications XSRF tokens
15   *
16   * @since 2.4
17   */
18  public class IndependentXsrfTokenAccessor implements XsrfTokenAccessor {
19      private static final Logger log = LoggerFactory.getLogger(IndependentXsrfTokenAccessor.class);
20      public static final String XSRF_COOKIE_KEY = "atl.xsrf.token";
21  
22      private final SecureTokenGenerator tokenGenerator = DefaultSecureTokenGenerator.getInstance();
23  
24      public String getXsrfToken(final HttpServletRequest request, final HttpServletResponse response, final boolean create) {
25          Cookie[] cookies = request.getCookies();
26          if (cookies != null) {
27              for (Cookie cookie : request.getCookies()) {
28                  if (cookie.getName().equals(XSRF_COOKIE_KEY)) {
29                      return cookie.getValue();
30                  }
31              }
32          }
33          if (create) {
34              if (response.isCommitted()) {
35                  log.warn("Adding cookie to committed response, this will likely have no effect");
36              }
37              String token = tokenGenerator.generateToken();
38              Cookie cookie = new Cookie(XSRF_COOKIE_KEY, token);
39              if (request.isSecure()) {
40                  cookie.setSecure(true);
41              }
42              response.addCookie(cookie);
43              return token;
44          }
45          return null;
46      }
47  }