1   package com.atlassian.sal.core.xsrf;
2   
import com.atlassian.sal.api.xsrf.XsrfTokenAccessor;
import com.atlassian.sal.api.xsrf.XsrfTokenValidator;
import com.atlassian.security.utils.ConstantTimeComparison;

import javax.servlet.http.HttpServletRequest;

import java.util.Objects;
8   
9   /**
10   * XSRF token validator that manages its own tokens, not using the underlying applications XSRF tokens
11   *
12   * @since 2.4
13   */
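public class IndependentXsrfTokenValidator implements XsrfTokenValidator {
    /** Name of the request parameter in which the client submits its XSRF token. */
    public static final String XSRF_PARAM_NAME = "atl_token";

    /** Source of the token the server expects for a given request; never null. */
    private final XsrfTokenAccessor accessor;

    /**
     * Creates a validator that compares submitted tokens against those issued by
     * {@code accessor}.
     *
     * @param accessor source of the expected token for a request
     * @throws NullPointerException if {@code accessor} is null — failing here is
     *         clearer than an NPE on the first validation call
     */
    public IndependentXsrfTokenValidator(XsrfTokenAccessor accessor) {
        this.accessor = Objects.requireNonNull(accessor, "accessor");
    }

    /**
     * Checks whether the token submitted in the {@value #XSRF_PARAM_NAME} parameter
     * matches the token the accessor associates with this request.
     *
     * <p>Note that {@link HttpServletRequest#getParameter} returns query-string as
     * well as form-body values, so a token placed in the URL is accepted by this
     * method; callers that want to reject URL-borne tokens must check that
     * separately.
     *
     * @param request the incoming request
     * @return {@code true} only if both a submitted and an expected token exist and
     *         they are equal; {@code false} if either is absent
     */
    @Override
    public boolean validateFormEncodedToken(HttpServletRequest request) {
        String submitted = request.getParameter(XSRF_PARAM_NAME);
        // NOTE(review): the trailing 'false' presumably tells the accessor not to
        // mint a token when the request has none — TODO confirm against
        // XsrfTokenAccessor. A request without an expected token must fail closed.
        String expected = accessor.getXsrfToken(request, null, false);
        if (submitted == null || expected == null) {
            return false;
        }
        // Constant-time comparison so that response timing does not reveal how
        // many leading characters of the submitted token were correct.
        return ConstantTimeComparison.isEqual(submitted, expected);
    }

    /**
     * Returns the name of the request parameter this validator reads the token from.
     *
     * @return {@value #XSRF_PARAM_NAME}
     */
    @Override
    public String getXsrfParameterName() {
        return XSRF_PARAM_NAME;
    }
}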