/**
 * Resolves the name of the session cookie this servlet verifies XSRF tokens
 * against. A value supplied through the constructor is kept; otherwise the
 * servlet init-parameter {@code COOKIE_NAME_PARAM} is consulted first and the
 * context init-parameter of the same name second.
 *
 * @throws ServletException propagated from {@code super.init()}
 * @throws IllegalStateException if no cookie name is configured anywhere
 */
@Override
public void init() throws ServletException {
  super.init();
  // A name injected via the constructor wins over any deployment descriptor value.
  if (sessionCookieName != null) {
    return;
  }
  // Servlet-level configuration takes precedence over context-level configuration.
  String configuredName = getServletConfig().getInitParameter(
      XsrfTokenServiceServlet.COOKIE_NAME_PARAM);
  if (configuredName == null) {
    configuredName = getServletContext().getInitParameter(
        XsrfTokenServiceServlet.COOKIE_NAME_PARAM);
  }
  if (configuredName == null) {
    throw new IllegalStateException(
        XsrfTokenServiceServlet.COOKIE_NAME_NOT_SET_ERROR_MSG);
  }
  sessionCookieName = configuredName;
}
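/**
 * Validates the {@link XsrfToken} included with an {@link RPCRequest} against
 * the XSRF session cookie.
 *
 * <p>The expected token is the hex-encoded MD5 digest of the session cookie's
 * value, so anyone who can read that cookie can compute it; the scheme relies
 * on the cookie being unguessable to cross-site callers. The digest is taken
 * over {@code getValue().getBytes()} (platform default charset) to stay
 * byte-compatible with the token generator — do not change one side without
 * the other.
 *
 * @param token the RPC token sent by the client, expected to be an {@link XsrfToken}
 * @param method the service method being invoked (not consulted here)
 * @throws RpcTokenException if the token is missing, is not an
 *     {@link XsrfToken}, the session cookie is missing or empty, or the token
 *     does not match the cookie-derived value
 */
@Override
protected void validateXsrfToken(RpcToken token, Method method)
    throws RpcTokenException {
  if (token == null) {
    throw new RpcTokenException("XSRF token missing");
  }
  // Reject foreign token types with the exception callers already handle
  // rather than letting the cast below escape as a ClassCastException.
  if (!(token instanceof XsrfToken)) {
    throw new RpcTokenException("Invalid XSRF token");
  }
  Cookie sessionCookie = Util.getCookie(getThreadLocalRequest(),
      sessionCookieName, false);
  if (sessionCookie == null || sessionCookie.getValue() == null
      || sessionCookie.getValue().length() == 0) {
    throw new RpcTokenException("Session cookie is missing or empty! "
        + "Unable to verify XSRF cookie");
  }
  String expectedToken = StringUtils.toHexString(
      Md5Utils.getMd5Digest(sessionCookie.getValue().getBytes()));
  String suppliedToken = ((XsrfToken) token).getToken();
  // Constant-time comparison: String.equals returns at the first differing
  // character, which exposes how much of the expected token matched through
  // response timing. The expected value is ASCII hex, so comparing the UTF-8
  // byte images of both strings is equivalent to comparing the strings.
  if (suppliedToken == null
      || !java.security.MessageDigest.isEqual(
          expectedToken.getBytes(java.nio.charset.StandardCharsets.UTF_8),
          suppliedToken.getBytes(java.nio.charset.StandardCharsets.UTF_8))) {
    throw new RpcTokenException("Invalid XSRF token");
  }
}
}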
/**
 * Resolves the name of the session cookie this servlet verifies XSRF tokens
 * against. A value supplied through the constructor is kept; otherwise the
 * servlet init-parameter {@code COOKIE_NAME_PARAM} is consulted first and the
 * context init-parameter of the same name second.
 *
 * @throws ServletException propagated from {@code super.init()}
 * @throws IllegalStateException if no cookie name is configured anywhere
 */
@Override
public void init() throws ServletException {
  super.init();
  // A name injected via the constructor wins over any deployment descriptor value.
  if (sessionCookieName != null) {
    return;
  }
  // Servlet-level configuration takes precedence over context-level configuration.
  String configuredName = getServletConfig().getInitParameter(
      XsrfTokenServiceServlet.COOKIE_NAME_PARAM);
  if (configuredName == null) {
    configuredName = getServletContext().getInitParameter(
        XsrfTokenServiceServlet.COOKIE_NAME_PARAM);
  }
  if (configuredName == null) {
    throw new IllegalStateException(
        XsrfTokenServiceServlet.COOKIE_NAME_NOT_SET_ERROR_MSG);
  }
  sessionCookieName = configuredName;
}
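/**
 * Validates the {@link XsrfToken} included with an {@link RPCRequest} against
 * the XSRF session cookie.
 *
 * <p>The expected token is the hex-encoded MD5 digest of the session cookie's
 * value, so anyone who can read that cookie can compute it; the scheme relies
 * on the cookie being unguessable to cross-site callers. The digest is taken
 * over {@code getValue().getBytes()} (platform default charset) to stay
 * byte-compatible with the token generator — do not change one side without
 * the other.
 *
 * @param token the RPC token sent by the client, expected to be an {@link XsrfToken}
 * @param method the service method being invoked (not consulted here)
 * @throws RpcTokenException if the token is missing, is not an
 *     {@link XsrfToken}, the session cookie is missing or empty, or the token
 *     does not match the cookie-derived value
 */
@Override
protected void validateXsrfToken(RpcToken token, Method method)
    throws RpcTokenException {
  if (token == null) {
    throw new RpcTokenException("XSRF token missing");
  }
  // Reject foreign token types with the exception callers already handle
  // rather than letting the cast below escape as a ClassCastException.
  if (!(token instanceof XsrfToken)) {
    throw new RpcTokenException("Invalid XSRF token");
  }
  Cookie sessionCookie = Util.getCookie(getThreadLocalRequest(),
      sessionCookieName, false);
  if (sessionCookie == null || sessionCookie.getValue() == null
      || sessionCookie.getValue().length() == 0) {
    throw new RpcTokenException("Session cookie is missing or empty! "
        + "Unable to verify XSRF cookie");
  }
  String expectedToken = StringUtils.toHexString(
      Md5Utils.getMd5Digest(sessionCookie.getValue().getBytes()));
  String suppliedToken = ((XsrfToken) token).getToken();
  // Constant-time comparison: String.equals returns at the first differing
  // character, which exposes how much of the expected token matched through
  // response timing. The expected value is ASCII hex, so comparing the UTF-8
  // byte images of both strings is equivalent to comparing the strings.
  if (suppliedToken == null
      || !java.security.MessageDigest.isEqual(
          expectedToken.getBytes(java.nio.charset.StandardCharsets.UTF_8),
          suppliedToken.getBytes(java.nio.charset.StandardCharsets.UTF_8))) {
    throw new RpcTokenException("Invalid XSRF token");
  }
}
}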
/**
 * Resolves the name of the session cookie this servlet verifies XSRF tokens
 * against. A value supplied through the constructor is kept; otherwise the
 * servlet init-parameter {@code COOKIE_NAME_PARAM} is consulted first and the
 * context init-parameter of the same name second.
 *
 * @throws ServletException propagated from {@code super.init()}
 * @throws IllegalStateException if no cookie name is configured anywhere
 */
@Override
public void init() throws ServletException {
  super.init();
  // A name injected via the constructor wins over any deployment descriptor value.
  if (sessionCookieName != null) {
    return;
  }
  // Servlet-level configuration takes precedence over context-level configuration.
  String configuredName = getServletConfig().getInitParameter(
      XsrfTokenServiceServlet.COOKIE_NAME_PARAM);
  if (configuredName == null) {
    configuredName = getServletContext().getInitParameter(
        XsrfTokenServiceServlet.COOKIE_NAME_PARAM);
  }
  if (configuredName == null) {
    throw new IllegalStateException(
        XsrfTokenServiceServlet.COOKIE_NAME_NOT_SET_ERROR_MSG);
  }
  sessionCookieName = configuredName;
}
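/**
 * Validates the {@link XsrfToken} included with an {@link RPCRequest} against
 * the XSRF session cookie.
 *
 * <p>The expected token is the hex-encoded MD5 digest of the session cookie's
 * value, so anyone who can read that cookie can compute it; the scheme relies
 * on the cookie being unguessable to cross-site callers. The digest is taken
 * over {@code getValue().getBytes()} (platform default charset) to stay
 * byte-compatible with the token generator — do not change one side without
 * the other.
 *
 * @param token the RPC token sent by the client, expected to be an {@link XsrfToken}
 * @param method the service method being invoked (not consulted here)
 * @throws RpcTokenException if the token is missing, is not an
 *     {@link XsrfToken}, the session cookie is missing or empty, or the token
 *     does not match the cookie-derived value
 */
@Override
protected void validateXsrfToken(RpcToken token, Method method)
    throws RpcTokenException {
  if (token == null) {
    throw new RpcTokenException("XSRF token missing");
  }
  // Reject foreign token types with the exception callers already handle
  // rather than letting the cast below escape as a ClassCastException.
  if (!(token instanceof XsrfToken)) {
    throw new RpcTokenException("Invalid XSRF token");
  }
  Cookie sessionCookie = Util.getCookie(getThreadLocalRequest(),
      sessionCookieName, false);
  if (sessionCookie == null || sessionCookie.getValue() == null
      || sessionCookie.getValue().length() == 0) {
    throw new RpcTokenException("Session cookie is missing or empty! "
        + "Unable to verify XSRF cookie");
  }
  String expectedToken = StringUtils.toHexString(
      Md5Utils.getMd5Digest(sessionCookie.getValue().getBytes()));
  String suppliedToken = ((XsrfToken) token).getToken();
  // Constant-time comparison: String.equals returns at the first differing
  // character, which exposes how much of the expected token matched through
  // response timing. The expected value is ASCII hex, so comparing the UTF-8
  // byte images of both strings is equivalent to comparing the strings.
  if (suppliedToken == null
      || !java.security.MessageDigest.isEqual(
          expectedToken.getBytes(java.nio.charset.StandardCharsets.UTF_8),
          suppliedToken.getBytes(java.nio.charset.StandardCharsets.UTF_8))) {
    throw new RpcTokenException("Invalid XSRF token");
  }
}
}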