/**
 * Runs the CSRF token check before an action executes.
 *
 * <p>Only GET requests are exempt by method here; any other method (HEAD/OPTIONS included) still
 * reaches the token check unless the request has been explicitly marked as ignored via
 * {@code CSRF.isIgnored}. The outcome is always {@code State.CONTINUE}; a failed check is expected
 * to surface from {@code checkCsrfToken} itself.
 *
 * @param context    the action context carrying the current request
 * @param validation validation state (unused by this check)
 * @return {@code State.CONTINUE} in every non-throwing path
 * @throws Throwable whatever {@code checkCsrfToken} raises on a rejected token
 */
@Override
public State preExecuteAction(ActionContext context, Validation validation) throws Throwable {
    if (!isEnabled(context)) {
        return State.CONTINUE;
    }
    final Request request = context.getRequest();
    // Short-circuit keeps the original evaluation order: the ignore flag is only consulted for non-GET requests.
    final boolean exempt = request.isMethod(HTTP.Method.GET)
            || CSRF.isIgnored(request.getServletRequest());
    if (!exempt) {
        // The generated token is whatever the CSRF handler stored for this request earlier (may be null if it never ran).
        checkCsrfToken(request, CSRF.getGeneratedToken(request));
    }
    return State.CONTINUE;
}
/**
 * Resolves the CSRF token string presented by the client.
 *
 * <p>Lookup order: the configured CSRF header, then the configured request parameter, then whatever
 * {@code CSRF.getRequestToken} resolves. Because a request parameter is accepted, a token may travel
 * in a query string; whether that is acceptable for the deployment's logging/referrer exposure is
 * not decided here — TODO confirm.
 *
 * @param request the current request
 * @return the first non-empty token found, or the value of {@code CSRF.getRequestToken} (possibly null)
 */
protected String getCsrfTokenString(Request request) {
    String candidate = request.getHeader(securityConfig.getCsrfHeaderName());
    if (!Strings.isEmpty(candidate)) {
        return candidate;
    }
    candidate = request.getParameter(securityConfig.getCsrfParameterName());
    if (!Strings.isEmpty(candidate)) {
        return candidate;
    }
    return CSRF.getRequestToken(request);
}
}
/**
 * Pre-handles a request: binds the security context, services login/logout endpoints, resolves
 * authentication, and marks anonymous requests as exempt from CSRF checking.
 *
 * <p>Note for reviewers: {@code CSRF.ignore(request)} is applied whenever the resolved authentication
 * is not authenticated, so later CSRF checks are skipped for anonymous traffic — presumably by design;
 * confirm against the CSRF policy.
 *
 * @param request  the current request
 * @param response the current response
 * @param context  the security context holder bound to this request
 * @return {@code State.INTERCEPTED} when login/logout/authentication handling consumed the request,
 *         otherwise {@code State.CONTINUE}
 * @throws Throwable propagated from the login, logout, or authentication handlers
 */
protected State preHandleRequest(Request request, Response response, DefaultSecurityContextHolder context) throws Throwable {
    request.setSecurityContext(context);

    // Login is consulted first; logout is only consulted if login did not intercept (same short-circuit order as before).
    boolean intercepted = config.isLoginEnabled() && handleLoginRequest(request, response, context);
    if (!intercepted) {
        intercepted = config.isLogoutEnabled() && handleLogoutRequest(request, response, context);
    }
    if (intercepted) {
        return State.INTERCEPTED;
    }

    final State authState = resolveAuthentication(request, response, context);
    if (authState.isIntercepted()) {
        return authState;
    }

    // Anonymous access: flag the request so the downstream CSRF check is bypassed.
    if (!context.getAuthentication().isAuthenticated()) {
        CSRF.ignore(request);
    }
    return State.CONTINUE;
}
/**
 * Exposes the request's generated CSRF token to the template as {@code csrf_token_string}.
 *
 * @param context the template context; expected to be an {@code HtplContext} (cast without check, as before)
 * @param vars    template variables (unused)
 * @return {@code true} when CSRF is enabled and a request is bound to the context (even if no token
 *         was generated yet), {@code false} otherwise
 */
@Override
protected Object eval(Object context, Map<String, Object> vars) {
    if (!config.isCsrfEnabled()) {
        return false;
    }
    final HtplContext htplContext = (HtplContext) context;
    final RequestBase currentRequest = htplContext.getRequest();
    if (null == currentRequest) {
        return false;
    }
    // The variable is only set when a token was actually generated for this request.
    final CsrfToken generated = CSRF.getGeneratedToken(currentRequest);
    if (null != generated) {
        htplContext.setLocalVariable("csrf_token_string", generated.getToken());
    }
    return true;
} });
/**
 * Attaches a CSRF token to the request when CSRF protection is enabled.
 *
 * <p>An already-stored token (from {@code manager.loadToken}) is wrapped as a
 * {@code SimpleCsrfToken}; otherwise a fresh token is generated and wrapped as a
 * {@code SaveOnAccessCsrfToken}, which — judging by its name — defers persisting the new token
 * until it is first read (TODO confirm against that class).
 *
 * @param request  the current request
 * @param response the current response (unused)
 * @return {@code State.CONTINUE} always
 * @throws Throwable propagated from the token manager
 */
@Override
public State handleRequest(Request request, Response response) throws Throwable {
    if (!config.isCsrfEnabled()) {
        return State.CONTINUE;
    }

    final CsrfToken token;
    final String existing = manager.loadToken(request);
    if (null == existing) {
        final String fresh = manager.generateToken(request);
        token = new SaveOnAccessCsrfToken(config, fresh, request, manager);
    } else {
        token = new SimpleCsrfToken(config, existing, false);
    }

    // Make the token reachable both via the CSRF helper and as a request attribute under the parameter name.
    CSRF.setGeneratedToken(request, token);
    request.setAttribute(config.getCsrfParameterName(), token);
    return State.CONTINUE;
}
CSRF.ignore(request.getServletRequest());
CSRF.ignore(request.getServletRequest());