/**
 * Renders this token as its string value.
 *
 * <p>Delegates to {@link #getToken()}, so any side effect that accessor has
 * (for a save-on-access token, persisting it) also happens when the token is
 * stringified — e.g. by logging or string concatenation.
 *
 * @return the token string
 */
@Override
public String toString() {
    String value = getToken();
    return value;
}
}
/**
 * Produces a fresh CSRF token for the given request.
 *
 * <p>The request is not consulted; generation is delegated entirely to
 * {@code doGenerateToken()}, so the returned value does not depend on request state.
 *
 * @param request the current request (unused by this implementation)
 * @return the newly generated token string
 * @throws Throwable propagated from {@code doGenerateToken()}
 */
@Override
public String generateToken(Request request) throws Throwable {
    String fresh = doGenerateToken();
    return fresh;
}
/**
 * Verifies that the token carried by the request is acceptable for the expected token.
 *
 * <p>The submitted value is resolved via {@code getCsrfTokenString(request)} and handed
 * to {@code csrfManager.verifyToken}. On failure, a token that was freshly generated
 * for this request ({@code expected.isNew()}) yields {@link MissingCsrfTokenException}
 * — the client most likely never received one; otherwise
 * {@link InvalidCsrfTokenException} is thrown.
 *
 * <p>NOTE(review): the invalid-token message embeds the client-supplied value verbatim;
 * wherever this message is rendered or logged, treat it as untrusted input.
 *
 * @param request  the current request
 * @param expected the token the server expects for this request
 * @throws MissingCsrfTokenException if verification fails and {@code expected} is new
 * @throws InvalidCsrfTokenException if verification fails against an existing token
 * @throws Throwable                 propagated from {@code csrfManager.verifyToken}
 */
protected void checkCsrfToken(Request request, CsrfToken expected) throws Throwable {
    String submitted = getCsrfTokenString(request);
    if (csrfManager.verifyToken(request, submitted, expected)) {
        return;
    }
    if (expected.isNew()) {
        throw new MissingCsrfTokenException("Expected CSRF token not found. Has your session expired?");
    }
    throw new InvalidCsrfTokenException("Invalid CSRF Token '" + submitted
            + "' was found on the request parameter '" + securityConfig.getCsrfParameterName()
            + "' or header '" + securityConfig.getCsrfHeaderName() + "'.");
}
/**
 * Ensures a CSRF token is associated with the request before the action runs.
 *
 * <p>When CSRF protection is disabled the request passes through untouched. Otherwise
 * the token is loaded from the manager; if none is stored yet, a new one is generated
 * and wrapped in a {@link SaveOnAccessCsrfToken} so that persisting it can be deferred
 * until the value is first read. An already stored token is wrapped as a
 * {@link SimpleCsrfToken} marked not new. The chosen token is then published via
 * {@code CSRF.setGeneratedToken} and as a request attribute named after the configured
 * CSRF parameter, for downstream consumers.
 *
 * <p>This method never intercepts; it always returns {@link State#CONTINUE}.
 *
 * @param request  the current request
 * @param response the current response (not consulted here)
 * @return {@link State#CONTINUE}
 * @throws Throwable propagated from the token manager
 */
@Override
public State handleRequest(Request request, Response response) throws Throwable {
    if (!config.isCsrfEnabled()) {
        // Protection switched off: nothing to set up.
        return State.CONTINUE;
    }

    String stored = manager.loadToken(request);
    CsrfToken token;
    if (stored != null) {
        token = new SimpleCsrfToken(config, stored, false);
    } else {
        // No token yet: generate one; the wrapper decides when it gets persisted.
        String generated = manager.generateToken(request);
        token = new SaveOnAccessCsrfToken(config, generated, request, manager);
    }

    CSRF.setGeneratedToken(request, token);
    request.setAttribute(config.getCsrfParameterName(), token);
    return State.CONTINUE;
}
/**
 * Security pre-handling once a {@link DefaultSecurityContextHolder} has been built.
 *
 * <p>Order matters: the context is attached to the request first; then login and logout
 * requests get the chance to intercept (each only when enabled in {@code config}); then
 * authentication is resolved and may intercept. Finally, if the resolved authentication
 * is not authenticated (anonymous access), CSRF checking is switched off for this
 * request via {@code CSRF.ignore}.
 *
 * <p>NOTE(review): that last step exempts every unauthenticated request from the CSRF
 * check, including state-changing anonymous actions — confirm this is intended.
 *
 * @param request  the current request
 * @param response the current response
 * @param context  the security context holder for this request
 * @return {@link State#INTERCEPTED} when login or logout handled the request, the
 *         intercepted state from authentication resolution, or {@link State#CONTINUE}
 * @throws Throwable propagated from the delegated handlers
 */
protected State preHandleRequest(Request request, Response response, DefaultSecurityContextHolder context) throws Throwable {
    request.setSecurityContext(context);

    boolean loginHandled = config.isLoginEnabled() && handleLoginRequest(request, response, context);
    if (loginHandled) {
        return State.INTERCEPTED;
    }

    boolean logoutHandled = config.isLogoutEnabled() && handleLogoutRequest(request, response, context);
    if (logoutHandled) {
        return State.INTERCEPTED;
    }

    State authState = resolveAuthentication(request, response, context);
    if (authState.isIntercepted()) {
        return authState;
    }

    boolean anonymous = !context.getAuthentication().isAuthenticated();
    if (anonymous) {
        CSRF.ignore(request);
    }
    return State.CONTINUE;
}
/**
 * Enforces the CSRF check before an action executes.
 *
 * <p>Skipped when the interceptor is disabled for this context, when the request method
 * is GET, or when the request has been marked as ignored ({@code CSRF.isIgnored}).
 * Otherwise the token previously published by {@code CSRF.setGeneratedToken} is looked
 * up and validated with {@link #checkCsrfToken}.
 *
 * <p>NOTE(review): only GET is exempted; HEAD and OPTIONS are still checked, which is
 * the stricter choice. Also, no null guard exists for the looked-up token — this assumes
 * the CSRF handler already ran for this request.
 *
 * @param context    the action context for the request being executed
 * @param validation validation state (not consulted here)
 * @return {@link State#CONTINUE} when the request may proceed
 * @throws Throwable from {@link #checkCsrfToken} when the token is missing or invalid
 */
@Override
public State preExecuteAction(ActionContext context, Validation validation) throws Throwable {
    if (!isEnabled(context)) {
        return State.CONTINUE;
    }

    Request request = context.getRequest();
    // GET is checked first so the ignore lookup is only evaluated for other methods.
    if (request.isMethod(HTTP.Method.GET) || CSRF.isIgnored(request.getServletRequest())) {
        return State.CONTINUE;
    }

    CsrfToken expected = CSRF.getGeneratedToken(request);
    checkCsrfToken(request, expected);
    return State.CONTINUE;
}
/**
 * Template hook exposing the current CSRF token to the template as
 * {@code csrf_token_string}.
 *
 * <p>Returns {@code true} when CSRF is enabled and the context carries a request — in
 * which case the local variable is set if a generated token is present — and
 * {@code false} when CSRF is disabled or there is no request.
 *
 * @param context expected to be an {@link HtplContext}; the cast is unchecked and only
 *                performed when CSRF is enabled
 * @param vars    template variables (not consulted here)
 * @return whether a request was available under CSRF-enabled configuration
 */
@Override
protected Object eval(Object context, Map<String, Object> vars) {
    if (!config.isCsrfEnabled()) {
        return false;
    }
    HtplContext htplContext = (HtplContext) context;
    RequestBase request = htplContext.getRequest();
    if (request == null) {
        return false;
    }
    CsrfToken token = CSRF.getGeneratedToken(request);
    if (token != null) {
        // getToken() may persist a freshly generated token on this first access.
        htplContext.setLocalVariable("csrf_token_string", token.getToken());
    }
    return true;
}
});
/**
 * Returns the token value, persisting it through the manager on first access.
 *
 * <p>Persistence is lazy so a token generated for a request is only stored once
 * something actually reads it. A failure from {@code manager.saveToken} is surfaced as
 * an {@link IllegalStateException} carrying the original cause; {@code saved} stays
 * {@code false} in that case, so a later read retries the save.
 *
 * <p>NOTE(review): the {@code saved} flag is unguarded; concurrent first reads on the
 * same instance could save twice — confirm instances are confined to one request.
 *
 * @return the token string
 * @throws IllegalStateException if saving the token fails
 */
@Override
public String getToken() {
    if (saved) {
        return token;
    }
    try {
        manager.saveToken(request, token);
    } catch (Throwable e) {
        throw new IllegalStateException("Error saving csrf token , " + e.getMessage(), e);
    }
    saved = true;
    return token;
}
/**
 * Persists a token for the request in the configured CSRF store.
 *
 * @param request the current request
 * @param token   the token string to store
 * @throws Throwable propagated from the store
 */
@Override
public void saveToken(Request request, String token) throws Throwable {
    sc.getCsrfStore().saveToken(request, token);
}
/**
 * Removes any token stored for the request from the configured CSRF store.
 *
 * @param request the current request
 * @throws Throwable propagated from the store
 */
@Override
public void removeToken(Request request) throws Throwable {
    sc.getCsrfStore().removeToken(request);
}
/**
 * Loads the token stored for the request from the configured CSRF store.
 *
 * @param request the current request
 * @return the stored token, or whatever the store returns when none exists
 * @throws Throwable propagated from the store
 */
@Override
public String loadToken(Request request) throws Throwable {
    String stored = sc.getCsrfStore().loadToken(request);
    return stored;
}
/**
 * Validates a submitted CSRF token.
 *
 * <p>A {@code null} token is rejected outright; otherwise validity is decided solely by
 * {@code tokenEncoder.verifyToken(token)}. Note that neither {@code request} nor
 * {@code expected} is consulted: the submitted value is checked by the encoder (which
 * can report expiry) rather than compared against the token stored for this request.
 * NOTE(review): confirm the encoder binds tokens to the session or user; otherwise any
 * unexpired encoder-valid token would be accepted for any session.
 *
 * @param request  the current request (not consulted)
 * @param token    the token submitted by the client, possibly {@code null}
 * @param expected the token stored for the request (not consulted)
 * @return {@code true} if the encoder accepts the token
 * @throws CsrfTokenExpiredException if the encoder reports the token as expired; only the
 *                                   message is carried over, the original exception is
 *                                   not attached as cause
 */
@Override
public boolean verifyToken(Request request, String token, CsrfToken expected) throws CsrfTokenExpiredException {
    if (token == null) {
        return false;
    }
    try {
        return tokenEncoder.verifyToken(token);
    } catch (TokenExpiredException e) {
        throw new CsrfTokenExpiredException(e.getMessage());
    }
}
/**
 * Extracts the client-submitted CSRF token from the request.
 *
 * <p>Lookup order: the configured CSRF header, then the configured request parameter,
 * then {@code CSRF.getRequestToken(request)}. Each fallback is consulted only when the
 * previous source is empty according to {@code Strings.isEmpty}.
 *
 * @param request the current request
 * @return the submitted token, or the result of {@code CSRF.getRequestToken} (possibly
 *         {@code null}) when neither header nor parameter carries one
 */
protected String getCsrfTokenString(Request request) {
    String candidate = request.getHeader(securityConfig.getCsrfHeaderName());
    if (!Strings.isEmpty(candidate)) {
        return candidate;
    }
    candidate = request.getParameter(securityConfig.getCsrfParameterName());
    if (!Strings.isEmpty(candidate)) {
        return candidate;
    }
    return CSRF.getRequestToken(request);
}
}
/**
 * Entry point of the web-security interceptor, run before the action is handled.
 *
 * <p>Sequence:
 * <ol>
 *   <li>If web security is disabled, log at debug level and continue.</li>
 *   <li>Let the CSRF handler prepare the request; an intercepted result stops here.</li>
 *   <li>If CORS is configured to be ignored and this is a preflight request, continue
 *       without further security processing.</li>
 *   <li>If any configured {@link RequestIgnore} matches the request, continue.</li>
 *   <li>Otherwise build a {@link DefaultSecurityContextHolder}, resolve the secured path
 *       for the route and delegate to the context-based {@code preHandleRequest}.</li>
 * </ol>
 *
 * <p>NOTE(review): requests taking the preflight bypass or matching the ignore list
 * return before any security context is built, so they skip authentication entirely;
 * keep the ignore patterns tight. The ignore list is scanned linearly on every request
 * (the TODO below notes caching).
 *
 * @param request  the current request
 * @param response the current response
 * @param ac       the action context providing the matched route
 * @return the resulting interceptor state
 * @throws Throwable propagated from the delegated handlers
 */
@Override
public State preHandleRequest(Request request, Response response, ActionContext ac) throws Throwable {
    if (!config.isEnabled()) {
        log.debug("Web security not enabled, ignore the interceptor");
        return State.CONTINUE;
    }

    State csrfState = csrf.handleRequest(request, response);
    if (State.isIntercepted(csrfState)) {
        return State.INTERCEPTED;
    }

    boolean preflightBypass = config.isCorsIgnored() && cors.isPreflightRequest(request);
    if (preflightBypass) {
        return State.CONTINUE;
    }

    // TODO : cache
    for (RequestIgnore ignore : config.getIgnores()) {
        if (ignore.matches(request)) {
            return State.CONTINUE;
        }
    }

    DefaultSecurityContextHolder holder = new DefaultSecurityContextHolder(config, perm, request, ac);
    holder.setSecuredPath(resolveSecuredPath(request, response, holder, ac.getRoute()));
    return preHandleRequest(request, response, holder);
}
CSRF.ignore(request.getServletRequest());
CSRF.ignore(request.getServletRequest());