/**
 * Supplies the extra hidden form field that carries the CSRF token of the caller's session.
 *
 * <p>The token is looked up through {@code request.getSession()}, so the value returned here
 * is tied to whichever session that call yields for the request.
 *
 * @param request the request whose session token should be embedded in the form
 * @return a new mutable map holding one entry, {@code CSRFTokenManager.CSRF_PARAM_NAME}
 *     mapped to the session's token
 */
@Override
 public Map<String, String> getExtraHiddenFields(final HttpServletRequest request) {
   // Resolve the token first so the map construction below is a plain single put.
   final String csrfToken = CSRFTokenManager.getTokenForSession(request.getSession());

   final Map<String, String> extraFields = new HashMap<String, String>();
   extraFields.put(CSRFTokenManager.CSRF_PARAM_NAME, csrfToken);
   return extraFields;
 }
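  /**
   * Enforces the CSRF token check before the handler runs.
   *
   * <p>When {@code shouldCheckCSRFTokenForRequest} reports that the request needs checking
   * (the original comment describes these as POST requests; the helper is defined outside
   * this view), the token stored for the session must match the token submitted with the
   * request. A missing or mismatching token is answered with {@code 403 Forbidden}.
   *
   * <p>The comparison uses {@link java.security.MessageDigest#isEqual(byte[], byte[])} rather
   * than {@code String.equals}, so the time taken does not depend on how many leading
   * characters of the submitted value happen to match the session token.
   *
   * @param request the incoming request
   * @param response the response used to send the 403 error on failure
   * @param handler the handler selected for the request (not inspected here)
   * @return {@code true} to allow the request, {@code false} once the request has been
   *     rejected
   * @throws Exception if sending the error response fails
   */
  @Override
  public boolean preHandle(
      final HttpServletRequest request, final HttpServletResponse response, final Object handler)
      throws Exception {

    if (!shouldCheckCSRFTokenForRequest(request)) {
      // No CSRF check required for this request - allow it.
      return true;
    }

    final String sessionToken = CSRFTokenManager.getTokenForSession(request.getSession());
    final String requestToken = CSRFTokenManager.getTokenFromRequest(request);

    // Fail closed: a null on either side is treated as a mismatch instead of being
    // dereferenced, so an absent token can never turn into an exception path.
    final boolean tokensMatch =
        sessionToken != null
            && requestToken != null
            && java.security.MessageDigest.isEqual(
                sessionToken.getBytes(java.nio.charset.StandardCharsets.UTF_8),
                requestToken.getBytes(java.nio.charset.StandardCharsets.UTF_8));

    if (tokensMatch) {
      return true;
    }

    // Same generic message for "missing" and "wrong" so the response does not reveal which.
    response.sendError(HttpServletResponse.SC_FORBIDDEN, "Bad or missing CSRF value");
    return false;
  }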