Ejemplo n.º 1
0
  private void rotateTokens(HttpServletRequest request) {
    HttpSession session = request.getSession(true);

    /** rotate master token * */
    String tokenFromSession = null;

    try {
      tokenFromSession = RandomGenerator.generateRandomId(getPrng(), getTokenLength());
    } catch (Exception e) {
      throw new RuntimeException(
          String.format("unable to generate the random token - %s", e.getLocalizedMessage()), e);
    }

    session.setAttribute(getSessionKey(), tokenFromSession);

    /** rotate page token * */
    if (isTokenPerPageEnabled()) {
      @SuppressWarnings("unchecked")
      Map<String, String> pageTokens =
          (Map<String, String>) session.getAttribute(CsrfGuard.PAGE_TOKENS_KEY);

      try {
        pageTokens.put(
            request.getRequestURI(), RandomGenerator.generateRandomId(getPrng(), getTokenLength()));
      } catch (Exception e) {
        throw new RuntimeException(
            String.format("unable to generate the random token - %s", e.getLocalizedMessage()), e);
      }
    }
  }
Ejemplo n.º 2
0
  public String getTokenValue(HttpServletRequest request, String uri) {
    String tokenValue = null;
    HttpSession session = request.getSession(false);

    if (session != null) {
      if (isTokenPerPageEnabled()) {
        @SuppressWarnings("unchecked")
        Map<String, String> pageTokens =
            (Map<String, String>) session.getAttribute(CsrfGuard.PAGE_TOKENS_KEY);

        if (pageTokens != null) {
          if (isTokenPerPagePrecreate()) {
            createPageToken(pageTokens, uri);
          }
          tokenValue = pageTokens.get(uri);
        }
      }

      if (tokenValue == null) {
        tokenValue = (String) session.getAttribute(getSessionKey());
      }
    }

    return tokenValue;
  }
Ejemplo n.º 3
0
  public void updateTokens(HttpServletRequest request) {
    /** cannot create sessions if response already committed * */
    HttpSession session = request.getSession(false);

    if (session != null) {
      /** create master token if it does not exist * */
      updateToken(session);

      /** create page specific token * */
      if (isTokenPerPageEnabled()) {
        @SuppressWarnings("unchecked")
        Map<String, String> pageTokens =
            (Map<String, String>) session.getAttribute(CsrfGuard.PAGE_TOKENS_KEY);

        /** first time initialization * */
        if (pageTokens == null) {
          pageTokens = new HashMap<String, String>();
          session.setAttribute(CsrfGuard.PAGE_TOKENS_KEY, pageTokens);
        }

        /** create token if it does not exist * */
        if (isProtectedPageAndMethod(request)) {
          createPageToken(pageTokens, request.getRequestURI());
        }
      }
    }
  }
Ejemplo n.º 4
0
  private void verifySessionToken(HttpServletRequest request) throws CsrfGuardException {
    HttpSession session = request.getSession(true);
    String tokenFromSession = (String) session.getAttribute(getSessionKey());
    String tokenFromRequest = request.getParameter(getTokenName());

    if (tokenFromRequest == null) {
      /** FAIL: token is missing from the request * */
      throw new CsrfGuardException("required token is missing from the request");
    } else if (!tokenFromSession.equals(tokenFromRequest)) {
      /** FAIL: the request token does not match the session token * */
      throw new CsrfGuardException("request token does not match session token");
    }
  }
Ejemplo n.º 5
0
  public static synchronized void sessionDestroyed(HttpSessionEvent ev) {
    HttpSession httpSession = ev.getSession();
    String id = httpSession.getId();

    synchronized (lookupSessionById) {
      lookupSessionById.remove(id);
    }

    // Forget HTTP-session:
    {
      lookupHttpSessionById.remove(id);
    }
  }
Ejemplo n.º 6
0
  public void updateToken(HttpSession session) {
    String tokenValue = (String) session.getAttribute(getSessionKey());

    /** Generate a new token and store it in the session. * */
    if (tokenValue == null) {
      try {
        tokenValue = RandomGenerator.generateRandomId(getPrng(), getTokenLength());
      } catch (Exception e) {
        throw new RuntimeException(
            String.format("unable to generate the random token - %s", e.getLocalizedMessage()), e);
      }

      session.setAttribute(getSessionKey(), tokenValue);
    }
  }
Ejemplo n.º 7
0
  public boolean isValidRequest(HttpServletRequest request, HttpServletResponse response) {
    boolean valid = !isProtectedPageAndMethod(request);
    HttpSession session = request.getSession(true);
    String tokenFromSession = (String) session.getAttribute(getSessionKey());

    /** sending request to protected resource - verify token * */
    if (tokenFromSession != null && !valid) {
      try {
        if (isAjaxEnabled() && isAjaxRequest(request)) {
          verifyAjaxToken(request);
        } else if (isTokenPerPageEnabled()) {
          verifyPageToken(request);
        } else {
          verifySessionToken(request);
        }
        valid = true;
      } catch (CsrfGuardException csrfe) {
        for (IAction action : getActions()) {
          try {
            action.execute(request, response, csrfe, this);
          } catch (CsrfGuardException exception) {
            getLogger().log(LogLevel.Error, exception);
          }
        }
      }

      /** rotate session and page tokens * */
      if (!isAjaxRequest(request) && isRotateEnabled()) {
        rotateTokens(request);
      }
      /** expected token in session - bad state * */
    } else if ((tokenFromSession == null) && !valid) {
      throw new IllegalStateException(
          "CsrfGuard expects the token to exist in session at this point");
    } else {
      /** unprotected page - nothing to do * */
    }

    return valid;
  }
Ejemplo n.º 8
0
  public static synchronized void sessionCreated(HttpSessionEvent ev) {
    HttpSession httpSession = ev.getSession();
    String id = httpSession.getId();

    // Remember HTTP-session:
    {
      lookupHttpSessionById.put(id, httpSession);
    }

    AbstractSession session = null;

    synchronized (lookupSessionById) {
      session = lookupSessionById.get(id);
    }

    if (session == null) {
      Principal userPrincipal = null;
      Date timeCreation = new Date(httpSession.getCreationTime());
      Date timeLastAccess = new Date(httpSession.getLastAccessedTime());
      List<String> urisForLastRequests = null;
      Properties properties = null;

      session =
          new DefaultSession(
              id, userPrincipal, timeCreation, timeLastAccess, urisForLastRequests, properties);

      synchronized (lookupSessionById) {
        lookupSessionById.put(id, session);

        // Update 'sessionCountMax':
        {
          int sessionCount = lookupSessionById.size();
          if (sessionCount > sessionCountMax) {
            sessionCountMax = sessionCount;
            sessionCountMaxTime = System.currentTimeMillis();
          }
        }
      }
    }
  }
Ejemplo n.º 9
0
  protected void expandSession(AbstractSession session) throws IOException {
    if (session != null) {
      String id = session.getId();
      HttpSession httpSession = lookupHttpSessionById.get(id);

      // Set 'timeLastAccess' upon session:
      {
        if (httpSession != null) {
          Date timeLastAccess = new Date(httpSession.getLastAccessedTime());
          session.setTimeLastAccess(timeLastAccess);
        }
      }

      expandSessionPrincipal(session);

      // Set 'requestURI' upon session:
      {
        if (httpSession != null) {
          List<String> requestURIs = RequestURISessionDecorator.getRequestURIs(httpSession);
          if (requestURIs != null) {
            Collections.reverse(requestURIs); // reverse the order!
            session.setRequestURIs(requestURIs);
          }
        }
      }

      // Set 'properties' upon session:
      {
        if (httpSession != null) {
          Map<String, Object> m = PropertiesSessionDecorator.getProperties(httpSession);
          if (m != null) {
            Properties properties = convertProperties(m);
            session.setProperties(properties);
          }
        }
      }
    }
  }
Ejemplo n.º 10
0
  private void verifyPageToken(HttpServletRequest request) throws CsrfGuardException {
    HttpSession session = request.getSession(true);
    @SuppressWarnings("unchecked")
    Map<String, String> pageTokens =
        (Map<String, String>) session.getAttribute(CsrfGuard.PAGE_TOKENS_KEY);

    String tokenFromPages = (pageTokens != null ? pageTokens.get(request.getRequestURI()) : null);
    String tokenFromSession = (String) session.getAttribute(getSessionKey());
    String tokenFromRequest = request.getParameter(getTokenName());

    if (tokenFromRequest == null) {
      /** FAIL: token is missing from the request * */
      throw new CsrfGuardException("required token is missing from the request");
    } else if (tokenFromPages != null) {
      if (!tokenFromPages.equals(tokenFromRequest)) {
        /** FAIL: request does not match page token * */
        throw new CsrfGuardException("request token does not match page token");
      }
    } else if (!tokenFromSession.equals(tokenFromRequest)) {
      /** FAIL: the request token does not match the session token * */
      throw new CsrfGuardException("request token does not match session token");
    }
  }