public String getTokenValue(HttpServletRequest request, String uri) { String tokenValue = null; HttpSession session = request.getSession(false); if (session != null) { if (isTokenPerPageEnabled()) { @SuppressWarnings("unchecked") Map<String, String> pageTokens = (Map<String, String>) session.getAttribute(CsrfGuard.PAGE_TOKENS_KEY); if (pageTokens != null) { if (isTokenPerPagePrecreate()) { createPageToken(pageTokens, uri); } tokenValue = pageTokens.get(uri); } } if (tokenValue == null) { tokenValue = (String) session.getAttribute(getSessionKey()); } } return tokenValue; }
private void verifyPageToken(HttpServletRequest request) throws CsrfGuardException { HttpSession session = request.getSession(true); @SuppressWarnings("unchecked") Map<String, String> pageTokens = (Map<String, String>) session.getAttribute(CsrfGuard.PAGE_TOKENS_KEY); String tokenFromPages = (pageTokens != null ? pageTokens.get(request.getRequestURI()) : null); String tokenFromSession = (String) session.getAttribute(getSessionKey()); String tokenFromRequest = request.getParameter(getTokenName()); if (tokenFromRequest == null) { /** FAIL: token is missing from the request * */ throw new CsrfGuardException("required token is missing from the request"); } else if (tokenFromPages != null) { if (!tokenFromPages.equals(tokenFromRequest)) { /** FAIL: request does not match page token * */ throw new CsrfGuardException("request token does not match page token"); } } else if (!tokenFromSession.equals(tokenFromRequest)) { /** FAIL: the request token does not match the session token * */ throw new CsrfGuardException("request token does not match session token"); } }
public static void load(Properties properties) throws NoSuchAlgorithmException, InstantiationException, IllegalAccessException, ClassNotFoundException, IOException, NoSuchProviderException { CsrfGuard csrfGuard = SingletonHolder.instance; /** load simple properties * */ csrfGuard.setLogger( (ILogger) Class.forName( properties.getProperty( "org.owasp.csrfguard.Logger", "org.owasp.csrfguard.log.ConsoleLogger")) .newInstance()); csrfGuard.setTokenName( properties.getProperty("org.owasp.csrfguard.TokenName", "OWASP_CSRFGUARD")); csrfGuard.setTokenLength( Integer.parseInt(properties.getProperty("org.owasp.csrfguard.TokenLength", "32"))); csrfGuard.setRotate( Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.Rotate", "false"))); csrfGuard.setTokenPerPage( Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.TokenPerPage", "false"))); csrfGuard.setTokenPerPagePrecreate( Boolean.valueOf( properties.getProperty("org.owasp.csrfguard.TokenPerPagePrecreate", "false"))); csrfGuard.setPrng( SecureRandom.getInstance( properties.getProperty("org.owasp.csrfguard.PRNG", "SHA1PRNG"), properties.getProperty("org.owasp.csrfguard.PRNG.Provider", "SUN"))); csrfGuard.setNewTokenLandingPage( properties.getProperty("org.owasp.csrfguard.NewTokenLandingPage")); // default to false if newTokenLandingPage is not set; default to true if set. if (csrfGuard.getNewTokenLandingPage() == null) { csrfGuard.setUseNewTokenLandingPage( Boolean.valueOf( properties.getProperty("org.owasp.csrfguard.UseNewTokenLandingPage", "false"))); } else { csrfGuard.setUseNewTokenLandingPage( Boolean.valueOf( properties.getProperty("org.owasp.csrfguard.UseNewTokenLandingPage", "true"))); } csrfGuard.setSessionKey( properties.getProperty("org.owasp.csrfguard.SessionKey", "OWASP_CSRFGUARD_KEY")); csrfGuard.setAjax(Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.Ajax", "false"))); csrfGuard.setProtect( Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.Protect", "false"))); /** first pass: instantiate actions * */ Map<String, IAction> actionsMap = new HashMap<String, IAction>(); for (Object obj : properties.keySet()) { String key = (String) obj; if (key.startsWith(ACTION_PREFIX)) { String directive = key.substring(ACTION_PREFIX.length()); int index = directive.indexOf('.'); /** action name/class * */ if (index < 0) { String actionClass = properties.getProperty(key); IAction action = (IAction) Class.forName(actionClass).newInstance(); action.setName(directive); actionsMap.put(action.getName(), action); csrfGuard.getActions().add(action); } } } /** second pass: initialize action parameters * */ for (Object obj : properties.keySet()) { String key = (String) obj; if (key.startsWith(ACTION_PREFIX)) { String directive = key.substring(ACTION_PREFIX.length()); int index = directive.indexOf('.'); /** action name/class * */ if (index >= 0) { String actionName = directive.substring(0, index); IAction action = actionsMap.get(actionName); if (action == null) { throw new IOException( String.format("action class %s has not yet been specified", actionName)); } String parameterName = directive.substring(index + 1); String parameterValue = properties.getProperty(key); action.setParameter(parameterName, parameterValue); } } } /** ensure at least one action was defined * */ if (csrfGuard.getActions().size() <= 0) { throw new IOException("failure to define at least one action"); } /** initialize protected, unprotected pages * */ for (Object obj : properties.keySet()) { String key = (String) obj; if (key.startsWith(PROTECTED_PAGE_PREFIX)) { String directive = key.substring(PROTECTED_PAGE_PREFIX.length()); int index = directive.indexOf('.'); /** page name/class * */ if (index < 0) { String pageUri = properties.getProperty(key); csrfGuard.getProtectedPages().add(Pattern.compile(pageUri)); } } if (key.startsWith(UNPROTECTED_PAGE_PREFIX)) { String directive = key.substring(UNPROTECTED_PAGE_PREFIX.length()); int index = directive.indexOf('.'); /** page name/class * */ if (index < 0) { String pageUri = properties.getProperty(key); csrfGuard.getUnprotectedPages().add(Pattern.compile(pageUri)); } } } /** initialize protected methods * */ String methodList = properties.getProperty("org.owasp.csrfguard.ProtectedMethods"); if (methodList != null && methodList.trim().length() != 0) { for (String method : methodList.split(",")) { csrfGuard.getProtectedMethods().add(method.trim()); } } }