/**
* Creates a new instance.
*
* @param nonceCache a cache to place used CSRF tokens. This is required to ensure the consumed
* token is never used again, which is mandatory for CSRF protection. This cache <em>MUST</em>
* have a TTL value equal to or greater than {@code ttlMillis}. Cache key: a unique token ID,
* Cache value: the used token
* @param signingKey a base64-encoded (and hopefully secure-random) cryptographic signing key used
* to digitally sign the CSRF token to ensure it cannot be tampered with by HTTP clients.
* @param ttlMillis the length of time in milliseconds for which a generated CSRF token is valid.
* When a token is created, it cannot be used after this duration, even if it has not been
* consumed yet.
*/
public CacheCsrfTokenRepository(Cache nonceCache, String signingKey, long ttlMillis) {
Assert.notNull(nonceCache, "nonce cache cannot be null.");
this.nonceCache = nonceCache;
Assert.hasText(signingKey, "signingKey cannot be null or empty.");
this.signingKey = signingKey;
Assert.isTrue(ttlMillis > 0, "ttlMillis must be greater than zero.");
this.ttlMillis = ttlMillis;
}
/* @since 1.0.RC5 */
private Error constructError(Map jsonMap) {
Assert.isTrue(isError(jsonMap));
Map<String, Object> errorMap = getRequiredValue(jsonMap, ERROR);
Error error =
new DefaultErrorBuilder((Integer) getRequiredValue(errorMap, STATUS))
.code((Integer) getRequiredValue(errorMap, "code"))
.developerMessage((String) getRequiredValue(errorMap, "developerMessage"))
.message((String) getRequiredValue(errorMap, "message"))
.moreInfo((String) getRequiredValue(errorMap, "moreInfo"))
.build();
return error;
}
private String getJwtResponse(Object httpRequestObject) {
String jwtResponse;
if (HttpRequest.class.isAssignableFrom(httpRequestObject.getClass())) {
HttpRequest httpRequest = (HttpRequest) httpRequestObject;
Assert.isTrue(
httpRequest.getMethod() == HttpMethod.GET, "Only Http GET method is supported.");
jwtResponse = httpRequest.getParameter(JWT_RESPONSE);
} else {
// This must never happen, if the object request is of HttpServletRequest type the
// HTTP_SERVLET_REQUEST_WRAPPER_CLASS
// must be already loaded and therefore cannot be null.
if (HTTP_SERVLET_REQUEST_WRAPPER_CLASS == null) {
throw new RuntimeException(
"DefaultHttpServletRequestWrapper not loaded error occurred while handling httpRequest of type: "
+ httpRequestObject.getClass().getName());
}
Constructor<? extends HttpServletRequestWrapper> ctor =
Classes.getConstructor(HTTP_SERVLET_REQUEST_WRAPPER_CLASS, Object.class);
HttpServletRequestWrapper httpServletRequestWrapper =
Classes.instantiate(ctor, httpRequestObject);
HttpMethod method = HttpMethod.fromName(httpServletRequestWrapper.getMethod());
Assert.isTrue(HttpMethod.GET == method, "Only Http GET method is supported.");
jwtResponse = httpServletRequestWrapper.getParameter(JWT_RESPONSE);
}
if (!Strings.hasText(jwtResponse)) {
throw new InvalidJwtException(InvalidJwtException.JWT_REQUIRED_ERROR);
}
return jwtResponse;
}
