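/**
 * Verifies the CSRF token carried on an AJAX request against the token held in the session.
 *
 * <p>The request token is read from the header named by {@code getTokenName()}; the session
 * token comes from the session attribute named by {@code getSessionKey()}. The two values must
 * be identical: the check is a full-value comparison via {@code MessageDigest.isEqual}, so a
 * header value that merely contains the session token as a substring is rejected, and the
 * comparison does not short-circuit on the first differing byte.
 *
 * @param request the incoming request; a session is created if none exists yet
 * @throws CsrfGuardException if the token header is absent, no token is stored in the session,
 *     or the request token differs from the session token
 */
private void verifyAjaxToken(HttpServletRequest request) throws CsrfGuardException {
    HttpSession session = request.getSession(true);
    String tokenFromSession = (String) session.getAttribute(getSessionKey());
    String tokenFromRequest = request.getHeader(getTokenName());
    if (tokenFromRequest == null) {
        // FAIL: token is missing from the request
        throw new CsrfGuardException("required token is missing from the request");
    }
    if (tokenFromSession == null) {
        // FAIL: nothing to compare against. Previously this fell through to
        // indexOf(null) and surfaced as a NullPointerException instead of a CSRF failure.
        throw new CsrfGuardException("no token is stored in the session");
    }
    // Exact match only. The former indexOf() test accepted any header value that contained
    // the session token somewhere inside it; MessageDigest.isEqual compares the whole value
    // and is length-aware.
    byte[] expected = tokenFromSession.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    byte[] presented = tokenFromRequest.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    if (!java.security.MessageDigest.isEqual(expected, presented)) {
        // FAIL: the request token does not match the session token
        throw new CsrfGuardException("request token does not match session token");
    }
}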
/**
 * Reports whether the request was sent as an AJAX call.
 *
 * <p>Only the presence of the {@code X-Requested-With} header is examined, not its value: any
 * non-null value (including an empty string) classifies the request as AJAX.
 *
 * @param request the incoming request
 * @return {@code true} if the {@code X-Requested-With} header is present
 */
private boolean isAjaxRequest(HttpServletRequest request) {
    final String requestedWith = request.getHeader("X-Requested-With");
    return requestedWith != null;
}