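/**
 * Builds the set of trusted source addresses.
 *
 * <p>If the {@code Constants.TRUSTED_SOURCE_LIST} system property is set it is
 * read as a comma-separated list of host names or literal IP addresses and every
 * entry is resolved. Otherwise the platform server list is used as a fallback and
 * the host of each server URL is resolved instead.
 *
 * <p>Each entry is resolved with {@link InetAddress#getByName(String)}, which
 * yields a single address; a host that resolves to several addresses is only
 * trusted under the one returned here.
 *
 * @return the resolved trusted addresses; possibly empty
 * @throws SessionException with key {@code emptyTrustedSourceList} when no
 *         explicit list is configured and the platform server list is absent,
 *         or wrapping the underlying failure when an explicitly configured
 *         entry cannot be resolved
 */
private static Set<InetAddress> getTrustedSourceList() throws SessionException {
    Set<InetAddress> result = new HashSet<InetAddress>();
    try {
        String rawList = SystemProperties.get(Constants.TRUSTED_SOURCE_LIST);
        if (rawList != null) {
            StringTokenizer stk = new StringTokenizer(rawList, ",");
            while (stk.hasMoreTokens()) {
                // Tolerate whitespace around the separators ("a, b").
                String host = stk.nextToken().trim();
                // Skip whitespace-only entries: InetAddress.getByName("") would
                // otherwise return the loopback address and silently trust it.
                if (host.length() == 0) {
                    continue;
                }
                result.add(InetAddress.getByName(host));
            }
        } else {
            // Use the platform server list as the default fallback.
            Vector<?> psl = WebtopNaming.getPlatformServerList();
            if (psl == null) {
                throw new SessionException(SessionBundle.rbName, "emptyTrustedSourceList", null);
            }
            for (Enumeration<?> e = psl.elements(); e.hasMoreElements(); ) {
                try {
                    URL url = new URL((String) e.nextElement());
                    result.add(InetAddress.getByName(url.getHost()));
                } catch (Exception ex) {
                    // Best effort: one malformed or unresolvable platform server
                    // entry must not prevent the remaining ones from being trusted.
                    debug.error("SessionUtils.getTrustedSourceList : " + "Validating Host exception", ex);
                }
            }
        }
    } catch (SessionException se) {
        // Re-throw unchanged so the localized "emptyTrustedSourceList" message is
        // not lost by being wrapped in a generic SessionException below.
        throw se;
    } catch (Exception e) {
        throw new SessionException(e);
    }
    return result;
}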
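/**
 * Validates the security cookie carried by an incoming request.
 *
 * <p>The cookie named {@code SessionService.securityCookieName} is decoded via
 * {@link DecodeAction}; its plaintext is expected to have the form
 * {@code <serverURL>@<timestampMillis>}. The request is rejected when the cookie
 * is missing, cannot be decoded or parsed, or when its timestamp differs from the
 * current time by more than {@code MAX_TIMESTAMP_DIFF} milliseconds.
 *
 * <p>Only freshness is checked here: no nonce is tracked, so a captured cookie is
 * accepted again for as long as its timestamp stays within the window. The
 * membership of {@code serverURL} in the platform server list is checked but a
 * miss is only logged, not enforced.
 *
 * @param servletRequest the request carrying the security cookie
 * @return {@code true} if the cookie is present, decodable and fresh;
 *         {@code false} otherwise, including on any unexpected exception
 */
private boolean validateRequest(HttpServletRequest servletRequest) {
    try {
        String encryptedCookie = CookieUtils.getCookieValueFromReq(servletRequest, SessionService.securityCookieName);
        if (encryptedCookie == null) {
            SessionService.sessionDebug.error("GetHttpSession.validateRequest: " + "no Security Cookie in the request");
            return false;
        }
        String decryptedCookie = (String) AccessController.doPrivileged(new DecodeAction(encryptedCookie));
        if (decryptedCookie == null) {
            SessionService.sessionDebug.error("GetHttpSession.validateRequest: " + "Security Cookie could not be decoded");
            return false;
        }
        // Expected payload: "<serverURL>@<timestampMillis>". Reject malformed
        // payloads explicitly instead of relying on NoSuchElementException.
        StringTokenizer st = new StringTokenizer(decryptedCookie, "@");
        if (st.countTokens() < 2) {
            SessionService.sessionDebug.error("GetHttpSession.validateRequest: " + "malformed Security Cookie");
            return false;
        }
        String serverURL = st.nextToken();
        long requestTimeStamp = Long.parseLong(st.nextToken());
        long currentTime = System.currentTimeMillis();
        // Symmetric window: timestamps slightly in the future are tolerated to
        // absorb clock skew between servers.
        if (Math.abs(currentTime - requestTimeStamp) > MAX_TIMESTAMP_DIFF) {
            SessionService.sessionDebug.error("GetHttpSession.validateRequest: " + "Max time elapsed for the Request");
            return false;
        }
        Vector<?> platformServerList = WebtopNaming.getPlatformServerList();
        if (platformServerList == null) {
            SessionService.sessionDebug.error("GetHttpSession.validateRequest: " + "platformServerList is not available");
            return false;
        }
        if (!platformServerList.contains(serverURL)) {
            // NOTE(review): a miss here is logged but the request is still
            // accepted, so this check is diagnostic only. Confirm whether that is
            // intentional before relying on it as a trust boundary.
            SessionService.sessionDebug.error("GetHttpSession.validateRequest: " + "request host :" + serverURL + " was not part of the platformServerList");
        }
        return true;
    } catch (Exception e) {
        // Boundary catch: any failure in decoding or parsing means "not valid".
        SessionService.sessionDebug.error("GetHttpSession.validateRequest: " + "Exception while validating the request ", e);
        return false;
    }
}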