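  /**
   * Replaces the master CSRF token held in the session with a freshly generated one and, when
   * per-page tokens are enabled, also replaces the page token registered for the current request
   * URI.
   *
   * <p>Rotation shortens the window in which a leaked token stays usable. A session is created if
   * none exists because the new token has nowhere else to be stored.
   *
   * @param request the current request; its session is created if absent
   * @throws RuntimeException if the random generator fails (the original cause is attached)
   */
  private void rotateTokens(HttpServletRequest request) {
    HttpSession session = request.getSession(true);

    /** rotate master token * */
    session.setAttribute(getSessionKey(), newRandomToken());

    /** rotate page token * */
    if (isTokenPerPageEnabled()) {
      @SuppressWarnings("unchecked")
      Map<String, String> pageTokens =
          (Map<String, String>) session.getAttribute(CsrfGuard.PAGE_TOKENS_KEY);

      // The page-token map is normally created by updateTokens(); a session that predates
      // per-page tokens being enabled would otherwise fail here with a NullPointerException.
      if (pageTokens == null) {
        pageTokens = new HashMap<String, String>();
        session.setAttribute(CsrfGuard.PAGE_TOKENS_KEY, pageTokens);
      }

      pageTokens.put(request.getRequestURI(), newRandomToken());
    }
  }

  /**
   * Generates one random token with the configured PRNG and token length.
   *
   * @return the new token value
   * @throws RuntimeException wrapping any generator failure, with the cause preserved
   */
  private String newRandomToken() {
    try {
      return RandomGenerator.generateRandomId(getPrng(), getTokenLength());
    } catch (Exception e) {
      throw new RuntimeException(
          String.format("unable to generate the random token - %s", e.getLocalizedMessage()), e);
    }
  }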
  /**
   * Looks up the CSRF token a client must present for {@code uri}: the per-page token when
   * per-page tokens are enabled and one is stored (optionally pre-creating it), otherwise the
   * master session token. Never creates a session.
   *
   * @param request the current request
   * @param uri the request URI whose page token is wanted
   * @return the token value, or {@code null} when there is no session or no token is stored
   */
  public String getTokenValue(HttpServletRequest request, String uri) {
    HttpSession session = request.getSession(false);
    if (session == null) {
      return null;
    }

    String pageToken = null;
    if (isTokenPerPageEnabled()) {
      @SuppressWarnings("unchecked")
      Map<String, String> pageTokens =
          (Map<String, String>) session.getAttribute(CsrfGuard.PAGE_TOKENS_KEY);

      if (pageTokens != null) {
        if (isTokenPerPagePrecreate()) {
          createPageToken(pageTokens, uri);
        }
        pageToken = pageTokens.get(uri);
      }
    }

    // Fall back to the master token when no page token applies.
    return pageToken != null ? pageToken : (String) session.getAttribute(getSessionKey());
  }
  /**
   * Makes sure the session carries the tokens the current request will be checked against: the
   * master token always, plus a page token for the request URI when per-page tokens are enabled
   * and the request targets a protected page and method.
   *
   * <p>Does nothing when no session exists, since one cannot be created once the response is
   * committed.
   *
   * @param request the current request
   */
  public void updateTokens(HttpServletRequest request) {
    /** cannot create sessions if response already committed * */
    HttpSession session = request.getSession(false);
    if (session == null) {
      return;
    }

    /** create master token if it does not exist * */
    updateToken(session);

    if (!isTokenPerPageEnabled()) {
      return;
    }

    /** create page specific token * */
    @SuppressWarnings("unchecked")
    Map<String, String> pageTokens =
        (Map<String, String>) session.getAttribute(CsrfGuard.PAGE_TOKENS_KEY);

    /** first time initialization * */
    if (pageTokens == null) {
      pageTokens = new HashMap<String, String>();
      session.setAttribute(CsrfGuard.PAGE_TOKENS_KEY, pageTokens);
    }

    /** create token if it does not exist * */
    if (isProtectedPageAndMethod(request)) {
      createPageToken(pageTokens, request.getRequestURI());
    }
  }
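  /**
   * Verifies that the token parameter sent with the request equals the master token held in the
   * session.
   *
   * <p>The comparison uses {@code MessageDigest.isEqual} so that a mismatch does not reveal,
   * through timing, how many leading characters matched. Token length is fixed by configuration,
   * so the early length check of that method leaks nothing useful.
   *
   * @param request the request under validation; a session is created if absent
   * @throws CsrfGuardException if the request carries no token, the session holds no token, or
   *     the two differ
   */
  private void verifySessionToken(HttpServletRequest request) throws CsrfGuardException {
    HttpSession session = request.getSession(true);
    String tokenFromSession = (String) session.getAttribute(getSessionKey());
    String tokenFromRequest = request.getParameter(getTokenName());

    if (tokenFromRequest == null) {
      /** FAIL: token is missing from the request * */
      throw new CsrfGuardException("required token is missing from the request");
    } else if (tokenFromSession == null) {
      /** FAIL: nothing to compare against; report a validation failure, not a NullPointerException * */
      throw new CsrfGuardException("required token is missing from the session");
    } else if (!java.security.MessageDigest.isEqual(
        tokenFromSession.getBytes(java.nio.charset.StandardCharsets.UTF_8),
        tokenFromRequest.getBytes(java.nio.charset.StandardCharsets.UTF_8))) {
      /** FAIL: the request token does not match the session token * */
      throw new CsrfGuardException("request token does not match session token");
    }
  }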
  /**
   * Drops the bookkeeping entries for an HTTP session the container has invalidated.
   *
   * @param ev the container event carrying the destroyed session
   */
  public static synchronized void sessionDestroyed(HttpSessionEvent ev) {
    String sessionId = ev.getSession().getId();

    // The application-level session record has its own lock.
    synchronized (lookupSessionById) {
      lookupSessionById.remove(sessionId);
    }

    // Forget HTTP-session. NOTE(review): this map is read without the method-level lock in
    // expandSession(); confirm it is a concurrent map or that readers tolerate races.
    lookupHttpSessionById.remove(sessionId);
  }
  /**
   * Ensures the session holds a master token, generating one only when it is absent.
   *
   * @param session the session to inspect and, if needed, populate
   * @throws RuntimeException wrapping a generator failure, with the cause preserved
   */
  public void updateToken(HttpSession session) {
    String existing = (String) session.getAttribute(getSessionKey());
    if (existing != null) {
      return; // a token is already stored, nothing to do
    }

    /** Generate a new token and store it in the session. * */
    String freshToken;
    try {
      freshToken = RandomGenerator.generateRandomId(getPrng(), getTokenLength());
    } catch (Exception e) {
      throw new RuntimeException(
          String.format("unable to generate the random token - %s", e.getLocalizedMessage()), e);
    }

    session.setAttribute(getSessionKey(), freshToken);
  }
  /**
   * Validates the CSRF token on a request and drives the configured failure actions.
   *
   * <p>Requests to unprotected pages or methods are accepted without looking at any token (a
   * session is still created, because the master token is read before that decision). Protected
   * requests are checked against the AJAX, per-page or master token depending on configuration;
   * on failure every configured {@link IAction} is executed with the exception and the request is
   * reported invalid. Protected non-AJAX requests also get their tokens rotated when rotation is
   * enabled, whether or not validation succeeded.
   *
   * @param request the request under validation
   * @param response the response handed to the failure actions
   * @return {@code true} when the request may proceed
   * @throws IllegalStateException if a protected request arrives while the session holds no
   *     master token; an earlier step is expected to have created one
   */
  public boolean isValidRequest(HttpServletRequest request, HttpServletResponse response) {
    boolean unprotected = !isProtectedPageAndMethod(request);
    HttpSession session = request.getSession(true);
    String tokenFromSession = (String) session.getAttribute(getSessionKey());

    /** unprotected page - nothing to do * */
    if (unprotected) {
      return true;
    }

    /** expected token in session - bad state * */
    if (tokenFromSession == null) {
      throw new IllegalStateException(
          "CsrfGuard expects the token to exist in session at this point");
    }

    /** sending request to protected resource - verify token * */
    boolean valid = false;
    try {
      if (isAjaxEnabled() && isAjaxRequest(request)) {
        verifyAjaxToken(request);
      } else if (isTokenPerPageEnabled()) {
        verifyPageToken(request);
      } else {
        verifySessionToken(request);
      }
      valid = true;
    } catch (CsrfGuardException csrfe) {
      // Every configured action runs even if an earlier one fails; action failures are logged,
      // never propagated.
      for (IAction action : getActions()) {
        try {
          action.execute(request, response, csrfe, this);
        } catch (CsrfGuardException exception) {
          getLogger().log(LogLevel.Error, exception);
        }
      }
    }

    /** rotate session and page tokens * */
    if (!isAjaxRequest(request) && isRotateEnabled()) {
      rotateTokens(request);
    }

    return valid;
  }
  /**
   * Registers a newly created container session and, unless one is already tracked under the
   * same id, creates the matching application-level session record, updating the peak session
   * count statistics.
   *
   * @param ev the container event carrying the new session
   */
  public static synchronized void sessionCreated(HttpSessionEvent ev) {
    HttpSession httpSession = ev.getSession();
    String id = httpSession.getId();

    // Remember HTTP-session:
    lookupHttpSessionById.put(id, httpSession);

    AbstractSession tracked;
    synchronized (lookupSessionById) {
      tracked = lookupSessionById.get(id);
    }
    if (tracked != null) {
      return; // already known under this id
    }

    // Principal, request URIs and properties start empty; expandSession() fills them in later.
    AbstractSession created =
        new DefaultSession(
            id,
            (Principal) null,
            new Date(httpSession.getCreationTime()),
            new Date(httpSession.getLastAccessedTime()),
            (List<String>) null,
            (Properties) null);

    synchronized (lookupSessionById) {
      lookupSessionById.put(id, created);

      // Update 'sessionCountMax':
      int sessionCount = lookupSessionById.size();
      if (sessionCount > sessionCountMax) {
        sessionCountMax = sessionCount;
        sessionCountMaxTime = System.currentTimeMillis();
      }
    }
  }
  /**
   * Copies the details held by the container session (last access time, principal, request
   * URIs, properties) onto the application-level session record. Fields whose source is absent
   * are left untouched; a {@code null} session is ignored.
   *
   * @param session the record to populate, may be {@code null}
   * @throws IOException if propagated by the principal expansion
   */
  protected void expandSession(AbstractSession session) throws IOException {
    if (session == null) {
      return;
    }

    HttpSession httpSession = lookupHttpSessionById.get(session.getId());

    // Set 'timeLastAccess' upon session:
    if (httpSession != null) {
      session.setTimeLastAccess(new Date(httpSession.getLastAccessedTime()));
    }

    expandSessionPrincipal(session);

    // Set 'requestURI' upon session:
    if (httpSession != null) {
      List<String> requestURIs = RequestURISessionDecorator.getRequestURIs(httpSession);
      if (requestURIs != null) {
        // reverse the order! NOTE(review): this mutates the list the decorator handed back;
        // confirm it is a copy rather than the session's live list.
        Collections.reverse(requestURIs);
        session.setRequestURIs(requestURIs);
      }
    }

    // Set 'properties' upon session:
    if (httpSession != null) {
      Map<String, Object> rawProperties = PropertiesSessionDecorator.getProperties(httpSession);
      if (rawProperties != null) {
        session.setProperties(convertProperties(rawProperties));
      }
    }
  }
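  /**
   * Verifies the token sent with the request against the page token registered for the request
   * URI, falling back to the master session token when no page token exists for that URI.
   *
   * <p>Comparisons use {@code MessageDigest.isEqual} so that a mismatch does not reveal, through
   * timing, how many leading characters matched. Token length is fixed by configuration, so the
   * early length check of that method leaks nothing useful.
   *
   * @param request the request under validation; a session is created if absent
   * @throws CsrfGuardException if the request carries no token, or it matches neither the page
   *     token (when one exists) nor the master token (when no page token exists)
   */
  private void verifyPageToken(HttpServletRequest request) throws CsrfGuardException {
    HttpSession session = request.getSession(true);
    @SuppressWarnings("unchecked")
    Map<String, String> pageTokens =
        (Map<String, String>) session.getAttribute(CsrfGuard.PAGE_TOKENS_KEY);

    String tokenFromPages = (pageTokens != null ? pageTokens.get(request.getRequestURI()) : null);
    String tokenFromSession = (String) session.getAttribute(getSessionKey());
    String tokenFromRequest = request.getParameter(getTokenName());

    if (tokenFromRequest == null) {
      /** FAIL: token is missing from the request * */
      throw new CsrfGuardException("required token is missing from the request");
    } else if (tokenFromPages != null) {
      if (!java.security.MessageDigest.isEqual(
          tokenFromPages.getBytes(java.nio.charset.StandardCharsets.UTF_8),
          tokenFromRequest.getBytes(java.nio.charset.StandardCharsets.UTF_8))) {
        /** FAIL: request does not match page token * */
        throw new CsrfGuardException("request token does not match page token");
      }
    } else if (tokenFromSession == null) {
      /** FAIL: no page token and no master token; report a validation failure, not a NullPointerException * */
      throw new CsrfGuardException("required token is missing from the session");
    } else if (!java.security.MessageDigest.isEqual(
        tokenFromSession.getBytes(java.nio.charset.StandardCharsets.UTF_8),
        tokenFromRequest.getBytes(java.nio.charset.StandardCharsets.UTF_8))) {
      /** FAIL: the request token does not match the session token * */
      throw new CsrfGuardException("request token does not match session token");
    }
  }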