@Override public String toString() { StringBuilder sb = new StringBuilder(); sb.append("\r\n*****************************************************\r\n"); sb.append("* Owasp.CsrfGuard Properties\r\n"); sb.append("*\r\n"); sb.append(String.format("* Logger: %s\r\n", getLogger().getClass().getName())); sb.append(String.format("* NewTokenLandingPage: %s\r\n", getNewTokenLandingPage())); sb.append(String.format("* PRNG: %s\r\n", getPrng().getAlgorithm())); sb.append(String.format("* SessionKey: %s\r\n", getSessionKey())); sb.append(String.format("* TokenLength: %s\r\n", getTokenLength())); sb.append(String.format("* TokenName: %s\r\n", getTokenName())); sb.append(String.format("* Ajax: %s\r\n", isAjaxEnabled())); sb.append(String.format("* Rotate: %s\r\n", isRotateEnabled())); sb.append(String.format("* TokenPerPage: %s\r\n", isTokenPerPageEnabled())); for (IAction action : actions) { sb.append(String.format("* Action: %s\r\n", action.getClass().getName())); for (String name : action.getParameterMap().keySet()) { String value = action.getParameter(name); sb.append(String.format("*\tParameter: %s = %s\r\n", name, value)); } } sb.append("*****************************************************\r\n"); return sb.toString(); }
public boolean isValidRequest(HttpServletRequest request, HttpServletResponse response) { boolean valid = !isProtectedPageAndMethod(request); HttpSession session = request.getSession(true); String tokenFromSession = (String) session.getAttribute(getSessionKey()); /** sending request to protected resource - verify token * */ if (tokenFromSession != null && !valid) { try { if (isAjaxEnabled() && isAjaxRequest(request)) { verifyAjaxToken(request); } else if (isTokenPerPageEnabled()) { verifyPageToken(request); } else { verifySessionToken(request); } valid = true; } catch (CsrfGuardException csrfe) { for (IAction action : getActions()) { try { action.execute(request, response, csrfe, this); } catch (CsrfGuardException exception) { getLogger().log(LogLevel.Error, exception); } } } /** rotate session and page tokens * */ if (!isAjaxRequest(request) && isRotateEnabled()) { rotateTokens(request); } /** expected token in session - bad state * */ } else if ((tokenFromSession == null) && !valid) { throw new IllegalStateException( "CsrfGuard expects the token to exist in session at this point"); } else { /** unprotected page - nothing to do * */ } return valid; }
public static void load(Properties properties) throws NoSuchAlgorithmException, InstantiationException, IllegalAccessException, ClassNotFoundException, IOException, NoSuchProviderException { CsrfGuard csrfGuard = SingletonHolder.instance; /** load simple properties * */ csrfGuard.setLogger( (ILogger) Class.forName( properties.getProperty( "org.owasp.csrfguard.Logger", "org.owasp.csrfguard.log.ConsoleLogger")) .newInstance()); csrfGuard.setTokenName( properties.getProperty("org.owasp.csrfguard.TokenName", "OWASP_CSRFGUARD")); csrfGuard.setTokenLength( Integer.parseInt(properties.getProperty("org.owasp.csrfguard.TokenLength", "32"))); csrfGuard.setRotate( Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.Rotate", "false"))); csrfGuard.setTokenPerPage( Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.TokenPerPage", "false"))); csrfGuard.setTokenPerPagePrecreate( Boolean.valueOf( properties.getProperty("org.owasp.csrfguard.TokenPerPagePrecreate", "false"))); csrfGuard.setPrng( SecureRandom.getInstance( properties.getProperty("org.owasp.csrfguard.PRNG", "SHA1PRNG"), properties.getProperty("org.owasp.csrfguard.PRNG.Provider", "SUN"))); csrfGuard.setNewTokenLandingPage( properties.getProperty("org.owasp.csrfguard.NewTokenLandingPage")); // default to false if newTokenLandingPage is not set; default to true if set. if (csrfGuard.getNewTokenLandingPage() == null) { csrfGuard.setUseNewTokenLandingPage( Boolean.valueOf( properties.getProperty("org.owasp.csrfguard.UseNewTokenLandingPage", "false"))); } else { csrfGuard.setUseNewTokenLandingPage( Boolean.valueOf( properties.getProperty("org.owasp.csrfguard.UseNewTokenLandingPage", "true"))); } csrfGuard.setSessionKey( properties.getProperty("org.owasp.csrfguard.SessionKey", "OWASP_CSRFGUARD_KEY")); csrfGuard.setAjax(Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.Ajax", "false"))); csrfGuard.setProtect( Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.Protect", "false"))); /** first pass: instantiate actions * */ Map<String, IAction> actionsMap = new HashMap<String, IAction>(); for (Object obj : properties.keySet()) { String key = (String) obj; if (key.startsWith(ACTION_PREFIX)) { String directive = key.substring(ACTION_PREFIX.length()); int index = directive.indexOf('.'); /** action name/class * */ if (index < 0) { String actionClass = properties.getProperty(key); IAction action = (IAction) Class.forName(actionClass).newInstance(); action.setName(directive); actionsMap.put(action.getName(), action); csrfGuard.getActions().add(action); } } } /** second pass: initialize action parameters * */ for (Object obj : properties.keySet()) { String key = (String) obj; if (key.startsWith(ACTION_PREFIX)) { String directive = key.substring(ACTION_PREFIX.length()); int index = directive.indexOf('.'); /** action name/class * */ if (index >= 0) { String actionName = directive.substring(0, index); IAction action = actionsMap.get(actionName); if (action == null) { throw new IOException( String.format("action class %s has not yet been specified", actionName)); } String parameterName = directive.substring(index + 1); String parameterValue = properties.getProperty(key); action.setParameter(parameterName, parameterValue); } } } /** ensure at least one action was defined * */ if (csrfGuard.getActions().size() <= 0) { throw new IOException("failure to define at least one action"); } /** initialize protected, unprotected pages * */ for (Object obj : properties.keySet()) { String key = (String) obj; if (key.startsWith(PROTECTED_PAGE_PREFIX)) { String directive = key.substring(PROTECTED_PAGE_PREFIX.length()); int index = directive.indexOf('.'); /** page name/class * */ if (index < 0) { String pageUri = properties.getProperty(key); csrfGuard.getProtectedPages().add(Pattern.compile(pageUri)); } } if (key.startsWith(UNPROTECTED_PAGE_PREFIX)) { String directive = key.substring(UNPROTECTED_PAGE_PREFIX.length()); int index = directive.indexOf('.'); /** page name/class * */ if (index < 0) { String pageUri = properties.getProperty(key); csrfGuard.getUnprotectedPages().add(Pattern.compile(pageUri)); } } } /** initialize protected methods * */ String methodList = properties.getProperty("org.owasp.csrfguard.ProtectedMethods"); if (methodList != null && methodList.trim().length() != 0) { for (String method : methodList.split(",")) { csrfGuard.getProtectedMethods().add(method.trim()); } } }