private void rotateTokens(HttpServletRequest request) {
HttpSession session = request.getSession(true);
/** rotate master token * */
String tokenFromSession = null;
try {
tokenFromSession = RandomGenerator.generateRandomId(getPrng(), getTokenLength());
} catch (Exception e) {
throw new RuntimeException(
String.format("unable to generate the random token - %s", e.getLocalizedMessage()), e);
}
session.setAttribute(getSessionKey(), tokenFromSession);
/** rotate page token * */
if (isTokenPerPageEnabled()) {
@SuppressWarnings("unchecked")
Map<String, String> pageTokens =
(Map<String, String>) session.getAttribute(CsrfGuard.PAGE_TOKENS_KEY);
try {
pageTokens.put(
request.getRequestURI(), RandomGenerator.generateRandomId(getPrng(), getTokenLength()));
} catch (Exception e) {
throw new RuntimeException(
String.format("unable to generate the random token - %s", e.getLocalizedMessage()), e);
}
}
}
public String getTokenValue(HttpServletRequest request, String uri) {
String tokenValue = null;
HttpSession session = request.getSession(false);
if (session != null) {
if (isTokenPerPageEnabled()) {
@SuppressWarnings("unchecked")
Map<String, String> pageTokens =
(Map<String, String>) session.getAttribute(CsrfGuard.PAGE_TOKENS_KEY);
if (pageTokens != null) {
if (isTokenPerPagePrecreate()) {
createPageToken(pageTokens, uri);
}
tokenValue = pageTokens.get(uri);
}
}
if (tokenValue == null) {
tokenValue = (String) session.getAttribute(getSessionKey());
}
}
return tokenValue;
}
/**
* Create page token if it doesn't exist.
*
* @param pageTokens A map of tokens. If token doesn't exist it will be added.
* @param uri The key for the tokens.
*/
private void createPageToken(Map<String, String> pageTokens, String uri) {
if (pageTokens == null) return;
/** create token if it does not exist * */
if (pageTokens.containsKey(uri)) return;
try {
pageTokens.put(uri, RandomGenerator.generateRandomId(getPrng(), getTokenLength()));
} catch (Exception e) {
throw new RuntimeException(
String.format("unable to generate the random token - %s", e.getLocalizedMessage()), e);
}
}
private void verifyPageToken(HttpServletRequest request) throws CsrfGuardException {
HttpSession session = request.getSession(true);
@SuppressWarnings("unchecked")
Map<String, String> pageTokens =
(Map<String, String>) session.getAttribute(CsrfGuard.PAGE_TOKENS_KEY);
String tokenFromPages = (pageTokens != null ? pageTokens.get(request.getRequestURI()) : null);
String tokenFromSession = (String) session.getAttribute(getSessionKey());
String tokenFromRequest = request.getParameter(getTokenName());
if (tokenFromRequest == null) {
/** FAIL: token is missing from the request * */
throw new CsrfGuardException("required token is missing from the request");
} else if (tokenFromPages != null) {
if (!tokenFromPages.equals(tokenFromRequest)) {
/** FAIL: request does not match page token * */
throw new CsrfGuardException("request token does not match page token");
}
} else if (!tokenFromSession.equals(tokenFromRequest)) {
/** FAIL: the request token does not match the session token * */
throw new CsrfGuardException("request token does not match session token");
}
}
public static void load(Properties properties)
throws NoSuchAlgorithmException, InstantiationException, IllegalAccessException,
ClassNotFoundException, IOException, NoSuchProviderException {
CsrfGuard csrfGuard = SingletonHolder.instance;
/** load simple properties * */
csrfGuard.setLogger(
(ILogger)
Class.forName(
properties.getProperty(
"org.owasp.csrfguard.Logger", "org.owasp.csrfguard.log.ConsoleLogger"))
.newInstance());
csrfGuard.setTokenName(
properties.getProperty("org.owasp.csrfguard.TokenName", "OWASP_CSRFGUARD"));
csrfGuard.setTokenLength(
Integer.parseInt(properties.getProperty("org.owasp.csrfguard.TokenLength", "32")));
csrfGuard.setRotate(
Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.Rotate", "false")));
csrfGuard.setTokenPerPage(
Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.TokenPerPage", "false")));
csrfGuard.setTokenPerPagePrecreate(
Boolean.valueOf(
properties.getProperty("org.owasp.csrfguard.TokenPerPagePrecreate", "false")));
csrfGuard.setPrng(
SecureRandom.getInstance(
properties.getProperty("org.owasp.csrfguard.PRNG", "SHA1PRNG"),
properties.getProperty("org.owasp.csrfguard.PRNG.Provider", "SUN")));
csrfGuard.setNewTokenLandingPage(
properties.getProperty("org.owasp.csrfguard.NewTokenLandingPage"));
// default to false if newTokenLandingPage is not set; default to true if set.
if (csrfGuard.getNewTokenLandingPage() == null) {
csrfGuard.setUseNewTokenLandingPage(
Boolean.valueOf(
properties.getProperty("org.owasp.csrfguard.UseNewTokenLandingPage", "false")));
} else {
csrfGuard.setUseNewTokenLandingPage(
Boolean.valueOf(
properties.getProperty("org.owasp.csrfguard.UseNewTokenLandingPage", "true")));
}
csrfGuard.setSessionKey(
properties.getProperty("org.owasp.csrfguard.SessionKey", "OWASP_CSRFGUARD_KEY"));
csrfGuard.setAjax(Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.Ajax", "false")));
csrfGuard.setProtect(
Boolean.valueOf(properties.getProperty("org.owasp.csrfguard.Protect", "false")));
/** first pass: instantiate actions * */
Map<String, IAction> actionsMap = new HashMap<String, IAction>();
for (Object obj : properties.keySet()) {
String key = (String) obj;
if (key.startsWith(ACTION_PREFIX)) {
String directive = key.substring(ACTION_PREFIX.length());
int index = directive.indexOf('.');
/** action name/class * */
if (index < 0) {
String actionClass = properties.getProperty(key);
IAction action = (IAction) Class.forName(actionClass).newInstance();
action.setName(directive);
actionsMap.put(action.getName(), action);
csrfGuard.getActions().add(action);
}
}
}
/** second pass: initialize action parameters * */
for (Object obj : properties.keySet()) {
String key = (String) obj;
if (key.startsWith(ACTION_PREFIX)) {
String directive = key.substring(ACTION_PREFIX.length());
int index = directive.indexOf('.');
/** action name/class * */
if (index >= 0) {
String actionName = directive.substring(0, index);
IAction action = actionsMap.get(actionName);
if (action == null) {
throw new IOException(
String.format("action class %s has not yet been specified", actionName));
}
String parameterName = directive.substring(index + 1);
String parameterValue = properties.getProperty(key);
action.setParameter(parameterName, parameterValue);
}
}
}
/** ensure at least one action was defined * */
if (csrfGuard.getActions().size() <= 0) {
throw new IOException("failure to define at least one action");
}
/** initialize protected, unprotected pages * */
for (Object obj : properties.keySet()) {
String key = (String) obj;
if (key.startsWith(PROTECTED_PAGE_PREFIX)) {
String directive = key.substring(PROTECTED_PAGE_PREFIX.length());
int index = directive.indexOf('.');
/** page name/class * */
if (index < 0) {
String pageUri = properties.getProperty(key);
csrfGuard.getProtectedPages().add(Pattern.compile(pageUri));
}
}
if (key.startsWith(UNPROTECTED_PAGE_PREFIX)) {
String directive = key.substring(UNPROTECTED_PAGE_PREFIX.length());
int index = directive.indexOf('.');
/** page name/class * */
if (index < 0) {
String pageUri = properties.getProperty(key);
csrfGuard.getUnprotectedPages().add(Pattern.compile(pageUri));
}
}
}
/** initialize protected methods * */
String methodList = properties.getProperty("org.owasp.csrfguard.ProtectedMethods");
if (methodList != null && methodList.trim().length() != 0) {
for (String method : methodList.split(",")) {
csrfGuard.getProtectedMethods().add(method.trim());
}
}
}