org.xwiki.csrf.internal
Class DefaultCSRFToken

java.lang.Object
  extended by org.xwiki.csrf.internal.DefaultCSRFToken
All Implemented Interfaces:
org.xwiki.component.phase.Initializable, CSRFToken

@Component
@InstantiationStrategy(value=SINGLETON)
public class DefaultCSRFToken
extends java.lang.Object
implements CSRFToken, org.xwiki.component.phase.Initializable

Concrete implementation of the CSRFToken component.

This implementation uses a user => token map to store the tokens. The tokens are random, Base64-encoded bit-strings.

TODO Expire tokens every couple of hours (configurable). Expiration can be implemented using two maps, oldTokens and currentTokens: every half period the old tokens are replaced by the current tokens, the check is performed on both maps, and new tokens are added to the current tokens.
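
A stand-alone sketch of the two-map expiration scheme described in the TODO above, combined with the per-user token map and random Base64 tokens this class is documented to use. This is an added example, not XWiki's DefaultCSRFToken source: it takes the user name as an explicit parameter (a real component would resolve the current user from its context), its class name and period parameter are assumptions, and it compares tokens in constant time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Per-user anti-CSRF tokens with the two-map expiration from the TODO (added example, not XWiki code). */
public final class RotatingCsrfTokens {
    private final SecureRandom random = new SecureRandom();
    private final long halfPeriodMillis;
    private Map<String, String> currentTokens = new HashMap<>();
    private Map<String, String> oldTokens = new HashMap<>();
    private long lastRotation = System.currentTimeMillis();
    /** periodMillis is the full token lifetime (assumed parameter); the maps rotate every half period. */
    public RotatingCsrfTokens(long periodMillis) {
        this.halfPeriodMillis = periodMillis / 2;
    }
    /** Every half period the current map becomes the old map and the previous old map is dropped. */
    private void rotateIfDue() {
        long now = System.currentTimeMillis();
        if (now - lastRotation >= halfPeriodMillis) {
            oldTokens = currentTokens;
            currentTokens = new HashMap<>();
            lastRotation = now;
        }
    }
    /** Returns the user's current token, creating a fresh random Base64 token on first call. */
    public synchronized String getToken(String user) {
        rotateIfDue();
        return currentTokens.computeIfAbsent(user, u -> {
            byte[] bits = new byte[16]; // 128 random bits from a CSPRNG
            random.nextBytes(bits);
            return Base64.getEncoder().encodeToString(bits);
        });
    }
    /** Accepts the current or the previous token; the comparison is constant-time. */
    public synchronized boolean isTokenValid(String user, String token) {
        if (user == null || token == null) return false;
        rotateIfDue();
        return matches(currentTokens.get(user), token) || matches(oldTokens.get(user), token);
    }
    /** Invalidates immediately: both copies are removed, so the next getToken() yields a fresh token. */
    public synchronized void clearToken(String user) {
        currentTokens.remove(user);
        oldTokens.remove(user);
    }
    private static boolean matches(String stored, String given) {
        return stored != null && MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8), given.getBytes(StandardCharsets.UTF_8));
    }
}
```

A token issued just before a rotation stays valid for one more half period, so a form rendered with it can still be submitted; clearToken removes both copies so a cleared token cannot be replayed from the old map.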

Since:
2.5M2
Version:
$Id$

Constructor Summary
DefaultCSRFToken()
Method Summary
 void clearToken()
          Removes the anti-CSRF token associated with the current user.
 java.lang.String getResubmissionURL()
          Get the URL where a failed request should be redirected to.
 java.lang.String getToken()
          Returns the anti-CSRF token associated with the current user.
 void initialize()
          Initializes the storage and random number generator.
 boolean isTokenValid(java.lang.String token)
          Check if the given token matches the internally stored token associated with the current user.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

DefaultCSRFToken

public DefaultCSRFToken()
Method Detail

initialize

public void initialize()
                throws org.xwiki.component.phase.InitializationException
Initializes the storage and random number generator.

Specified by:
initialize in interface org.xwiki.component.phase.Initializable
Throws:
org.xwiki.component.phase.InitializationException

getToken

public java.lang.String getToken()
Returns the anti-CSRF token associated with the current user. Creates a fresh token on first call.

Specified by:
getToken in interface CSRFToken
Returns:
the secret token
See Also:
CSRFToken.isTokenValid(String)

clearToken

public void clearToken()
Removes the anti-CSRF token associated with the current user. The current token is invalidated immediately; a subsequent call of CSRFToken.getToken() will generate a fresh token.

Specified by:
clearToken in interface CSRFToken

isTokenValid

public boolean isTokenValid(java.lang.String token)
Check if the given token matches the internally stored token associated with the current user.

Specified by:
isTokenValid in interface CSRFToken
Parameters:
token - random token from the request
Returns:
true if the component is disabled or the given token is correct, false otherwise

getResubmissionURL

public java.lang.String getResubmissionURL()
Get the URL where a failed request should be redirected to.

Specified by:
getResubmissionURL in interface CSRFToken
Returns:
URL of the resubmission page with correct parameters


Copyright © 2004-2011 XWiki. All Rights Reserved.