org.xwiki.csrf

Interface CSRFToken

All Known Implementing Classes:

CSRFTokenScriptService

@Role
public interface CSRFToken

Anti-CSRF (Cross Site Request Forgery) protection using secret token validation mechanism.

A random secret token should be included into every request that modifies or stores some data. If the token included into the request does not match the token stored on the server side, the request is redirected to a resubmission page where a legitimate user has a chance to confirm his action.

Since:

2.5M2

Version:

$Id: abfb5473fbbb574e79efa336557ad53ae7c79093 $

See Also:

CSRF Prevention Cheat Sheet

Method Summary

Modifier and Type	Method and Description
void	clearToken() Removes the anti-CSRF token associated with the current user.
String	getResubmissionURL() Get the URL where a failed request should be redirected to.
String	getToken() Returns the anti-CSRF token associated with the current user.
boolean	isTokenValid(String token) Check if the given token matches the internally stored token associated with the current user.

Method Detail

getToken

String getToken()

Returns the anti-CSRF token associated with the current user. Creates a fresh token on first call.

Returns:

the secret token

See Also:

isTokenValid(String)

clearToken

void clearToken()

Removes the anti-CSRF token associated with the current user. Current token is invalidated immediately, a subsequent call of getToken() will generate a fresh token.

isTokenValid

boolean isTokenValid(String token)

Check if the given token matches the internally stored token associated with the current user.

Parameters:

token - random token from the request

Returns:

true if the component is disabled or the given token is correct, false otherwise

getResubmissionURL

String getResubmissionURL()

Get the URL where a failed request should be redirected to.

Returns:

URL of the resubmission page with correct parameters