• Home
• com.googlecode.cedar-common
• cedar-common-gwt
• 5.2.4
• source code
• GwtCookieXsrfTokenService.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

com.cedarsolutions.server.service.impl.GwtCookieXsrfTokenService Maven / Gradle / Ivy

/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 *
 *              C E D A R
 *          S O L U T I O N S       "Software done right."
 *           S O F T W A R E
 *
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 *
 * Copyright (c) 2013 Kenneth J. Pronovici.
 * All rights reserved.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the Apache License, Version 2.0.
 * See LICENSE for more information about the licensing terms.
 *
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 *
 * Author   : Kenneth J. Pronovici 
 * Language : Java 6
 * Project  : Common Java Functionality
 *
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
package com.cedarsolutions.server.service.impl;

import javax.servlet.http.Cookie;

import org.apache.log4j.Logger;

import com.cedarsolutions.exception.NotConfiguredException;
import com.cedarsolutions.server.service.ISpringContextService;
import com.cedarsolutions.server.service.IXsrfTokenService;
import com.cedarsolutions.util.LoggingUtils;
import com.google.gwt.user.client.rpc.RpcToken;
import com.google.gwt.user.client.rpc.RpcTokenException;
import com.google.gwt.user.client.rpc.XsrfToken;
import com.google.gwt.util.tools.shared.Md5Utils;
import com.google.gwt.util.tools.shared.StringUtils;

/**
 * GWT CSRF/XSRF token service implemented in terms of the session cookie.
 * @author Kenneth J. Pronovici 
 */
public class GwtCookieXsrfTokenService extends AbstractService implements IXsrfTokenService {

    /** Default value returned when token service is disabled. */
    public static final String DEFAULT_TOKEN = "none";

    /** Logger instance. */
    private static Logger LOGGER = LoggingUtils.getLogger(GwtCookieXsrfTokenService.class);

    /** Name of the configured session cookie. */
    private String sessionCookieName;  // I chose not to use a config object because this should change rarely

    /** Spring context service. */
    private ISpringContextService springContextService;

    /**
     * Invoked by a bean factory after it has set all bean properties.
     * @throws NotConfiguredException In the event of misconfiguration.
     */
    @Override
    public void afterPropertiesSet() throws NotConfiguredException {
        super.afterPropertiesSet();
        if (this.sessionCookieName == null || this.springContextService == null) {
            throw new NotConfiguredException("GwtCookieXsrfTokenService is not properly configured.");
        }
    }

    /**
     * Generate a CSRF/XSRF token.
     * @return CSRF/XSRF token string, always non-null.
     * @throws RpcTokenException If token generation failed.
     */
    @Override
    public String generateXsrfToken() throws RpcTokenException {
        String token = generateTokenFromCookie(this.getSessionCookie(), "generate");
        LOGGER.debug("Generated CSRF/XSRF token [" + token + "].");
        return token;
    }

    /**
     * Validate a CSRF/XSRF token.
     * @param token   RpcToken provided with an RPC request
     * @throws RpcTokenException If token verification failed.
     */
    @Override
    public void validateXsrfToken(RpcToken token) throws RpcTokenException {
        try {
            this.validateXsrfToken((XsrfToken) token);
        } catch (ClassCastException e) {
            LOGGER.error("Possible CSRF/XSRF attack: provided token is not XsrfToken");
            throw new RpcTokenException("Unable to verify CSRF/XSRF token: provided token is not XsrfToken");
        }
    }

    /**
     * Validate a CSRF/XSRF token.
     * @param token   XsrfToken provided with an RPC request
     * @throws RpcTokenException If token verification failed.
     */
    @Override
    public void validateXsrfToken(XsrfToken token) throws RpcTokenException {
        if (token == null) {
            LOGGER.error("Possible CSRF/XSRF attack: token not provided.");
            throw new RpcTokenException("Unable to verify CSRF/XSRF token: token not provided");
        }

        this.validateXsrfToken(token.getToken());
    }

    /**
     * Validate a CSRF/XSRF token.
     * @param token   String token provided with an RPC request
     * @throws RpcTokenException If token verification failed.
     */
    @Override
    public void validateXsrfToken(String token) throws RpcTokenException {
        if (token == null) {
            LOGGER.error("Possible CSRF/XSRF attack: token not provided.");
            throw new RpcTokenException("Unable to verify CSRF/XSRF token: token not provided");
        }

        String expectedToken = generateTokenFromCookie(this.getSessionCookie(), "verify");
        if (!expectedToken.equals(token)) {
            LOGGER.error("Possible CSRF/XSRF attack: expected [" + expectedToken + "], but got [" + token + "]");
            throw new RpcTokenException("CSRF/XSRF token not valid: possible CSRF/XSRF attack");
        }

        LOGGER.debug("CSRF/XSRF token [" + token + "] was valid.");
    }

    /** Generate a CSRF/XSRF token from a session cookie, validating that the cookie looks sensible. */
    protected static String generateTokenFromCookie(Cookie sessionCookie, String action) {
        if (sessionCookie == null || sessionCookie.getValue() == null || sessionCookie.getValue().length() == 0) {
            LOGGER.error("Unable to " + action + " CSRF/XSRF token: session cookie missing or empy");
            throw new RpcTokenException("Unable to " + action + " CSRF/XSRF token: session cookie missing or empy");
        }

        return generateTokenFromCookie(sessionCookie.getValue());
    }

    /** Generate a CSRF/XSRF token from a session cookie value. */
    protected static String generateTokenFromCookie(String sessionCookie) {
        return StringUtils.toHexString(Md5Utils.getMd5Digest(sessionCookie.getBytes()));
    }

    /** Get the session cookie from the Spring context. */
    protected Cookie getSessionCookie() {
        return this.springContextService.getCookie(this.getSessionCookieName(), false);
    }

    public String getSessionCookieName() {
        return this.sessionCookieName;
    }

    public void setSessionCookieName(String sessionCookieName) {
        this.sessionCookieName = sessionCookieName;
    }

    public ISpringContextService getSpringContextService() {
        return this.springContextService;
    }

    public void setSpringContextService(ISpringContextService springContextService) {
        this.springContextService = springContextService;
    }

}