com.webmethods.caf.faces.render.xsrf

Class SecretBasedAXSRFTVendingMachine

java.lang.Object

com.webmethods.caf.faces.render.xsrf.BaseAXSRFTVendingMachine

com.webmethods.caf.faces.render.xsrf.SecretBasedAXSRFTVendingMachine

All Implemented Interfaces:

IAXSRFTVendingMachine

public class SecretBasedAXSRFTVendingMachine
extends BaseAXSRFTVendingMachine

Anti-cross-site-request-forgery-token manager which uses server secrets to produce and validate tokens. This class must be initialized with at least one secret in its list of secrets. Ideally, one thread (ie portal scheduled event listener) will call removeOldSecrets(long) and then addNewSecret() on a timed schedule (which will update the secrets list).

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	SecretBasedAXSRFTVendingMachine.Secret

Field Summary

Fields

Modifier and Type	Field and Description
protected static String	CURRENT_TOKEN
protected List<SecretBasedAXSRFTVendingMachine.Secret>	m_secrets

Fields inherited from class com.webmethods.caf.faces.render.xsrf.BaseAXSRFTVendingMachine

m_whitelist

Constructor Summary

Constructors

Constructor and Description
SecretBasedAXSRFTVendingMachine()

Method Summary

Modifier and Type	Method and Description
boolean	acceptToken(FacesContext context, String token) Returns true if the specified anti-cross-site-request-forgery token is valid for the specified user.
boolean	acceptToken(HttpServletRequest request, String token) Returns true if the specified anti-cross-site-request-forgery token is valid for the specified user.
void	addNewSecret() Generates a new random secret, and adds it to the list of secrets.
protected String	digest(SecretBasedAXSRFTVendingMachine.Secret secret, String user) Digests user + secret.
protected SecretBasedAXSRFTVendingMachine.Secret	generateNewSecret() Generates a new random secret.
protected String	generateToken(String user) Generates a token for this user.
List<SecretBasedAXSRFTVendingMachine.Secret>	getSecrets()
protected String	getUser(FacesContext context)
protected String	getUser(HttpServletRequest request)
String	produceToken(FacesContext context) Produces an anti-cross-site-request-forgery token for the specified user.
String	produceToken(HttpServletRequest request) Produces an anti-cross-site-request-forgery token for the specified user.
String	produceToken(String user) Produces an anti-cross-site-request-forgery token for the specified user.
void	removeOldSecrets(long oldestAllowed)
void	setSecrets(List<SecretBasedAXSRFTVendingMachine.Secret> secrets)
protected boolean	validateToken(String user, String token) Validates the token for this user.

Methods inherited from class com.webmethods.caf.faces.render.xsrf.BaseAXSRFTVendingMachine

getRequest, getWhitelist, inWhitelist, parseWhitelist, setWhitelist

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CURRENT_TOKEN

protected static final String CURRENT_TOKEN

m_secrets

protected List<SecretBasedAXSRFTVendingMachine.Secret> m_secrets

Constructor Detail

SecretBasedAXSRFTVendingMachine

public SecretBasedAXSRFTVendingMachine()

Method Detail

produceToken

public String produceToken(FacesContext context)

Produces an anti-cross-site-request-forgery token for the specified user.

produceToken

public String produceToken(HttpServletRequest request)

Produces an anti-cross-site-request-forgery token for the specified user.

produceToken

public String produceToken(String user)

Produces an anti-cross-site-request-forgery token for the specified user.

acceptToken

public boolean acceptToken(FacesContext context,
                           String token)

Returns true if the specified anti-cross-site-request-forgery token is valid for the specified user.

acceptToken

public boolean acceptToken(HttpServletRequest request,
                           String token)

Returns true if the specified anti-cross-site-request-forgery token is valid for the specified user.

addNewSecret

public void addNewSecret()

Generates a new random secret, and adds it to the list of secrets.

removeOldSecrets

public void removeOldSecrets(long oldestAllowed)

generateNewSecret

protected SecretBasedAXSRFTVendingMachine.Secret generateNewSecret()

Generates a new random secret.

generateToken

protected String generateToken(String user)

Generates a token for this user.

validateToken

protected boolean validateToken(String user,
                                String token)

Validates the token for this user.

digest

protected String digest(SecretBasedAXSRFTVendingMachine.Secret secret,
                        String user)

Digests user + secret.

getUser

protected String getUser(FacesContext context)

getUser

protected String getUser(HttpServletRequest request)

getSecrets

public List<SecretBasedAXSRFTVendingMachine.Secret> getSecrets()

setSecrets

public void setSecrets(List<SecretBasedAXSRFTVendingMachine.Secret> secrets)