org.kuali.rice.krad.util

Class CsrfValidator

java.lang.Object

org.kuali.rice.krad.util.CsrfValidator

public class CsrfValidator
extends Object

Simple utility class that will validate the given request to determine if it has any required CSRF information, setting appropriate response errors if not.

Author:

Eric Westfall

Field Summary

Fields

Modifier and Type	Field and Description
static String	CSRF_PARAMETER
static String	CSRF_SESSION_TOKEN

Constructor Summary

Constructors

Constructor and Description
CsrfValidator()

Method Summary

Modifier and Type	Method and Description
static String	getRequestToken(javax.servlet.http.HttpServletRequest request) Retrieve the CSRF token parameter that is on the given request, or null if the request has none.
static String	getSessionToken(javax.servlet.http.HttpServletRequest request) Retrieve the CSRF token that is associated with the session for the given request, or null if the session has none.
static void	placeSessionToken(javax.servlet.http.HttpServletRequest request) If the session associated with the given request has no CSRF token, this method will generate that token and add it as an attribute on the session.
static boolean	validateCsrf(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Applies CSRF protection for any HTTP method other than GET, HEAD, or OPTIONS.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CSRF_PARAMETER

public static final String CSRF_PARAMETER

See Also:

Constant Field Values

CSRF_SESSION_TOKEN

public static final String CSRF_SESSION_TOKEN

See Also:

Constant Field Values

Constructor Detail

CsrfValidator

public CsrfValidator()

Method Detail

validateCsrf

public static boolean validateCsrf(javax.servlet.http.HttpServletRequest request,
                                   javax.servlet.http.HttpServletResponse response)

Applies CSRF protection for any HTTP method other than GET, HEAD, or OPTIONS.

Parameters:

request - the http request to check

response - the http response associated with the given request

Returns:

true if the request validated successfully, false otherwise. If false is returned, calling code should act immediately to terminate any additional work performed on the response.

getSessionToken

public static String getSessionToken(javax.servlet.http.HttpServletRequest request)

Retrieve the CSRF token that is associated with the session for the given request, or null if the session has none.

Parameters:

request - the request to check the session for the CSRF token

Returns:

the CSRF token on the request's session, or null if the session has none

getRequestToken

public static String getRequestToken(javax.servlet.http.HttpServletRequest request)

Retrieve the CSRF token parameter that is on the given request, or null if the request has none.

Parameters:

request - the request to check for the CSRF token parameter

Returns:

the CSRF token parameter on the request, or null if the request has none

placeSessionToken

public static void placeSessionToken(javax.servlet.http.HttpServletRequest request)

If the session associated with the given request has no CSRF token, this method will generate that token and add it as an attribute on the session. If the session already has a CSRF token, this method will do nothing.

Parameters:

request - the request with the session on which to place the session token if needed