jodd.servlet

Class CsrfShield

java.lang.Object

jodd.servlet.CsrfShield

public class CsrfShield
extends java.lang.Object

Shields against CSRF attacks.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	CsrfShield.Token CSRF Token.

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	CSRF_TOKEN_NAME
static java.lang.String	CSRF_TOKEN_SET
protected static int	maxTokensPerSession
protected static int	timeToLive

Constructor Summary

Constructors

Constructor and Description
CsrfShield()

Method Summary

Modifier and Type	Method and Description
protected static void	assureSize(java.util.Set<CsrfShield.Token> tokenSet) Removes expired tokens if token set is full.
static boolean	checkCsrfToken(javax.servlet.http.HttpServletRequest request)
static boolean	checkCsrfToken(javax.servlet.http.HttpServletRequest request, java.lang.String tokenName) Checks if CSRF token is valid.
static boolean	checkCsrfToken(javax.servlet.http.HttpSession session, java.lang.String tokenValue) Checks token value.
static java.lang.String	prepareCsrfToken(javax.servlet.http.HttpSession session)
static java.lang.String	prepareCsrfToken(javax.servlet.http.HttpSession session, int timeToLive) Generates new CSRF token and puts it in the session.
static java.lang.String	prepareCsrfToken(javax.servlet.jsp.PageContext pageContext)
static void	setMaxTokensPerSession(int maxTokensPerSession) Sets max number of tokens that will be stored for single session.
static void	setTimeToLive(int periodInSeconds) Sets time to live for tokens in seconds.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CSRF_TOKEN_NAME

public static final java.lang.String CSRF_TOKEN_NAME

See Also:

Constant Field Values

CSRF_TOKEN_SET

public static final java.lang.String CSRF_TOKEN_SET

See Also:

Constant Field Values

timeToLive

protected static int timeToLive

maxTokensPerSession

protected static int maxTokensPerSession

Constructor Detail

CsrfShield

public CsrfShield()

Method Detail

setTimeToLive

public static void setTimeToLive(int periodInSeconds)

Sets time to live for tokens in seconds. By setting negative value or 0 token leaves forever.

setMaxTokensPerSession

public static void setMaxTokensPerSession(int maxTokensPerSession)

Sets max number of tokens that will be stored for single session. It is actually the number of CSRF validation that may occur in the same time. Limit prevents from malicious growing of the set.

prepareCsrfToken

public static java.lang.String prepareCsrfToken(javax.servlet.jsp.PageContext pageContext)

See Also:

prepareCsrfToken(javax.servlet.http.HttpSession, int)

prepareCsrfToken

public static java.lang.String prepareCsrfToken(javax.servlet.http.HttpSession session)

See Also:

prepareCsrfToken(javax.servlet.http.HttpSession, int)

prepareCsrfToken

public static java.lang.String prepareCsrfToken(javax.servlet.http.HttpSession session,
                                                int timeToLive)

Generates new CSRF token and puts it in the session. Returns generated token value.

assureSize

protected static void assureSize(java.util.Set<CsrfShield.Token> tokenSet)

Removes expired tokens if token set is full.

See Also:

setMaxTokensPerSession(int)

checkCsrfToken

public static boolean checkCsrfToken(javax.servlet.http.HttpServletRequest request)

See Also:

checkCsrfToken(javax.servlet.http.HttpServletRequest, String)

checkCsrfToken

public static boolean checkCsrfToken(javax.servlet.http.HttpServletRequest request,
                                     java.lang.String tokenName)

Checks if CSRF token is valid. Returns false if token was requested, but not found. Otherwise, it returns true.

checkCsrfToken

public static boolean checkCsrfToken(javax.servlet.http.HttpSession session,
                                     java.lang.String tokenValue)

Checks token value. C