org.springframework.security.web.csrf.DefaultCsrfToken Java Examples

Example #1
Source File: JWTCsrfTokenRepository.java — from the "tutorials" project (MIT License)
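@Override
public CsrfToken generateToken(HttpServletRequest request) {
    // Random 128-bit UUID (SecureRandom-backed) used as the JWT id so every token is unique.
    String id = UUID.randomUUID()
        .toString()
        .replace("-", "");

    // Derive exp from the same clock reading as iat/nbf so the three claims are consistent.
    // (The original read the clock twice, so exp could drift by a millisecond from iat.)
    // NOTE(review): a 30 s lifetime is very short for a CSRF token — any form that takes
    // longer than that to submit will be rejected by the filter. Tune with care.
    final long ttlMillis = 1000L * 30; // 30 seconds
    Date now = new Date();
    Date exp = new Date(now.getTime() + ttlMillis);

    // Stateless, signed token: the server does not store it and relies on the HMAC for
    // integrity. NOTE(review): HS256 security rests on `secret` (declared outside this
    // method) being a high-entropy key of at least 256 bits — confirm where it is loaded.
    String token = Jwts.builder()
        .setId(id)
        .setIssuedAt(now)
        .setNotBefore(now)
        .setExpiration(exp)
        .signWith(SignatureAlgorithm.HS256, secret)
        .compact();

    // Header name / parameter name are fixed; the filter accepts the token from either.
    return new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", token);
}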
 
Example #2
Source File: SyndesisCsrfRepository.java — from the "syndesis" project (Apache License 2.0)
@Override
public CsrfToken loadToken(HttpServletRequest httpServletRequest) {
    // The token is read from the request itself (extractToken) rather than from a
    // session or cookie: this repository holds no server-side state per client.
    String uri = httpServletRequest.getRequestURI();
    Optional<String> extracted = extractToken(httpServletRequest);

    if (!extracted.isPresent()) {
        LOG.trace("Xsrf token not found in request to uri {}", uri);
        return null;
    }

    // The value is logged at TRACE. In this repository the token is the fixed constant
    // XSRF_HEADER_VALUE (see the sibling generateToken), so it is not a per-session secret;
    // if that ever changes, this log line should stop printing the value.
    String value = extracted.get();
    LOG.trace("Xsrf token found in request to uri {}. Value is: {}", uri, value);

    // NOTE(review): the header name is also used as the parameter name, so the filter may
    // accept the token as a form parameter as well as a custom header — confirm that is
    // intended, since a constant-valued token only protects when it must travel in a
    // custom header that browsers will not attach cross-origin.
    return new DefaultCsrfToken(XSRF_HEADER_NAME, XSRF_HEADER_NAME, value);
}
 
Example #3
Source File: CookieCsrfSignedTokenRepository.java — from the "graviteeio-access-management" project (Apache License 2.0)
@Override
public CsrfToken generateToken(HttpServletRequest request) {
    // Reuse the token already bound to this client when the request carries a cookie
    // whose signature verifies; only mint a fresh value when there is none.
    CsrfToken existing = loadToken(request);
    if (existing == null) {
        // UUID.randomUUID() is SecureRandom-backed: 122 bits of unpredictability.
        String fresh = UUID.randomUUID().toString();
        return new DefaultCsrfToken(DEFAULT_CSRF_HEADER_NAME, DEFAULT_CSRF_PARAMETER_NAME, fresh);
    }
    return existing;
}
 
Example #4
Source File: CookieCsrfSignedTokenRepository.java — from the "graviteeio-access-management" project (Apache License 2.0)
@Override
public CsrfToken loadToken(HttpServletRequest request) {
    // The token lives in a cookie as a compact JWS; the cookie is client-controlled,
    // so nothing in it is trusted until the signature has been verified.
    Cookie csrfCookie = WebUtils.getCookie(request, DEFAULT_CSRF_COOKIE_NAME);
    if (csrfCookie == null) {
        return null;
    }

    String serialized = csrfCookie.getValue();
    if (!StringUtils.hasLength(serialized)) {
        return null;
    }

    try {
        // parse() only splits and base64-decodes; it does not check the signature.
        JWSObject jws = JWSObject.parse(serialized);

        // Unsigned or tampered cookie: behave as if no token were present.
        if (!jws.verify(verifier)) {
            return null;
        }

        // NOTE(review): toJSONObject() returns null when the payload is not a JSON object;
        // that case is not guarded here and would surface as a NullPointerException.
        // Also, no expiry or alg-header check is performed in this method — confirm the
        // verifier's accepted algorithms match what is issued.
        String claimedToken = jws.getPayload().toJSONObject().getAsString(TOKEN_CLAIM);
        if (!StringUtils.hasLength(claimedToken)) {
            return null;
        }

        return new DefaultCsrfToken(DEFAULT_CSRF_HEADER_NAME, DEFAULT_CSRF_PARAMETER_NAME, claimedToken);
    } catch (ParseException | JOSEException ex) {
        // NOTE(review): any garbage cookie reaches this ERROR log with a stack trace,
        // which an unauthenticated client can trigger at will.
        LOGGER.error("Unable to verify CSRF token", ex);
    }

    return null;
}
 
Example #5
Source File: FormLoginAuthenticationCsrfTokenInterceptor.java — from the "mojito" project (Apache License 2.0)
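/**
 * Extracts the CSRF token from the login page HTML. This is needed because the
 * CSRF token endpoint itself requires an authenticated session, so the very first
 * token has to be scraped from the (unauthenticated) login page.
 *
 * <p>The token is expected to appear in an inline script assignment of the form
 * {@code CSRF_TOKEN = '<value>';} — that is what the regex below matches. It is
 * <em>not</em> read from a hidden {@code <input>} named
 * {@link com.box.l10n.mojito.rest.resttemplate.FormLoginAuthenticationCsrfTokenInterceptor#CSRF_PARAM_NAME}
 * (the previous Javadoc said so, but the code never did); the pattern must be
 * updated if the login page markup changes.
 *
 * @param loginHtml the login page HTML that embeds the CSRF token
 * @return a {@link CsrfToken} carrying the scraped value under
 *         {@code CSRF_HEADER_NAME} / {@code CSRF_PARAM_NAME}
 * @throws SessionAuthenticationException if no {@code CSRF_TOKEN} assignment is
 *         found, or if the assigned value is empty
 */
protected CsrfToken getCsrfTokenFromLoginHtml(String loginHtml) throws AuthenticationException {
    // Non-greedy match takes the first quoted value; a token containing a quote
    // character would be truncated, which is acceptable for the opaque tokens in use.
    Pattern pattern = Pattern.compile("CSRF_TOKEN = '(.*?)';");
    Matcher matcher = pattern.matcher(loginHtml);

    if (!matcher.find()) {
        throw new SessionAuthenticationException("Could not find CSRF_TOKEN variable on login page");
    }

    String csrfTokenString = matcher.group(1);

    // DefaultCsrfToken rejects an empty token with a generic IllegalArgumentException;
    // surface the real cause as an authentication failure instead.
    if (csrfTokenString.isEmpty()) {
        throw new SessionAuthenticationException("CSRF_TOKEN variable on login page is empty");
    }

    // Log presence and length only: the CSRF token is a per-session credential and
    // should not end up in log files.
    logger.debug("CSRF token found in login html ({} chars)", csrfTokenString.length());
    return new DefaultCsrfToken(CSRF_HEADER_NAME,
            CSRF_PARAM_NAME, csrfTokenString);
}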
 
Example #6
Source File: CookieCsrfSignedTokenRepository.java — from the "gravitee-management-rest-api" project (Apache License 2.0)
@Override
public CsrfToken generateToken(HttpServletRequest request) {
    // Reuse the token already bound to this client when the request carries a cookie
    // whose signature verifies; only mint a fresh value when there is none.
    CsrfToken existing = loadToken(request);
    if (existing == null) {
        // UUID.randomUUID() is SecureRandom-backed: 122 bits of unpredictability.
        String fresh = UUID.randomUUID().toString();
        return new DefaultCsrfToken(DEFAULT_CSRF_HEADER_NAME, DEFAULT_CSRF_PARAMETER_NAME, fresh);
    }
    return existing;
}
 
Example #7
Source File: CookieCsrfSignedTokenRepository.java — from the "gravitee-management-rest-api" project (Apache License 2.0)
@Override
public CsrfToken loadToken(HttpServletRequest request) {
    // The token lives in a cookie as a compact JWS; the cookie is client-controlled,
    // so nothing in it is trusted until the signature has been verified.
    Cookie csrfCookie = WebUtils.getCookie(request, DEFAULT_CSRF_COOKIE_NAME);
    if (csrfCookie == null) {
        return null;
    }

    String serialized = csrfCookie.getValue();
    if (!StringUtils.hasLength(serialized)) {
        return null;
    }

    try {
        // parse() only splits and base64-decodes; it does not check the signature.
        JWSObject jws = JWSObject.parse(serialized);

        // Unsigned or tampered cookie: behave as if no token were present.
        if (!jws.verify(verifier)) {
            return null;
        }

        // NOTE(review): toJSONObject() returns null when the payload is not a JSON object;
        // that case is not guarded here and would surface as a NullPointerException.
        // Also, no expiry or alg-header check is performed in this method — confirm the
        // verifier's accepted algorithms match what is issued.
        String claimedToken = jws.getPayload().toJSONObject().getAsString(TOKEN_CLAIM);
        if (!StringUtils.hasLength(claimedToken)) {
            return null;
        }

        return new DefaultCsrfToken(DEFAULT_CSRF_HEADER_NAME, DEFAULT_CSRF_PARAMETER_NAME, claimedToken);
    } catch (ParseException | JOSEException ex) {
        // NOTE(review): any garbage cookie reaches this ERROR log with a stack trace,
        // which an unauthenticated client can trigger at will.
        LOGGER.error("Unable to verify CSRF token", ex);
    }

    return null;
}
 
Example #8
Source File: SyndesisCsrfRepository.java — from the "syndesis" project (Apache License 2.0)
/**
 * Returns the fixed CSRF token for this repository.
 *
 * <p>The value is the constant {@code XSRF_HEADER_VALUE}, not a random per-session
 * secret. Such a scheme only protects against CSRF because browsers will not attach
 * a custom request header cross-origin without a CORS grant; it offers nothing if
 * the token can also be supplied as a plain form parameter. NOTE(review): the header
 * name is also passed as the parameter name here — confirm the filter does not honor
 * the parameter path with this repository.
 */
@Override
public CsrfToken generateToken(HttpServletRequest httpServletRequest) {
    String constantValue = XSRF_HEADER_VALUE;
    return new DefaultCsrfToken(XSRF_HEADER_NAME, XSRF_HEADER_NAME, constantValue);
}
 
Example #9
Source File: FormLoginAuthenticationCsrfTokenInterceptor.java — from the "mojito" project (Apache License 2.0)
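/**
 * Fetches the CSRF token for the current (authenticated) session from the server's
 * CSRF token endpoint. The response body is taken verbatim as the token value.
 *
 * @param csrfTokenUrl the full URL of the CSRF token endpoint
 * @return a {@link CsrfToken} carrying the response body under
 *         {@code CSRF_HEADER_NAME} / {@code CSRF_PARAM_NAME}
 * @throws SessionAuthenticationException if the endpoint returns no body; the
 *         original let {@code DefaultCsrfToken} reject the null/empty value with a
 *         generic {@code IllegalArgumentException} that hid the real cause
 */
protected CsrfToken getCsrfTokenFromEndpoint(String csrfTokenUrl) {
    // RestTemplate raises on non-2xx statuses, so only the body needs checking here.
    ResponseEntity<String> csrfTokenEntity =
            restTemplateForAuthenticationFlow.getForEntity(csrfTokenUrl, String.class, "");
    String csrfTokenString = csrfTokenEntity.getBody();

    if (csrfTokenString == null || csrfTokenString.isEmpty()) {
        throw new SessionAuthenticationException(
                "CSRF token endpoint " + csrfTokenUrl + " returned an empty body");
    }

    // Log presence and length only: the CSRF token is a per-session credential and
    // should not end up in log files.
    logger.debug("CSRF token obtained from {} ({} chars)", csrfTokenUrl, csrfTokenString.length());
    return new DefaultCsrfToken(CSRF_HEADER_NAME,
            CSRF_PARAM_NAME, csrfTokenString);
}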
 
Example #10
Source File: CachedCsrfTokenRepository.java — from the "para" project (Apache License 2.0)
/**
 * Creates a new CSRF token for the given request.
 *
 * <p>The token value comes from {@code Utils.generateSecurityToken()}; how much
 * entropy it carries is determined there, not here. The request itself is not
 * consulted — every call yields an independent token.
 *
 * @param request the HTTP request the token is being generated for (unused)
 * @return a freshly generated token under {@code headerName} / {@code parameterName}
 */
public CsrfToken generateToken(HttpServletRequest request) {
	String freshValue = Utils.generateSecurityToken();
	return new DefaultCsrfToken(headerName, parameterName, freshValue);
}