Class CSRFTokenManager

java.lang.Object
net.shibboleth.idp.ui.csrf.CSRFTokenManager

@ThreadSafe
public final class CSRFTokenManager
extends Object
A thread-safe helper class for dealing with cross-site request forgery tokens.
  • Field Details

    • csrfParameterName

      @Nonnull private String csrfParameterName
      The name of the HTTP parameter that contains the anti-CSRF token.
    • tokenGenerationStrategy

      @Nonnull private IdentifierGenerationStrategy tokenGenerationStrategy
      The strategy used to generate a CSRF token value.
    • csrfTokenValidationPredicate

      @Nonnull private BiPredicate<CSRFToken,String> csrfTokenValidationPredicate
      Predicate to validate the CSRF token.
  • Constructor Details

  • Method Details

    • setTokenGenerationStrategy

      public void setTokenGenerationStrategy(@Nonnull IdentifierGenerationStrategy tokenStrategy)
      Set the CSRF token generation strategy.
      Parameters:
      tokenStrategy - CSRF token generation strategy
    • setCsrfTokenValidationPredicate

      public void setCsrfTokenValidationPredicate(@Nonnull BiPredicate<CSRFToken,String> tokenValidationPredicate)
      Set the CSRF token validation predicate.
      Parameters:
      tokenValidationPredicate - the CSRF token validation predicate.
    • setCsrfParameterName

      public void setCsrfParameterName(@Nonnull @NotEmpty String parameterName)
      Set the CSRF HTTP parameter name.
      Parameters:
      parameterName - CSRF parameter name
    • generateCSRFToken

      @Nonnull public CSRFToken generateCSRFToken()
      Generate a CSRFToken whose value is derived from the token generation strategy and whose HTTP parameter name is taken from the csrfParameterName field.
      Returns:
      a CSRF token
    • isValidCSRFToken

      public boolean isValidCSRFToken(@Nullable CSRFToken csrfToken, @Nullable String requestCsrfToken)
      Check that the server-side CSRF token matches the CSRF token in the request, using the csrfTokenValidationPredicate.
      Parameters:
      csrfToken - the server-side CSRF token.
      requestCsrfToken - the CSRF token from the request.
      Returns:
      true iff the CSRF token value matches the request CSRF token; false otherwise.
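
Example (added here, not part of the Shibboleth code base): a validation predicate of the BiPredicate<CSRFToken,String> shape accepted by setCsrfTokenValidationPredicate, written to compare in constant time and to reject the null inputs that isValidCSRFToken permits. The nested CSRFToken interface is a hypothetical stand-in so the example compiles on its own; its accessor names, the class name and the sample parameter name are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.function.BiPredicate;

public class CsrfPredicateExample {

    /** Hypothetical stand-in for the library's CSRFToken; accessor names are assumptions. */
    interface CSRFToken {
        String getParameterName();
        String getToken();
    }

    /** Constant-time, null-safe comparison of the server-side token and the request value. */
    static final BiPredicate<CSRFToken, String> CONSTANT_TIME_MATCH = (serverToken, requestValue) -> {
        if (serverToken == null || serverToken.getToken() == null || requestValue == null) {
            return false; // a missing token on either side never validates
        }
        byte[] expected = serverToken.getToken().getBytes(StandardCharsets.UTF_8);
        byte[] supplied = requestValue.getBytes(StandardCharsets.UTF_8);
        // Reject an empty server-side token so that "" can never match "".
        return expected.length > 0 && MessageDigest.isEqual(expected, supplied);
    };

    /** Constructed token source for the demo: 20 random bytes, URL-safe Base64 encoded. */
    static CSRFToken newToken(String parameterName) {
        byte[] raw = new byte[20];
        new SecureRandom().nextBytes(raw);
        String value = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        return new CSRFToken() {
            public String getParameterName() { return parameterName; }
            public String getToken() { return value; }
        };
    }

    public static void main(String[] args) {
        CSRFToken token = newToken("csrf_token"); // constructed sample parameter name
        System.out.println(CONSTANT_TIME_MATCH.test(token, token.getToken()));       // matching value
        System.out.println(CONSTANT_TIME_MATCH.test(token, token.getToken() + "x")); // altered value
        System.out.println(CONSTANT_TIME_MATCH.test(token, null));                   // parameter absent
        System.out.println(CONSTANT_TIME_MATCH.test(null, token.getToken()));        // no server-side token
    }
}
```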