Class CSRFTokenFlowExecutionListener

java.lang.Object
net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
net.shibboleth.idp.ui.csrf.impl.CSRFTokenFlowExecutionListener
All Implemented Interfaces:
Component, DestructableComponent, InitializableComponent, FlowExecutionListener

public class CSRFTokenFlowExecutionListener
extends AbstractInitializableComponent
implements FlowExecutionListener
A flow execution lifecycle listener that, if enabled:
  • Sets an anti-CSRF token into the view-scope map on rendering of a suitable view-state
  • Checks that the CSRF token in an HTTP request matches the one stored in the view-scope map when a suitable view-state event occurs.
  • Field Details

    • CSRF_TOKEN_VIEWSCOPE_NAME

      @Nonnull public static final String CSRF_TOKEN_VIEWSCOPE_NAME
      The name of the view scope parameter that holds the CSRF token.
      See Also:
      Constant Field Values
    • log

      @Nonnull private final org.slf4j.Logger log
      Class logger.
    • eventRequiresCSRFTokenValidationPredicate

      @NonnullAfterInit private BiPredicate<RequestContext, Event> eventRequiresCSRFTokenValidationPredicate
      Should the request context and event be checked for a valid (matching) CSRF token?
    • viewRequiresCSRFTokenPredicate

      @NonnullAfterInit private Predicate<RequestContext> viewRequiresCSRFTokenPredicate
      Does the view being rendered require a CSRF token to be set?
    • enabled

      @Nonnull private boolean enabled
      Is this listener enabled?
    • csrfTokenManager

      @NonnullAfterInit private CSRFTokenManager csrfTokenManager
      The CSRF token manager for getting and validating tokens.
  • Constructor Details

    • CSRFTokenFlowExecutionListener

      public CSRFTokenFlowExecutionListener()
      Constructor.
  • Method Details

    • setEnabled

      public void setEnabled(@Nonnull boolean enable)
      Set whether CSRF protection is globally enabled or disabled.
      Parameters:
      enable - enable/disable CSRF protection (default is false).
    • setViewRequiresCSRFTokenPredicate

      public void setViewRequiresCSRFTokenPredicate(@Nonnull Predicate<RequestContext> condition)
      Sets the request context condition to determine if a CSRF token should be added to the view-scope.
      Parameters:
      condition - the condition to apply.
    • setEventRequiresCSRFTokenValidationPredicate

      public void setEventRequiresCSRFTokenValidationPredicate(@Nonnull BiPredicate<RequestContext, Event> condition)
      Set the request context and event condition to determine if a CSRF token should be validated.
      Parameters:
      condition - the condition to apply
    • setCsrfTokenManager

      public void setCsrfTokenManager(@Nonnull CSRFTokenManager tokenManager)
      Sets the CSRF token manager.
      Parameters:
      tokenManager - the CSRF token manager.
    • viewRendering

      public void viewRendering(@Nonnull RequestContext context, @Nonnull View view, @Nonnull StateDefinition viewState)
      Generates a CSRF token and adds it to the request context view scope, overwriting any existing token.
      Specified by:
      viewRendering in interface FlowExecutionListener
    • eventSignaled

      public void eventSignaled(@Nonnull RequestContext context, @Nonnull Event event)
      Checks that the CSRF token in the HTTP request matches the one stored in the request context view scope.

      Only applies if the listener is enabled, the current state is a view-state, and the request context and event match the eventRequiresCSRFTokenValidationPredicate condition.

      Invalid tokens - those not found or not matching - are signalled by throwing an InvalidCSRFTokenException.

      Specified by:
      eventSignaled in interface FlowExecutionListener
    • doInitialize

      public void doInitialize() throws ComponentInitializationException
      Overrides:
      doInitialize in class AbstractInitializableComponent
      Throws:
      ComponentInitializationException
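As an added example (not the IdP's own code), a simplified model of the two hooks documented above: viewRendering mints a token into a view-scope map, eventSignaled checks the submitted one, and a request still carrying the token from an earlier render is rejected once the view has been re-rendered. The plain-map view scope, the boolean predicate results passed in place of the real predicates, the key value and the inline token generation standing in for CSRFTokenManager are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Simplified model of the listener's two hooks; view scope and request parameters are plain maps (assumption). */
public class CsrfListenerModel {
    static final String CSRF_TOKEN_VIEWSCOPE_NAME = "csrf_token"; // assumed key; the real constant's value is not on this page
    private final SecureRandom random = new SecureRandom();
    private boolean enabled = true;
    static class InvalidCSRFTokenException extends RuntimeException { InvalidCSRFTokenException(String m) { super(m); } }

    /** Like viewRendering: mint a fresh 256-bit token and overwrite any token already in view scope. */
    public void viewRendering(Map<String, Object> viewScope, boolean viewRequiresToken) {
        if (!enabled || !viewRequiresToken) return;
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        viewScope.put(CSRF_TOKEN_VIEWSCOPE_NAME, Base64.getUrlEncoder().withoutPadding().encodeToString(raw));
    }

    /** Like eventSignaled: a token that is absent or does not match the view-scope token is rejected. */
    public void eventSignaled(Map<String, Object> viewScope, Map<String, String> requestParams,
            boolean inViewState, boolean eventRequiresValidation) {
        if (!enabled || !inViewState || !eventRequiresValidation) return;
        Object stored = viewScope.get(CSRF_TOKEN_VIEWSCOPE_NAME);
        String submitted = requestParams.get(CSRF_TOKEN_VIEWSCOPE_NAME);
        if (stored == null || submitted == null) {
            throw new InvalidCSRFTokenException("CSRF token missing from view scope or request");
        }
        // Constant-time comparison so timing does not reveal how many leading bytes matched.
        if (!MessageDigest.isEqual(stored.toString().getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8))) {
            throw new InvalidCSRFTokenException("CSRF token does not match the view-scope token");
        }
    }

    public static void main(String[] args) {
        CsrfListenerModel listener = new CsrfListenerModel();
        Map<String, Object> viewScope = new HashMap<>();
        listener.viewRendering(viewScope, true);
        Map<String, String> form = new HashMap<>();
        form.put(CSRF_TOKEN_VIEWSCOPE_NAME, (String) viewScope.get(CSRF_TOKEN_VIEWSCOPE_NAME));
        listener.eventSignaled(viewScope, form, true, true);     // same token: accepted
        listener.viewRendering(viewScope, true);                 // re-render overwrites the stored token
        try {
            listener.eventSignaled(viewScope, form, true, true); // stale token from the old render: rejected
        } catch (InvalidCSRFTokenException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```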