Package net.shibboleth.idp.ui.csrf

Class CSRFTokenManager

java.lang.Object

net.shibboleth.idp.ui.csrf.CSRFTokenManager

@ThreadSafe
public final class CSRFTokenManager
extends Object

A thread-safe helper class for dealing with cross-site request forgery tokens.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
private static class	CSRFTokenManager.DefaultCSRFTokenValidationPredicate	A simple default CSRF token validation predicate.

Field Summary

Fields

Modifier and Type	Field	Description
private String	csrfParameterName	The name of the HTTP parameter that contains the anti-csrf token.
private BiPredicate<CSRFToken,String>	csrfTokenValidationPredicate	Predicate to validate the CSRF token.
private IdentifierGenerationStrategy	tokenGenerationStrategy	The strategy used to generate a CSRF token value.

Constructor Summary

Constructors

Constructor	Description
CSRFTokenManager()	public Constructor.

Method Summary

Modifier and Type	Method	Description
CSRFToken	generateCSRFToken()	Generate a CSRFToken using the token generation strategy derived token value.
boolean	isValidCSRFToken(CSRFToken csrfToken, String requestCsrfToken)	Check the CSRF token matches the CSRF token in the request using the csrfTokenValidationPredicate.
void	setCsrfParameterName(String parameterName)	Set the CSRF HTTP parameter name.
void	setCsrfTokenValidationPredicate(BiPredicate<CSRFToken,String> tokenValidationPredicate)	Set the CSRF token validation predicate.
void	setTokenGenerationStrategy(IdentifierGenerationStrategy tokenStrategy)	Set the CSRF token generation strategy.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

csrfParameterName

@Nonnull
private String csrfParameterName

The name of the HTTP parameter that contains the anti-csrf token.

tokenGenerationStrategy

@Nonnull
private IdentifierGenerationStrategy tokenGenerationStrategy

The strategy used to generate a CSRF token value.

csrfTokenValidationPredicate

@Nonnull
private BiPredicate<CSRFToken,String> csrfTokenValidationPredicate

Predicate to validate the CSRF token.

Constructor Details

CSRFTokenManager

public CSRFTokenManager()

public Constructor.

A 20 byte SecureRandomIdentifierGenerationStrategy is default to guarantee a strong token entropy.

Method Details

setTokenGenerationStrategy

public void setTokenGenerationStrategy(@Nonnull
 IdentifierGenerationStrategy tokenStrategy)

Set the CSRF token generation strategy.

Parameters:

tokenStrategy - CSRF token generation strategy

setCsrfTokenValidationPredicate

public void setCsrfTokenValidationPredicate(@Nonnull
 BiPredicate<CSRFToken,String> tokenValidationPredicate)

Set the CSRF token validation predicate.

Parameters:

tokenValidationPredicate - the CSRF token validation predicate.

setCsrfParameterName

public void setCsrfParameterName(@Nonnull @NotEmpty
 String parameterName)

Set the CSRF HTTP parameter name.

Parameters:

parameterName - CSRF parameter name

generateCSRFToken

@Nonnull
public CSRFToken generateCSRFToken()

Generate a CSRFToken using the token generation strategy derived token value. Set the HTTP parameter name from the csrfParameterName field.

Returns:

a CSRF token

isValidCSRFToken

public boolean isValidCSRFToken(@Nullable
 CSRFToken csrfToken,
 @Nullable
 String requestCsrfToken)

Check the CSRF token matches the CSRF token in the request using the csrfTokenValidationPredicate.

Parameters:

csrfToken - the server side CSRF token.

requestCsrfToken - the CSRF token from the request.

Returns:

true iff the CSRF token value matches the request CSRF token. False if they do not match.