Class TokenService


  • public class TokenService
    extends Object
    • Constructor Detail

      • TokenService

        public TokenService​(CsrfGuard csrfGuard)
    • Method Detail

      • invalidate

        public void invalidate​(LogicalSession logicalSession)
        Invalidates the logical session and removes all of its tokens (master and page tokens) from the storage.
        Parameters:
        logicalSession - a not null logical session implementation
      • getMasterToken

        public String getMasterToken​(String logicalSessionKey)
        Returns the master token assigned to the unique identifier extracted from the current request. This identifier could be, for example, the session id of the current user, or the username extracted from a JWT.

        Parameters:
        logicalSessionKey - identifies the current logical session uniquely
        Returns:
        the master token
      • getPageTokens

        public Map<String,​String> getPageTokens​(String logicalSessionKey)
        Returns the page tokens if the token-per-page functionality is enabled and either the client has already accessed a protected resource or token pre-creation is enabled.

        Note: this method returns a copy of the page tokens in order to prevent outside modification.

        Parameters:
        logicalSessionKey - identifies the current logical session uniquely
        Returns:
        the page tokens or an empty map
      • generateTokensIfAbsent

        public String generateTokensIfAbsent​(String logicalSessionKey,
                                             String httpMethod,
                                             String requestURI)
        Generates the master token and, if the token-per-page configuration is enabled, a page token for the current resource, unless they already exist.

        Parameters:
        logicalSessionKey - identifies the current logical session uniquely
        httpMethod - the current HTTP method used to request the resource
        requestURI - the URI of the desired HTTP resource
        Returns:
        the generated page token, or the master token if the token-per-page configuration is disabled
      • createMasterTokenIfAbsent

        public void createMasterTokenIfAbsent​(String logicalSessionKey)
        Creates the master token if it does not already exist.
        Parameters:
        logicalSessionKey - identifies the current logical session uniquely
      • generateProtectedPageTokens

        public void generateProtectedPageTokens​(String logicalSessionKey)
        Generates new random tokens for configured protected pages. This method creates a new master token if it did not exist previously. Existing page tokens with the same session key will be overwritten.
        Parameters:
        logicalSessionKey - identifies the current logical session uniquely
      • rotateUsedToken

        public TokenTO rotateUsedToken​(String logicalSessionKey,
                                       String requestURI,
                                       TokenBO usedValidToken)
        Rotates the token that validated the request: the master token, or, if the token-per-page functionality is enabled, the page token of the currently requested resource.
        Parameters:
        logicalSessionKey - identifies the current logical session uniquely
        requestURI - the URI of the desired HTTP resource
        usedValidToken - a verified token that has validated the current request
        Returns:
        a TokenTO transfer object containing the updated token values that will be sent back to the client
      • rotateAllTokens

        public void rotateAllTokens​(String logicalSessionKey)
        Rotates (re-generates) the master token and all page tokens if the token-per-page functionality is enabled.
        Parameters:
        logicalSessionKey - identifies the current logical session uniquely
      • getTokenValue

        public String getTokenValue​(String logicalSessionKey,
                                    String resourceUri)
        Returns the master token, or the page token for the associated resource if the token-per-page configuration is enabled.

        If the token does not currently exist, it creates a new one.

        Parameters:
        logicalSessionKey - identifies the current logical session uniquely
        resourceUri - the URI of the desired HTTP resource
        Returns:
        a valid token for the specified resourceUri
      • verifyToken

        public TokenBO verifyToken​(javax.servlet.http.HttpServletRequest request,
                                   String resourceIdentifier,
                                   String logicalSessionKey,
                                   String masterToken)
                            throws CsrfGuardException
        Verifies that the current request carries a valid CSRF token for the requested resource.

        Parameters:
        request - current HTTP Servlet Request
        resourceIdentifier - the requested resource identifier
        logicalSessionKey - identifies the current logical session uniquely
        masterToken - the master token
        Returns:
        The TokenBO business object that contains the updated tokens and the token used to validate the current request
        Throws:
        CsrfGuardException - if the request does not have a valid token associated
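
The following is an added usage example, not code from the CSRFGuard project or from this page, showing the intended call order of the methods above over one logical session: issue a token when rendering a protected page, verify and then rotate on a state-changing request, and rotate everything on authentication. The wrapper class name, the use of the container session id as the logical session key, the import package names, and the assumption that the masterToken argument of verifyToken is the stored master token obtained from getMasterToken are all assumptions of this example.

```java
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

// Package names are assumed; the page lists only the simple class names.
import org.owasp.csrfguard.CsrfGuard;
import org.owasp.csrfguard.CsrfGuardException;
import org.owasp.csrfguard.token.businessobject.TokenBO;
import org.owasp.csrfguard.token.service.TokenService;
import org.owasp.csrfguard.token.transferobject.TokenTO;

/**
 * Illustrative wrapper (hypothetical, not part of CSRFGuard) around TokenService.
 */
public final class TokenServiceUsageExample {

    private final TokenService tokenService;

    public TokenServiceUsageExample(CsrfGuard csrfGuard) {
        this.tokenService = new TokenService(csrfGuard);
    }

    /** Logical session key: here the container session id, one of the identifiers the page suggests. */
    private static String sessionKey(HttpServletRequest request) {
        return request.getSession(true).getId();
    }

    /**
     * Called when rendering a protected page. Guarantees a master token exists and returns the
     * value to embed in the page: the page token if token-per-page is enabled, else the master token.
     */
    public String tokenForPage(HttpServletRequest request) {
        String key = sessionKey(request);
        tokenService.createMasterTokenIfAbsent(key);
        return tokenService.getTokenValue(key, request.getRequestURI());
    }

    /**
     * Called for a state-changing request. Returns the rotated token values to send back to the
     * client, or null when the request carried no valid token (the caller must then reject it).
     */
    public TokenTO verifyAndRotate(HttpServletRequest request) {
        String key = sessionKey(request);
        String uri = request.getRequestURI();
        // Assumption: the stored master token is passed for comparison, while verifyToken
        // extracts the client-submitted token from the request itself.
        String storedMaster = tokenService.getMasterToken(key);
        try {
            TokenBO used = tokenService.verifyToken(request, uri, key, storedMaster);
            // Rotate the token that was just consumed so a captured value cannot be replayed.
            return tokenService.rotateUsedToken(key, uri, used);
        } catch (CsrfGuardException e) {
            // Missing or mismatched token: treat as a CSRF attempt and do not process the request.
            return null;
        }
    }

    /**
     * On login (a privilege change): regenerate every token so values issued before
     * authentication cannot be used afterwards.
     */
    public void onAuthenticated(HttpServletRequest request) {
        tokenService.rotateAllTokens(sessionKey(request));
    }

    /**
     * Diagnostic view of the page tokens. getPageTokens returns a copy, so mutating the
     * returned map has no effect on the stored tokens.
     */
    public Map<String, String> pageTokensSnapshot(HttpServletRequest request) {
        return tokenService.getPageTokens(sessionKey(request));
    }
}
```

The important ordering is in verifyAndRotate: rotation happens only after verifyToken has succeeded, because rotateUsedToken expects a token that has already validated the request. A null result must be treated as a rejected request, not as "no token to rotate".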