Package org.owasp.csrfguard.token.storage

Interface Token

All Known Implementing Classes:

InMemoryToken

public interface Token

Interface used to interact with CSRF tokens

Method Summary

Modifier and Type	Method	Description
String	getMasterToken()	Returns the master token
String	getPageToken(String uri)
Map<String,String>	getPageTokens()
PageTokenValue	getTimedPageToken(String uri)
void	regenerateUsedPageToken(String tokenFromRequest, Supplier<String> tokenValueSupplier)	TODO is it worth the added performance penalty in case of a large application with a lot of pages? What would be the risk if this would be contextual to the assigned resource? Disposes the current token from all the stored valid page tokens, disregarding to which resource it was assigned and replaces with a newly generated one.
void	rotateAllPageTokens(Supplier<String> tokenValueSupplier)	Rotates all the existing page token values
void	setMasterToken(String masterToken)	Sets the new master token
void	setPageToken(String uri, String pageToken)
String	setPageTokenIfAbsent(String uri, Supplier<String> valueSupplier)
void	setPageTokens(Map<String,String> pageTokens)	Initialize or overwrite the entire page-token map

Method Detail

getMasterToken

String getMasterToken()

Returns the master token

Returns:

the current master token

setMasterToken

void setMasterToken(String masterToken)

Sets the new master token

Parameters:

masterToken - the new master token

getPageToken

String getPageToken(String uri)

Parameters:

uri - the URI to which the page token should be returned

Returns:

the page token for the requested uri

getTimedPageToken

PageTokenValue getTimedPageToken(String uri)

Parameters:

uri - the URI to which the timed page token should be returned

Returns:

a timed page token containing a page token and its creation date

setPageToken

void setPageToken(String uri,
                  String pageToken)

Parameters:

uri - the URI to which the page token should be associated

pageToken - the new page token

setPageTokenIfAbsent

String setPageTokenIfAbsent(String uri,
                            Supplier<String> valueSupplier)

Parameters:

uri - the URI to which the page token should be associated

valueSupplier - a supplier that generates new, unique tokens at each invocation

Returns:

the newly generated token

getPageTokens

Map<String,String> getPageTokens()

Returns:

a map of URIs and their associated page tokens

setPageTokens

void setPageTokens(Map<String,String> pageTokens)

Initialize or overwrite the entire page-token map

Parameters:

pageTokens - a map of URIs and their associated page tokens

rotateAllPageTokens

void rotateAllPageTokens(Supplier<String> tokenValueSupplier)

Rotates all the existing page token values

Parameters:

tokenValueSupplier - a supplier that generates new, unique tokens at each invocation

regenerateUsedPageToken

void regenerateUsedPageToken(String tokenFromRequest,
                             Supplier<String> tokenValueSupplier)

TODO is it worth the added performance penalty in case of a large application with a lot of pages? What would be the risk if this would be contextual to the assigned resource? Disposes the current token from all the stored valid page tokens, disregarding to which resource it was assigned and replaces with a newly generated one.

Parameters:

tokenFromRequest - the current token which needs to be rotated

tokenValueSupplier - a supplier that generates new, unique tokens at each invocation