List of usage examples for org.apache.commons.codec.digest HmacAlgorithms HMAC_SHA_1
HmacAlgorithms HMAC_SHA_1
From source file:net.yacy.data.TransactionManager.java
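/**
 * Get a transaction token to be used later on a protected HTTP post method
 * call on the specified path with the currently authenticated user.
 * <p>
 * The token is the hex-encoded HMAC-SHA1 of the token seed, the user name and
 * the path, keyed with the server signing key. It is bound to a user and a
 * path, not to a single request, so the same token is returned for repeated
 * calls with the same user and path while the key and seed are unchanged.
 *
 * @param header
 *            current request header
 * @param path the relative path for which the token will be valid
 * @return a transaction token for the specified path
 * @throws IllegalArgumentException
 *             when a parameter is null or when the user is not authenticated.
 */
public static String getTransactionToken(final RequestHeader header, final String path) {
    if (header == null) {
        throw new IllegalArgumentException("Missing required header parameter");
    }
    /* A null path would otherwise be concatenated as the literal text "null" and
     * silently signed, contradicting the documented contract of this method */
    if (path == null) {
        throw new IllegalArgumentException("Missing required path parameter");
    }

    /* Check this comes from an authenticated user */
    final String userName = getCurrentUserName(header);
    if (userName == null) {
        throw new IllegalArgumentException("User is not authenticated");
    }

    /* Produce a token by signing a message with the server secret key :
     * The token is not unique per request and thus keeps the service stateless
     * (no need to store tokens until they are consumed).
     * On the other hand, it is supposed to remain hard enough to forge because the secret key and token seed
     * are initialized with a random value at each server startup.
     * Consequence for reviewers : a disclosed token stays usable for that user and path
     * for as long as the key and seed are unchanged, so it must be handled as a secret
     * (not logged, not placed in URLs). */
    /* NOTE(review): the user name and path are joined without a delimiter, so two different
     * (user, path) pairs could yield the same signed message if a user name may contain
     * path characters - confirm the allowed user name alphabet. Any change to the message
     * layout must be mirrored wherever the token is verified. */
    final String signedMessage = TOKEN_SEED + userName + path;
    return new HmacUtils(HmacAlgorithms.HMAC_SHA_1, SIGNING_KEY).hmacHex(signedMessage);
}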
From source file:net.yacy.data.TransactionManager.java
/**
 * Verify that the current request is an acceptable HTTP POST transaction : the
 * caller is an authenticated user and the post parameters carry the transaction
 * token that the server itself would compute for this user and request path.
 * <p>
 * The checks run in a fixed order (parameters, HTTP method, authentication,
 * token presence, token value) and the first failing one decides which
 * exception is raised. The method returns normally only when all of them pass.
 *
 * @param header current request header
 * @param post request parameters
 * @throws IllegalArgumentException when a parameter is null.
 * @throws DisallowedMethodException when the HTTP method is something else than post
 * @throws TemplateMissingParameterException when the transaction token is missing
 * @throws BadTransactionException when a condition for valid transaction is not met.
 */
public static void checkPostTransaction(final RequestHeader header, final serverObjects post) {
    if (header == null || post == null) {
        throw new IllegalArgumentException("Missing required parameters.");
    }

    final boolean isPostRequest = HeaderFramework.METHOD_POST.equals(header.getMethod());
    if (!isPostRequest) {
        throw new DisallowedMethodException("HTTP POST method is the only one authorized.");
    }

    final String authenticatedUser = getCurrentUserName(header);
    if (authenticatedUser == null) {
        throw new BadTransactionException("User is not authenticated.");
    }

    final String receivedToken = post.get(TRANSACTION_TOKEN_PARAM);
    if (receivedToken == null) {
        throw new TemplateMissingParameterException("Missing transaction token.");
    }

    /* Recompute the token on the server side from the seed, the authenticated user
     * and the path of the request actually being processed */
    final HmacUtils signer = new HmacUtils(HmacAlgorithms.HMAC_SHA_1, SIGNING_KEY);
    final String expectedToken = signer.hmacHex(TOKEN_SEED + authenticatedUser + header.getPathInfo());

    /* Compare both tokens with MessageDigest.isEqual rather than String.equals, so that
     * the comparison time does not reveal how many leading characters matched */
    final byte[] expectedBytes = expectedToken.getBytes(StandardCharsets.UTF_8);
    final byte[] receivedBytes = receivedToken.getBytes(StandardCharsets.UTF_8);
    if (MessageDigest.isEqual(expectedBytes, receivedBytes)) {
        return;
    }
    throw new BadTransactionException("Invalid transaction token.");
}