List of usage examples for org.springframework.security.web.csrf CsrfToken getHeaderName
/** Returns the name of the HTTP header that carries the token value; the usages below copy it onto responses via setHeader/addHeader. */
String getHeaderName();
From source file:com.marklogic.samplestack.web.SessionController.java
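/**
 * Exposes an endpoint that returns CSRF token information and establishes a
 * session for use in login.
 *
 * <p>The token's header name and value are read from the {@code _csrf}
 * request attribute and copied onto the response as a header, so the client
 * can replay the token on its subsequent state-changing requests.
 *
 * @param request  the HTTP request; expected to carry the {@code _csrf} attribute
 * @param response the HTTP response that receives the token header
 * @return a JsonNode with a bare-bones acknowledgement
 * @throws IllegalStateException if no CSRF token is attached to the request
 */
@RequestMapping(value = "session", method = RequestMethod.GET)
public @ResponseBody JsonNode hello(HttpServletRequest request, HttpServletResponse response) {
    CsrfToken csrfToken = (CsrfToken) request.getAttribute("_csrf");
    if (csrfToken == null) {
        // Fail with a diagnosable message instead of a bare NPE: this endpoint
        // has no purpose without a token, so a missing one is a wiring error.
        throw new IllegalStateException("No CsrfToken found in request attribute \"_csrf\"");
    }
    // Write straight to the response; wrapping it in an HttpServletResponseWrapper
    // only delegated addHeader back to the same object and added nothing.
    response.addHeader(csrfToken.getHeaderName(), csrfToken.getToken());
    return errors.makeJsonResponse(200, "New Session");
}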
From source file:com.marklogic.samplestack.web.security.SamplestackSecurityFilters.java
/**
 * Hooks into the Spring Security filter mechanism to manipulate response
 * headers as needed: publishes the current CSRF token (when the request
 * carries one) and adds a fixed set of CORS headers before continuing the
 * chain.
 *
 * <p>NOTE(review): {@code Access-Control-Allow-Origin: *} accepts any origin.
 * The CSRF header/parameter names and the token value itself are written as
 * response headers here; confirm the wildcard is intended, and that
 * {@code Access-Control-Expose-Headers} is never widened to include them,
 * otherwise a page on an arbitrary origin could read the token. Also note
 * that {@code Access-Control-Allow-Headers} does not list the CSRF header
 * name, so a cross-origin client presumably cannot send the token that way.
 *
 * @param request     the current request; the token is read from its {@code _csrf} attribute
 * @param response    the current response that receives the headers
 * @param filterChain the remaining chain, always invoked
 * @throws ServletException propagated from downstream filters
 * @throws IOException      propagated from downstream filters
 */
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
        FilterChain filterChain) throws ServletException, IOException {
    Object attribute = request.getAttribute("_csrf");
    if (attribute != null) {
        CsrfToken csrf = (CsrfToken) attribute;
        // Where the client may put the token, and the token itself.
        response.setHeader("X-CSRF-HEADER", csrf.getHeaderName());
        response.setHeader("X-CSRF-PARAM", csrf.getParameterName());
        response.setHeader(csrf.getHeaderName(), csrf.getToken());
    }

    // Fixed CORS policy; see the wildcard-origin note in the Javadoc.
    response.setHeader("Access-Control-Allow-Origin", "*");
    response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
    response.setHeader("Access-Control-Max-Age", "3600");
    response.setHeader("Access-Control-Allow-Headers", "x-requested-with, content-type");

    filterChain.doFilter(request, response);
}
From source file:com.allanditzel.springframework.security.web.csrf.CsrfTokenResponseHeaderBindingFilter.java
/**
 * Publishes the current CSRF token as response headers so that a script
 * client can learn the header name, the parameter name and the token value.
 * Requests without a token pass through untouched.
 *
 * @param request     the current request; the token is read from {@link #REQUEST_ATTRIBUTE_NAME}
 * @param response    the current response that receives the three headers
 * @param filterChain the remaining chain, always invoked
 * @throws ServletException propagated from downstream filters
 * @throws IOException      propagated from downstream filters
 */
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
        javax.servlet.FilterChain filterChain) throws ServletException, IOException {
    Object attribute = request.getAttribute(REQUEST_ATTRIBUTE_NAME);
    if (attribute != null) {
        CsrfToken csrf = (CsrfToken) attribute;
        response.setHeader(RESPONSE_HEADER_NAME, csrf.getHeaderName());
        response.setHeader(RESPONSE_PARAM_NAME, csrf.getParameterName());
        response.setHeader(RESPONSE_TOKEN_NAME, csrf.getToken());
    }
    filterChain.doFilter(request, response);
}
From source file:org.appverse.web.framework.backend.frontfacade.rest.authentication.simple.services.presentation.SimpleAuthenticationServiceImpl.java
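/**
 * Authenticates a user from the credentials posted in the request body.
 *
 * <p>On success the authorization data is returned with 200; a missing
 * username or a failed authentication answers 401. When CSRF protection is
 * enabled, the CSRF token the request carries (attached by the CSRF filter)
 * is echoed as a response header so the client can use it on later requests.
 *
 * <p>NOTE(review): the token echoed here is whatever was attached to the
 * incoming request. Confirm that the token (and the session) is rotated on
 * successful login; the manual {@code authenticatePrincipal} call may not run
 * the session-authentication strategy that the standard filter chain would.
 *
 * @param credentials         username/password from the request body; may be null
 * @param httpServletRequest  the current request
 * @param httpServletResponse the current response
 * @return 200 with the authorization data, or 401 on bad credentials
 * @throws Exception propagated from the authentication manager
 * @throws IllegalStateException if CSRF is enabled but no token is attached to the request
 */
@RequestMapping(value = "${appverse.frontfacade.rest.simpleAuthenticationEndpoint.path:/sec/simplelogin}", method = RequestMethod.POST)
public ResponseEntity<AuthorizationData> login(@RequestBody CredentialsVO credentials,
        HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
    try {
        if (credentials == null || credentials.getUsername() == null) {
            throw new BadCredentialsException("Invalid parameters");
        }
        // Authenticate the principal and obtain its authorization data
        AuthorizationData authData = userAndPasswordAuthenticationManager
                .authenticatePrincipal(credentials.getUsername(), credentials.getPassword());
        if (securityEnableCsrf) {
            CsrfToken csrfToken = (CsrfToken) httpServletRequest.getAttribute(CSRF_TOKEN_SESSION_ATTRIBUTE);
            if (csrfToken == null) {
                // A wiring error (CSRF enabled but no filter attached a token): fail
                // with a clear message rather than an NPE.
                throw new IllegalStateException("CSRF is enabled but no CsrfToken is attached to the request");
            }
            // Hand the token back so clients can present it on their next requests
            httpServletResponse.addHeader(csrfToken.getHeaderName(), csrfToken.getToken());
        }
        return new ResponseEntity<AuthorizationData>(authData, HttpStatus.OK);
    } catch (AuthenticationException e) {
        return new ResponseEntity<AuthorizationData>(HttpStatus.UNAUTHORIZED);
    }
}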
From source file:io.fns.calculator.filter.CsrfTokenGeneratorFilter.java
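/**
 * Exposes the current CSRF token to the client as three response headers:
 * the header name Spring Security accepts the token in, the request parameter
 * name it accepts it in, and the token value itself.
 *
 * @param request     the current request; the token is read from its {@code _csrf} attribute
 * @param response    the current response that receives the headers
 * @param filterChain the remaining chain, always invoked
 * @throws ServletException propagated from downstream filters
 * @throws IOException      propagated from downstream filters
 */
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
        FilterChain filterChain) throws ServletException, IOException {
    CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
    // No token means no CsrfFilter ran for this request (presumably an ignored
    // path or CSRF disabled — confirm); pass through instead of failing with an NPE.
    if (token != null) {
        // Spring Security will accept the token in this header name ...
        response.setHeader("X-CSRF-HEADER", token.getHeaderName());
        // ... or in this request parameter name ...
        response.setHeader("X-CSRF-PARAM", token.getParameterName());
        // ... and this is the value to send in either place.
        response.setHeader("X-CSRF-TOKEN", token.getToken());
    }
    filterChain.doFilter(request, response);
}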
From source file:com.olegchir.wicket_spring_security_example.init.CsrfTokenFilter.java
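/**
 * Publishes the CSRF token to the client in two ways: as response headers,
 * and by substituting the {@code ${_csrf.token}}, {@code ${_csrf.parameterName}}
 * and {@code ${_csrf.headerName}} placeholders in the rendered body.
 *
 * <p>Inspired by the Spring documentation:
 * http://spring.io/blog/2013/08/21/spring-security-3-2-0-rc1-highlights-csrf-protection/
 * http://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html
 * and this discussion about Thymeleaf:
 * http://stackoverflow.com/questions/23669424/cant-create-csrf-token-with-spring-security
 *
 * <p>NOTE(review): the substitution is applied to every response that passes
 * through this filter regardless of content type, so confirm the filter is
 * mapped only to HTML views. The values are inserted unescaped; that is
 * acceptable only because the token is generated server-side and never
 * derived from client input — verify the token repository in use.
 *
 * @param request     the current request; the token is read from its {@code _csrf} attribute
 * @param response    the real response; headers are set before the chain runs
 * @param filterChain the remaining chain, invoked against a buffering wrapper
 * @throws ServletException propagated from downstream filters
 * @throws IOException      propagated from downstream filters or the response writer
 */
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
        FilterChain filterChain) throws ServletException, IOException {
    CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
    // Without a token (no CsrfFilter ran for this request) skip both the headers
    // and the substitutions instead of failing with an NPE.
    if (token != null) {
        // Spring Security will accept the token in this header name ...
        response.setHeader("X-CSRF-HEADER", token.getHeaderName());
        // ... or in this request parameter name ...
        response.setHeader("X-CSRF-PARAM", token.getParameterName());
        // ... and this is the value to send in either place.
        response.setHeader("X-CSRF-TOKEN", token.getToken());
    }

    // Take the real writer first, then let the chain render into a buffering
    // wrapper so the completed body can be rewritten before it is sent.
    PrintWriter out = response.getWriter();
    CharResponseWrapper wrapper = new CharResponseWrapper(response);
    filterChain.doFilter(request, wrapper);

    String body = wrapper.toString();
    if (token != null) {
        body = body.replace("${_csrf.token}", token.getToken());
        body = body.replace("${_csrf.parameterName}", token.getParameterName());
        body = body.replace("${_csrf.headerName}", token.getHeaderName());
    }

    // Content-Length must count the bytes the writer will actually emit, i.e.
    // in the response's character encoding, not the JVM's platform default.
    String encoding = response.getCharacterEncoding();
    byte[] bytes = encoding != null ? body.getBytes(encoding) : body.getBytes();
    response.setContentLength(bytes.length);
    out.write(body);
    out.close();
}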
From source file:org.appverse.web.framework.backend.frontfacade.rest.authentication.basic.services.presentation.BasicAuthenticationServiceImpl.java
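/**
 * Authenticates a user from the HTTP Basic {@code Authorization} header.
 *
 * <p>The header is parsed by
 * {@link #obtainUserAndPasswordFromBasicAuthenticationHeader}; a malformed
 * header or a failed authentication answers 401 with a
 * {@code WWW-Authenticate: Basic} challenge. When CSRF protection is enabled,
 * the CSRF token the request carries (attached by the CSRF filter) is echoed
 * as a response header so the client can use it on later requests.
 *
 * <p>NOTE(review): the CSRF header is added before authentication, so it is
 * also present on a 401. It is the token the request already carried, which
 * is presumably harmless — but confirm the token and session are rotated on
 * successful login, since the manual {@code authenticatePrincipal} call may
 * bypass the session-authentication strategy of the standard filter chain.
 *
 * @param authorizationHeader the raw {@code Authorization} header; declared so the
 *                            binding requires it, the value is re-read from the request
 *                            by the helper and not used here directly
 * @param httpServletRequest  the current request
 * @param httpServletResponse the current response
 * @return 200 with the authorization data, or 401 on a bad header or bad credentials
 * @throws Exception propagated from the authentication manager
 * @throws IllegalStateException if CSRF is enabled but no token is attached to the request
 */
@RequestMapping(value = "${appverse.frontfacade.rest.basicAuthenticationEndpoint.path:/sec/login}", method = RequestMethod.POST)
public ResponseEntity<AuthorizationData> login(@RequestHeader("Authorization") String authorizationHeader,
        HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
    String[] userNameAndPassword;
    try {
        userNameAndPassword = obtainUserAndPasswordFromBasicAuthenticationHeader(httpServletRequest);
    } catch (BadCredentialsException e) {
        httpServletResponse.addHeader("WWW-Authenticate", "Basic");
        return new ResponseEntity<AuthorizationData>(HttpStatus.UNAUTHORIZED);
    }
    // The helper is assumed to return {username, password}; treat anything else
    // as a bad header rather than failing on the array index below — TODO confirm.
    if (userNameAndPassword == null || userNameAndPassword.length < 2) {
        httpServletResponse.addHeader("WWW-Authenticate", "Basic");
        return new ResponseEntity<AuthorizationData>(HttpStatus.UNAUTHORIZED);
    }

    if (securityEnableCsrf) {
        CsrfToken csrfToken = (CsrfToken) httpServletRequest.getAttribute(CSRF_TOKEN_SESSION_ATTRIBUTE);
        if (csrfToken == null) {
            // A wiring error (CSRF enabled but no filter attached a token): fail
            // with a clear message rather than an NPE.
            throw new IllegalStateException("CSRF is enabled but no CsrfToken is attached to the request");
        }
        // Hand the token back so clients can present it on their next requests
        httpServletResponse.addHeader(csrfToken.getHeaderName(), csrfToken.getToken());
    }

    try {
        // Authenticate the principal and obtain its authorization data
        AuthorizationData authData = userAndPasswordAuthenticationManager
                .authenticatePrincipal(userNameAndPassword[0], userNameAndPassword[1]);
        return new ResponseEntity<AuthorizationData>(authData, HttpStatus.OK);
    } catch (AuthenticationException e) {
        httpServletResponse.addHeader("WWW-Authenticate", "Basic");
        return new ResponseEntity<AuthorizationData>(HttpStatus.UNAUTHORIZED);
    }
}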
From source file:org.dawnsci.marketplace.controllers.ExtendedRestApiController.java
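/**
 * Used by the client software to obtain a CSRF token to use in further
 * communication with the server. The token is returned as a response header
 * (under the token's own header name); the body is a fixed acknowledgement.
 *
 * @param request the current request, carrying the token under the
 *                {@code CsrfToken.class.getName()} attribute
 * @return 200 with the token header set
 * @throws IllegalStateException if no CSRF token is attached to the request
 */
@ResponseBody
@RequestMapping(value = "/token")
public ResponseEntity<String> login(HttpServletRequest request) {
    CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
    if (token == null) {
        // The endpoint exists only to hand out the token, so its absence is a
        // wiring error; report it clearly instead of failing with an NPE.
        throw new IllegalStateException("No CsrfToken is attached to the request");
    }
    HttpHeaders headers = new HttpHeaders();
    headers.add(token.getHeaderName(), token.getToken());
    return new ResponseEntity<>("you got your token", headers, HttpStatus.OK);
}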
From source file:testapp.CsrfTokenResponseHeaderBindingFilter.java
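/**
 * Copies the current CSRF token onto the response so a script client can
 * read it: the header name, parameter name and value as response headers,
 * plus the value in an {@code XSRF-TOKEN} cookie. Requests without a token
 * pass through untouched.
 *
 * @param request     the current request; the token is read from {@link #REQUEST_ATTRIBUTE_NAME}
 * @param response    the current response that receives the headers and cookie
 * @param filterChain the remaining chain, always invoked
 * @throws ServletException propagated from downstream filters
 * @throws IOException      propagated from downstream filters
 */
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
        javax.servlet.FilterChain filterChain) throws ServletException, IOException {
    // Request-attribute names are deliberately not dumped to stdout on every
    // request; that kind of trace belongs behind a debug logger.
    CsrfToken token = (CsrfToken) request.getAttribute(REQUEST_ATTRIBUTE_NAME);
    if (token != null) {
        response.setHeader(RESPONSE_HEADER_NAME, token.getHeaderName());
        response.setHeader(RESPONSE_PARAM_NAME, token.getParameterName());
        response.setHeader(RESPONSE_TOKEN_NAME, token.getToken());

        Cookie cookie = new Cookie("XSRF-TOKEN", token.getToken());
        // Scope the cookie to the application rather than to the directory of
        // whichever URL happened to be requested first (the Cookie default).
        String contextPath = request.getContextPath();
        cookie.setPath(contextPath == null || contextPath.isEmpty() ? "/" : contextPath);
        // Only mark it Secure when the request itself arrived over TLS.
        // NOTE(review): behind a TLS-terminating proxy isSecure() may be false — confirm.
        cookie.setSecure(request.isSecure());
        // HttpOnly is left off: presumably the cookie exists to be read by script
        // and replayed in the CSRF header — confirm against the client code.
        response.addCookie(cookie);
    }
    filterChain.doFilter(request, response);
}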
From source file:com.acme.demo.web.CSRFController.java
/**
 * Reports whether the caller is authenticated and, if so, hands out the CSRF
 * token (header name, parameter name and value) plus the principal's name as
 * response headers.
 *
 * @param principal the authenticated principal, or null when anonymous
 * @param request   the current request; the token is read from its {@code _csrf} attribute
 * @param response  the current response that receives the headers
 * @return a map with the single key {@code "authenticated"}; true only when both
 *         a principal and a token are present
 */
@RequestMapping("/csrf")
public Map<String, Boolean> auth(Principal principal, ServletRequest request, HttpServletResponse response) {
    CsrfToken csrf = (CsrfToken) request.getAttribute("_csrf");
    boolean authenticated = principal != null && csrf != null;
    if (authenticated) {
        // Spring Security will accept the token in this header name ...
        response.setHeader("X-CSRF-HEADER", csrf.getHeaderName());
        // ... or in this request parameter name ...
        response.setHeader("X-CSRF-PARAM", csrf.getParameterName());
        // ... and this is the value to send in either place.
        response.setHeader("X-CSRF-TOKEN", csrf.getToken());
        response.setHeader("X-USER-NAME", principal.getName());
    }
    Map<String, Boolean> payload = new HashMap<String, Boolean>();
    payload.put("authenticated", authenticated);
    return payload;
}