Usage examples for org.springframework.security.web.csrf.CsrfToken#getParameterName
/**
 * Returns the name of the request parameter that carries the CSRF token.
 * The examples below reuse this name both as a response header value and
 * as a cookie name.
 */
String getParameterName();
From source file:au.gov.dto.dibp.appointments.security.csrf.CookieBasedCsrfTokenRepositoryTest.java
@Test
public void testSaveAndLoadToken() throws Exception {
    // Round trip: generate a token, save it as a cookie, then load it back from that cookie.
    CookieBasedCsrfTokenRepository repository = new CookieBasedCsrfTokenRepository();
    MockHttpServletRequest req = new MockHttpServletRequest();
    MockHttpServletResponse res = new MockHttpServletResponse();

    CsrfToken generated = repository.generateToken(req);
    repository.saveToken(generated, req, res);

    // The repository names the cookie after the token's parameter name.
    Cookie issued = res.getCookie(generated.getParameterName());
    assertNotNull(issued);
    assertEquals(generated.getToken(), issued.getValue());
    assertEquals(true, issued.isHttpOnly());

    // Present the cookie on a request and expect an equivalent token back.
    req.setCookies(issued);
    CsrfToken reloaded = repository.loadToken(req);
    assertEquals(generated.getToken(), reloaded.getToken());
    assertEquals(generated.getHeaderName(), reloaded.getHeaderName());
    assertEquals(generated.getParameterName(), reloaded.getParameterName());
}
From source file:com.marklogic.samplestack.web.security.SamplestackSecurityFilters.java
/**
 * Hooks into Spring Security filter mechanism to manipulate
 * headers as needed.
 *
 * <p>When Spring Security has placed a {@code _csrf} attribute on the request,
 * the token's header name, parameter name and value are echoed as response
 * headers; permissive CORS headers are then added to every response before
 * the chain continues.
 *
 * <p>NOTE(review): {@code Access-Control-Allow-Origin: *} on a response that
 * also carries the CSRF token deserves a second look. Browsers do not expose
 * custom response headers to cross-origin scripts unless
 * {@code Access-Control-Expose-Headers} lists them (not set here), and the
 * wildcard cannot be combined with credentialed requests, but confirm that
 * this is the intended boundary rather than an accidental one.
 */
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
        FilterChain filterChain) throws ServletException, IOException {
    CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
    if (token != null) {
        // Names first, so a client can discover how to send the token back...
        response.setHeader("X-CSRF-HEADER", token.getHeaderName());
        response.setHeader("X-CSRF-PARAM", token.getParameterName());
        // ...then the value itself, under the header name the token advertises.
        response.setHeader(token.getHeaderName(), token.getToken());
    }
    response.setHeader("Access-Control-Allow-Origin", "*");
    response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
    response.setHeader("Access-Control-Max-Age", "3600");
    response.setHeader("Access-Control-Allow-Headers", "x-requested-with, content-type");
    filterChain.doFilter(request, response);
}
From source file:com.allanditzel.springframework.security.web.csrf.CsrfTokenResponseHeaderBindingFilter.java
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
        javax.servlet.FilterChain filterChain) throws ServletException, IOException {
    // Publish the current CSRF token (when one is attached to the request) through
    // response headers, for clients that read headers rather than rendered forms.
    Object attribute = request.getAttribute(REQUEST_ATTRIBUTE_NAME);
    if (attribute != null) {
        CsrfToken csrf = (CsrfToken) attribute;
        response.setHeader(RESPONSE_HEADER_NAME, csrf.getHeaderName());
        response.setHeader(RESPONSE_PARAM_NAME, csrf.getParameterName());
        response.setHeader(RESPONSE_TOKEN_NAME, csrf.getToken());
    }
    // Headers are set before delegating so they are in place when the body is committed.
    filterChain.doFilter(request, response);
}
From source file:au.gov.dto.dibp.appointments.security.csrf.CookieBasedCsrfTokenRepository.java
@Override
public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
    // A null token means "clear": issue an already-expired cookie under the fixed name.
    boolean clearing = (token == null);
    String cookieName = clearing ? CSRF_COOKIE_AND_PARAMETER_NAME : token.getParameterName();
    String cookieValue = clearing ? "" : token.getToken();

    Cookie csrfCookie = new Cookie(cookieName, cookieValue);
    csrfCookie.setMaxAge(clearing ? 0 : COOKIE_MAX_AGE_SECONDS);
    // Never readable from script; Secure only when this request itself arrived over TLS.
    // NOTE(review): behind a TLS-terminating proxy isSecure() may report false — confirm.
    csrfCookie.setHttpOnly(true);
    csrfCookie.setSecure(request.isSecure());
    response.addCookie(csrfCookie);
}
From source file:com.olegchir.wicket_spring_security_example.init.CsrfTokenFilter.java
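@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
        FilterChain filterChain) throws ServletException, IOException {
    // Inspired by Spring documentation:
    // http://spring.io/blog/2013/08/21/spring-security-3-2-0-rc1-highlights-csrf-protection/
    // http://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html
    // And this discussion about Tymeleaf:
    // http://stackoverflow.com/questions/23669424/cant-create-csrf-token-with-spring-security
    CsrfToken token = (CsrfToken) request.getAttribute("_csrf");

    // Set HTTP headers. The attribute is absent when no CSRF token was attached to this
    // request, so guard instead of dereferencing a null token.
    if (token != null) {
        // Spring Security will allow the Token to be included in this header name
        response.setHeader("X-CSRF-HEADER", token.getHeaderName());
        // Spring Security will allow the token to be included in this parameter name
        response.setHeader("X-CSRF-PARAM", token.getParameterName());
        // this is the value of the token to be included as either a header or an HTTP parameter
        response.setHeader("X-CSRF-TOKEN", token.getToken());
    }

    // Modify HTML: wrap the response so the downstream output can be post-processed.
    // getWriter() is called first so the real response's encoding is fixed before delegating.
    PrintWriter out = response.getWriter();
    CharResponseWrapper wrapper = new CharResponseWrapper((HttpServletResponse) response);
    filterChain.doFilter(request, wrapper);
    String modifiedHtml = wrapper.toString();

    // Extract the text from the completed servlet and substitute the placeholders.
    if (token != null) {
        modifiedHtml = substituteCsrfPlaceholders(modifiedHtml, token);
    }

    // Content-Length must count bytes in the encoding the writer actually uses.
    // String.getBytes() with no charset uses the JVM default, which can differ from
    // the response encoding and yield a truncated or padded body.
    response.setContentLength(modifiedHtml.getBytes(responseCharset(response)).length);
    out.write(modifiedHtml);
    out.close();
}

/**
 * Replaces the {@code ${_csrf.token}}, {@code ${_csrf.parameterName}} and
 * {@code ${_csrf.headerName}} placeholders with the token's values (plain text replace).
 */
private static String substituteCsrfPlaceholders(String html, CsrfToken token) {
    String result = html.replace("${_csrf.token}", token.getToken());
    result = result.replace("${_csrf.parameterName}", token.getParameterName());
    return result.replace("${_csrf.headerName}", token.getHeaderName());
}

/**
 * Charset of the response writer. A null encoding is not expected from a servlet
 * response, but ISO-8859-1 (the servlet default) is used as a fallback.
 */
private static java.nio.charset.Charset responseCharset(HttpServletResponse response) {
    String encoding = response.getCharacterEncoding();
    if (encoding == null) {
        return java.nio.charset.StandardCharsets.ISO_8859_1;
    }
    return java.nio.charset.Charset.forName(encoding);
}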
From source file:io.fns.calculator.filter.CsrfTokenGeneratorFilter.java
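@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
        FilterChain filterChain) throws ServletException, IOException {
    CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
    // The attribute is only present when a CSRF token was attached to this request;
    // without the guard such a request would fail with a NullPointerException here.
    if (token != null) {
        // Spring Security will allow the Token to be included in this header name
        response.setHeader("X-CSRF-HEADER", token.getHeaderName());
        // Spring Security will allow the token to be included in this parameter name
        response.setHeader("X-CSRF-PARAM", token.getParameterName());
        // this is the value of the token to be included as either a header or an HTTP parameter
        response.setHeader("X-CSRF-TOKEN", token.getToken());
    }
    filterChain.doFilter(request, response);
}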
From source file:testapp.CsrfTokenResponseHeaderBindingFilter.java
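@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
        javax.servlet.FilterChain filterChain) throws ServletException, IOException {
    // The stdout dump of every request attribute that used to run here was debugging
    // output; it printed on every request and has been dropped.
    CsrfToken token = (CsrfToken) request.getAttribute(REQUEST_ATTRIBUTE_NAME);
    if (token != null) {
        response.setHeader(RESPONSE_HEADER_NAME, token.getHeaderName());
        response.setHeader(RESPONSE_PARAM_NAME, token.getParameterName());
        response.setHeader(RESPONSE_TOKEN_NAME, token.getToken());
        // XSRF-TOKEN is intentionally not HttpOnly (presumably a script client reads it
        // and echoes it in the CSRF header — confirm), so at least keep it off clear-text
        // connections by marking it Secure when the request arrived over TLS.
        Cookie xsrfCookie = new Cookie("XSRF-TOKEN", token.getToken());
        xsrfCookie.setSecure(request.isSecure());
        response.addCookie(xsrfCookie);
    }
    filterChain.doFilter(request, response);
}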
From source file:com.example.AzureADAuthenticationFilter.java
/**
 * Gate every request on Azure AD authentication.
 *
 * <p>Unauthenticated requests that do not carry authentication data are
 * redirected to the Azure AD login URL with the session's CSRF token as the
 * OAuth {@code state} value. Authenticated requests get their stored
 * {@code AuthenticationResult} refreshed (on request, or when expired) and
 * logout requests are redirected to the Azure AD logout endpoint. Any failure
 * is turned into a redirect to the configured error page.
 *
 * <p>NOTE(review): after the {@code catch} block sends the error redirect the
 * method still falls through to {@code filterChain.doFilter}, so downstream
 * filters run against an already-committed response — confirm that is intended.
 * Also, {@code request.setAttribute("error", ...)} is set on a request that is
 * then redirected; request attributes do not survive a client-side redirect,
 * so the error page likely never sees it — confirm.
 */
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
        FilterChain filterChain) throws ServletException, IOException {
    try {
        String currentUri = AuthHelper.getCurrentUri(request);
        // Check if current session contains user authentication info.
        if (!AuthHelper.isAuthenticated(request)) {
            if (log.isTraceEnabled()) {
                log.trace("AuthHelper.isAuthenticated = false");
            }
            if (AuthHelper.containsAuthenticationData(request)) {
                // The request contains authentication data, which means this request is returned from AzureAD login page
                // after authentication process is completed. The result should have been processed by AzureADResponseFilter.
            } else {
                if (log.isTraceEnabled()) {
                    log.trace("AuthHelper.containsAuthenticationData = false");
                }
                // when not authenticated and request does not contains authentication data (not come from Azure AD login process),
                // redirect to Azure login page.
                // get csrf token
                // NOTE(review): if no "_csrf" attribute is present this is null and the
                // dereferences below throw; the Throwable catch turns that into the error redirect.
                CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
                if (log.isDebugEnabled()) {
                    // NOTE(review): this writes the CSRF token value itself to the debug log.
                    log.debug("Current csrf token before going to AzureAD login {} {} = {}", token.getHeaderName(), token.getParameterName(), token.getToken());
                }
                // add the csrf token to login request and go login...
                // The token doubles as the OAuth "state" value; it is appended without URL encoding,
                // which is only safe if the token format contains no URL-reserved characters — confirm.
                response.setStatus(302);
                String redirectTo = getRedirectUrl(currentUri) + "&state=" + token.getToken();
                if (log.isDebugEnabled()) {
                    log.debug("302 redirect to " + redirectTo);
                }
                response.sendRedirect(redirectTo);
                return;
            }
        } else {
            if (log.isTraceEnabled()) {
                log.trace("AuthHelper.isAuthenticated = true");
            }
            // if authenticated, how to check for valid session?
            AuthenticationResult result = AuthHelper.getAuthSessionObject(request);
            // Token refresh policy: explicit "refresh" parameter, explicit "cc" parameter
            // (client-credentials grant), otherwise refresh only when the stored result has expired.
            if (request.getParameter("refresh") != null) {
                result = getAccessTokenFromRefreshToken(result.getRefreshToken(), currentUri);
            } else {
                if (request.getParameter("cc") != null) {
                    // NOTE(review): any authenticated caller can trigger the client-credentials
                    // flow with a query parameter and have the result stored in their session;
                    // confirm that this is meant to be user-reachable.
                    result = getAccessTokenFromClientCredentials();
                } else {
                    if (result.getExpiresOnDate().before(new Date())) {
                        result = getAccessTokenFromRefreshToken(result.getRefreshToken(), currentUri);
                    }
                }
            }
            AuthHelper.setAuthSessionObject(request, result);
            // Handle logout
            if (logout.equals(request.getRequestURI())) {
                if (log.isTraceEnabled()) {
                    log.trace("Logout...");
                }
                // Clear spring security context so spring thinks this user is gone.
                request.logout();
                SecurityContextHolder.clearContext();
                // Clear Azure principal
                AuthHelper.remoteAuthSessionObject(request);
                // Go to AzureAD and logout.
                response.setStatus(302);
                String logoutPage = "https://login.windows.net/" + tenant + "/oauth2/logout";
                if (log.isDebugEnabled()) {
                    log.debug("302 redirect to " + logoutPage);
                }
                response.sendRedirect(logoutPage);
                return;
            } else {
                if (log.isTraceEnabled()) {
                    log.trace("URI: " + request.getRequestURI() + " does not match " + logout + ". It is not a logout request");
                }
            }
        }
    } catch (Throwable exc) {
        // Catches everything, including Errors; the exception itself is not logged here,
        // only its message is forwarded as a request attribute.
        response.setStatus(500);
        request.setAttribute("error", exc.getMessage());
        response.sendRedirect(((HttpServletRequest) request).getContextPath() + error);
    }
    filterChain.doFilter(request, response);
}
From source file:com.acme.demo.web.CSRFController.java
@RequestMapping("/csrf")
public Map<String, Boolean> auth(Principal principal, ServletRequest request, HttpServletResponse response) {
    // Report whether the caller is authenticated; when it is, also expose the CSRF token
    // through response headers so a script client can send it back.
    CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
    boolean authenticated = principal != null && token != null;
    if (authenticated) {
        // Spring Security will allow the Token to be included in this header name
        response.setHeader("X-CSRF-HEADER", token.getHeaderName());
        // Spring Security will allow the token to be included in this parameter name
        response.setHeader("X-CSRF-PARAM", token.getParameterName());
        // this is the value of the token to be included as either a header or an HTTP parameter
        response.setHeader("X-CSRF-TOKEN", token.getToken());
        response.setHeader("X-USER-NAME", principal.getName());
    }
    Map<String, Boolean> result = new HashMap<String, Boolean>();
    result.put("authenticated", authenticated);
    return result;
}
From source file:au.gov.dto.springframework.security.web.csrf.CookieCsrfTokenRepositoryTest.java
@Test
public void testSaveAndLoadToken() throws Exception {
    // Round trip through a repository configured with an explicit cookie name.
    CookieCsrfTokenRepository repository = new CookieCsrfTokenRepository();
    String cookieName = "csrfCookie";
    repository.setCsrfCookieName(cookieName);
    MockHttpServletRequest req = new MockHttpServletRequest();
    MockHttpServletResponse res = new MockHttpServletResponse();

    CsrfToken generated = repository.generateToken(req);
    repository.saveToken(generated, req, res);

    // The token must have been written to the configured cookie, HttpOnly.
    Cookie issued = res.getCookie(cookieName);
    assertNotNull(issued);
    assertEquals(generated.getToken(), issued.getValue());
    assertEquals(true, issued.isHttpOnly());

    // Presenting the cookie on a request yields an equivalent token.
    req.setCookies(issued);
    CsrfToken reloaded = repository.loadToken(req);
    assertEquals(generated.getToken(), reloaded.getToken());
    assertEquals(generated.getHeaderName(), reloaded.getHeaderName());
    assertEquals(generated.getParameterName(), reloaded.getParameterName());
}