package org.pac4j.core.authorization.authorizer.csrf;
import org.pac4j.core.authorization.authorizer.Authorizer;
import org.pac4j.core.context.ContextHelper;
import org.pac4j.core.context.Pac4jConstants;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.profile.UserProfile;
import org.pac4j.core.util.CommonHelper;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
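/**
 * Authorizer that checks CSRF tokens.
 *
 * The token presented by the request (as the {@code parameterName} request parameter or the
 * {@code headerName} request header) is compared with the token stored in the session under
 * {@link Pac4jConstants#CSRF_TOKEN}. When the session holds no token the request is rejected,
 * so the check fails closed instead of treating "no session token" and "no request token" as a match.
 * By default only POST requests are checked ({@code onlyCheckPostRequest}); other methods pass through.
 *
 * @author Jerome Leleu
 * @since 1.8.0
 */
public class CsrfAuthorizer<U extends UserProfile> implements Authorizer<U> {

    /** Name of the request parameter expected to carry the CSRF token. */
    private String parameterName = Pac4jConstants.CSRF_TOKEN;

    /** Name of the request header expected to carry the CSRF token. */
    private String headerName = Pac4jConstants.CSRF_TOKEN;

    /** When {@code true} only POST requests are checked; otherwise every request is checked. */
    private boolean onlyCheckPostRequest = true;

    public CsrfAuthorizer() {
    }

    /**
     * @param parameterName name of the request parameter carrying the token
     * @param headerName    name of the request header carrying the token
     */
    public CsrfAuthorizer(final String parameterName, final String headerName) {
        this.parameterName = parameterName;
        this.headerName = headerName;
    }

    /**
     * @param parameterName        name of the request parameter carrying the token
     * @param headerName           name of the request header carrying the token
     * @param onlyCheckPostRequest whether only POST requests are subject to the check
     */
    public CsrfAuthorizer(final String parameterName, final String headerName, final boolean onlyCheckPostRequest) {
        this(parameterName, headerName);
        this.onlyCheckPostRequest = onlyCheckPostRequest;
    }

    /**
     * Checks that the request carries a CSRF token matching the one stored in the session.
     *
     * @param context  the web context (request parameters, headers and session attributes are read from it)
     * @param profiles the authenticated profiles; not used by this authorizer
     * @return {@code true} if the request is not subject to the check, or if its parameter or header token
     *         matches the session token; {@code false} if the session holds no token or no token matches
     */
    @Override
    public boolean isAuthorized(final WebContext context, final List<U> profiles) {
        // Requests outside the configured scope are not checked at all.
        if (onlyCheckPostRequest && !ContextHelper.isPost(context)) {
            return true;
        }
        final String sessionToken = (String) context.getSessionAttribute(Pac4jConstants.CSRF_TOKEN);
        // Fail closed: with no session token there is nothing to verify against, and an absent
        // request token must not be accepted just because the session token is absent too.
        if (sessionToken == null || sessionToken.isEmpty()) {
            return false;
        }
        final String parameterToken = context.getRequestParameter(parameterName);
        final String headerToken = context.getRequestHeader(headerName);
        return tokenMatches(parameterToken, sessionToken) || tokenMatches(headerToken, sessionToken);
    }

    /**
     * Compares a token taken from the request with the session token. The comparison does not stop at
     * the first differing byte, so the time it takes does not reveal how much of the secret was guessed.
     *
     * @param candidate the token from the request, possibly {@code null}
     * @param expected  the non-null session token
     * @return {@code true} only if {@code candidate} is non-null and byte-for-byte equal to {@code expected}
     */
    private static boolean tokenMatches(final String candidate, final String expected) {
        if (candidate == null) {
            return false;
        }
        return MessageDigest.isEqual(candidate.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
    }

    public String getParameterName() {
        return parameterName;
    }

    public void setParameterName(String parameterName) {
        this.parameterName = parameterName;
    }

    public String getHeaderName() {
        return headerName;
    }

    public void setHeaderName(String headerName) {
        this.headerName = headerName;
    }

    public boolean isOnlyCheckPostRequest() {
        return onlyCheckPostRequest;
    }

    public void setOnlyCheckPostRequest(boolean onlyCheckPostRequest) {
        this.onlyCheckPostRequest = onlyCheckPostRequest;
    }
}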