Class BaseAXSRFTVendingMachine

java.lang.Object
com.webmethods.caf.faces.render.xsrf.BaseAXSRFTVendingMachine
All Implemented Interfaces:
IAXSRFTVendingMachine
Direct Known Subclasses:
SecretBasedAXSRFTVendingMachine, SessionBasedAXSRFTVendingMachine

public abstract class BaseAXSRFTVendingMachine extends Object implements IAXSRFTVendingMachine
Base class for an anti-cross-site-request-forgery-token (anti-xsrf token) vending machine; includes helpers for waiving the anti-xsrf token requirement for whitelisted clients.
  • Field Details

    • m_whitelist

      protected List<InetAddress[]> m_whitelist
      List of client addresses or ranges of addresses which never require an anti-cross-site-request-forgery token. The list should never be null, and each entry in the list should contain exactly two InetAddresses. Each entry should either contain the same InetAddress twice, to indicate that that specific address is allowed; or it should contain two different InetAddresses (the first lower than the second), indicating that any ip address between the two InetAddresses (inclusive) is allowed.
      If the list is empty, then no clients are whitelisted (i.e. every client is checked for anti-xsrf tokens as necessary); if the list contains an entry for 0.0.0.0-255.255.255.255, then all clients are whitelisted (i.e. no client is checked for anti-xsrf tokens).
  • Constructor Details

    • BaseAXSRFTVendingMachine

      public BaseAXSRFTVendingMachine()
  • Method Details

    • getWhitelist

      public List<InetAddress[]> getWhitelist()
      Returns the list of client addresses or ranges of addresses which never require an anti-cross-site-request-forgery token. The list should never be null, and each entry in the list should contain exactly two InetAddresses. Each entry should either contain the same InetAddress twice, to indicate that that specific address is allowed; or it should contain two different InetAddresses (the first lower than the second), indicating that any ip address between the two InetAddresses (inclusive) is allowed.
      If the list is empty, then no clients are whitelisted (i.e. every client is checked for anti-xsrf tokens as necessary); if the list contains an entry for 0.0.0.0-255.255.255.255, then all clients are whitelisted (i.e. no client is checked for anti-xsrf tokens).
    • setWhitelist

      public void setWhitelist(List<InetAddress[]> whitelist)
      Sets the list of client addresses or ranges of addresses which never require an anti-cross-site-request-forgery token. The list should never be null, and each entry in the list should contain exactly two InetAddresses. Each entry should either contain the same InetAddress twice, to indicate that that specific address is allowed; or it should contain two different InetAddresses (the first lower than the second), indicating that any ip address between the two InetAddresses (inclusive) is allowed.
      If the list is empty, then no clients are whitelisted (i.e. every client is checked for anti-xsrf tokens as necessary); if the list contains an entry for 0.0.0.0-255.255.255.255, then all clients are whitelisted (i.e. no client is checked for anti-xsrf tokens).
    • parseWhitelist

      public void parseWhitelist(String whitelist)
      Sets the list of addresses or ranges of addresses which never require an anti-cross-site-request-forgery token, using the specified comma-separated list of allowed ip addresses, ip-address ranges, or host names. For example, "1.2.3.4" sets the list to consist of only the ip address 1.2.3.4; "1.2.3.4-5.6.7.8" sets the list to consist of the ip addresses greater than or equal to 1.2.3.4 and less than or equal to 5.6.7.8; "localhost,10.140.58.1-10.140.58.31,pc1.private.corp.com" sets the list to consist of localhost, pc1.private.corp.com, and the ip addresses greater than or equal to 10.140.58.1 and less than or equal to 10.140.58.31. Null or the empty string ("") sets the list to an empty list; "*" sets the list to a single entry of "0.0.0.0-255.255.255.255" (all addresses).
      Parameters:
      whitelist - Comma-separated list of allowed addresses.
    • inWhitelist

      public boolean inWhitelist(String address)
      Returns true if the specified address is in the whitelist of client addresses which never require an anti-cross-site-request-forgery token.
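      The following is an added, self-contained illustration of the whitelist semantics documented for parseWhitelist and inWhitelist above; it is not CAF's implementation, and the class name WhitelistRangeDemo is invented for this example. It handles ip literals and ranges only (the real parseWhitelist also accepts host names, which requires name resolution) and stores entries as the two-element InetAddress arrays the m_whitelist documentation describes.

```java
import java.math.BigInteger;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

// Hypothetical stand-in for a vending machine's whitelist handling; not CAF code.
public class WhitelistRangeDemo {
    // Each entry holds exactly two addresses, [low, high], inclusive, as the field doc describes.
    private final List<InetAddress[]> whitelist = new ArrayList<>();

    public List<InetAddress[]> getWhitelist() {
        return whitelist;
    }

    // Follows the documented parseWhitelist contract for ip literals and ranges.
    public void parseWhitelist(String spec) throws UnknownHostException {
        whitelist.clear();
        if (spec == null || spec.trim().isEmpty()) {
            return; // null or "" -> empty list: every client is checked for a token
        }
        for (String raw : spec.split(",")) {
            String entry = raw.trim();
            if (entry.isEmpty()) {
                continue;
            }
            if ("*".equals(entry)) {
                // "*" -> 0.0.0.0-255.255.255.255: no client is checked for a token
                whitelist.add(pair("0.0.0.0", "255.255.255.255"));
                continue;
            }
            int dash = entry.indexOf('-');
            if (dash < 0) {
                whitelist.add(pair(entry, entry)); // single address: same InetAddress twice
            } else {
                whitelist.add(pair(entry.substring(0, dash).trim(), entry.substring(dash + 1).trim()));
            }
        }
    }

    private static InetAddress[] pair(String low, String high) throws UnknownHostException {
        InetAddress lo = InetAddress.getByName(low);   // an ip literal does not trigger DNS
        InetAddress hi = InetAddress.getByName(high);
        // Enforce "the first lower than the second" and reject mixed IPv4/IPv6 ranges.
        if (lo.getAddress().length != hi.getAddress().length || toInt(lo).compareTo(toInt(hi)) > 0) {
            throw new IllegalArgumentException("range must be low-high within one address family: " + low + "-" + high);
        }
        return new InetAddress[] { lo, hi };
    }

    // Unsigned numeric view of the raw address bytes; comparing dotted strings would
    // order "10.0.0.9" after "10.0.0.10" and break range checks.
    private static BigInteger toInt(InetAddress a) {
        return new BigInteger(1, a.getAddress());
    }

    public boolean inWhitelist(String address) {
        InetAddress client;
        try {
            client = InetAddress.getByName(address);
        } catch (UnknownHostException e) {
            return false; // an address that cannot be parsed or resolved is never waived
        }
        BigInteger c = toInt(client);
        for (InetAddress[] range : whitelist) {
            if (range[0].getAddress().length != client.getAddress().length) {
                continue; // an IPv4 range never matches an IPv6 client and vice versa
            }
            if (toInt(range[0]).compareTo(c) <= 0 && c.compareTo(toInt(range[1])) <= 0) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        WhitelistRangeDemo m = new WhitelistRangeDemo();
        m.parseWhitelist("127.0.0.1,10.140.58.1-10.140.58.31");
        System.out.println("10.140.58.20 waived: " + m.inWhitelist("10.140.58.20"));
        System.out.println("10.140.58.32 waived: " + m.inWhitelist("10.140.58.32"));
        m.parseWhitelist("*");
        System.out.println("203.0.113.7 waived with '*': " + m.inWhitelist("203.0.113.7"));
    }
}
```

      The check compares the client address the servlet container reports. When requests arrive through a reverse proxy or load balancer, that is the proxy's address, so whitelisting it waives the token check for every client the proxy forwards, exactly as a "*" entry does explicitly; keep the whitelist to addresses that genuinely identify trusted callers.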
    • getRequest

      protected HttpServletRequest getRequest(FacesContext context)
      Returns the current portal request or null.