Class SecretBasedAXSRFTVendingMachine

java.lang.Object
com.webmethods.caf.faces.render.xsrf.BaseAXSRFTVendingMachine
com.webmethods.caf.faces.render.xsrf.SecretBasedAXSRFTVendingMachine
All Implemented Interfaces:
IAXSRFTVendingMachine

public class SecretBasedAXSRFTVendingMachine extends BaseAXSRFTVendingMachine
Anti-cross-site-request-forgery-token manager that uses server secrets to produce and validate tokens. This class must be initialized with at least one secret in its list of secrets. Ideally, one thread (i.e. a portal scheduled event listener) will call removeOldSecrets(long) and then addNewSecret() on a timed schedule, which updates the secrets list.
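The rotation scheme described above, as an added stand-alone example that is not the webMethods CAF implementation: tokens are issued with the newest secret and accepted against every secret still in the list, so a token survives a rotation until its secret is removed. The class name RotatingSecretTokens, the Secret record, HMAC-SHA256 as the digest, and the reading of oldestAllowed as a creation-time cutoff are all assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;

// Hypothetical stand-alone sketch (Java 16+); not the webMethods CAF implementation.
public class RotatingSecretTokens {
    record Secret(byte[] key, long createdAt) {}
    private final List<Secret> secrets = new ArrayList<>();
    private final SecureRandom rng = new SecureRandom();

    public synchronized void addNewSecret(long now) {
        byte[] key = new byte[32];
        rng.nextBytes(key);
        secrets.add(new Secret(key, now)); // newest secret is last
    }
    // Assumption: oldestAllowed is a creation-time cutoff on the same clock as createdAt.
    public synchronized void removeOldSecrets(long oldestAllowed) {
        secrets.removeIf(s -> s.createdAt() < oldestAllowed);
    }
    public synchronized String produceToken(String user) throws Exception {
        return digest(secrets.get(secrets.size() - 1), user); // issue with the newest secret
    }
    public synchronized boolean acceptToken(String user, String token) throws Exception {
        byte[] presented = token.getBytes(StandardCharsets.UTF_8);
        boolean ok = false;
        for (Secret s : secrets) { // try every retained secret, constant-time compare
            ok |= MessageDigest.isEqual(digest(s, user).getBytes(StandardCharsets.UTF_8), presented);
        }
        return ok;
    }
    // HMAC-SHA256 stands in here for the page's "digests user + secret".
    private static String digest(Secret s, String user) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(s.key(), "HmacSHA256"));
        byte[] tag = mac.doFinal(user.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }
    public static void main(String[] args) throws Exception {
        RotatingSecretTokens vm = new RotatingSecretTokens();
        vm.addNewSecret(1_000);                             // constructed timestamps
        String token = vm.produceToken("alice");
        vm.removeOldSecrets(500); vm.addNewSecret(2_000);   // first rotation keeps the old secret
        System.out.println("after 1 rotation: " + vm.acceptToken("alice", token));
        System.out.println("other user: " + vm.acceptToken("bob", token));
        vm.removeOldSecrets(1_500); vm.addNewSecret(3_000); // second rotation drops it
        System.out.println("after 2 rotations: " + vm.acceptToken("alice", token));
    }
}
```

The retention window passed to removeOldSecrets bounds how long an issued token stays valid, so it should be at least as long as the longest expected form or session lifetime.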
  • Field Details

  • Constructor Details

    • SecretBasedAXSRFTVendingMachine

      public SecretBasedAXSRFTVendingMachine()
  • Method Details

    • produceToken

      public String produceToken(FacesContext context)
      Produces an anti-cross-site-request-forgery token for the specified user.
    • produceToken

      public String produceToken(HttpServletRequest request)
      Produces an anti-cross-site-request-forgery token for the specified user.
    • produceToken

      public String produceToken(String user)
      Produces an anti-cross-site-request-forgery token for the specified user.
    • acceptToken

      public boolean acceptToken(FacesContext context, String token)
      Returns true if the specified anti-cross-site-request-forgery token is valid for the specified user.
    • acceptToken

      public boolean acceptToken(HttpServletRequest request, String token)
      Returns true if the specified anti-cross-site-request-forgery token is valid for the specified user.
    • addNewSecret

      public void addNewSecret()
      Generates a new random secret, and adds it to the list of secrets.
    • removeOldSecrets

      public void removeOldSecrets(long oldestAllowed)
    • generateNewSecret

      protected SecretBasedAXSRFTVendingMachine.Secret generateNewSecret()
      Generates a new random secret.
    • generateToken

      protected String generateToken(String user)
      Generates a token for this user.
    • validateToken

      protected boolean validateToken(String user, String token)
      Validates the token for this user.
    • digest

      protected String digest(SecretBasedAXSRFTVendingMachine.Secret secret, String user)
      Digests user + secret.
    • getUser

      protected String getUser(FacesContext context)
    • getUser

      protected String getUser(HttpServletRequest request)
    • getSecrets

    • setSecrets

      public void setSecrets(List<SecretBasedAXSRFTVendingMachine.Secret> secrets)