Package hirondelle.web4j.model

Examples of hirondelle.web4j.model.Id

The underlying database column may be modeled either as text or as a number. If the underlying column is of a numeric type, however, then a Data Access Object must pass Id parameters to {@link hirondelle.web4j.database.Db} using {@link #asInteger} or {@link #asLong}, rather than as raw text.

Design Note :
This class is final, immutable, {@link Serializable}, and {@link Comparable}, in imitation of the other building block classes such as {@link String}, {@link Integer}, and so on.


  /**
   Return the form-source id value, stored in the user's session.
   If there is no session, or if there is no form-source id in the session, throw a RuntimeException. 
  */
  private Id getHiddenParamValue(){
    Id result = null;
    boolean DO_NOT_CREATE = false;
    HttpSession session = fRequest.getSession(DO_NOT_CREATE);
    if ( session != null ) {
      result = (Id)session.getAttribute(CsrfFilter.FORM_SOURCE_ID_KEY);
      if( result == null ){


    return aRequestParam.getName().equals(fCSRF_REQ_PARAM.getName());
  }

  private void defendAgainstCSRFAttacks(RequestParser aRequestParser) throws BadRequestException {
    if( requestNeedsDefendingAgainstCSRFAttacks(aRequestParser) ) {
      Id postedTokenValue = aRequestParser.toId(fCSRF_REQ_PARAM);
      if ( FAILS == toIncludeCsrfTokenWithForm(postedTokenValue) ){
        fLogger.severe("CSRF token not included in POSTed request. Rejecting this request, since it is likely an attack.");
        throw new BadRequestException(HttpServletResponse.SC_BAD_REQUEST);
      }
     

  private boolean requestNeedsDefendingAgainstCSRFAttacks(RequestParser aRequestParser){
    boolean isPOST =  aRequestParser.getRequest().getMethod().equalsIgnoreCase("POST");
    boolean sessionPresent = isSessionPresent(aRequestParser);
    boolean csrfFilterIsTurnedOn = false;
    if( sessionPresent ) {
      Id csrfTokenInSession = getCsrfTokenInSession(CURRENT_TOKEN_CSRF, aRequestParser);
      csrfFilterIsTurnedOn = (csrfTokenInSession != null);
    }
   
    if( isPOST &&  sessionPresent && ! csrfFilterIsTurnedOn )  {
      fLogger.warning("POST operation, but no CSRF form token present in existing session. This application does not have WEB4J defenses against CSRF attacks configured in the recommended way.")

  /**
   Report whether a CSRF token value was actually posted along with the form.
   
   <P>Only presence is checked here: the result is <tt>true</tt> exactly when
   <tt>aCsrfToken</tt> is non-<tt>null</tt>. Comparing the posted value against the
   token held in the session is done separately by the match methods.
  */
  private boolean toIncludeCsrfTokenWithForm(Id aCsrfToken){
    boolean tokenWasPosted = (aCsrfToken != null);
    return tokenWasPosted;
  }
 
  /**
   Return <tt>true</tt> only if the posted token equals the <em>current</em> CSRF token
   held in the user's session.
   
   <P>Precondition: <tt>aPostedTokenValue</tt> is not <tt>null</tt>; the caller verifies
   presence before attempting a match. The session lookup itself may yield <tt>null</tt>,
   in which case the comparison is expected to fail per the <tt>equals</tt> contract.
   
   <P>NOTE(review): the comparison is delegated to <tt>Id.equals</tt>, which is presumably a
   plain value comparison rather than a constant-time one; confirm whether that matters here.
  */
  private boolean matchCurrentCSRFToken(RequestParser aRequestParser, Id aPostedTokenValue) {
    Id expectedToken = getCsrfTokenInSession(CURRENT_TOKEN_CSRF, aRequestParser);
    boolean isMatch = aPostedTokenValue.equals(expectedToken);
    return isMatch;
  }

    return aPostedTokenValue.equals(currentToken);
  }
 
  /**
   Return <tt>true</tt> only if the posted token equals the <em>previous</em> CSRF token
   held in the user's session (the token carried over from the user's preceding session).
   
   <P>For an anonymous session with no login, no previous token is stored, so the session
   lookup yields <tt>null</tt> and the comparison is expected to fail per the <tt>equals</tt>
   contract. Precondition: <tt>aPostedTokenValue</tt> is not <tt>null</tt>; the caller verifies
   presence before attempting a match.
   
   <P>NOTE(review): as with the current-token match, this relies on <tt>Id.equals</tt>, which is
   presumably not a constant-time comparison; confirm whether that matters here.
  */
  private boolean matchPreviousCSRFToken(RequestParser aRequestParser, Id aPostedTokenValue){
    Id expectedToken = getCsrfTokenInSession(PREVIOUS_TOKEN_CSRF, aRequestParser);
    boolean isMatch = aPostedTokenValue.equals(expectedToken);
    return isMatch;
  }

 
  private void addItemsForNewSessions(HttpServletRequest aRequest) throws ServletException {
    HttpSession session = aRequest.getSession(DO_NOT_CREATE);
    if ( sessionExists(session) ){
      if ( hasNoFormSourceIdInSession(session) ){
        Id currentFormSourceId = calcFormSourceId();
        addFormSourceIdToSession(session, currentFormSourceId);
        if( userHasLoggedIn(aRequest) ){
          CsrfDAO formSourceDAO = new CsrfDAO(aRequest.getUserPrincipal().getName(), currentFormSourceId);
          addPreviousFormSourceIdToSession(session, formSourceDAO);         
          addFormSourceDAOToSession(session, formSourceDAO);

    aSession.setAttribute(FORM_SOURCE_ID_KEY, aCurrentFormSourceId);
  }
 
  /**
   Build a fresh form-source id: take the text form of a random number, hash it, and wrap
   the hash in an {@link Id}.
   
   <P>NOTE(review): the unpredictability of this token rests entirely on
   <tt>getRandomNumber()</tt>, whose implementation is not visible here; confirm it is backed by
   a cryptographically strong generator such as <tt>SecureRandom</tt>, since a guessable
   form-source id would undermine the CSRF defense. Hashing alone does not add entropy.
  */
  private Id calcFormSourceId(){
    String randomText = getRandomNumber().toString();
    String hashedToken = getHashFor(randomText);
    return new Id(hashedToken);
  }

  }
 
  private void addPreviousFormSourceIdToSession(HttpSession aSession, CsrfDAO aDAO) throws ServletException {
    fLogger.fine("Adding previous form-source id to session.");
    try {
      Id previousFormSourceId = aDAO.fetchPreviousFormSourceId();
      if( previousFormSourceId == null ) {
        fLogger.fine("No previous form-source id found.");
      }
      else {
        fLogger.fine("Adding previous form-source id to session.");

   Return the form-source id for the user's immediately preceding session.
  
  <P>Returns <tt>null</tt> if there is no previous form-source id for the logged-in user.
  */
  Id fetchPreviousFormSourceId() throws DAOException {
    Id result = null;
    fLogger.fine("Fetching previous form-source id for " + Util.quote(fUserName) + ", using SqlId " + Util.quote(READ_SQL));
    result = Db.fetchValue(Id.class, getReadSql(), fUserName);
    if( result == null ) {
      fLogger.fine("No previous form-source id found for this user.");
    }

  }

  private void enforceOwnershipConstraint(Action aAction, RequestParser aRequestParser) throws AppException, BadRequestException {
    if (aAction instanceof FetchIdentifierOwner ) {
      FetchIdentifierOwner constraint = (FetchIdentifierOwner)aAction;
      Id owner = constraint.fetchOwner();
      String ownerText = (owner == null ? null : owner.getRawString());
      HttpSession session = aRequestParser.getRequest().getSession(DO_NOT_CREATE_SESSION);
      if( session == null ) {
        ownershipConstraintNotImplementedCorrectly(OWNERSHIP_NO_SESSION);
      }
      if( aRequestParser.getRequest().getUserPrincipal() == null ) {


