1    /*
2    * See the NOTICE file distributed with this work for additional
3    * information regarding copyright ownership.
4    *
5    * This is free software; you can redistribute it and/or modify it
6    * under the terms of the GNU Lesser General Public License as
7    * published by the Free Software Foundation; either version 2.1 of
8    * the License, or (at your option) any later version.
9    *
10    * This software is distributed in the hope that it will be useful,
11    * but WITHOUT ANY WARRANTY; without even the implied warranty of
12    * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13    * Lesser General Public License for more details.
14    *
15    * You should have received a copy of the GNU Lesser General Public
16    * License along with this software; if not, write to the Free
17    * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
18    * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
19    */
20    package org.xwiki.csrf;
21   
22    import org.xwiki.component.annotation.Role;
23   
/**
 * Secret-token based protection against Cross Site Request Forgery (CSRF).
 * <p>
 * Every request that modifies or stores data is expected to carry a random secret token. When the token carried by the
 * request does not match the one kept on the server side for the current user, the request is redirected to a
 * resubmission page where a legitimate user can confirm the action.
 *
 * @see <a href="http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet">CSRF
 *      Prevention Cheat Sheet</a>
 * @version $Id: abfb5473fbbb574e79efa336557ad53ae7c79093 $
 * @since 2.5M2
 */
@Role
public interface CSRFToken
{
    /**
     * Returns the anti-CSRF token bound to the current user, generating a fresh one on the first call.
     *
     * @return the secret token
     * @see #isTokenValid(String)
     */
    String getToken();

    /**
     * Checks whether {@code token} equals the token kept on the server side for the current user.
     * <p>
     * {@code true} is also returned when the component is disabled, so a positive result does not by itself prove
     * that the request carried the correct token; callers deciding on a sensitive action should keep that in mind.
     * Implementations are expected to compare the two values in constant time so that the stored token cannot be
     * inferred from timing differences.
     *
     * @param token the random token taken from the request
     * @return {@code true} when the component is disabled or the token is correct, {@code false} otherwise
     */
    boolean isTokenValid(String token);

    /**
     * Discards the anti-CSRF token bound to the current user. The token becomes invalid at once; the next call to
     * {@link #getToken()} produces a fresh one.
     */
    void clearToken();

    /**
     * Returns the URL a rejected request should be redirected to.
     *
     * @return the URL of the resubmission page, including the parameters it needs
     */
    String getResubmissionURL();
}