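@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
        FilterChain filterChain) throws ServletException, IOException {
    // Spring Security exposes the current CsrfToken as request attribute "_csrf". It is
    // absent when the CSRF filter did not run for this request (e.g. an ignored path),
    // so guard it instead of dereferencing it unconditionally.
    CsrfToken csrfToken = (CsrfToken) request.getAttribute("_csrf");
    if (csrfToken == null) {
        filterChain.doFilter(request, response);
        return;
    }
    // Send the cookie only when the header the client presented does not already carry
    // the current token.
    String actualToken = request.getHeader("X-CSRF-TOKEN");
    if (actualToken == null || !actualToken.equals(csrfToken.getToken())) {
        // Session cookie that will be used by AngularJS; it must stay readable by script
        // (HttpOnly=false) so the client can echo it back in X-CSRF-TOKEN.
        Cookie cookie = new Cookie("CSRF-TOKEN", csrfToken.getToken());
        cookie.setMaxAge(-1);                 // session cookie: dropped when the browser closes
        cookie.setHttpOnly(false);
        cookie.setPath("/");
        cookie.setSecure(request.isSecure()); // a token issued over TLS is never sent over plain HTTP
        response.addCookie(cookie);
    }
    filterChain.doFilter(request, response);
}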
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
        FilterChain filterChain) throws ServletException, IOException {
    // Mirror Spring Security's CsrfToken (published as a request attribute) into the
    // XSRF-TOKEN cookie. The cookie is not HttpOnly, so a browser client can read it
    // and send it back in the CSRF header.
    CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
    if (csrf != null) {
        String currentToken = csrf.getToken();
        Cookie existing = WebUtils.getCookie(request, "XSRF-TOKEN");
        boolean cookieStale = existing != null
                && currentToken != null
                && !currentToken.equals(existing.getValue());
        // Write the cookie only when it is missing or no longer matches the server token.
        if (existing == null || cookieStale) {
            Cookie fresh = new Cookie("XSRF-TOKEN", currentToken);
            fresh.setPath("/");
            response.addCookie(fresh);
        }
    }
    filterChain.doFilter(request, response);
}
private Filter csrfHeaderFilter() {
    // Publishes Spring Security's CsrfToken as the XSRF-TOKEN cookie (not HttpOnly, so
    // script can read it and return it in the matching request header).
    return new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            if (csrf != null) {
                String token = csrf.getToken();
                Cookie present = WebUtils.getCookie(request, "XSRF-TOKEN");
                if (needsRefresh(present, token)) {
                    Cookie replacement = new Cookie("XSRF-TOKEN", token);
                    replacement.setPath("/");
                    response.addCookie(replacement);
                }
            }
            filterChain.doFilter(request, response);
        }

        // True when the browser has no cookie yet, or its value differs from the server token.
        private boolean needsRefresh(Cookie present, String token) {
            if (present == null) {
                return true;
            }
            return token != null && !token.equals(present.getValue());
        }
    };
}
@Override
public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
        ModelAndView modelAndView) throws Exception {
    // Sometimes modelAndView is null (the page was not found), so there is nothing to enrich.
    if (modelAndView == null) {
        return;
    }
    // Expose the Spring Security CSRF token to the view under "_csrf".
    CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
    modelAndView.addObject("_csrf", token);
    // Expose the admin flag only when there is a current user.
    boolean hasCurrentUser = sessionService.getUsuarioActual() != null;
    if (hasCurrentUser) {
        boolean isAdmin = sessionService.usuarioActualHasRole("ROLE_ADMIN");
        modelAndView.addObject("isAdmin", isAdmin);
    }
}
private Filter csrfHeaderFilter() {
    // Copies the CsrfToken published by Spring Security into the XSRF-TOKEN cookie on
    // every request that carries one (no change detection: the cookie is always rewritten).
    return new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            Object attribute = request.getAttribute(CsrfToken.class.getName());
            if (attribute != null) {
                CsrfToken csrf = (CsrfToken) attribute;
                Cookie xsrfCookie = new Cookie("XSRF-TOKEN", csrf.getToken());
                xsrfCookie.setPath("/");
                response.addCookie(xsrfCookie);
            }
            filterChain.doFilter(request, response);
        }
    };
}
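/**
 * Retrieves the CSRF token from the server session.
 * <p>
 * When the configured {@code csrfTokenRepository} holds no token for this request, a new
 * one is generated and saved before it is returned, so the response always carries a
 * usable token. NOTE(review): the endpoint is reachable unauthenticated ({@code @PermitAll});
 * it relies on the JSON body not being readable cross-origin — confirm against the
 * application's CORS configuration.
 *
 * @param request {@link HttpServletRequest} to retrieve the current session from
 * @param response {@link HttpServletResponse} to send additional information
 * @return the Spring Security {@link CsrfToken}, never {@code null}
 */
@Produces(MediaType.APPLICATION_JSON)
@GET
@Path("/csrftoken/")
@PermitAll
public CsrfToken getCsrfToken(@Context HttpServletRequest request,
        @Context HttpServletResponse response) {
    CsrfToken token = this.csrfTokenRepository.loadToken(request);
    if (token == null) {
        LOG.warn("No CsrfToken could be found - instanciating a new Token");
        token = this.csrfTokenRepository.generateToken(request);
        // Persist it so subsequent requests (and the CSRF filter) see the same value.
        this.csrfTokenRepository.saveToken(token, request, response);
    }
    return token;
}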
@Override
protected void doFilterInternal(
        HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
        throws ServletException, IOException {
    // Requests excluded from CSRF handling pass straight through untouched.
    if (ignoredMatcher.matches(request)) {
        filterChain.doFilter(request, response);
        return;
    }
    final CsrfToken csrfToken = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
    if (csrfToken != null) {
        final String serverValue = csrfToken.getToken();
        final Cookie browserCookie = WebUtils.getCookie(request, ANGULAR_CSRF_DEFAULT_COOKIE_NAME);
        final boolean missing = browserCookie == null;
        final boolean outdated = !missing
                && serverValue != null
                && !serverValue.equals(browserCookie.getValue());
        // (Re)issue the cookie only when the browser lacks it or holds a stale value.
        if (missing || outdated) {
            final Cookie refreshed = new Cookie(ANGULAR_CSRF_DEFAULT_COOKIE_NAME, serverValue);
            refreshed.setMaxAge(-1);                 // session cookie
            refreshed.setPath(getCookiePath(request));
            refreshed.setSecure(request.isSecure()); // Secure flag follows the request scheme
            response.addCookie(refreshed);
        }
    }
    filterChain.doFilter(request, response);
}
private Filter csrfHeaderFilter() {
    return new OncePerRequestFilter() {
        /** Keeps the XSRF-TOKEN cookie in step with the server-side CsrfToken. */
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            if (csrf == null) {
                // No token on this request: nothing to publish.
                filterChain.doFilter(request, response);
                return;
            }
            String serverToken = csrf.getToken();
            Cookie clientCookie = WebUtils.getCookie(request, "XSRF-TOKEN");
            boolean upToDate = clientCookie != null
                    && (serverToken == null || serverToken.equals(clientCookie.getValue()));
            if (!upToDate) {
                Cookie issued = new Cookie("XSRF-TOKEN", serverToken);
                issued.setPath("/");
                response.addCookie(issued);
            }
            filterChain.doFilter(request, response);
        }
    };
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
        FilterChain filterChain) throws ServletException, IOException {
    // Publish Spring Security's CsrfToken as the XSRF-TOKEN cookie for script clients.
    CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
    if (csrf != null) {
        Cookie existing = WebUtils.getCookie(request, "XSRF-TOKEN");
        String cookieValue = existing == null ? null : existing.getValue();
        String token = csrf.getToken();
        // Only write when the browser has no cookie, or its value no longer matches.
        boolean publish = existing == null || (token != null && !token.equals(cookieValue));
        if (publish) {
            Cookie updated = new Cookie("XSRF-TOKEN", token);
            updated.setPath("/");
            response.addCookie(updated);
        }
    }
    filterChain.doFilter(request, response);
}
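@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
        FilterChain filterChain) throws ServletException, IOException {
    // Spring Security exposes the current CsrfToken as request attribute "_csrf". It is
    // absent when the CSRF filter did not run for this request, so guard against null
    // instead of dereferencing it unconditionally (the CORS headers below must still be
    // written and the chain must still continue in that case).
    CsrfToken csrfToken = (CsrfToken) request.getAttribute("_csrf");
    if (csrfToken != null) {
        // Send the cookie only when the header the client presented does not already
        // carry the current token.
        String actualToken = request.getHeader("X-CSRF-TOKEN");
        if (actualToken == null || !actualToken.equals(csrfToken.getToken())) {
            // Session cookie that will be used by AngularJS; it must stay readable by
            // script (HttpOnly=false) so the client can echo it in X-CSRF-TOKEN.
            Cookie cookie = new Cookie("CSRF-TOKEN", csrfToken.getToken());
            cookie.setMaxAge(-1);
            cookie.setHttpOnly(false);
            cookie.setPath("/");
            cookie.setSecure(request.isSecure()); // a token issued over TLS is never sent over plain HTTP
            response.addCookie(cookie);
        }
    }
    // CORS headers are emitted on every response, not only on preflights.
    // NOTE(review): "*" lets any origin read responses to credential-less requests;
    // browsers do not expose responses to cookie-bearing requests under a wildcard
    // origin, so the session cookie itself is not reachable this way — confirm the
    // wildcard is intended rather than an explicit origin allow-list.
    response.addHeader("Access-Control-Allow-Origin", "*");
    response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
    response.setHeader("Access-Control-Max-Age", "86400"); // 24 Hours
    response.setHeader("Access-Control-Allow-Headers",
            "Origin, X-Requested-With, Content-Type, Accept, x-auth-token");
    filterChain.doFilter(request, response);
}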
@Test
public void testSaveAndLoadToken() throws Exception {
    // Round-trip a generated token through the cookie repository and back.
    final String cookieName = "csrfCookie";
    CookieCsrfTokenRepository repository = new CookieCsrfTokenRepository();
    repository.setCsrfCookieName(cookieName);
    MockHttpServletRequest request = new MockHttpServletRequest();
    MockHttpServletResponse response = new MockHttpServletResponse();

    CsrfToken generated = repository.generateToken(request);
    repository.saveToken(generated, request, response);

    // The token must have been written to the configured cookie, marked HttpOnly.
    Cookie written = response.getCookie(cookieName);
    assertNotNull(written);
    assertEquals(generated.getToken(), written.getValue());
    assertEquals(true, written.isHttpOnly());

    // Presenting that cookie on a later request must load an equivalent token.
    request.setCookies(written);
    CsrfToken loaded = repository.loadToken(request);
    assertEquals(generated.getToken(), loaded.getToken());
    assertEquals(generated.getHeaderName(), loaded.getHeaderName());
    assertEquals(generated.getParameterName(), loaded.getParameterName());
}
private Filter csrfHeaderFilter() {
    return new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            // Keep the XSRF-TOKEN cookie aligned with Spring Security's CsrfToken so a
            // browser client can read it and send it back as the CSRF header.
            CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            if (csrf != null) {
                Cookie current = WebUtils.getCookie(request, "XSRF-TOKEN");
                String serverToken = csrf.getToken();
                if (!matchesServerToken(current, serverToken)) {
                    Cookie rewritten = new Cookie("XSRF-TOKEN", serverToken);
                    rewritten.setPath("/");
                    response.addCookie(rewritten);
                }
            }
            filterChain.doFilter(request, response);
        }

        // A missing cookie never matches; a null server token counts as matching an existing cookie.
        private boolean matchesServerToken(Cookie current, String serverToken) {
            if (current == null) {
                return false;
            }
            return serverToken == null || serverToken.equals(current.getValue());
        }
    };
}
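@Override
protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response,
        final FilterChain filterChain) throws ServletException, IOException {
    // Mirror Spring Security's CsrfToken (request attribute) into COOKIE_NAME. The cookie is
    // not marked HttpOnly, so script can read it and send it back as the CSRF header.
    final CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
    if (csrf != null) {
        final String token = csrf.getToken();
        final Cookie existingCookie = WebUtils.getCookie(request, COOKIE_NAME);
        // Re-issue only when the browser has no cookie or holds a stale value. The comparison
        // is null-safe so a null token cannot take the whole filter chain down.
        if (existingCookie == null || (token != null && !token.equals(existingCookie.getValue()))) {
            // `path` = while it doesn't provide any added security, align with the `JSESSIONID`
            //          cookie, i.e. the context path. For the root context getContextPath()
            //          returns "", which is emitted as no Path attribute and would scope the
            //          cookie to the request's directory only, so fall back to "/" there.
            // `secure` = cookie to only be transmitted over secure protocol as https
            // `maxAge` = expire the cookie after 8 hours
            final String contextPath = request.getContextPath();
            final Cookie cookie = new Cookie(COOKIE_NAME, token);
            cookie.setPath(contextPath.isEmpty() ? "/" : contextPath);
            cookie.setSecure(true);
            cookie.setMaxAge(60 * 60 * 8);
            response.addCookie(cookie);
        }
    }
    filterChain.doFilter(request, response);
}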
@Override
public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
    // A null token means "clear": write an empty value with max-age 0 so the browser drops it;
    // otherwise write the token as a session cookie (max-age -1).
    final boolean clearing = token == null;
    String value;
    int maxAge;
    if (clearing) {
        value = "";
        maxAge = 0;
    } else {
        value = token.getToken();
        maxAge = -1;
    }
    Cookie cookie = new Cookie(this.cookieName, value);
    cookie.setSecure(request.isSecure()); // Secure flag follows the request scheme
    cookie.setPath(getCookiePath(request));
    cookie.setMaxAge(maxAge);
    // HttpOnly is set reflectively; presumably setHttpOnlyMethod is resolved elsewhere and
    // is null on servlet APIs that lack Cookie.setHttpOnly — verify against the field's init.
    if (cookieHttpOnly && setHttpOnlyMethod != null) {
        ReflectionUtils.invokeMethod(setHttpOnlyMethod, cookie, Boolean.TRUE);
    }
    response.addCookie(cookie);
}
@RequestMapping(value = "/calendar/text/{date}/{time}", method = RequestMethod.GET, produces = "text/html")
public ModelAndView getPlaintextSelectionConfirmation(@AuthenticationPrincipal Client client,
        @PathVariable("date") String dateString, @PathVariable("time") String timeString,
        @RequestParam(value = "error", required = false) String error, HttpServletRequest request) {
    Map<String, Object> model = getCommonModelData(client, error);
    model.put("page_name", SELECTION_NOJS_PAGE_NAME);
    model.put("is_logged_in", true);

    // Combine the two path segments into one appointment timestamp. Both use the default
    // ISO parsers, so a malformed segment raises DateTimeParseException here.
    LocalDate datePart = LocalDate.parse(dateString);
    LocalTime timePart = LocalTime.parse(timeString);
    LocalDateTime appointment = LocalDateTime.of(datePart, timePart);

    // One machine-oriented rendering and one human-friendly one for the template.
    DateTimeFormatter machineFormat = DateTimeFormatter.ofPattern("yyyy'-'MM'-'dd'T'HH':'mm':'ss");
    DateTimeFormatter displayFormat = DateTimeFormatter.ofPattern("EEEE dd MMMM, h:mm a");
    model.put("selected_appointment", appointment.format(machineFormat));
    model.put("display_appointment_datetime", appointment.format(displayFormat));

    // Pass the CSRF token through to the view when Spring Security attached one.
    Object csrfAttribute = request.getAttribute(CsrfToken.class.getName());
    if (csrfAttribute != null) {
        model.put("_csrf", (CsrfToken) csrfAttribute);
    }
    return new ModelAndView("selection_nojs", model);
}
@Test
public void testSaveAndLoadToken() throws Exception {
    // Save a freshly generated token and make sure loading it back yields the same values.
    MockHttpServletRequest request = new MockHttpServletRequest();
    MockHttpServletResponse response = new MockHttpServletResponse();
    CookieBasedCsrfTokenRepository repository = new CookieBasedCsrfTokenRepository();

    CsrfToken original = repository.generateToken(request);
    repository.saveToken(original, request, response);

    // The cookie is named after the token's parameter name and must be HttpOnly.
    Cookie stored = response.getCookie(original.getParameterName());
    assertNotNull(stored);
    assertEquals(original.getToken(), stored.getValue());
    assertEquals(true, stored.isHttpOnly());

    // Feed the cookie back in and compare every field of the reloaded token.
    request.setCookies(stored);
    CsrfToken reloaded = repository.loadToken(request);
    assertEquals(original.getToken(), reloaded.getToken());
    assertEquals(original.getHeaderName(), reloaded.getHeaderName());
    assertEquals(original.getParameterName(), reloaded.getParameterName());
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
        FilterChain filterChain) throws ServletException, IOException {
    // Expose Spring Security's CsrfToken as the XSRF-TOKEN cookie for a script client.
    CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
    if (csrf == null) {
        // Nothing to publish on this request.
        filterChain.doFilter(request, response);
        return;
    }
    String serverToken = csrf.getToken();
    Cookie browserCookie = WebUtils.getCookie(request, "XSRF-TOKEN");
    boolean absent = browserCookie == null;
    boolean differs = !absent && serverToken != null && !serverToken.equals(browserCookie.getValue());
    if (absent || differs) {
        Cookie replacement = new Cookie("XSRF-TOKEN", serverToken);
        replacement.setPath("/");
        response.addCookie(replacement);
    }
    filterChain.doFilter(request, response);
}
private Filter csrfHeaderFilter() {
    // Builds the filter that keeps the XSRF-TOKEN cookie in sync with the server-side CsrfToken.
    return new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            if (csrf == null) {
                filterChain.doFilter(request, response);
                return;
            }
            String token = csrf.getToken();
            Cookie known = WebUtils.getCookie(request, "XSRF-TOKEN");
            // Rewrite when the browser has no cookie, or when its value differs from the token.
            boolean rewrite;
            if (known == null) {
                rewrite = true;
            } else {
                rewrite = token != null && !token.equals(known.getValue());
            }
            if (rewrite) {
                Cookie cookie = new Cookie("XSRF-TOKEN", token);
                cookie.setPath("/");
                response.addCookie(cookie);
            }
            filterChain.doFilter(request, response);
        }
    };
}