Package net.shibboleth.idp.ui.csrf

Class CSRFTokenManager

java.lang.Object
net.shibboleth.shared.component.AbstractInitializableComponent
net.shibboleth.idp.ui.csrf.CSRFTokenManager
All Implemented Interfaces:
Component, DestructableComponent, InitializableComponent
@ThreadSafe public final class CSRFTokenManager extends AbstractInitializableComponent
A thread-safe helper class for dealing with cross-site request forgery tokens.

  • Field Details

    • csrfParameterName

      @Nonnull private String csrfParameterName
      The name of the HTTP parameter that contains the anti-csrf token.

    • tokenGenerationStrategy

      @NonnullAfterInit private IdentifierGenerationStrategy tokenGenerationStrategy
      The strategy used to generate a CSRF token value.

    • csrfTokenValidationPredicate

      @Nonnull private BiPredicate<CSRFToken,String> csrfTokenValidationPredicate
      Predicate to validate the CSRF token.

  • Constructor Details

    • CSRFTokenManager

      public CSRFTokenManager()
      Constructor.

  • Method Details

    • setTokenGenerationStrategy

      public void setTokenGenerationStrategy(@Nonnull IdentifierGenerationStrategy tokenStrategy)
      Set the CSRF token generation strategy.
      Parameters:
      tokenStrategy - CSRF token generation strategy

    • setCsrfTokenValidationPredicate

      public void setCsrfTokenValidationPredicate(@Nonnull BiPredicate<CSRFToken,String> tokenValidationPredicate)
      Set the CSRF token validation predicate.
      Parameters:
      tokenValidationPredicate - the CSRF token validation predicate.

    • setCsrfParameterName

      public void setCsrfParameterName(@Nonnull @NotEmpty String parameterName)
      Set the CSRF HTTP parameter name.
      Parameters:
      parameterName - CSRF parameter name

    • doInitialize

      protected void doInitialize() throws ComponentInitializationException
      Overrides:
      doInitialize in class AbstractInitializableComponent
      Throws:
      ComponentInitializationException

    • generateCSRFToken

      @Nonnull public CSRFToken generateCSRFToken()
      Generate a CSRFToken using the token generation strategy derived token value. Set the HTTP parameter name from the csrfParameterName field.
      Returns:
      a CSRF token

    • isValidCSRFToken

      public boolean isValidCSRFToken(@Nullable CSRFToken csrfToken, @Nullable String requestCsrfToken)
      Check the CSRF token matches the CSRF token in the request using the csrfTokenValidationPredicate.
      Parameters:
      csrfToken - the server side CSRF token.
      requestCsrfToken - the CSRF token from the request.
      Returns:
      true iff the CSRF token value matches the request CSRF token. False if they do not match.