Package net.shibboleth.idp.ui.csrf.impl

Class CSRFTokenFlowExecutionListener

java.lang.Object
net.shibboleth.shared.component.AbstractInitializableComponent
net.shibboleth.idp.ui.csrf.impl.CSRFTokenFlowExecutionListener
All Implemented Interfaces:
Component, DestructableComponent, InitializableComponent, FlowExecutionListener
public class CSRFTokenFlowExecutionListener extends AbstractInitializableComponent implements FlowExecutionListener
A flow execution lifecycle listener that, if enabled:
  1. Sets an anti-CSRF token into the flow-scope map when a flow session starts and a token per-flow is enabled.
  2. Sets an anti-CSRF token into the view-scope map when rendering a suitable view-state. This token is either retrieved from the flow-scope, if available from step 1, or generated anew.
  3. Checks the CSRF token in a HTTP request matches that stored in the view-scope map when a suitable view-state event occurs.

  • Field Details

    • CSRF_TOKEN_VIEWSCOPE_NAME

      @Nonnull public static final String CSRF_TOKEN_VIEWSCOPE_NAME
      The name of the view scope parameter that holds the CSRF token.
      See Also:

    • log

      @Nonnull private final org.slf4j.Logger log
      Class logger.

    • eventRequiresCSRFTokenValidationPredicate

      @NonnullAfterInit private BiPredicate<RequestContext,Event> eventRequiresCSRFTokenValidationPredicate
      Should the request context and event be checked for a valid (matching) CSRF token?

    • viewRequiresCSRFTokenPredicate

      @NonnullAfterInit private Predicate<RequestContext> viewRequiresCSRFTokenPredicate
      Does the view being rendered require a CSRF token to be set.

    • enabled

      private boolean enabled
      Is this listener enabled?

    • tokenPerFlow

      private boolean tokenPerFlow
      Should a new token should be created for each flow session and not for each view?

    • csrfTokenManager

      @NonnullAfterInit private CSRFTokenManager csrfTokenManager
      The CSRF token manager for getting and validating tokens.

  • Constructor Details

    • CSRFTokenFlowExecutionListener

      public CSRFTokenFlowExecutionListener()
      Constructor.

  • Method Details

    • setEnabled

      public void setEnabled(boolean enable)
      Set whether CSRF protection is globally enabled or disabled.
      Parameters:
      enable - enabled/disable CSRF protection (default is false).

    • setTokenPerFlow

      public void setTokenPerFlow(boolean flag)
      Sets whether a new token should be created for each flow session and not for each view.
      Parameters:
      flag - enable or disable the token per flow pattern

    • setViewRequiresCSRFTokenPredicate

      public void setViewRequiresCSRFTokenPredicate(@Nonnull Predicate<RequestContext> condition)
      Sets the request context condition to determine if a CSRF token should be added to the view-scope.
      Parameters:
      condition - the condition to apply.

    • setEventRequiresCSRFTokenValidationPredicate

      public void setEventRequiresCSRFTokenValidationPredicate(@Nonnull BiPredicate<RequestContext,Event> condition)
      Set the request context and event condition to determine if a CSRF token should be validated.
      Parameters:
      condition - the condition to apply

    • setCsrfTokenManager

      public void setCsrfTokenManager(@Nonnull CSRFTokenManager tokenManager)
      Sets the CSRF token manager.
      Parameters:
      tokenManager - the CSRF token manager.

    • sessionStarting

      public void sessionStarting(RequestContext context, FlowSession session, MutableAttributeMap<?> input)

      If per flow-session tokens are enabled, creates a CSRF token and adds it to the request context flow scope for extraction into the view scope later on.

      Specified by:
      sessionStarting in interface FlowExecutionListener

    • viewRendering

      public void viewRendering(RequestContext context, View view, StateDefinition viewState)
      Generates a CSRF token and adds it to the request context view scope, overwriting any existing token.
      Specified by:
      viewRendering in interface FlowExecutionListener

    • eventSignaled

      public void eventSignaled(@Nullable RequestContext context, @Nullable Event event)
      Checks the CSRF token in the HTTP request matches that stored in the request context viewScope.

      Only applies if the listener is enabled, the current state is a view-state, and the request context and event match the eventRequiresCSRFTokenValidationPredicate condition.

      Invalid tokens - those not found or not matching - are signalled by throwing a InvalidCSRFTokenException.

      Specified by:
      eventSignaled in interface FlowExecutionListener

    • doInitialize

      public void doInitialize() throws ComponentInitializationException
      Overrides:
      doInitialize in class AbstractInitializableComponent
      Throws:
      ComponentInitializationException