net.sf.mmm.service.impl.server

Class CsrfTokenManagerDefaultImpl

java.lang.Object

net.sf.mmm.util.component.base.AbstractComponent

net.sf.mmm.util.component.base.AbstractLoggableComponent

net.sf.mmm.service.base.server.AbstractCsrfTokenManager

net.sf.mmm.service.impl.server.CsrfTokenManagerDefaultImpl

All Implemented Interfaces:

CsrfTokenManager, Security

public class CsrfTokenManagerDefaultImpl
extends AbstractCsrfTokenManager

This is the default implementation of CsrfTokenManager. It generates a UUID

Since:

1.0.0

Author:

Joerg Hohwiller (hohwille at users.sourceforge.net)

Constructor Summary

Constructors

Constructor and Description
CsrfTokenManagerDefaultImpl() The constructor.

Method Summary

Modifier and Type	Method and Description
CsrfToken	generateInitialToken() This method generates a new CsrfToken for the initial "log-in" of a user.
private CsrfToken	generateNewToken()
protected javax.servlet.http.HttpSession	getSession()

Methods inherited from class net.sf.mmm.service.base.server.AbstractCsrfTokenManager

generateUpdateToken, isValidToken, validateToken

Methods inherited from class net.sf.mmm.util.component.base.AbstractLoggableComponent

createLogger, doInitialize, getLogger

Methods inherited from class net.sf.mmm.util.component.base.AbstractComponent

doInitialized, getInitializationState, initialize

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CsrfTokenManagerDefaultImpl

public CsrfTokenManagerDefaultImpl()

The constructor.

Method Detail

generateInitialToken

public CsrfToken generateInitialToken()

This method generates a new CsrfToken for the initial "log-in" of a user. Here are some examples of possible implementation strategies:

• A token is generated that simply contains the session ID. If an attacker can force the browser to send a request to your service and after the user has already logged into your application the browser will send authentication data for the request (CSRF). However, the attacker can not easily access your session ID due to the SOP (Same Origin Policy).
• A token is generated with a unique ID that the client can not guess such as a UUID. The token is also stored in the server-side HTTP session so it can be compared for validation.
• A token is generated from a combination of different aspects (e.g. user login, user agent, server-secret, etc.) and digitally signed an encrypted. This approach can also be used in situations where no server-side HTTP session exists (e.g. with only HTTP Basic Authentication) as the validation can decrypt the token, split the aspects and verify them.

In case you create your own implementation be aware of the following things:

• The IP address of the user can legally change from one request to another, e.g. if the user enters or leaves a VPN. On the other hand attackers can easily fake IP addresses so relying on IP address often reduces user comfort without gaining a very much higher level of Security.
• Do not use Random to generate security tokens as this is too weak.

Returns:

the initial CsrfToken. Shall not be null.

generateNewToken

private CsrfToken generateNewToken()

Returns:

a newly generated CsrfToken.

getSession

protected javax.servlet.http.HttpSession getSession()

Returns:

the HttpSession or null if no request context is available.