1 /* vim:set ts=4 sts=4 sw=4 noet fenc=utf-8:
3 Copyright 2009 senju@users.sourceforge.jp
5 Licensed under the Apache License, Version 2.0 (the "License");
6 you may not use this file except in compliance with the License.
7 You may obtain a copy of the License at
9 http://www.apache.org/licenses/LICENSE-2.0
11 Unless required by applicable law or agreed to in writing, software
12 distributed under the License is distributed on an "AS IS" BASIS,
13 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 See the License for the specific language governing permissions and
15 limitations under the License.
18 package jp.sourceforge.rabbitBTS.interceptors;
20 import java.util.ArrayList;
21 import java.util.Date;
22 import java.util.HashMap;
23 import java.util.List;
26 import javax.servlet.http.HttpServletRequest;
27 import javax.servlet.http.HttpServletResponse;
29 import jp.sourceforge.rabbitBTS.Sht;
30 import jp.sourceforge.rabbitBTS.controllers.IController;
32 import org.apache.commons.lang.RandomStringUtils;
33 import org.apache.commons.lang.StringUtils;
34 import org.springframework.web.servlet.ModelAndView;
35 import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
40 public class CSRFInterceptor extends HandlerInterceptorAdapter {
// Token lifetime in seconds, compared against a token's age in CsrfChecker.checkExpire.
// Set through setExpireInSecond (bean property). The field has no initializer, so an
// unconfigured value of 0 makes checkExpire reject every token — confirm the wiring.
41 private int expireInSecond;
// Runs before the controller. For a POST handled by an IController, validates the
// submitted "secureToken" parameter against the session's token map (see
// CsrfChecker.checkTokenValid). The lines between the valid-token branch and the
// warning, and the method's return statements, are not in this listing, so whether a
// failed check actually stops the request (return false / error response) cannot be
// confirmed here — a log warning on its own is not a mitigation.
47 public boolean preHandle(HttpServletRequest request,
48 HttpServletResponse response, Object handler) throws Exception {
// Only POST is checked; the block is skipped for every other HTTP method.
49 if (request.getMethod().equals("POST")
50 && handler instanceof IController) {
51 final IController c = (IController) handler;
52 final CsrfChecker checker = new CsrfChecker(request);
53 if (checker.checkTokenValid()) {
// Presumably the else branch (lines 54-56 are not visible): token missing, unknown
// or expired.
57 Sht.log(this).warning("CSRF detected.");
64 * Store a token in the session and in the ModelAndView
// (The remaining Javadoc lines are outside the visible listing.)
67 public void postHandle(HttpServletRequest request,
68 HttpServletResponse response, Object handler, ModelAndView mav)
// Lines 69-71 are not in this listing (presumably the throws clause and/or a guard).
// A fresh token is issued for every non-redirect render and added to the session map;
// in the visible lines of checkTokenValid a matched token is not removed, so each one
// stays accepted until it expires.
72 if (!StringUtils.startsWith(mav.getViewName(), "redirect:")) {
73 final CsrfChecker checker = new CsrfChecker(request);
74 final String token = checker.saveNewToken();
// Exposed to the view as "secureToken"; forms must echo it back as a request parameter
// of the same name.
75 mav.addObject("secureToken", token);
79 if (request.getMethod().equals("POST")
80 && handler instanceof IController) {
81 // Verify that the CSRF check was actually performed by the handler.
82 final IController c = (IController) handler;
83 if (!c.isCsrfChecked()) {
84 Sht.log(this).severe("CSRFチェックを行っていないPOST");
// NOTE(review): assertions are disabled unless the JVM runs with -ea, so in a default
// deployment this line is a no-op; the severe() log above is then the only effect and
// the unchecked POST is not rejected at this point.
86 assert c.isCsrfChecked() : "CSRFチェックを行っていないPOST";
// Fields of the inner CsrfChecker class (its header line is outside the visible listing).
// Request whose "secureToken" parameter is validated.
94 private final HttpServletRequest req;
// Issued tokens keyed by value, mapped to creation time; stored in the HTTP session
// under attribute "tokens". NOTE(review): it is a plain HashMap, mutated (put/remove)
// by every request of the session without synchronization, so concurrent requests
// sharing one session race on it.
95 private Map<String, Date> tokens;
101 * If the session holds no token list yet, create one and store it in the session.
// (The remaining Javadoc lines are outside the visible listing.)
105 @SuppressWarnings("unchecked")
106 public CsrfChecker(HttpServletRequest request) {
// Line 107 is not in this listing (presumably `this.req = request;`).
// The unchecked cast trusts that only this class writes the "tokens" attribute.
108 this.tokens = (Map<String, Date>) request.getSession()
109 .getAttribute("tokens");
110 if (this.tokens == null) {
// First use in this session: create the map and publish it under "tokens".
111 this.tokens = new HashMap<String, Date>();
112 request.getSession().setAttribute("tokens", this.tokens);
119 * @return the newly saved token
// (The opening Javadoc lines are outside the visible listing.)
121 public String saveNewToken() {
// NOTE(review): in commons-lang 2.x, RandomStringUtils.randomAlphanumeric draws from a
// shared java.util.Random, which is not a cryptographically secure PRNG. For an
// anti-CSRF token the overload taking an explicit Random — e.g.
// RandomStringUtils.random(128, 0, 0, true, true, null, secureRandom) with a
// java.security.SecureRandom — yields the same alphanumeric format from a secure source.
122 final String token = RandomStringUtils.randomAlphanumeric(128);
// Creation time drives expiry in checkExpire; the map grows by one entry per call.
123 this.tokens.put(token, new Date());
// The return statement (line 124) is outside the visible listing.
130 * @return true if a valid parameter was sent
// (The opening Javadoc lines are outside the visible listing.)
132 public boolean checkTokenValid() {
// An absent parameter yields null, which is never a stored key, so the lookup fails.
133 final String reqToken = this.req.getParameter("secureToken");
134 final Date datenow = new Date();
136 boolean found = false;
// A known token is accepted only while it is younger than expireInSecond. In the
// visible lines a matched token is not removed, so the same value can be submitted
// again until it expires (lines 139-141 are not in this listing).
137 if (this.tokens.containsKey(reqToken)) {
138 found = checkExpire(datenow, this.tokens.get(reqToken));
// Opportunistic cleanup: runs only once the map exceeds 30 entries, and drops only
// entries that have already expired. Unexpired tokens are never evicted, so within one
// expiry window the map can keep growing (one token per rendered view).
142 if (this.tokens.size() > 30) {
143 final List<String> removeList = new ArrayList<String>();
144 for (final String token : this.tokens.keySet()) {
145 final Date created = this.tokens.get(token);
146 if (!this.checkExpire(datenow, created)) {
148 removeList.add(token);
// Logs the full token value at FINER; keep that level off in production logs.
149 Sht.log(this).finer("delete token: " + token);
// Second pass avoids ConcurrentModificationException while iterating keySet().
152 for (final String token : removeList) {
153 this.tokens.remove(token);
// The return statement (presumably `return found;`) is outside the visible listing.
165 * @return true if within the expiry limit
// (The opening Javadoc lines are outside the visible listing.) Note the name: this
// returns true when the token is still valid, not when it has expired.
167 private boolean checkExpire(Date datenow, Date created) {
// Integer division: valid while floor(age in ms / 1000) < expireInSecond, i.e. the
// effective lifetime is expireInSecond whole seconds. A negative age (clock stepped
// back) also passes. With expireInSecond == 0 nothing ever passes.
168 final long ageInMils = datenow.getTime() - created.getTime();
169 return ageInMils / 1000 < CSRFInterceptor.this.expireInSecond;
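/**
 * Sets the token lifetime in seconds.
 *
 * <p>The value is compared against a token's age in {@code CsrfChecker.checkExpire};
 * a token older than this many whole seconds is rejected. The parameter was
 * previously named {@code expireInMinute}, which contradicted both the property
 * name and the unit actually used — the unit is seconds.
 *
 * @param expireInSecond token lifetime in seconds; must be positive, because with
 *     0 (the field's default) every token is already expired and all checked POSTs fail
 * @throws IllegalArgumentException if {@code expireInSecond} is not positive
 */
public void setExpireInSecond(int expireInSecond) {
    // Fail fast at configuration time instead of silently rejecting every request.
    if (expireInSecond <= 0) {
        throw new IllegalArgumentException(
                "expireInSecond must be positive: " + expireInSecond);
    }
    this.expireInSecond = expireInSecond;
}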