src/jp/sourceforge/rabbitBTS/interceptors/CSRFInterceptor.java

   1 // vim:set ts=4 sts=4 sw=4 noet fenc=utf-8:
   2 /*
   3    Copyright 2009 senju@users.sourceforge.jp
   4
   5    Licensed under the Apache License, Version 2.0 (the "License");
   6    you may not use this file except in compliance with the License.
   7    You may obtain a copy of the License at
   8
   9        http://www.apache.org/licenses/LICENSE-2.0
  10
  11    Unless required by applicable law or agreed to in writing, software
  12    distributed under the License is distributed on an "AS IS" BASIS,
  13    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  14    See the License for the specific language governing permissions and
  15    limitations under the License.
  16  */
  17
  18 package jp.sourceforge.rabbitBTS.interceptors;
  19
  20 import javax.servlet.http.HttpServletRequest;
  21 import javax.servlet.http.HttpServletResponse;
  22
  23 import jp.sourceforge.rabbitBTS.Sht;
  24 import jp.sourceforge.rabbitBTS.controllers.IController;
  25
  26 import org.apache.commons.lang.RandomStringUtils;
  27 import org.apache.commons.lang.StringUtils;
  28 import org.springframework.web.servlet.ModelAndView;
  29 import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
  30
  31 /**
  32  * CSRF対策用インターセプター
  33  */
  34 public class CSRFInterceptor extends HandlerInterceptorAdapter {
  35
  36         /**
  37          * POSTの場合チェック処理
  38          */
  39         @Override
  40         public boolean preHandle(HttpServletRequest request,
  41                         HttpServletResponse response, Object handler) throws Exception {
  42                 if (request.getMethod().equals("POST")
  43                                 && handler instanceof IController) {
  44                         final String sentToken = request.getParameter("secureToken");
  45                         final String sessionToken = (String) request.getSession()
  46                                         .getAttribute("secureToken");
  47                         final IController c = (IController) handler;
  48
  49                         if (StringUtils.equals(sentToken, sessionToken)) {
  50                                 c.setCsrfSafe(true);
  51                         } else {
  52                                 c.setCsrfSafe(false);
  53                                 Sht.log(this).warning("CSRF detected.");
  54                         }
  55
  56                 }
  57                 return true;
  58         }
  59
  60         /**
  61          * セッションとMAVにトークンを格納しておく
  62          */
  63         @Override
  64         public void postHandle(HttpServletRequest request,
  65                         HttpServletResponse response, Object handler, ModelAndView mav)
  66                         throws Exception {
  67                 // リダイレクトする場合は不要
  68                 if (mav != null) {
  69                         if (!StringUtils.startsWith(mav.getViewName(), "redirect:")) {
  70                                 final String token = RandomStringUtils.randomAlphanumeric(128);
  71                                 request.getSession().setAttribute("secureToken", token);
  72                                 mav.addObject("secureToken", token);
  73                         }
  74                 }
  75
  76                 if (request.getMethod().equals("POST")
  77                                 && handler instanceof IController) {
  78                         // きちんとCSRFチェックが行われているかチェックする
  79                         final IController c = (IController) handler;
  80                         if (!c.isCsrfChecked()) {
  81                                 Sht.log(this).severe("CSRFチェックを行っていないPOST");
  82                         }
  83                         assert c.isCsrfChecked() : "CSRFチェックを行っていないPOST";
  84                 }
  85         }
  86
  87 }