Package org.xwiki.csrf
Interface CSRFToken
All Known Implementing Classes:
- CSRFTokenScriptService
@Role public interface CSRFToken
Anti-CSRF (Cross-Site Request Forgery) protection using a secret-token validation mechanism. A random secret token should be included in every request that modifies or stores data. If the token included in the request does not match the token stored on the server side for the current user, the request is redirected to a resubmission page where a legitimate user has a chance to confirm the action.
- Since:
- 2.5M2
- Version:
- $Id: 3671059457be856ae372b0b3ea2ea99bdebdfeeb $
- See Also:
- CSRF Prevention Cheat Sheet
Method Summary

Modifier and Type   Method                       Description
void                clearToken()                 Removes the anti-CSRF token associated with the current user.
default String      getRequestURI()              Get the URI to call to trigger back the failed request.
String              getResubmissionURL()         Get the URL where a failed request should be redirected to.
String              getToken()                   Returns the anti-CSRF token associated with the current user.
boolean             isTokenValid(String token)   Check if the given token matches the internally stored token associated with the current user.
Method Detail

getToken

String getToken()

Returns the anti-CSRF token associated with the current user. Creates a fresh token on the first call.
- Returns:
  the secret token
- See Also:
  isTokenValid(String)
clearToken

void clearToken()

Removes the anti-CSRF token associated with the current user. The current token is invalidated immediately; a subsequent call to getToken() will generate a fresh token.
isTokenValid

boolean isTokenValid(String token)

Check if the given token matches the internally stored token associated with the current user. When the component is disabled this method returns true for any input, including a missing token, so a true result does not by itself prove that a token was presented.
- Parameters:
  token - random token from the request
- Returns:
  true if the component is disabled or the given token is correct, false otherwise
getResubmissionURL

String getResubmissionURL()

Get the URL where a failed request should be redirected to.
- Returns:
  URL of the resubmission page with correct parameters
getRequestURI

default String getRequestURI()

Get the URI to call to trigger back the failed request. It is the "resubmit" part of getResubmissionURL().
- Returns:
  the URI to call to trigger back the failed request.
- Since:
  11.3RC1
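The following class is an added example written for this page to show the contract described above (lazy per-user token creation, immediate invalidation, the disabled-component case, and the redirect to the resubmission page). It is not XWiki's own implementation and is not derived from it. It assumes the org.xwiki.csrf.CSRFToken interface from this API is on the classpath; the Supplier hooks for the current user and the failed request URI, the resubmission page path and the "resubmit" query-parameter name are assumptions made for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;
import org.xwiki.csrf.CSRFToken;

// Illustrative CSRFToken implementation written for this page, not XWiki's own component:
// one random token per user, created lazily, compared in constant time, dropped by clearToken(),
// and accepted unconditionally when the component is disabled.
public final class InMemoryCSRFToken implements CSRFToken
{
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final int TOKEN_BYTES = 16; // 128 bits of entropy per token
    private final Map<String, String> tokensByUser = new ConcurrentHashMap<>();
    // Assumed hooks: how the current user and the failed request URI are resolved.
    private final Supplier<String> currentUser;
    private final Supplier<String> failedRequestURI;
    private final String resubmissionPage; // assumed path of the confirmation page
    private final boolean enabled;

    public InMemoryCSRFToken(Supplier<String> currentUser, Supplier<String> failedRequestURI,
        String resubmissionPage, boolean enabled)
    {
        this.currentUser = currentUser;
        this.failedRequestURI = failedRequestURI;
        this.resubmissionPage = resubmissionPage;
        this.enabled = enabled;
    }

    @Override
    public String getToken()
    {
        // Created on first call, stable afterwards until clearToken() is invoked.
        return this.tokensByUser.computeIfAbsent(this.currentUser.get(), user -> freshToken());
    }

    @Override
    public void clearToken()
    {
        // Immediate invalidation: the next getToken() hands out a new value.
        this.tokensByUser.remove(this.currentUser.get());
    }

    @Override
    public boolean isTokenValid(String token)
    {
        if (!this.enabled) {
            return true; // interface contract: a disabled component accepts every request
        }
        String expected = this.tokensByUser.get(this.currentUser.get());
        if (token == null || expected == null) {
            return false; // token missing, or none issued yet for this user
        }
        // Constant-time comparison so response timing does not leak the stored token.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
            token.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public String getResubmissionURL()
    {
        // The confirmation page receives the failed request as a query parameter;
        // the parameter name "resubmit" is an assumption of this example.
        return this.resubmissionPage + "?resubmit="
            + URLEncoder.encode(getRequestURI(), StandardCharsets.UTF_8);
    }

    @Override
    public String getRequestURI()
    {
        return this.failedRequestURI.get();
    }

    private static String freshToken()
    {
        byte[] bytes = new byte[TOKEN_BYTES];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    public static void main(String[] args)
    {
        String[] user = { "XWiki.Alice" }; // mutable so the demo can switch users
        InMemoryCSRFToken csrf = new InMemoryCSRFToken(() -> user[0],
            () -> "/xwiki/bin/save/Sandbox/WebHome", "/xwiki/bin/view/XWiki/Resubmit", true);
        String issued = csrf.getToken();                 // value rendered into Alice's form
        System.out.println(csrf.isTokenValid(issued));   // genuine submission
        System.out.println(csrf.isTokenValid("guess"));  // forged cross-site request
        user[0] = "XWiki.Mallory";
        System.out.println(csrf.isTokenValid(issued));   // Alice's token replayed as another user
        user[0] = "XWiki.Alice";
        csrf.clearToken();
        System.out.println(csrf.isTokenValid(issued));   // token already invalidated
        System.out.println(csrf.getResubmissionURL());   // where a failed request is sent
    }
}
```

A handler for a state-changing action calls isTokenValid(...) with the token submitted in the form and, on false, redirects to getResubmissionURL() instead of performing the action. Two details matter for security beyond what the interface signatures say: the stored token must be scoped to the user (here the map key), so one user's token cannot be replayed against another, and the comparison must not short-circuit on the first differing byte, which is why MessageDigest.isEqual is used rather than String.equals. Because this is a @Role component, production code obtains it through the component manager rather than instantiating it, and scripts reach it through CSRFTokenScriptService.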