Interface CSRFToken

  • All Known Implementing Classes:
    CSRFTokenScriptService

    @Role
    public interface CSRFToken
    Anti-CSRF (Cross-Site Request Forgery) protection using a secret token validation mechanism.

    A random secret token should be included in every request that modifies or stores data. If the token included in the request does not match the token stored on the server side, the request is redirected to a resubmission page where a legitimate user has a chance to confirm the action.

    Since:
    2.5M2
    Version:
    $Id: 3671059457be856ae372b0b3ea2ea99bdebdfeeb $
    See Also:
    CSRF Prevention Cheat Sheet
    • Method Detail

      • getToken

        String getToken()
        Returns the anti-CSRF token associated with the current user. Creates a fresh token on first call.
        Returns:
        the secret token
        See Also:
        isTokenValid(String)
      • clearToken

        void clearToken()
        Removes the anti-CSRF token associated with the current user. The current token is invalidated immediately; a subsequent call of getToken() will generate a fresh token.
      • isTokenValid

        boolean isTokenValid(String token)
        Check if the given token matches the internally stored token associated with the current user.
        Parameters:
        token - random token from the request
        Returns:
        true if the component is disabled or the given token is correct, false otherwise
      • getResubmissionURL

        String getResubmissionURL()
        Get the URL to which a failed request should be redirected.
        Returns:
        URL of the resubmission page with correct parameters
      • getRequestURI

        default String getRequestURI()
        Get the URI to call to trigger back the failed request. It is the "resubmit" part of getResubmissionURL().
        Returns:
        the URI to call to trigger back the failed request.
        Since:
        11.3RC1
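The token flow described by this interface, as an added example that is not part of XWiki's Javadoc or code base: a constructed in-memory implementation of CSRFToken (the interface is mirrored locally, without the @Role annotation, so the file compiles stand-alone) together with a simulated save handler that redirects to the resubmission URL when isTokenValid returns false. The user name "alice", the shape of the resubmission URL and the failedRequestURI constructor argument are assumptions; the real component resolves the current user and the resubmit parameters from XWiki's execution context.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Local mirror of the documented interface so the example compiles without XWiki on the classpath.
// The real interface additionally carries XWiki's @Role annotation.
interface CSRFToken {
    String getToken();
    void clearToken();
    boolean isTokenValid(String token);
    String getResubmissionURL();
    default String getRequestURI() { return ""; }
}

// Constructed in-memory implementation: one secret token per user, created lazily on first getToken().
// The current user and the URI of the protected request are passed in explicitly here (assumption);
// the real component would take both from XWiki's execution context.
final class InMemoryCSRFToken implements CSRFToken {
    private static final SecureRandom RANDOM = new SecureRandom();
    // Server-side token store shared by every instance (stands in for per-session storage).
    private static final Map<String, String> TOKENS_BY_USER = new ConcurrentHashMap<>();

    private final String currentUser;
    private final boolean enabled;
    private final String failedRequestURI;

    InMemoryCSRFToken(String currentUser, boolean enabled, String failedRequestURI) {
        this.currentUser = currentUser;
        this.enabled = enabled;
        this.failedRequestURI = failedRequestURI;
    }

    @Override
    public String getToken() {
        // 128 bits from SecureRandom, URL-safe so it fits a hidden form field or a query string.
        return TOKENS_BY_USER.computeIfAbsent(currentUser, user -> {
            byte[] bytes = new byte[16];
            RANDOM.nextBytes(bytes);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        });
    }

    @Override
    public void clearToken() {
        // Invalidates immediately; the next getToken() call generates a fresh token.
        TOKENS_BY_USER.remove(currentUser);
    }

    @Override
    public boolean isTokenValid(String token) {
        if (!enabled) {
            return true; // documented contract: valid when the component is disabled
        }
        String expected = TOKENS_BY_USER.get(currentUser);
        if (expected == null || token == null) {
            return false; // no token issued yet, or none submitted with the request
        }
        // Constant-time comparison so a mismatch does not leak how many leading bytes matched.
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            token.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public String getResubmissionURL() {
        // Constructed URL shape; the real resubmission page and its parameter names are XWiki-specific.
        return "/resubmit?resubmit=" + URLEncoder.encode(getRequestURI(), StandardCharsets.UTF_8);
    }

    @Override
    public String getRequestURI() {
        return failedRequestURI;
    }
}

public class CsrfTokenExample {
    // Simulated handler for a state-changing request: the token from the form must match.
    static String handleSave(CSRFToken csrf, String submittedToken) {
        if (!csrf.isTokenValid(submittedToken)) {
            return "302 Location: " + csrf.getResubmissionURL();
        }
        return "200 saved";
    }

    public static void main(String[] args) {
        CSRFToken csrf = new InMemoryCSRFToken("alice", true, "/bin/save/Sandbox/WebHome");
        // The server renders the form with the token in a hidden field, and the legitimate
        // submission carries it back.
        String token = csrf.getToken();
        System.out.println(handleSave(csrf, token));
        // A cross-site request cannot read the token, so it arrives without it or with a guess.
        System.out.println(handleSave(csrf, null));
        System.out.println(handleSave(csrf, "not-the-token"));
        // After clearToken() the old token is rejected and a different one is issued.
        csrf.clearToken();
        System.out.println(handleSave(csrf, token));
        System.out.println("fresh token differs: " + !csrf.getToken().equals(token));
    }
}
```

The handler models the redirect-to-resubmission behaviour from the interface description: a request with a missing or non-matching token is sent to getResubmissionURL(), whose "resubmit" parameter carries getRequestURI() so a legitimate user can confirm and replay the action. MessageDigest.isEqual is used instead of String.equals so that validation time does not depend on where the submitted token first diverges from the stored one.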