@ComponentSpecification
public interface CsrfTokenManager extends Security

Method Detail

Initial token generation (method name not present in this extract); returns CsrfToken

    This method generates a new CsrfToken for the initial "log-in" of a user. Here are some examples of possible implementation strategies:

    - A random UUID. The token is also stored in the server-side HTTP session so it can be compared for validation.
    - An encrypted token: validation can decrypt the token, split the aspects and verify them.

    Do not use Random to generate security tokens as this is too weak.

    Returns:
        the new CsrfToken. Shall not be null.

CsrfToken generateUpdateToken(CsrfToken currentToken)

    Parameters:
        currentToken - is the current CsrfToken that has previously been generated and may be updated.
    Returns:
        currentToken (same instance) to keep the token, or a new instance of CsrfToken to replace the current token and expect the next request from the client to provide that new token (e.g. to implement one-time tokens for the highest level of protection).

boolean isValidToken(CsrfToken token)

    Checks if the given CsrfToken that has been sent from the client is valid. This method has to correspond to generateUpdateToken(CsrfToken). In case a remote invocation is invoked that is secured (requires authentication and typically also authorization), the CsrfToken has to be checked. A value of null is never valid and will always fail. This method is only invoked in case of a secured invocation and the presence of a CsrfToken.

    Parameters:
        token - is the CsrfToken sent from the client. Will not be null.
    Returns:
        true if the given CsrfToken is valid, false otherwise (in case of a CSRF attack or some technical bug).

void validateToken(CsrfToken token) throws SecurityException
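The following is an added example, not code from the mmm project, showing one implementation of the contract documented above: a random token stored server-side (the UUID-in-session strategy, here with 32 SecureRandom bytes instead of a UUID) combined with one-time tokens via generateUpdateToken. It assumes the initial-generation method is named generateInitialToken() (the name is not in this extract), models the per-session server state as a field rather than the HTTP session, uses a hypothetical minimal CsrfToken class with a getValue() accessor because the real type is not shown, and uses java.lang.SecurityException as a stand-in for the project's SecurityException.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Objects;

// Example manager following the "random token stored on the server side" strategy with one-time tokens.
// Not the mmm project's code. Assumptions: generateInitialToken() is an assumed method name; the server-side
// state is a field instead of the HTTP session; CsrfToken below is a hypothetical stand-in type;
// java.lang.SecurityException stands in for the project's SecurityException.
final class SessionCsrfTokenManager {

  private static final int TOKEN_BYTES = 32;

  // SecureRandom, not java.util.Random: the latter is too weak for security tokens.
  private final SecureRandom random = new SecureRandom();

  // The token the server currently expects from this session (null before log-in).
  private CsrfToken expectedToken;

  // Generates the token handed to the client at log-in and remembers it server-side.
  CsrfToken generateInitialToken() {
    this.expectedToken = newToken();
    return this.expectedToken;
  }

  // One-time tokens: after every validated secured request the token is replaced, so a token that
  // leaked from an earlier request is no longer accepted. Returning currentToken unchanged would
  // keep a single per-session token instead.
  CsrfToken generateUpdateToken(CsrfToken currentToken) {
    CsrfToken next = newToken();
    this.expectedToken = next;
    return next;
  }

  // Corresponds to generateUpdateToken: the client must present exactly the token last issued.
  boolean isValidToken(CsrfToken token) {
    if (token == null || this.expectedToken == null) {
      return false; // null is never valid; a session that never received a token is not valid either
    }
    byte[] presented = token.getValue().getBytes(StandardCharsets.UTF_8);
    byte[] expected = this.expectedToken.getValue().getBytes(StandardCharsets.UTF_8);
    // Constant-time comparison so the check does not leak how many leading bytes matched.
    return MessageDigest.isEqual(presented, expected);
  }

  // Same check, but fails loudly so a secured invocation can be aborted.
  void validateToken(CsrfToken token) throws SecurityException {
    if (!isValidToken(token)) {
      throw new SecurityException("CSRF token missing or invalid");
    }
  }

  private CsrfToken newToken() {
    byte[] bytes = new byte[TOKEN_BYTES];
    this.random.nextBytes(bytes);
    return new CsrfToken(Base64.getUrlEncoder().withoutPadding().encodeToString(bytes));
  }

  public static void main(String[] args) {
    SessionCsrfTokenManager manager = new SessionCsrfTokenManager();

    CsrfToken initial = manager.generateInitialToken(); // sent to the client at log-in
    System.out.println("initial token accepted: " + manager.isValidToken(initial));

    // A secured request arrives carrying the initial token: validate it, then rotate.
    manager.validateToken(initial);
    CsrfToken rotated = manager.generateUpdateToken(initial); // returned to the client with the response

    // The old token, a null token and a forged token are rejected; only the rotated token passes.
    System.out.println("old token accepted after rotation: " + manager.isValidToken(initial));
    System.out.println("null token accepted: " + manager.isValidToken(null));
    System.out.println("rotated token accepted: " + manager.isValidToken(rotated));
    try {
      manager.validateToken(new CsrfToken("forged-value")); // constructed sample value
    } catch (SecurityException e) {
      System.out.println("forged token rejected: " + e.getMessage());
    }
  }
}

// Hypothetical minimal stand-in for the page's CsrfToken type (its real API is not shown in this extract).
final class CsrfToken {
  private final String value;

  CsrfToken(String value) {
    this.value = Objects.requireNonNull(value);
  }

  String getValue() {
    return this.value;
  }
}
```

Save the file as, for example, CsrfExample.java and run it with `java CsrfExample.java` (Java 11 or later). The call sequence in main mirrors the documented contract: isValidToken is consulted only for secured invocations, a null token always fails, and because generateUpdateToken returns a fresh instance each time, the token that was valid for one request is rejected on the next.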
Copyright © 2001–2014 mmm-Team. All rights reserved.