/**
 * Stores the login-flow parameters that have to survive the round-trip to the identity
 * provider in the {@code AUTHENTICATION_COOKIE_NAME} cookie, serialized as JSON.
 * <p>
 * The return-to value is kept only when {@code sanitizeRedirectUrl} accepts it, so a crafted
 * link cannot plant an arbitrary post-login redirect target in the cookie. The two boolean-ish
 * flags are stored verbatim when non-blank. The cookie is HttpOnly and expires after
 * {@code FIVE_MINUTES_IN_SECONDS}; nothing is written when no parameter survives.
 *
 * @param request  request that may carry the return-to, email-shift and login-update parameters
 * @param response response the cookie is added to
 */
@Override
public void init(HttpServletRequest request, HttpServletResponse response) {
  Map<String, String> toStore = new HashMap<>();

  // Only a sanitized redirect URL is retained; anything rejected is silently dropped.
  sanitizeRedirectUrl(request.getParameter(RETURN_TO_PARAMETER))
    .ifPresent(url -> toStore.put(RETURN_TO_PARAMETER, url));

  for (String flag : new String[] {ALLOW_EMAIL_SHIFT_PARAMETER, ALLOW_LOGIN_UPDATE_PARAMETER}) {
    String flagValue = request.getParameter(flag);
    if (isNotBlank(flagValue)) {
      toStore.put(flag, flagValue);
    }
  }

  if (toStore.isEmpty()) {
    return;
  }
  response.addCookie(newCookieBuilder(request)
    .setName(AUTHENTICATION_COOKIE_NAME)
    .setValue(toJson(toStore))
    .setHttpOnly(true)
    .setExpiry(FIVE_MINUTES_IN_SECONDS)
    .build());
}
/**
 * Materializes the configured cookie.
 * <p>
 * The name is mandatory ({@code requireNonNull}); the value may be null, which callers use to
 * expire a cookie. Path and Secure are not chosen by the caller: the path is the request's
 * context path and Secure is set exactly when {@code isHttps(request)} reports HTTPS — how that
 * is decided (e.g. behind a TLS-terminating proxy) is not visible here and is worth confirming.
 *
 * @return a new {@code Cookie} carrying the builder's name, value, HttpOnly flag and max-age
 * @throws NullPointerException if no name was set
 */
public Cookie build() {
  Cookie result = new Cookie(requireNonNull(name), value);
  result.setMaxAge(expiry);
  result.setHttpOnly(httpOnly);
  result.setSecure(isHttps(request));
  result.setPath(getContextPath(request));
  return result;
}
/**
 * Stores the login-flow parameters that have to survive the round-trip to the identity
 * provider in the {@code AUTHENTICATION_COOKIE_NAME} cookie, serialized as JSON.
 * <p>
 * Every parameter is stored verbatim when non-blank. The return-to value gets no validation in
 * this method, so whatever later reads it back as a redirect target must do its own checking.
 * The cookie is HttpOnly and expires after {@code FIVE_MINUTES_IN_SECONDS}; nothing is written
 * when all three parameters are blank.
 *
 * @param request  request that may carry the return-to, email-shift and login-update parameters
 * @param response response the cookie is added to
 */
@Override
public void init(HttpServletRequest request, HttpServletResponse response) {
  Map<String, String> toStore = new HashMap<>();

  String[] names = {RETURN_TO_PARAMETER, ALLOW_EMAIL_SHIFT_PARAMETER, ALLOW_LOGIN_UPDATE_PARAMETER};
  for (String paramName : names) {
    String paramValue = request.getParameter(paramName);
    if (isNotBlank(paramValue)) {
      toStore.put(paramName, paramValue);
    }
  }

  if (toStore.isEmpty()) {
    return;
  }
  response.addCookie(newCookieBuilder(request)
    .setName(AUTHENTICATION_COOKIE_NAME)
    .setValue(toJson(toStore))
    .setHttpOnly(true)
    .setExpiry(FIVE_MINUTES_IN_SECONDS)
    .build());
}
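/**
 * Checks the OAuth2 {@code state} parameter against the hash stored in {@code CSRF_STATE_COOKIE}
 * and expires that cookie.
 * <p>
 * The cookie is expired before the comparison, so a stored state can be verified at most once
 * whether or not the check succeeds. The hashes are compared with
 * {@link java.security.MessageDigest#isEqual(byte[], byte[])} so that the time taken does not
 * depend on where the two values first differ.
 *
 * @param request  callback request carrying the {@code state} parameter and the state cookie
 * @param response response on which the state cookie is expired
 * @param provider identity provider reported as the source of any {@link AuthenticationException}
 * @throws AuthenticationException if the cookie is missing, the parameter is blank, or the hashes differ
 */
public void verifyState(HttpServletRequest request, HttpServletResponse response, OAuth2IdentityProvider provider) {
  Cookie cookie = findCookie(CSRF_STATE_COOKIE, request)
    .orElseThrow(AuthenticationException.newBuilder()
      .setSource(Source.oauth2(provider))
      .setMessage(format("Cookie '%s' is missing", CSRF_STATE_COOKIE))::build);
  String hashInCookie = cookie.getValue();

  // Expire the cookie first: the state is single-use even if verification fails below.
  response.addCookie(newCookieBuilder(request).setName(CSRF_STATE_COOKIE).setValue(null).setHttpOnly(true).setExpiry(0).build());

  String stateInRequest = request.getParameter("state");
  // A blank parameter or an absent cookie value can never match; otherwise compare in constant time.
  boolean stateMatches = !isBlank(stateInRequest)
    && hashInCookie != null
    && java.security.MessageDigest.isEqual(
      sha256Hex(stateInRequest).getBytes(java.nio.charset.StandardCharsets.UTF_8),
      hashInCookie.getBytes(java.nio.charset.StandardCharsets.UTF_8));
  if (!stateMatches) {
    throw AuthenticationException.newBuilder()
      .setSource(Source.oauth2(provider))
      .setMessage("CSRF state value is invalid")
      .build();
  }
}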
/**
 * Builds an HttpOnly cookie with the given name, value and max-age, using the shared builder so
 * path and Secure handling stay consistent with every other cookie this code emits.
 *
 * @param request             request the cookie path and Secure flag are derived from
 * @param name                cookie name, must not be null
 * @param value               cookie value; null is used when expiring a cookie
 * @param expirationInSeconds max-age passed to the builder
 * @return the built cookie
 */
private static Cookie createCookie(HttpServletRequest request, String name, @Nullable String value, int expirationInSeconds) {
  return newCookieBuilder(request)
    .setName(name)
    .setValue(value)
    .setExpiry(expirationInSeconds)
    .setHttpOnly(true)
    .build();
}
/**
 * Expires the {@code CSRF_STATE_COOKIE} on the client.
 * <p>
 * Deletion is done by re-sending the cookie with a null value and an expiry of 0. It goes through
 * the same builder as the original cookie so the path and Secure flag line up, which browsers
 * require before they drop a cookie. HttpOnly stays {@code false}, matching how the state cookie
 * is written by the non-hashed flow.
 *
 * @param request  request the cookie path and Secure flag are derived from
 * @param response response the expiring cookie is added to
 */
public void removeState(HttpServletRequest request, HttpServletResponse response) {
  response.addCookie(newCookieBuilder(request)
    .setName(CSRF_STATE_COOKIE)
    .setValue(null)
    .setExpiry(0)
    .setHttpOnly(false)
    .build());
}
/**
 * Entry point for building cookies whose path and Secure flag are derived from {@code request}.
 *
 * @param request request used when the cookie is eventually built
 * @return a fresh builder bound to {@code request}
 */
public static CookieBuilder newCookieBuilder(HttpServletRequest request) {
  CookieBuilder builder = new CookieBuilder(request);
  return builder;
}
/**
 * Re-sends the {@code CSRF_STATE_COOKIE} with the given state and a new max-age.
 * <p>
 * The state is stored as-is and the cookie is not HttpOnly, so it is readable by script on the
 * same origin; callers relying on that should be aware the value is also what the server checks.
 *
 * @param request          request the cookie path and Secure flag are derived from
 * @param response         response the refreshed cookie is added to
 * @param csrfState        state value to store
 * @param timeoutInSeconds new max-age of the cookie
 */
public void refreshState(HttpServletRequest request, HttpServletResponse response, String csrfState, int timeoutInSeconds) {
  response.addCookie(newCookieBuilder(request)
    .setName(CSRF_STATE_COOKIE)
    .setValue(csrfState)
    .setExpiry(timeoutInSeconds)
    .setHttpOnly(false)
    .build());
}
/**
 * Materializes the configured cookie.
 * <p>
 * The name is mandatory ({@code requireNonNull}); the value may be null, which callers use to
 * expire a cookie. Path and Secure are not chosen by the caller: the path is the request's
 * context path and Secure is set exactly when {@code isHttps(request)} reports HTTPS — how that
 * is decided (e.g. behind a TLS-terminating proxy) is not visible here and is worth confirming.
 *
 * @return a new {@code Cookie} carrying the builder's name, value, HttpOnly flag and max-age
 * @throws NullPointerException if no name was set
 */
public Cookie build() {
  Cookie result = new Cookie(requireNonNull(name), value);
  result.setMaxAge(expiry);
  result.setHttpOnly(httpOnly);
  result.setSecure(isHttps(request));
  result.setPath(getContextPath(request));
  return result;
}
/**
 * Creates a random OAuth2 state token, stores it in {@code CSRF_STATE_COOKIE} and returns it.
 * <p>
 * The token is 130 random bits from a freshly constructed {@code SecureRandom}, rendered in base
 * 32. The cookie holds the token itself (not a hash) and is not HttpOnly, so script on the same
 * origin can read the very value the server will later compare against.
 *
 * @param request          request the cookie path and Secure flag are derived from
 * @param response         response the state cookie is added to
 * @param timeoutInSeconds max-age of the state cookie
 * @return the generated state, to be sent to the identity provider
 */
public String generateState(HttpServletRequest request, HttpServletResponse response, int timeoutInSeconds) {
  SecureRandom rng = new SecureRandom();
  String csrfState = new BigInteger(130, rng).toString(32);
  response.addCookie(newCookieBuilder(request)
    .setName(CSRF_STATE_COOKIE)
    .setValue(csrfState)
    .setExpiry(timeoutInSeconds)
    .setHttpOnly(false)
    .build());
  return csrfState;
}
/**
 * Creates a random OAuth2 state token, stores its SHA-256 hex digest in {@code CSRF_STATE_COOKIE}
 * and returns the raw token.
 * <p>
 * The token is 130 random bits from a freshly constructed {@code SecureRandom}, rendered in base
 * 32. Only the hash goes into the cookie, which is HttpOnly; the raw value lives solely in the
 * authorization request. Expiry is -1, which — assuming the builder passes it straight to
 * {@code Cookie#setMaxAge} — makes it a session cookie that the browser drops on exit.
 *
 * @param request  request the cookie path and Secure flag are derived from
 * @param response response the state cookie is added to
 * @return the generated state, to be sent to the identity provider
 */
public String generateState(HttpServletRequest request, HttpServletResponse response) {
  SecureRandom rng = new SecureRandom();
  String csrfState = new BigInteger(130, rng).toString(32);
  String storedDigest = sha256Hex(csrfState);
  response.addCookie(newCookieBuilder(request)
    .setName(CSRF_STATE_COOKIE)
    .setValue(storedDigest)
    .setExpiry(-1)
    .setHttpOnly(true)
    .build());
  return csrfState;
}
/**
 * Expires the {@code AUTHENTICATION_COOKIE_NAME} cookie on the client by re-sending it with a
 * null value and an expiry of 0, through the same builder that created it so path and Secure
 * match.
 *
 * @param request  request the cookie path and Secure flag are derived from
 * @param response response the expiring cookie is added to
 */
@Override
public void delete(HttpServletRequest request, HttpServletResponse response) {
  response.addCookie(newCookieBuilder(request)
    .setName(AUTHENTICATION_COOKIE_NAME)
    .setValue(null)
    .setExpiry(0)
    .setHttpOnly(true)
    .build());
}
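/**
 * Checks the OAuth2 state parameter named {@code parameterName} against the hash stored in
 * {@code CSRF_STATE_COOKIE} and expires that cookie.
 * <p>
 * The cookie is expired before the comparison, so a stored state can be verified at most once
 * whether or not the check succeeds. The hashes are compared with
 * {@link java.security.MessageDigest#isEqual(byte[], byte[])} so that the time taken does not
 * depend on where the two values first differ.
 *
 * @param request       callback request carrying the state parameter and the state cookie
 * @param response      response on which the state cookie is expired
 * @param provider      identity provider reported as the source of any {@link AuthenticationException}
 * @param parameterName name of the request parameter holding the state
 * @throws AuthenticationException if the cookie is missing, the parameter is blank, or the hashes differ
 */
public void verifyState(HttpServletRequest request, HttpServletResponse response, OAuth2IdentityProvider provider, String parameterName) {
  Cookie cookie = findCookie(CSRF_STATE_COOKIE, request)
    .orElseThrow(AuthenticationException.newBuilder()
      .setSource(Source.oauth2(provider))
      .setMessage(format("Cookie '%s' is missing", CSRF_STATE_COOKIE))::build);
  String hashInCookie = cookie.getValue();

  // Expire the cookie first: the state is single-use even if verification fails below.
  response.addCookie(newCookieBuilder(request).setName(CSRF_STATE_COOKIE).setValue(null).setHttpOnly(true).setExpiry(0).build());

  String stateInRequest = request.getParameter(parameterName);
  // A blank parameter or an absent cookie value can never match; otherwise compare in constant time.
  boolean stateMatches = !isBlank(stateInRequest)
    && hashInCookie != null
    && java.security.MessageDigest.isEqual(
      sha256Hex(stateInRequest).getBytes(java.nio.charset.StandardCharsets.UTF_8),
      hashInCookie.getBytes(java.nio.charset.StandardCharsets.UTF_8));
  if (!stateMatches) {
    throw AuthenticationException.newBuilder()
      .setSource(Source.oauth2(provider))
      .setMessage("CSRF state value is invalid")
      .build();
  }
}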
/**
 * Expires the {@code CSRF_STATE_COOKIE} on the client.
 * <p>
 * Deletion is done by re-sending the cookie with a null value and an expiry of 0. It goes through
 * the same builder as the original cookie so the path and Secure flag line up, which browsers
 * require before they drop a cookie. HttpOnly stays {@code false}, matching how the state cookie
 * is written by the non-hashed flow.
 *
 * @param request  request the cookie path and Secure flag are derived from
 * @param response response the expiring cookie is added to
 */
public void removeState(HttpServletRequest request, HttpServletResponse response) {
  response.addCookie(newCookieBuilder(request)
    .setName(CSRF_STATE_COOKIE)
    .setValue(null)
    .setExpiry(0)
    .setHttpOnly(false)
    .build());
}
/**
 * Entry point for building cookies whose path and Secure flag are derived from {@code request}.
 *
 * @param request request used when the cookie is eventually built
 * @return a fresh builder bound to {@code request}
 */
public static CookieBuilder newCookieBuilder(HttpServletRequest request) {
  CookieBuilder builder = new CookieBuilder(request);
  return builder;
}
/**
 * Re-sends the {@code CSRF_STATE_COOKIE} with the given state and a new max-age.
 * <p>
 * The state is stored as-is and the cookie is not HttpOnly, so it is readable by script on the
 * same origin; callers relying on that should be aware the value is also what the server checks.
 *
 * @param request          request the cookie path and Secure flag are derived from
 * @param response         response the refreshed cookie is added to
 * @param csrfState        state value to store
 * @param timeoutInSeconds new max-age of the cookie
 */
public void refreshState(HttpServletRequest request, HttpServletResponse response, String csrfState, int timeoutInSeconds) {
  response.addCookie(newCookieBuilder(request)
    .setName(CSRF_STATE_COOKIE)
    .setValue(csrfState)
    .setExpiry(timeoutInSeconds)
    .setHttpOnly(false)
    .build());
}
// The builder must reject a null name on the setter itself, before build() is ever reached.
// The expectation is registered first because the rule only applies to the statements after it.
@Test public void fail_with_NPE_when_cookie_has_no_name() { expectedException.expect(NullPointerException.class); newCookieBuilder(request).setName(null); }
// The builder must reject a null name on the setter itself, before build() is ever reached.
// The expectation is registered first because the rule only applies to the statements after it.
@Test public void fail_with_NPE_when_cookie_name_is_null() { expectedException.expect(NullPointerException.class); newCookieBuilder(request).setName(null); }
/**
 * Builds an HttpOnly cookie with the given name, value and max-age, using the shared builder so
 * path and Secure handling stay consistent with every other cookie this code emits.
 *
 * @param request             request the cookie path and Secure flag are derived from
 * @param name                cookie name, must not be null
 * @param value               cookie value; null is used when expiring a cookie
 * @param expirationInSeconds max-age passed to the builder
 * @return the built cookie
 */
private static Cookie createCookie(HttpServletRequest request, String name, @Nullable String value, int expirationInSeconds) {
  return newCookieBuilder(request)
    .setName(name)
    .setValue(value)
    .setExpiry(expirationInSeconds)
    .setHttpOnly(true)
    .build();
}
// findCookie must match the cookie name exactly: a different case or an unknown name yields empty.
@Test
public void find_cookie() {
  Cookie existing = newCookieBuilder(request).setName("name").setValue("value").build();
  when(request.getCookies()).thenReturn(new Cookie[] {existing});

  assertThat(findCookie("unknown", request)).isEmpty();
  assertThat(findCookie("NAME", request)).isEmpty();
  assertThat(findCookie("name", request)).isPresent();
}