/**
 * Issues a fresh CSRF "state" token and stores it, in clear, in the
 * {@code CSRF_STATE_COOKIE} cookie so the callback can be checked against it.
 *
 * @param request          the initiating request; {@code newCookieBuilder} derives the
 *                         cookie path and secure flag from it
 * @param response         the response the state cookie is appended to
 * @param timeoutInSeconds max-age of the state cookie
 * @return the generated token, to be forwarded to the identity provider
 */
public String generateState(HttpServletRequest request, HttpServletResponse response, int timeoutInSeconds) {
  // 130 bits from SecureRandom rendered in base 32: not guessable by a party forging the callback.
  SecureRandom random = new SecureRandom();
  String token = new BigInteger(130, random).toString(32);
  // NOTE(review): the cookie is readable by script (HttpOnly=false) and holds the raw token,
  // presumably because client-side code needs to read it back — confirm against the consumer.
  response.addCookie(newCookieBuilder(request)
    .setName(CSRF_STATE_COOKIE)
    .setValue(token)
    .setHttpOnly(false)
    .setExpiry(timeoutInSeconds)
    .build());
  return token;
}
/**
 * Persists the optional parameters of the authentication request (redirect target,
 * email-shift flag, login-update flag) in the {@code AUTHENTICATION_COOKIE_NAME} cookie
 * so they survive the round trip to the identity provider. No cookie is written when
 * none of the parameters is present.
 *
 * The redirect target is filtered through {@code sanitizeRedirectUrl}; a value it rejects
 * is dropped, not stored. The two flags are stored as received, after a blank check only.
 *
 * @param request  the incoming request whose parameters are read
 * @param response the response the (HttpOnly, five-minute) cookie is appended to
 */
@Override
public void init(HttpServletRequest request, HttpServletResponse response) {
  Map<String, String> toStore = new HashMap<>();

  sanitizeRedirectUrl(request.getParameter(RETURN_TO_PARAMETER))
    .ifPresent(url -> toStore.put(RETURN_TO_PARAMETER, url));

  for (String flag : new String[] {ALLOW_EMAIL_SHIFT_PARAMETER, ALLOW_LOGIN_UPDATE_PARAMETER}) {
    String flagValue = request.getParameter(flag);
    if (isNotBlank(flagValue)) {
      toStore.put(flag, flagValue);
    }
  }

  if (toStore.isEmpty()) {
    return;
  }
  response.addCookie(newCookieBuilder(request)
    .setName(AUTHENTICATION_COOKIE_NAME)
    .setValue(toJson(toStore))
    .setHttpOnly(true)
    .setExpiry(FIVE_MINUTES_IN_SECONDS)
    .build());
}
/**
 * Issues a fresh CSRF "state" token. Only its SHA-256 hex digest is stored in the
 * {@code CSRF_STATE_COOKIE} cookie (HttpOnly), so the cookie itself never reveals the
 * token; the callback parameter is hashed and compared in {@code verifyState}.
 *
 * @param request  the initiating request; {@code newCookieBuilder} derives the cookie
 *                 path and secure flag from it
 * @param response the response the state cookie is appended to
 * @return the clear-text token, to be forwarded to the identity provider
 */
public String generateState(HttpServletRequest request, HttpServletResponse response) {
  // 130 bits from SecureRandom rendered in base 32: not guessable by a party forging the callback.
  SecureRandom random = new SecureRandom();
  String token = new BigInteger(130, random).toString(32);
  String tokenDigest = sha256Hex(token);
  // Expiry -1 presumably yields a browser-session cookie (servlet max-age semantics) — confirm in the builder.
  response.addCookie(newCookieBuilder(request)
    .setName(CSRF_STATE_COOKIE)
    .setValue(tokenDigest)
    .setHttpOnly(true)
    .setExpiry(-1)
    .build());
  return token;
}
/**
 * Checks that the {@code state} parameter of the identity provider callback matches the
 * token issued by {@code generateState}. The cookie holds only the SHA-256 of the token,
 * so the parameter is hashed before comparison.
 *
 * The cookie is expired in the same response, before the comparison, so a token is
 * accepted at most once.
 *
 * @param request  the callback request carrying the state cookie and parameter
 * @param response the response on which the state cookie is expired
 * @param provider the identity provider, reported as the exception source
 * @throws AuthenticationException when the cookie is missing, the parameter is blank,
 *                                 or the digests differ
 */
public void verifyState(HttpServletRequest request, HttpServletResponse response, OAuth2IdentityProvider provider) {
  Cookie stateCookie = findCookie(CSRF_STATE_COOKIE, request)
    .orElseThrow(() -> AuthenticationException.newBuilder()
      .setSource(Source.oauth2(provider))
      .setMessage(format("Cookie '%s' is missing", CSRF_STATE_COOKIE))
      .build());
  String expectedDigest = stateCookie.getValue();

  // One-shot token: expire the cookie whatever the outcome of the comparison below.
  response.addCookie(newCookieBuilder(request)
    .setName(CSRF_STATE_COOKIE)
    .setValue(null)
    .setHttpOnly(true)
    .setExpiry(0)
    .build());

  String receivedState = request.getParameter("state");
  // NOTE(review): String.equals stops at the first differing character; MessageDigest.isEqual on
  // the digest bytes is the constant-time alternative if timing matters for this comparison.
  boolean matches = !isBlank(receivedState) && sha256Hex(receivedState).equals(expectedDigest);
  if (!matches) {
    throw AuthenticationException.newBuilder()
      .setSource(Source.oauth2(provider))
      .setMessage("CSRF state value is invalid")
      .build();
  }
}
/**
 * Expires the {@code CSRF_STATE_COOKIE} cookie on the client (empty value, max-age 0).
 * Written with HttpOnly=false to match the way the cookie is created in this class.
 *
 * @param request  the current request; {@code newCookieBuilder} derives the cookie path from it
 * @param response the response the expiring cookie is appended to
 */
public void removeState(HttpServletRequest request, HttpServletResponse response) {
  int expireNow = 0;
  response.addCookie(newCookieBuilder(request)
    .setName(CSRF_STATE_COOKIE)
    .setValue(null)
    .setHttpOnly(false)
    .setExpiry(expireNow)
    .build());
}
/**
 * Builds an HttpOnly cookie for the given request; the path and secure flag come from
 * {@code newCookieBuilder}.
 *
 * @param request             the current request
 * @param name                cookie name
 * @param value               cookie value, {@code null} to clear it
 * @param expirationInSeconds max-age of the cookie
 * @return the built cookie (not yet added to any response)
 */
private static Cookie createCookie(HttpServletRequest request, String name, @Nullable String value, int expirationInSeconds) {
  Cookie built = newCookieBuilder(request)
    .setName(name)
    .setValue(value)
    .setHttpOnly(true)
    .setExpiry(expirationInSeconds)
    .build();
  return built;
}
/**
 * Re-issues the {@code CSRF_STATE_COOKIE} cookie with the given token and a new max-age,
 * keeping the non-HttpOnly flag used when the token was first generated.
 *
 * @param request          the current request; {@code newCookieBuilder} derives the cookie path from it
 * @param response         the response the refreshed cookie is appended to
 * @param csrfState        the token to store (stored in clear)
 * @param timeoutInSeconds new max-age of the cookie
 */
public void refreshState(HttpServletRequest request, HttpServletResponse response, String csrfState, int timeoutInSeconds) {
  response.addCookie(newCookieBuilder(request)
    .setName(CSRF_STATE_COOKIE)
    .setValue(csrfState)
    .setHttpOnly(false)
    .setExpiry(timeoutInSeconds)
    .build());
}
/**
 * Issues a fresh CSRF "state" token and stores it, in clear, in the
 * {@code CSRF_STATE_COOKIE} cookie so the callback can be checked against it.
 *
 * @param request          the initiating request; {@code newCookieBuilder} derives the
 *                         cookie path and secure flag from it
 * @param response         the response the state cookie is appended to
 * @param timeoutInSeconds max-age of the state cookie
 * @return the generated token, to be forwarded to the identity provider
 */
public String generateState(HttpServletRequest request, HttpServletResponse response, int timeoutInSeconds) {
  // 130 bits from SecureRandom rendered in base 32: not guessable by a party forging the callback.
  SecureRandom random = new SecureRandom();
  String token = new BigInteger(130, random).toString(32);
  // NOTE(review): the cookie is readable by script (HttpOnly=false) and holds the raw token,
  // presumably because client-side code needs to read it back — confirm against the consumer.
  response.addCookie(newCookieBuilder(request)
    .setName(CSRF_STATE_COOKIE)
    .setValue(token)
    .setHttpOnly(false)
    .setExpiry(timeoutInSeconds)
    .build());
  return token;
}
/**
 * Issues a fresh CSRF "state" token. Only its SHA-256 hex digest is stored in the
 * {@code CSRF_STATE_COOKIE} cookie (HttpOnly), so the cookie itself never reveals the
 * token; the callback parameter is hashed and compared in {@code verifyState}.
 *
 * @param request  the initiating request; {@code newCookieBuilder} derives the cookie
 *                 path and secure flag from it
 * @param response the response the state cookie is appended to
 * @return the clear-text token, to be forwarded to the identity provider
 */
public String generateState(HttpServletRequest request, HttpServletResponse response) {
  // 130 bits from SecureRandom rendered in base 32: not guessable by a party forging the callback.
  SecureRandom random = new SecureRandom();
  String token = new BigInteger(130, random).toString(32);
  String tokenDigest = sha256Hex(token);
  // Expiry -1 presumably yields a browser-session cookie (servlet max-age semantics) — confirm in the builder.
  response.addCookie(newCookieBuilder(request)
    .setName(CSRF_STATE_COOKIE)
    .setValue(tokenDigest)
    .setHttpOnly(true)
    .setExpiry(-1)
    .build());
  return token;
}
/**
 * Expires the {@code AUTHENTICATION_COOKIE_NAME} cookie on the client (empty value, max-age 0),
 * keeping the HttpOnly flag it was created with.
 *
 * @param request  the current request; {@code newCookieBuilder} derives the cookie path from it
 * @param response the response the expiring cookie is appended to
 */
@Override
public void delete(HttpServletRequest request, HttpServletResponse response) {
  int expireNow = 0;
  response.addCookie(newCookieBuilder(request)
    .setName(AUTHENTICATION_COOKIE_NAME)
    .setValue(null)
    .setHttpOnly(true)
    .setExpiry(expireNow)
    .build());
}
/**
 * Checks that the callback parameter named {@code parameterName} matches the token issued
 * by {@code generateState}. The cookie holds only the SHA-256 of the token, so the
 * parameter is hashed before comparison.
 *
 * The cookie is expired in the same response, before the comparison, so a token is
 * accepted at most once.
 *
 * @param request       the callback request carrying the state cookie and parameter
 * @param response      the response on which the state cookie is expired
 * @param provider      the identity provider, reported as the exception source
 * @param parameterName name of the request parameter carrying the state
 * @throws AuthenticationException when the cookie is missing, the parameter is blank,
 *                                 or the digests differ
 */
public void verifyState(HttpServletRequest request, HttpServletResponse response, OAuth2IdentityProvider provider, String parameterName) {
  Cookie stateCookie = findCookie(CSRF_STATE_COOKIE, request)
    .orElseThrow(() -> AuthenticationException.newBuilder()
      .setSource(Source.oauth2(provider))
      .setMessage(format("Cookie '%s' is missing", CSRF_STATE_COOKIE))
      .build());
  String expectedDigest = stateCookie.getValue();

  // One-shot token: expire the cookie whatever the outcome of the comparison below.
  response.addCookie(newCookieBuilder(request)
    .setName(CSRF_STATE_COOKIE)
    .setValue(null)
    .setHttpOnly(true)
    .setExpiry(0)
    .build());

  String receivedState = request.getParameter(parameterName);
  // NOTE(review): String.equals stops at the first differing character; MessageDigest.isEqual on
  // the digest bytes is the constant-time alternative if timing matters for this comparison.
  boolean matches = !isBlank(receivedState) && sha256Hex(receivedState).equals(expectedDigest);
  if (!matches) {
    throw AuthenticationException.newBuilder()
      .setSource(Source.oauth2(provider))
      .setMessage("CSRF state value is invalid")
      .build();
  }
}
/**
 * Expires the {@code CSRF_STATE_COOKIE} cookie on the client (empty value, max-age 0).
 * Written with HttpOnly=false to match the way the cookie is created in this class.
 *
 * @param request  the current request; {@code newCookieBuilder} derives the cookie path from it
 * @param response the response the expiring cookie is appended to
 */
public void removeState(HttpServletRequest request, HttpServletResponse response) {
  int expireNow = 0;
  response.addCookie(newCookieBuilder(request)
    .setName(CSRF_STATE_COOKIE)
    .setValue(null)
    .setHttpOnly(false)
    .setExpiry(expireNow)
    .build());
}
/**
 * Re-issues the {@code CSRF_STATE_COOKIE} cookie with the given token and a new max-age,
 * keeping the non-HttpOnly flag used when the token was first generated.
 *
 * @param request          the current request; {@code newCookieBuilder} derives the cookie path from it
 * @param response         the response the refreshed cookie is appended to
 * @param csrfState        the token to store (stored in clear)
 * @param timeoutInSeconds new max-age of the cookie
 */
public void refreshState(HttpServletRequest request, HttpServletResponse response, String csrfState, int timeoutInSeconds) {
  response.addCookie(newCookieBuilder(request)
    .setName(CSRF_STATE_COOKIE)
    .setValue(csrfState)
    .setHttpOnly(false)
    .setExpiry(timeoutInSeconds)
    .build());
}
/**
 * The cookie path follows the servlet context path of the request, so cookies are
 * scoped to the application rather than to the whole host; the other attributes are
 * carried over from the builder unchanged, and the cookie is not secure by default.
 */
@Test
public void create_cookie_when_web_context() {
  when(request.getContextPath()).thenReturn("/sonarqube");

  Cookie built = newCookieBuilder(request)
    .setName("name")
    .setValue("value")
    .setHttpOnly(true)
    .setExpiry(10)
    .build();

  assertThat(built.getPath()).isEqualTo("/sonarqube");
  assertThat(built.getName()).isEqualTo("name");
  assertThat(built.getValue()).isEqualTo("value");
  assertThat(built.getMaxAge()).isEqualTo(10);
  assertThat(built.isHttpOnly()).isTrue();
  assertThat(built.getSecure()).isFalse();
}
/**
 * Without a context path the cookie is scoped to "/"; name, value, max-age and HttpOnly
 * are taken from the builder, and the cookie is not marked secure by default.
 */
@Test
public void create_cookie() {
  Cookie built = newCookieBuilder(request)
    .setName("name")
    .setValue("value")
    .setHttpOnly(true)
    .setExpiry(10)
    .build();

  assertThat(built.getPath()).isEqualTo("/");
  assertThat(built.getName()).isEqualTo("name");
  assertThat(built.getValue()).isEqualTo("value");
  assertThat(built.getMaxAge()).isEqualTo(10);
  assertThat(built.isHttpOnly()).isTrue();
  assertThat(built.getSecure()).isFalse();
}
/**
 * Expires the {@code AUTHENTICATION_COOKIE_NAME} cookie on the client (empty value, max-age 0),
 * keeping the HttpOnly flag it was created with.
 *
 * @param request  the current request; {@code newCookieBuilder} derives the cookie path from it
 * @param response the response the expiring cookie is appended to
 */
@Override
public void delete(HttpServletRequest request, HttpServletResponse response) {
  int expireNow = 0;
  response.addCookie(newCookieBuilder(request)
    .setName(AUTHENTICATION_COOKIE_NAME)
    .setValue(null)
    .setHttpOnly(true)
    .setExpiry(expireNow)
    .build());
}
/**
 * A forwarded-protocol header that is not "https" leaves the Secure flag off:
 * the cookie may then be sent over plain HTTP, which is the expected behaviour
 * for a request the proxy reports as non-TLS.
 */
@Test
public void create_not_secured_cookie_when_header_is_not_http() {
  when(request.getHeader(HTTPS_HEADER)).thenReturn("http");

  Cookie built = newCookieBuilder(request)
    .setName("name")
    .setValue("value")
    .setHttpOnly(true)
    .setExpiry(10)
    .build();

  assertThat(built.getSecure()).isFalse();
}
/**
 * An upper-case "HTTPS" forwarded-protocol header is enough to set the Secure flag,
 * so the cookie is only sent back over TLS; together with the lower-case test this
 * shows the header value is matched case-insensitively.
 */
@Test
public void create_secured_cookie_when_X_Forwarded_Proto_header_is_HTTPS() {
  when(request.getHeader(HTTPS_HEADER)).thenReturn("HTTPS");

  Cookie built = newCookieBuilder(request)
    .setName("name")
    .setValue("value")
    .setHttpOnly(true)
    .setExpiry(10)
    .build();

  assertThat(built.getSecure()).isTrue();
}
/**
 * A lower-case "https" forwarded-protocol header sets the Secure flag, so the cookie
 * is only sent back over TLS when the proxy reports the original request as TLS.
 */
@Test
public void create_secured_cookie_when_X_Forwarded_Proto_header_is_https() {
  when(request.getHeader(HTTPS_HEADER)).thenReturn("https");

  Cookie built = newCookieBuilder(request)
    .setName("name")
    .setValue("value")
    .setHttpOnly(true)
    .setExpiry(10)
    .build();

  assertThat(built.getSecure()).isTrue();
}
/**
 * Builds an HttpOnly cookie for the given request; the path and secure flag come from
 * {@code newCookieBuilder}.
 *
 * @param request             the current request
 * @param name                cookie name
 * @param value               cookie value, {@code null} to clear it
 * @param expirationInSeconds max-age of the cookie
 * @return the built cookie (not yet added to any response)
 */
private static Cookie createCookie(HttpServletRequest request, String name, @Nullable String value, int expirationInSeconds) {
  Cookie built = newCookieBuilder(request)
    .setName(name)
    .setValue(value)
    .setHttpOnly(true)
    .setExpiry(expirationInSeconds)
    .build();
  return built;
}