Class SynchronizerTokenService
- java.lang.Object
- org.silverpeas.core.web.token.SynchronizerTokenService

@Service
public class SynchronizerTokenService extends Object
A service to manage the synchronizer tokens used in Silverpeas to protect the user sessions and the web resources published by Silverpeas. Each resource in Silverpeas that is accessible through the Web can be protected by one or more security tokens. These tokens are named synchronizer tokens because they are transmitted within each request and must match the ones expected by Silverpeas for the requested resource; a request whose tokens don't match is rejected. This service provides the functions to generate, validate and set such tokens for the Web resources to protect (not every resource in Silverpeas needs to be protected).
- Author:
- mmoquillon
Field Summary
Fields
- static String NAVIGATION_TOKEN_KEY
- static String SESSION_TOKEN_KEY
Constructor Summary
Constructors
- protected SynchronizerTokenService()
Method Summary
Methods
- static SynchronizerTokenService getInstance()
- Token getNavigationToken(javax.servlet.http.HttpServletRequest request)
  Gets the current one-time synchronizer token used to protect the web navigation within which the specified request is sent.
- Token getSessionToken(javax.servlet.http.HttpServletRequest request)
  Gets the synchronizer token used to protect the session of the user behind the specified request.
- Token getSessionToken(SessionInfo session)
  Gets the synchronizer token used to protect the specified user session.
- boolean isAProtectedResource(javax.servlet.http.HttpServletRequest request, boolean onKeywordsOnly)
  Must the resource targeted by the specified request be protected by a synchronizer token?
- void setUpNavigationTokens(javax.servlet.http.HttpServletRequest request)
  Sets up a navigation token for the user behind the specified request.
- void setUpSessionTokens(SessionInfo session)
  Sets up a session token for the specified Silverpeas session.
- void validate(javax.servlet.http.HttpServletRequest request, boolean onKeywordsOnly)
  Validates that the request to a Silverpeas web resource can be trusted.
Field Detail

SESSION_TOKEN_KEY
public static final String SESSION_TOKEN_KEY
- See Also:
- Constant Field Values

NAVIGATION_TOKEN_KEY
public static final String NAVIGATION_TOKEN_KEY
- See Also:
- Constant Field Values
Method Detail

getInstance
public static SynchronizerTokenService getInstance()
setUpSessionTokens
public void setUpSessionTokens(SessionInfo session)
Sets up a session token for the specified Silverpeas session. It creates a synchronizer token to protect the specified opened user session. If a token is already protecting the session, that token is renewed (replaced by a fresh one).
A session token is used to validate that any request to a protected web resource is sent within an opened and valid user session. The token is set only if the security mechanism by token is enabled.
- Parameters:
- session - the user session to protect with a synchronizer token.
setUpNavigationTokens
public void setUpNavigationTokens(javax.servlet.http.HttpServletRequest request)
Sets up a navigation token for the user behind the specified request. It creates a synchronizer token to protect the web navigation of the user starting from the resource currently targeted by the request. Within a protected navigation, each request must be stamped with the navigation token in order to be accepted; otherwise the request is rejected. Each time a request is validated with a navigation token, the token is renewed, so the token is usable for one request only and the page rendered in response must carry the new one.
- Parameters:
- request - an HTTP request from which the navigation to protect is identified.
validate
public void validate(javax.servlet.http.HttpServletRequest request, boolean onKeywordsOnly) throws TokenValidationException
Validates that the request to a Silverpeas web resource can be trusted. The request is validated only if both the security mechanism by token is enabled and the request targets a protected web resource (see isAProtectedResource); otherwise the method returns without checking anything.
Access to a protected web resource is considered trusted if and only if the request is stamped with the security tokens expected for the requested resource. Otherwise the request isn't trusted and should be rejected. A request is stamped at least with the session token, that is, the token set with the user session; within a protected navigation it must also carry the current navigation token.
- Parameters:
- request - the HTTP request to check.
- onKeywordsOnly - true to verify the request URI against the predefined keywords without taking the whole request URI into account; false to look for the keywords at their expected place within the request URI structure.
- Throws:
- TokenValidationException - if the specified request cannot be trusted.
isAProtectedResource
public boolean isAProtectedResource(javax.servlet.http.HttpServletRequest request, boolean onKeywordsOnly)
Must the resource targeted by the specified request be protected by a synchronizer token? A resource is protected if either the request uses the POST, PUT or DELETE HTTP method or the requested URI is declared as to be protected. Note that a GET to a URI not declared as protected is therefore never validated.
- Parameters:
- request - the request to a possibly protected resource.
- onKeywordsOnly - true to verify the request URI against the predefined keywords without taking the whole request URI into account; false to look for the keywords at their expected place within the request URI structure.
- Returns:
- true if the requested resource is a protected one, in which case the request should be validated.
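How validate and isAProtectedResource fit together in practice, as an added illustration (this is not Silverpeas' own code): a servlet filter that lets unprotected requests through and rejects untrusted requests to protected resources with a 403 before the resource is reached. It assumes TokenValidationException lives in the same package as the service, and the choice of false for onKeywordsOnly is an assumption, not a recommendation from the page.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.silverpeas.core.web.token.SynchronizerTokenService;
import org.silverpeas.core.web.token.TokenValidationException; // assumed package

/**
 * Hypothetical filter: every request passes through it; only requests that
 * target a protected resource (POST/PUT/DELETE, or a URI declared as
 * protected) are checked against the synchronizer tokens they carry.
 */
public class SynchronizerTokenFilter implements Filter {

  // Matching mode handed to isAProtectedResource() and validate().
  // false: look for the keywords at their place in the URI structure.
  // The value is an assumption for this example.
  private static final boolean ON_KEYWORDS_ONLY = false;

  @Override
  public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) resp;
    SynchronizerTokenService tokens = SynchronizerTokenService.getInstance();

    // validate() is already a no-op for unprotected resources (and when the
    // token mechanism is disabled); asking first keeps the decision explicit
    // and lets us record rejections only for requests that were actually checked.
    if (tokens.isAProtectedResource(request, ON_KEYWORDS_ONLY)) {
      try {
        tokens.validate(request, ON_KEYWORDS_ONLY);
      } catch (TokenValidationException e) {
        // Untrusted request: stop it here. Don't echo the expected token or
        // the detailed reason back to the client; log it server-side instead.
        request.getServletContext().log("rejected request to " + request.getRequestURI());
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return;
      }
    }
    chain.doFilter(request, response);
  }
}
```

Because validate() checks nothing for unprotected resources, a GET to a URI that is not declared as protected passes this filter untouched; any state-changing endpoint reachable by GET must therefore be declared as protected (or moved to POST) to be covered.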
getSessionToken
public Token getSessionToken(javax.servlet.http.HttpServletRequest request)
Gets the synchronizer token used to protect the session of the user behind the specified request.
- Parameters:
- request - an HTTP request.
- Returns:
- the synchronizer token. If no token was set for the session mapped to the specified request, or if no session is opened, the returned token isn't defined (a NoneToken).
getSessionToken
public Token getSessionToken(SessionInfo session)
Gets the synchronizer token used to protect the specified user session.
- Parameters:
- session - an opened session of a user in Silverpeas.
- Returns:
- the token protecting the specified session.
getNavigationToken
public Token getNavigationToken(javax.servlet.http.HttpServletRequest request)
Gets the current one-time synchronizer token used to protect the web navigation within which the specified request is sent.
- Parameters:
- request - an HTTP request.
- Returns:
- the synchronizer token. If the specified request carries no navigation token with which to validate its origin, a NoneToken is returned.
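The producer side of the mechanism, as an added example that is not part of Silverpeas' own code: when rendering a page that starts a protected navigation, a helper renews the navigation token and writes both the session and navigation tokens into the form as hidden fields, so the next request is stamped with them. It assumes (a) the Token type, taken here as org.silverpeas.core.security.token.Token, exposes isDefined() and getValue(), with a NoneToken answering false to isDefined(); (b) the service reads a token from a request parameter named after SESSION_TOKEN_KEY / NAVIGATION_TOKEN_KEY; and (c) after setUpNavigationTokens(request) the new token is retrievable through getNavigationToken(request) for that same request. None of these is stated on the page.

```java
import java.io.PrintWriter;

import javax.servlet.http.HttpServletRequest;

import org.silverpeas.core.security.token.Token; // assumed location of Token
import org.silverpeas.core.web.token.SynchronizerTokenService;

/**
 * Hypothetical helper used while rendering a page that begins (or continues)
 * a protected navigation.
 */
public final class TokenFormFields {

  private TokenFormFields() {}

  public static void writeHiddenFields(HttpServletRequest request, PrintWriter out) {
    SynchronizerTokenService tokens = SynchronizerTokenService.getInstance();

    // Start a protected navigation from this resource. Each validated request
    // renews the token, so the page must always be rendered with the current one.
    tokens.setUpNavigationTokens(request);

    Token session = tokens.getSessionToken(request);
    Token navigation = tokens.getNavigationToken(request); // assumption (c) in the lead-in

    // No defined session token means no open session or token security disabled:
    // fail loudly rather than emit a form that will be rejected.
    if (!session.isDefined()) {
      throw new IllegalStateException(
          "no session token: is the user session open and token security enabled?");
    }
    writeField(out, SynchronizerTokenService.SESSION_TOKEN_KEY, session.getValue());
    if (navigation.isDefined()) {
      writeField(out, SynchronizerTokenService.NAVIGATION_TOKEN_KEY, navigation.getValue());
    }
  }

  // Field names are the service's own key constants (assumption (b)).
  private static void writeField(PrintWriter out, String name, String value) {
    out.printf("<input type=\"hidden\" name=\"%s\" value=\"%s\"/>%n",
        escapeAttr(name), escapeAttr(value));
  }

  // Minimal HTML attribute escaping so a token value can never break out of
  // the attribute, whatever characters the token generator produces.
  private static String escapeAttr(String s) {
    StringBuilder sb = new StringBuilder(s.length());
    for (char c : s.toCharArray()) {
      switch (c) {
        case '&': sb.append("&amp;"); break;
        case '<': sb.append("&lt;"); break;
        case '>': sb.append("&gt;"); break;
        case '"': sb.append("&quot;"); break;
        default: sb.append(c);
      }
    }
    return sb.toString();
  }
}
```

The session token is required because every request to a protected resource is stamped with it at least; the navigation token is written only when one is defined, since getNavigationToken returns a NoneToken outside a protected navigation. Because the navigation token is one-time, a page that is re-rendered (for instance after a validation error) must go through this helper again rather than reuse the previously emitted value.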