/*******************************************************************************
* Copyright (c) 2011, 2016 Eurotech and/or its affiliates
*
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
*
* Contributors:
* Eurotech
*******************************************************************************/
package org.eclipse.kura.web.server;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.eclipse.kura.web.shared.model.GwtXSRFToken;
import org.eclipse.kura.web.shared.service.GwtSecurityTokenService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.google.gwt.user.client.rpc.SerializationException;
/**
* This is the security token service, a concrete implementation to fix the XSFR security problem.
*/
public class GwtSecurityTokenServiceImpl extends OsgiRemoteServiceServlet implements GwtSecurityTokenService {
/**
*
*/
private static final long serialVersionUID = 5333012054583792499L;
private static ThreadLocal<HttpServletRequest> perThreadRequest = new ThreadLocal<HttpServletRequest>();
public static Logger s_logger = LoggerFactory.getLogger(GwtSecurityTokenServiceImpl.class);
public static final String XSRF_TOKEN_KEY = "XSRF_TOKEN";
@Override
public String processCall(String payload) throws SerializationException {
try {
perThreadRequest.set(getThreadLocalRequest());
return super.processCall(payload);
}
finally {
perThreadRequest.set(null);
}
}
public static HttpServletRequest getRequest() {
return perThreadRequest.get();
}
public HttpSession getHttpSession() {
HttpServletRequest request = GwtSecurityTokenServiceImpl.getRequest();
return request.getSession();
}
@Override
public GwtXSRFToken generateSecurityToken() {
GwtXSRFToken token = null;
// Before to generate a token we must to check if the user is correctly authenticated
HttpSession session = getHttpSession();
if (session != null) {
token = new GwtXSRFToken(UUID.randomUUID().toString());
session.setAttribute(XSRF_TOKEN_KEY, token);
s_logger.debug("Generated XSRF token: {} for HTTP session: {}", token.getToken(), session.getId());
}
return token;
}
}