CsrfTokenHandler.java

/////////////////////////////////////////////////////////////////////////////
//
// Project ProjectForge Community Edition
//         www.projectforge.org
//
// Copyright (C) 2001-2014 Kai Reinhard (k.reinhard@micromata.de)
//
// ProjectForge is dual-licensed.
//
// This community edition is free software; you can redistribute it and/or
// modify it under the terms of the GNU General Public License as published
// by the Free Software Foundation; version 3 of the License.
//
// This community edition is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
// Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, see http://www.gnu.org/licenses/.
//
/////////////////////////////////////////////////////////////////////////////

package org.projectforge.web.wicket;

import java.io.Serializable;

import org.apache.commons.lang.StringUtils;
import org.apache.wicket.Session;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.HiddenField;
import org.apache.wicket.model.PropertyModel;
import org.projectforge.core.InternalErrorException;

/**
 * Every form should use this handler for preventing cross site request forgery attacks.
 * @author Kai Reinhard (k.reinhard@micromata.de)
 * 
 */
public class CsrfTokenHandler implements Serializable
{
  private static final long serialVersionUID = -9129345307409567900L;

  private static final org.apache.log4j.Logger log = org.apache.log4j.Logger.getLogger(CsrfTokenHandler.class);

  private final String csrfToken;

  /**
   * The given form should contain a hidden field named 'csrfToken'.
   * @param form
   */
  public CsrfTokenHandler(final Form< ? > form)
  {
    csrfToken = getCsrfSessionToken();
    form.add(new HiddenField<String>("csrfToken", new PropertyModel<String>(this, "csrfToken")));
  }

  /**
   * This parameter should be set as hidden field in every formular and should be tested on every submit action for preventing CSRF attacks.
   * @return the randomized cross site request forgery token.
   */
  private String getCsrfSessionToken()
  {
    final MySession session = (MySession) Session.get();
    return session.getCsrfToken();
  }

  /**
   * Checks the cross site request forgery token (as posted hidden field) and if it doesn't match an exception is thrown.
   * @see org.apache.wicket.markup.html.form.Form#onSubmit()
   */
  public void onSubmit()
  {
    final String sessionCsrfToken = getCsrfSessionToken();
    if (StringUtils.equals(sessionCsrfToken, csrfToken) == false) {
      log.error("Cross site request forgery alert. csrf token doesn't match! session csrf token="
          + sessionCsrfToken
          + ", posted csrf token="
          + csrfToken);
      throw new InternalErrorException("errorpage.csrfError");
    }
  }
}