Class SynchronizerTokenService


  • @Technical
    @Bean
    public class SynchronizerTokenService
    extends Object
    A service to manage the synchronizer tokens used in Silverpeas to protect the user sessions or the web resources published by Silverpeas. Each resource in Silverpeas that is accessible through the Web can be protected by one or more security tokens. These tokens are called synchronizer tokens because they are transmitted within each request and must match the ones expected by Silverpeas for the requested resource to be accessed. This service provides the functions to generate, validate and set such tokens for the Web resources in Silverpeas that need protection (not all resources in Silverpeas require protection).
    Author:
    mmoquillon
    • Constructor Detail

      • SynchronizerTokenService

        protected SynchronizerTokenService()
    • Method Detail

      • setUpSessionTokens

        public void setUpSessionTokens(SessionInfo session)
        Sets up a session token for the specified Silverpeas session. It creates a synchronizer token to protect the specified opened user session. If a token is already protecting the session, that token is renewed. A session token is used to validate that any request to a protected web resource is sent within an opened and valid user session. The token is set only if the token-based security mechanism is enabled.
        Parameters:
        session - the user session to protect with a synchronizer token.
      • setUpNavigationTokens

        public void setUpNavigationTokens(javax.servlet.http.HttpServletRequest request)
        Sets up a navigation token for the user behind the specified request. It creates a synchronizer token to protect the user's web navigation from this starting point (the resource currently targeted by the request). Within a protected navigation, each request must be stamped with the navigation token in order to be accepted; otherwise the request is rejected. Each time a request is validated with a navigation token, the token is renewed.
        Parameters:
        request - an HTTP request from which the navigation to protect is identified.
      • validate

        public void validate(javax.servlet.http.HttpServletRequest request)
                      throws TokenValidationException
        Validates that the request to a Silverpeas web resource can be trusted. The request is validated only if both the token-based security mechanism is enabled and the request targets a protected web resource. Access to a protected web resource is considered trusted if and only if the request is stamped with the security tokens expected for the requested resource. Otherwise, the request isn't considered trusted and should be rejected. A request is stamped at least with the session token, that is, the token set with the user session.
        Parameters:
        request - the HTTP request to check.
        Throws:
        TokenValidationException - if the specified request cannot be trusted.
      • isAProtectedResource

        public boolean isAProtectedResource(javax.servlet.http.HttpServletRequest request)
        Must the resource targeted by the specified request be protected by a synchronizer token? A resource is protected if either the request uses the POST, PUT or DELETE HTTP method or the requested URI is declared as one to be protected.
        Parameters:
        request - the request to a possibly protected resource.
        Returns:
        true if the requested resource is a protected one, in which case the request should be validated.
      • getSessionToken

        public Token getSessionToken(javax.servlet.http.HttpServletRequest request)
        Gets the synchronizer token used to protect the session of the user behind the specified request.
        Parameters:
        request - an HTTP request.
        Returns:
        the synchronizer token. If no token was set for the session mapped to the specified request, or if no session was opened, then the returned token is undefined (a NoneToken).
      • getSessionToken

        public Token getSessionToken(SessionInfo session)
        Gets the synchronizer token used to protect the specified user session.
        Parameters:
        session - an opened session of a user in Silverpeas
        Returns:
        the token protecting the specified session.
      • getNavigationToken

        public Token getNavigationToken(javax.servlet.http.HttpServletRequest request)
        Gets the current one-time synchronizer token used to protect the web navigation within which the specified request is sent.
        Parameters:
        request - an HTTP request.
        Returns:
        the synchronizer token. If the specified request carries no token to validate its origin, then a NoneToken is returned.
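The following is an added example, not code from Silverpeas or from this Javadoc, showing how the methods documented above fit together from a defender's point of view: a servlet filter that lets `isAProtectedResource` decide which requests need a token, calls `validate` on those, and fails closed with 403 when `TokenValidationException` is thrown, plus a small helper that uses `getSessionToken` and `getNavigationToken` to emit the hidden fields a form needs. The package names of `Token`, `SynchronizerTokenService` and `TokenValidationException`, the use of CDI `@Inject` to obtain the service, the `isDefined()` / `getValue()` accessors on `Token`, and the request parameter names carrying the tokens are all assumptions (the page does not show them); replace the placeholders with the project's real values.

```java
package example.web; // hypothetical package for this example

import java.io.IOException;
import java.util.logging.Logger;

import javax.inject.Inject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed package names: the Javadoc page only shows the simple names.
import org.silverpeas.core.security.token.Token;
import org.silverpeas.core.security.token.synchronizer.SynchronizerTokenService;
import org.silverpeas.core.security.token.synchronizer.TokenValidationException;

/** Gates every request: protected resources must carry the expected synchronizer tokens. */
@WebFilter(urlPatterns = "/*")
public class SynchronizerTokenFilter implements Filter {
  private static final Logger LOG = Logger.getLogger(SynchronizerTokenFilter.class.getName());

  // Assumption: the service is a CDI bean (it is annotated @Bean) and can be injected.
  @Inject
  private SynchronizerTokenService tokenService;

  @Override
  public void init(FilterConfig filterConfig) {
    // nothing to configure
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) resp;

    // Per the Javadoc, a resource is protected when the method is POST, PUT or DELETE, or when
    // the URI is declared as protected. Plain GETs of public pages pass straight through.
    if (tokenService.isAProtectedResource(request)) {
      try {
        // validate() is a no-op when the token mechanism is disabled; otherwise it checks
        // that the request is stamped with the session token (and the navigation token when
        // a protected navigation is in progress) and throws when it is not.
        tokenService.validate(request);
      } catch (TokenValidationException e) {
        // Fail closed: a missing or stale token means the request cannot be trusted.
        LOG.warning(() -> "Rejected untrusted request " + request.getMethod() + " "
            + request.getRequestURI() + ": " + e.getMessage());
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return;
      }
    }
    chain.doFilter(request, response);
  }

  @Override
  public void destroy() {
    // nothing to release
  }
}

/** Renders the hidden form fields that let a submission pass the filter above. */
class TokenFormFields {
  // Placeholders: the parameter names Silverpeas reads the tokens from are not on the page.
  static final String SESSION_TOKEN_PARAM = "SESSION_TOKEN_PARAM_PLACEHOLDER";
  static final String NAVIGATION_TOKEN_PARAM = "NAVIGATION_TOKEN_PARAM_PLACEHOLDER";

  static String hiddenFields(SynchronizerTokenService tokenService, HttpServletRequest request) {
    StringBuilder html = new StringBuilder();
    // The session token protects the whole user session; it is a NoneToken (not defined)
    // when no session is opened, in which case no field is emitted.
    appendField(html, SESSION_TOKEN_PARAM, tokenService.getSessionToken(request));
    // The navigation token is one-time and renewed on each validated request, so the value
    // carried by the current request is the one to re-emit for the next step.
    appendField(html, NAVIGATION_TOKEN_PARAM, tokenService.getNavigationToken(request));
    return html.toString();
  }

  private static void appendField(StringBuilder html, String name, Token token) {
    // Assumption: Token exposes isDefined() and getValue().
    if (token != null && token.isDefined()) {
      html.append("<input type=\"hidden\" name=\"").append(name)
          .append("\" value=\"").append(escape(token.getValue())).append("\"/>\n");
    }
  }

  /** Minimal HTML attribute escaping so a token value can never break out of the attribute. */
  private static String escape(String s) {
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
  }
}
```

Call `setUpSessionTokens(session)` once the user has authenticated (and again on privilege changes, since the Javadoc says an existing token is renewed rather than duplicated), and `setUpNavigationTokens(request)` at the entry point of a multi-step flow you want bound to a single navigation; the filter then rejects any state-changing request that does not carry the matching values.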