org.silverpeas.web.token
Class SynchronizerTokenService

java.lang.Object
  extended by org.silverpeas.web.token.SynchronizerTokenService

public class SynchronizerTokenService
extends Object

A service to manage the synchronizer tokens used in Silverpeas to protect user sessions and the web resources published by Silverpeas. Each resource in Silverpeas that is accessible through the Web can be protected by one or more security tokens. These tokens are called synchronizer tokens because they are transmitted within each request and must match the ones expected by Silverpeas for the requested resource. This service provides the functions to generate, validate and set such tokens for the Silverpeas web resources that must be protected (not all resources in Silverpeas require protection).

Author:
mmoquillon

Field Summary
static String NAVIGATION_TOKEN_KEY
static String SESSION_TOKEN_KEY

Constructor Summary
protected SynchronizerTokenService()

Method Summary
 Token getNavigationToken(javax.servlet.http.HttpServletRequest request)
          Gets the current one-time synchronizer token used to protect the web navigation within which the specified request is sent.
 Token getSessionToken(javax.servlet.http.HttpServletRequest request)
          Gets the synchronizer token used to protect the session of the user behind the specified request.
 Token getSessionToken(SessionInfo session)
          Gets the synchronizer token used to protect the specified user session.
protected  boolean isAProtectedResource(javax.servlet.http.HttpServletRequest request)
          Must the resource targeted by the specified request be protected by a synchronizer token?
 void setUpNavigationTokens(javax.servlet.http.HttpServletRequest request)
          Sets up a navigation token for the user behind the specified request.
 void setUpSessionTokens(SessionInfo session)
          Sets up a session token for the specified Silverpeas session.
 void validate(javax.servlet.http.HttpServletRequest request)
          Validates that the request to a Silverpeas web resource can be trusted.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

SESSION_TOKEN_KEY

public static final String SESSION_TOKEN_KEY
See Also:
Constant Field Values

NAVIGATION_TOKEN_KEY

public static final String NAVIGATION_TOKEN_KEY
See Also:
Constant Field Values

Constructor Detail

SynchronizerTokenService

protected SynchronizerTokenService()

Method Detail

setUpSessionTokens

public void setUpSessionTokens(SessionInfo session)
Sets up a session token for the specified Silverpeas session. It creates a synchronizer token to protect the specified open user session. If a token already protects the session, that token is renewed. A session token is used to validate that any request to a protected web resource is sent within an open and valid user session. The set-up occurs only if the token security mechanism is enabled.

Parameters:
session - the user session to protect with a synchronizer token.

setUpNavigationTokens

public void setUpNavigationTokens(javax.servlet.http.HttpServletRequest request)
Sets up a navigation token for the user behind the specified request. It creates a synchronizer token to protect the user's web navigation from this starting point (the resource currently targeted by the request). Within a protected navigation, each request must be stamped with the navigation token in order to be accepted; otherwise the request is rejected. Each time a request is validated with a navigation token, the token is renewed.

Parameters:
request - an HTTP request from which the navigation to protect is identified.

validate

public void validate(javax.servlet.http.HttpServletRequest request)
              throws TokenValidationException
Validates that the request to a Silverpeas web resource can be trusted. The request is validated only if the token security mechanism is enabled and the request targets a protected web resource. Access to a protected web resource is considered trusted if and only if the request is stamped with the security tokens expected for the requested resource; otherwise the request is not trusted and should be rejected. A request is stamped at least with the session token, that is, the token set with the user session.

Parameters:
request - the HTTP request to check.
Throws:
TokenValidationException - if the specified request cannot be trusted.

isAProtectedResource

protected boolean isAProtectedResource(javax.servlet.http.HttpServletRequest request)
Must the resource targeted by the specified request be protected by a synchronizer token? A resource is protected if either the request uses the POST, PUT or DELETE HTTP method, or the requested URI is declared as one to be protected.

Parameters:
request - the request to a possibly protected resource.
Returns:
true if the requested resource is a protected one, in which case the request should be validated.
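The following servlet filter is an added example, not Silverpeas code, showing how validate() and the protected-resource rule described above fit into a request pipeline: every request passes through validate(), which only does work when token security is enabled and the request targets a protected resource (POST, PUT, DELETE or a declared URI), and a TokenValidationException is turned into a 403 with a log line for detection. The page does not say how a SynchronizerTokenService instance is obtained, so the static factory SynchronizerTokenService.getInstance() used here is an assumption.

```java
// Added example (not Silverpeas code): enforcing SynchronizerTokenService#validate
// in a servlet filter. ASSUMPTION: the service is obtained through a hypothetical
// static factory SynchronizerTokenService.getInstance().
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.silverpeas.web.token.SynchronizerTokenService;
import org.silverpeas.web.token.TokenValidationException;

public class SynchronizerTokenFilter implements Filter {

  private static final Logger LOG = Logger.getLogger(SynchronizerTokenFilter.class.getName());

  private SynchronizerTokenService tokenService;

  @Override
  public void init(FilterConfig config) {
    // ASSUMPTION: the page does not document how the service is obtained.
    tokenService = SynchronizerTokenService.getInstance();
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) resp;
    try {
      // validate() is a no-op unless token security is enabled and the request
      // targets a protected resource (POST/PUT/DELETE or a declared URI). When it
      // does apply, the request must carry the session token (and, inside a
      // protected navigation, the one-time navigation token, which is renewed).
      tokenService.validate(request);
    } catch (TokenValidationException e) {
      // Reject before any state-changing handler runs. Log the context useful for
      // detection (method, URI, client address) but never the token values.
      LOG.log(Level.WARNING, "Synchronizer token rejected: {0} {1} from {2}",
          new Object[] {request.getMethod(), request.getRequestURI(), request.getRemoteAddr()});
      response.sendError(HttpServletResponse.SC_FORBIDDEN);
      return;
    }
    chain.doFilter(request, response);
  }

  @Override
  public void destroy() {
    tokenService = null;
  }
}
```

Map the filter to every URL pattern that can serve a protected resource; since validate() itself decides whether a given request needs checking, mapping it broadly costs little and avoids leaving a state-changing endpoint outside the check.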

getSessionToken

public Token getSessionToken(javax.servlet.http.HttpServletRequest request)
Gets the synchronizer token used to protect the session of the user behind the specified request.

Parameters:
request - an HTTP request.
Returns:
the synchronizer token. If no token was set for the session mapped to the specified request, or if no session is open, the returned token is undefined (NoneToken).

getSessionToken

public Token getSessionToken(SessionInfo session)
Gets the synchronizer token used to protect the specified user session.

Parameters:
session - an opened session of a user in Silverpeas
Returns:
the token protecting the specified session.

getNavigationToken

public Token getNavigationToken(javax.servlet.http.HttpServletRequest request)
Gets the current one-time synchronizer token used to protect the web navigation within which the specified request is sent.

Parameters:
request - an HTTP request.
Returns:
the synchronizer token. If no token is carried by the specified request to validate its origin, then a NoneToken is returned.
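The two getters above are the server-side half of stamping a request: the tokens have to reach the browser so that it can send them back with the next protected request. The helper below is an added example, not Silverpeas code, that emits the session and navigation tokens as hidden form fields and skips any token that is a NoneToken. It assumes, beyond what the page states, that the service is obtained through a hypothetical SynchronizerTokenService.getInstance(), that Token exposes isDefined() and getValue(), and that the values of SESSION_TOKEN_KEY and NAVIGATION_TOKEN_KEY are the field names under which the tokens are expected back.

```java
// Added example (not Silverpeas code): rendering synchronizer tokens into a form.
// ASSUMPTIONS: SynchronizerTokenService.getInstance(), Token#isDefined(),
// Token#getValue(), and the *_TOKEN_KEY constants as the hidden-field names.
import javax.servlet.http.HttpServletRequest;

import org.silverpeas.web.token.SynchronizerTokenService;
import org.silverpeas.web.token.Token;

public final class TokenFormFields {

  private TokenFormFields() {
  }

  /** Builds the hidden inputs to embed in a form that targets a protected resource. */
  public static String hiddenFields(HttpServletRequest request) {
    SynchronizerTokenService service = SynchronizerTokenService.getInstance(); // ASSUMPTION
    StringBuilder html = new StringBuilder();
    appendField(html, SynchronizerTokenService.SESSION_TOKEN_KEY, service.getSessionToken(request));
    appendField(html, SynchronizerTokenService.NAVIGATION_TOKEN_KEY, service.getNavigationToken(request));
    return html.toString();
  }

  private static void appendField(StringBuilder html, String name, Token token) {
    // A NoneToken means there is nothing to stamp the request with (no open session,
    // or no protected navigation); an empty field would only make validation fail
    // in a more confusing way, so emit nothing instead.
    if (token == null || !token.isDefined()) { // ASSUMPTION: Token#isDefined()
      return;
    }
    html.append("<input type=\"hidden\" name=\"").append(escape(name))
        .append("\" value=\"").append(escape(token.getValue())) // ASSUMPTION: Token#getValue()
        .append("\"/>\n");
  }

  /** Minimal HTML attribute escaping so a token value can never break out of the attribute. */
  static String escape(String s) {
    StringBuilder out = new StringBuilder(s.length());
    for (char c : s.toCharArray()) {
      switch (c) {
        case '&': out.append("&amp;"); break;
        case '<': out.append("&lt;"); break;
        case '>': out.append("&gt;"); break;
        case '"': out.append("&quot;"); break;
        case '\'': out.append("&#39;"); break;
        default: out.append(c);
      }
    }
    return out.toString();
  }
}
```

In a JSP the call sits inside the form element, for instance `<%= TokenFormFields.hiddenFields(request) %>`. Because the navigation token is one-time and renewed by each validated request, a page that keeps a stale copy of it (for example one loaded before a previous POST) will have its next protected request rejected; the form must be rendered, or its fields refreshed, after each protected request.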


Copyright © 2016 Silverpeas. All Rights Reserved.