public class CSRFRequestDataValueProcessor implements RequestDataValueProcessor
{
    /**
     * Leaves the form action untouched: the token travels as a hidden field
     * (see {@link #getExtraHiddenFields}) rather than in the action URL.
     *
     * @param request current request
     * @param action  form action exactly as written in the view
     * @return {@code action}, unchanged
     */
    @Override
    public String processAction(HttpServletRequest request, String action)
    {
        return action;
    }

    /**
     * Pass-through: ordinary form field values are not rewritten.
     *
     * @param request current request
     * @param name    field name
     * @param value   field value as rendered by the view
     * @param type    HTML input type
     * @return {@code value}, unchanged
     */
    @Override
    public String processFormFieldValue(HttpServletRequest request, String name, String value,
        String type)
    {
        return value;
    }

    /**
     * Adds the session-bound CSRF token to every form rendered through Spring's
     * form tags, as a hidden field named {@link CSRFTokenManager#CSRF_PARAM_NAME}.
     * This is the value {@code CSRFHandlerInterceptor} later compares against.
     *
     * <p>{@code request.getSession()} creates a session if none exists yet, so
     * merely rendering a form is enough to start one.
     *
     * <p>NOTE(review): Spring calls this for every form regardless of its HTTP
     * method. For a form submitted with GET the hidden field ends up in the
     * query string, and from there in browser history, server logs and Referer
     * headers — confirm that no GET forms are rendered with these tags, or the
     * token leaks.
     *
     * @param request current request; its session supplies the token
     * @return a single-entry map: token parameter name → token value
     */
    @Override
    public Map<String, String> getExtraHiddenFields(HttpServletRequest request)
    {
        String token = CSRFTokenManager.getTokenForSession(request.getSession());
        Map<String, String> extra = new HashMap<String, String>(1);
        extra.put(CSRFTokenManager.CSRF_PARAM_NAME, token);
        return extra;
    }

    /**
     * Pass-through: URLs are not rewritten, so the token is never appended to
     * links (which would expose it in the address bar and Referer headers).
     *
     * @param request current request
     * @param url     URL as written in the view
     * @return {@code url}, unchanged
     */
    @Override
    public String processUrl(HttpServletRequest request, String url)
    {
        return url;
    }
}
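public class CSRFHandlerInterceptor extends HandlerInterceptorAdapter
{
    /**
     * Rejects state-changing requests that do not carry the session's CSRF token.
     *
     * <p>Requests using a safe method (GET, HEAD, OPTIONS, TRACE) pass through
     * untouched. Every other method — POST as before, and now also PUT, PATCH and
     * DELETE, which can change state just as well and previously bypassed the
     * check entirely — must present, in the {@link CSRFTokenManager#CSRF_PARAM_NAME}
     * request parameter, the token stored in the current session. The comparison
     * is done in constant time. Anything else is answered with 403 and the
     * handler is not invoked.
     *
     * <p>A request without an existing session cannot hold a matching token, so it
     * is rejected without creating one (the previous version created an empty
     * session plus a fresh token only to fail the comparison).
     *
     * <p>NOTE(review): non-browser clients that issue PUT/PATCH/DELETE without the
     * token now receive 403; they must send the parameter or be routed around this
     * interceptor — confirm against the API's callers.
     *
     * @param request  incoming request
     * @param response used to send 403 when the check fails
     * @param handler  handler that would be invoked; not inspected
     * @return {@code true} to continue the handler chain, {@code false} after a
     *         403 has been sent
     * @throws Exception propagated from {@code response.sendError}
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
        Object handler) throws Exception
    {
        if (isSafeMethod(request.getMethod()))
        {
            return true;
        }

        // No session means no token was ever issued; do not create one just to fail.
        if (request.getSession(false) == null)
        {
            return reject(response);
        }

        String sessionToken = CSRFTokenManager.getTokenForSession(request.getSession());
        String requestToken = CSRFTokenManager.getTokenFromRequest(request);
        if (requestToken == null || !constantTimeEquals(sessionToken, requestToken))
        {
            return reject(response);
        }
        return true;
    }

    /**
     * Methods defined as safe (no server-side state change) by RFC 7231; only
     * these are exempt from the token check.
     *
     * @param method HTTP method name, compared case-insensitively
     * @return {@code true} for GET, HEAD, OPTIONS and TRACE
     */
    private static boolean isSafeMethod(String method)
    {
        return "GET".equalsIgnoreCase(method) || "HEAD".equalsIgnoreCase(method)
            || "OPTIONS".equalsIgnoreCase(method) || "TRACE".equalsIgnoreCase(method);
    }

    /**
     * Compares two tokens without stopping at the first differing byte, so response
     * timing does not reveal how much of the token a guess got right.
     * {@code MessageDigest.isEqual} still returns early on a length mismatch; the
     * tokens issued by {@link CSRFTokenManager} are fixed-length UUID strings, so
     * that reveals nothing useful.
     *
     * @param expected token held in the session (never {@code null})
     * @param actual   token supplied by the request (never {@code null})
     * @return {@code true} only if both are byte-for-byte identical
     */
    private static boolean constantTimeEquals(String expected, String actual)
    {
        java.nio.charset.Charset utf8 = java.nio.charset.Charset.forName("UTF-8");
        return java.security.MessageDigest.isEqual(expected.getBytes(utf8), actual.getBytes(utf8));
    }

    /**
     * Sends 403 with the same message as before and stops the handler chain.
     *
     * @param response response to write the error to
     * @return always {@code false}, for use as {@code return reject(response);}
     * @throws java.io.IOException from {@code sendError}
     */
    private static boolean reject(HttpServletResponse response) throws java.io.IOException
    {
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "Bad or missing CSRF value");
        return false;
    }
}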
final class CSRFTokenManager
{
    /** Name of the request parameter (and hidden form field) that carries the token. */
    static final String CSRF_PARAM_NAME = "CSRF_SECURITY_TOKEN";

    /** Session attribute under which the per-session token is kept. */
    private static final String CSRF_TOKEN_FOR_SESSION_ATTR_NAME =
        CSRFTokenManager.class.getName() + ".tokenval";

    /** Static utility; not instantiable. */
    private CSRFTokenManager()
    {
    }

    /**
     * Returns the token bound to the given session, minting one on first use.
     *
     * <p>The token is a random UUID string (122 random bits; the JDK documents
     * {@code UUID.randomUUID()} as using a cryptographically strong generator).
     * Once created it lives as long as the session: it is never rotated here.
     * NOTE(review): consider issuing a fresh token when the session's privilege
     * level changes (login), so a token observed before authentication cannot be
     * reused afterwards.
     *
     * <p>The session object is used as the lock so that two concurrent requests
     * for a session that has no token yet agree on one. NOTE(review): the
     * servlet spec does not guarantee that every request sees the same
     * {@code HttpSession} instance, so in a clustered or distributed-session
     * deployment this only narrows the race — confirm against the container.
     *
     * @param httpSession session to read from or write to; must not be {@code null}
     * @return the session's token, never {@code null}
     */
    static String getTokenForSession(HttpSession httpSession)
    {
        synchronized (httpSession)
        {
            String existing = (String)httpSession.getAttribute(CSRF_TOKEN_FOR_SESSION_ATTR_NAME);
            if (existing != null)
            {
                return existing;
            }
            String fresh = UUID.randomUUID().toString();
            httpSession.setAttribute(CSRF_TOKEN_FOR_SESSION_ATTR_NAME, fresh);
            return fresh;
        }
    }

    /**
     * Reads the token the client sent, from the {@link #CSRF_PARAM_NAME} request
     * parameter.
     *
     * <p>{@code getParameter} matches both query-string and form-body parameters,
     * so a token placed in a URL is also accepted; it is not read from any HTTP
     * header, so AJAX clients must send it as a parameter.
     *
     * @param request incoming request
     * @return the submitted token, or {@code null} if the parameter is absent
     */
    static String getTokenFromRequest(HttpServletRequest request)
    {
        return request.getParameter(CSRF_PARAM_NAME);
    }
}