Package org.forgerock.oauth2.core
Class CsrfProtection
java.lang.Object
  org.forgerock.oauth2.core.CsrfProtection

public class CsrfProtection extends Object
This class provides methods for checking if a request is a part of a cross-site request forgery attack (CSRF). The CSRF token used by the OAuth2/OIDC consent flow is a dedicated, random value bound to the authorization request. It is no longer derived from the SSO cookie, so the SSO cookie no longer needs to be script-readable and can be shipped as HttpOnly. For stateful sessions the token is stored as a protected session property; for stateless sessions a double-submit cookie is used as a fallback.

Field Summary
Modifier and Type    Field                    Description
static String        CSRF_SESSION_PROPERTY    Protected session property (see Constants.AM_PROTECTED_PROPERTY_PREFIX) holding the consent CSRF token.

Constructor Summary
Constructor                                                              Description
CsrfProtection(ResourceOwnerSessionValidator resourceOwnerSessionValidator)

Method Summary (All Methods, Instance Methods, Concrete Methods)
Modifier and Type    Method                                            Description
String               createCsrfToken(OAuth2Request request)            Creates a fresh, random CSRF token bound to the current authorization request.
protected boolean    isCookieSecure()                                  Whether cookies are issued with the Secure attribute (i.e. the deployment is HTTPS).
boolean              isCsrfAttack(OAuth2Request request)               Checks if the request contains the required "csrf" parameter and that it matches the token bound to the resource owner's authorization request (either the protected session property or the double-submit cookie).
protected String     readCookie(OAuth2Request request, String name)    Reads the value of the named cookie from the underlying servlet request.

Field Detail
CSRF_SESSION_PROPERTY
public static final String CSRF_SESSION_PROPERTY
Protected session property (see Constants.AM_PROTECTED_PROPERTY_PREFIX) holding the consent CSRF token.
See Also:
  Constant Field Values

Constructor Detail
CsrfProtection
@Inject public CsrfProtection(ResourceOwnerSessionValidator resourceOwnerSessionValidator)
Method Detail
createCsrfToken
public String createCsrfToken(OAuth2Request request)
Creates a fresh, random CSRF token bound to the current authorization request. The token is stored as a protected session property (for stateful sessions) and also issued as a double-submit cookie (the fallback used by stateless sessions). The returned value must be rendered into the consent page.
Parameters:
  request - The request.
Returns:
  The freshly minted CSRF token.

isCsrfAttack
public boolean isCsrfAttack(OAuth2Request request)
Checks if the request contains the required "csrf" parameter and that it matches the token bound to the resource owner's authorization request (either the protected session property or the double-submit cookie).
Parameters:
  request - The request.
Returns:
  true if the request is a CSRF attack, false if not.

readCookie
protected String readCookie(OAuth2Request request, String name)
Reads the value of the named cookie from the underlying servlet request. Extracted as a seam so that the double-submit logic can be unit-tested without static mocking.
Parameters:
  request - The OAuth2 request.
  name - The cookie name.
Returns:
  The cookie value, or null if absent.

isCookieSecure
protected boolean isCookieSecure()
Whether cookies are issued with the Secure attribute (i.e. the deployment is HTTPS). Extracted as a seam so that the double-submit logic can be unit-tested without static mocking.
Returns:
  true if cookies are marked secure.
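
The following is an added, self-contained illustration of the token scheme this class documents (random token minted per authorization request, kept in a protected session property for stateful sessions, with a double-submit cookie as the stateless fallback, and checked against the "csrf" parameter). It is not the project's CsrfProtection source: OAuth2Request, the session store and the servlet cookie API are replaced by a plain Request stand-in built from maps, and the property name, cookie name, 256-bit token length and constant-time comparison are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-in for the consent CSRF logic described above; not the
// project's own class. Maps replace OAuth2Request, the session and cookies.
public final class ConsentCsrfDemo {

    // Assumed names: the real CSRF_SESSION_PROPERTY carries the protected-property
    // prefix so that neither scripts nor clients can overwrite it.
    static final String CSRF_SESSION_PROPERTY = "am.protected.consentCsrf"; // assumed
    static final String CSRF_COOKIE = "consent-csrf";                       // assumed
    static final String CSRF_PARAM = "csrf";

    private static final SecureRandom RNG = new SecureRandom();

    /** Minimal request model: form parameters, cookies and an optional session. */
    static final class Request {
        final Map<String, String> params = new HashMap<>();
        final Map<String, String> cookies = new HashMap<>();
        final Map<String, String> session; // null models a stateless session
        Request(Map<String, String> session) { this.session = session; }
    }

    /** Mints a 256-bit random, URL-safe token and binds it to the request. */
    static String createCsrfToken(Request request) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        if (request.session != null) {
            // Stateful: the server-side copy is authoritative.
            request.session.put(CSRF_SESSION_PROPERTY, token);
        }
        // Double-submit cookie is issued in both cases; a real Set-Cookie would add
        // the Secure attribute whenever isCookieSecure() reports an HTTPS deployment.
        request.cookies.put(CSRF_COOKIE, token);
        return token; // the caller renders this into the consent form
    }

    /** Returns true when the submitted "csrf" parameter does not match the bound token. */
    static boolean isCsrfAttack(Request request) {
        String submitted = request.params.get(CSRF_PARAM);
        if (submitted == null || submitted.isEmpty()) {
            return true; // a missing parameter is rejected, never treated as "unknown"
        }
        String expected = request.session != null
                ? request.session.get(CSRF_SESSION_PROPERTY) // preferred source
                : request.cookies.get(CSRF_COOKIE);           // stateless fallback
        if (expected == null) {
            return true;
        }
        // Constant-time comparison so response timing does not leak the token.
        return !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Stateful session: the token lives in the protected session property.
        Request stateful = new Request(new HashMap<>());
        String token = createCsrfToken(stateful);
        stateful.params.put(CSRF_PARAM, token);
        System.out.println("stateful, matching token -> attack? " + isCsrfAttack(stateful));

        // Cross-site submission carrying a stale or guessed value.
        stateful.params.put(CSRF_PARAM, "stale-value");
        System.out.println("stateful, wrong token    -> attack? " + isCsrfAttack(stateful));

        // Stateless session: only the double-submit cookie is available.
        Request stateless = new Request(null);
        String second = createCsrfToken(stateless);
        stateless.params.put(CSRF_PARAM, second);
        System.out.println("stateless, cookie match  -> attack? " + isCsrfAttack(stateless));

        stateless.params.remove(CSRF_PARAM);
        System.out.println("stateless, no parameter  -> attack? " + isCsrfAttack(stateless));
    }
}
```

The two seams the page describes (readCookie and isCookieSecure) correspond here to the plain map lookup and the comment on the Set-Cookie attributes; in a real deployment the cookie path is what a unit test would stub, which is why the class exposes those methods as protected instead of calling the servlet API statically.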