Class CSRFProtector

java.lang.Object
com.ptc.core.appsec.CSRFProtector

public class CSRFProtector extends Object
CSRFProtector is a utility class that protects against cross-site request forgery (CSRF) attacks. When a new session is created, CSRFSessionListener adds a nonce to the session using addNonce(javax.servlet.http.HttpSession). When an action is generated, clients should use getNonce(javax.servlet.http.HttpServletRequest) to retrieve the nonce from the session and add it to the URL and/or form using NONCE_KEY as the parameter name. When the action is invoked, clients should call checkNonce(javax.servlet.http.HttpServletRequest) to compare the nonce in the request with the nonce in the session. If the two nonces differ, checkNonce(javax.servlet.http.HttpServletRequest) throws an exception carrying a user-friendly error message.

Supported API: true

Extendable: true
  • Method Summary

    Modifier and Type   Method / Description
    static void         checkNonce(javax.servlet.http.HttpServletRequest httpRequest)
                        Checks the nonce in the request to verify it is valid and has not expired.
    static String       getNonce(javax.servlet.http.HttpServletRequest httpRequest)
                        Returns the nonce stored in the session for the request.
    static String       getNonce(javax.servlet.http.HttpSession httpSession)
                        Returns the nonce stored in the session.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Method Details

    • getNonce

      public static String getNonce(javax.servlet.http.HttpServletRequest httpRequest)
      Returns the nonce stored in the session for the request. This nonce should be added to a URL and/or form using the NONCE_KEY as the parameter name. If the session doesn't have a nonce, a new nonce will be added to the session and returned.

      Supported API: true
      Parameters:
      httpRequest - The request.
      Returns:
      The nonce stored in the session for the request.
    • getNonce

      public static String getNonce(javax.servlet.http.HttpSession httpSession)
      Returns the nonce stored in the session. This nonce should be added to a URL and/or form using the NONCE_KEY as the parameter name. If the session doesn't have a nonce, a new nonce will be added to the session and returned.

      Supported API: true
      Parameters:
      httpSession - The session.
      Returns:
      The nonce stored in the session.
    • checkNonce

      public static void checkNonce(javax.servlet.http.HttpServletRequest httpRequest) throws WTException
      Checks the nonce in the request to verify it is valid and has not expired. The nonce is retrieved from the request parameters using NONCE_KEY as the key. Throws an exception with a user-friendly error message if the nonce is invalid or expired.

      Supported API: true
      Parameters:
      httpRequest - The request to validate.
      Throws:
      WTException - Thrown if the nonce is invalid or has expired.
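The round trip described above (getNonce when the form is rendered, checkNonce before the action runs), as an added example that is not part of the PTC documentation or product code. It assumes NONCE_KEY is a public String constant on CSRFProtector, that WTException lives in wt.util, and the servlet, form field and business logic are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ptc.core.appsec.CSRFProtector;
import wt.util.WTException; // assumed package for WTException

// Hypothetical servlet: GET renders the form, POST performs the state change.
public class RenameItemServlet extends HttpServlet {

    // Render side: fetch the session nonce (created on demand if the session
    // has none) and emit it as a hidden field named CSRFProtector.NONCE_KEY.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String nonce = CSRFProtector.getNonce(req);
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<form method=\"post\" action=\"rename\">");
        out.println("  <input type=\"hidden\" name=\"" + CSRFProtector.NONCE_KEY
                + "\" value=\"" + escapeAttr(nonce) + "\">");
        out.println("  <input type=\"text\" name=\"newName\">");
        out.println("  <button type=\"submit\">Rename</button>");
        out.println("</form>");
        // For a link-based action the same nonce goes on the query string:
        String link = "rename?" + CSRFProtector.NONCE_KEY + "="
                + URLEncoder.encode(nonce, "UTF-8");
        out.println("<a href=\"" + escapeAttr(link) + "\">Rename via link</a>");
    }

    // Action side: validate before touching any state. A missing, mismatched
    // or expired nonce surfaces as WTException; reject and do nothing else.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            CSRFProtector.checkNonce(req);
        } catch (WTException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, e.getLocalizedMessage());
            return;
        }
        String newName = req.getParameter("newName");
        // ... perform the rename (hypothetical business logic) ...
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Minimal attribute escaping so the value cannot break out of value="...".
    private static String escapeAttr(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;").replace("<", "&lt;");
    }
}
```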