Package de.elo.ix.client.plugin
Class SessionManagement
java.lang.Object
de.elo.ix.client.plugin.SessionManagement
This class is used internally by Indexserver and plugins to manage HTTP session attributes.
EIX-1817: CSRF protection for REST calls
Field Summary
Fields
HTTP_SESSION_HEADER_APPROVED - Header name for approved token.

Method Summary
static void apply(IXConnection conn, Optional<String> csrfTokenOpt, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
    Add ticket, IXConnection and CSRF token into HTTP session.
static boolean isApproved(jakarta.servlet.http.HttpServletRequest request)
    Check CSRF token.
Field Details
HTTP_SESSION_HEADER_APPROVED
Header name for approved token. The same name is used for the cookie that carries the CSRF token in the login response (see isApproved).
Method Details
apply
public static void apply(IXConnection conn, Optional<String> csrfTokenOpt, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
Add ticket, IXConnection and CSRF token into HTTP session.
Parameters:
conn - IXConnection
csrfTokenOpt - Token used to reject CSRF attacks against the rest-plugin.
request - HTTP request
response - HTTP response
isApproved
public static boolean isApproved(jakarta.servlet.http.HttpServletRequest request)
Check CSRF token. This function is called by the REST framework for methods annotated with de.elo.ix.rest.api.Approved to check for a CSRF attack. The client application receives a CSRF token as an HTTP cookie in the login response. In each subsequent request to the rest-plugin, the token must be submitted as an HTTP header. The cookie name and header name for the CSRF token is HTTP_SESSION_HEADER_APPROVED.
Parameters:
request - HTTP request
Returns:
true, if the CSRF token is correct.