Java tutorial
/** * Copyright 2016 Sean Kavanagh - sean.p.kavanagh6@gmail.com * <p/> * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * <p/> * http://www.apache.org/licenses/LICENSE-2.0 * <p/> * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.ec2box.common.interceptor; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession; import com.ec2box.common.util.AuthUtil; import org.apache.commons.lang3.StringUtils; import org.apache.struts2.ServletActionContext; import com.opensymphony.xwork2.ActionInvocation; import org.apache.struts2.interceptor.TokenInterceptor; /** * Interceptor class to prevent cross-site request forgery */ public class CSRFInterceptor extends TokenInterceptor { private static final long serialVersionUID = 7234421386123543997L; @Override protected String handleToken(ActionInvocation invocation) throws Exception { HttpServletRequest request = ServletActionContext.getRequest(); HttpSession session = request.getSession(true); synchronized (session) { String sessionToken = (String) session.getAttribute(AuthUtil.CSRF_TOKEN_NM); String token = request.getParameter(AuthUtil.CSRF_TOKEN_NM); if (StringUtils.isEmpty(token) || StringUtils.isEmpty(sessionToken) || !token.equals(sessionToken)) { AuthUtil.deleteAllSession(session); return this.handleInvalidToken(invocation); } //generate new token upon post if ("POST".equals(request.getMethod()) && !request.getContentType().contains("multipart/form-data")) { AuthUtil.generateCSRFToken(session); } } return this.handleValidToken(invocation); } }