



Commit MetaInfo

Revision83aaccae5021b9e6a8163d2dfd72ae3a12bc4ab0 (tree)
Time2009-08-23 18:26:56
Authorsenju <senju@user...>
Commitersenju

Log Message

CSRFインターセプターをマシに。

期限チェックを実装し、タブブラウザ等に対応。

Change Summary

Incremental Difference

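--- a/src/jp/sourceforge/rabbitBTS/interceptors/CSRFInterceptor.java
+++ b/src/jp/sourceforge/rabbitBTS/interceptors/CSRFInterceptor.java
@@ -17,9 +17,11 @@
 
 package jp.sourceforge.rabbitBTS.interceptors;
 
+import java.util.ArrayList;
 import java.util.Date;
-import java.util.LinkedList;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -36,6 +38,7 @@ import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
 * CSRF対策用インターセプター
 */
 public class CSRFInterceptor extends HandlerInterceptorAdapter {
+private int expireInSecond;
 
 /**
 * POSTの場合チェック処理
@@ -84,17 +87,29 @@ public class CSRFInterceptor extends HandlerInterceptorAdapter {
 }
 }
 
+/**
+* チェック用クラス
+*/
 class CsrfChecker {
 private final HttpServletRequest req;
-private List<Object> tokenList;
+private Map<String, Date> tokens;
 
+/**
+* コンストラクタ
+*
+* <p>
+* セッションにトークンのリストが存在しない場合、新規に作成しセッションに保存する。
+*
+* @param request
+*/
+@SuppressWarnings("unchecked")
 public CsrfChecker(HttpServletRequest request) {
 this.req = request;
-this.tokenList = (List) request.getSession().getAttribute(
-"tokenList");
-if (this.tokenList == null) {
-this.tokenList = new LinkedList<Object>();
-request.getSession().setAttribute("tokenList", this.tokenList);
+this.tokens = (Map<String, Date>) request.getSession()
+.getAttribute("tokens");
+if (this.tokens == null) {
+this.tokens = new HashMap<String, Date>();
+request.getSession().setAttribute("tokens", this.tokens);
 }
 }
 
@@ -105,26 +120,62 @@ public class CSRFInterceptor extends HandlerInterceptorAdapter {
 */
 public String saveNewToken() {
 final String token = RandomStringUtils.randomAlphanumeric(128);
-this.tokenList.add(token);
-this.tokenList.add(new Date());
-
+this.tokens.put(token, new Date());
 return token;
 }
 
+/**
+* チェックを行う
+*
+* @return 正しいパラメータが送信された場合true
+*/
 public boolean checkTokenValid() {
 final String reqToken = this.req.getParameter("secureToken");
+final Date datenow = new Date();
+// トークンチェック
 boolean found = false;
-for (int i = 0; i < this.tokenList.size(); i += 2) {
-final String token = (String) this.tokenList.get(i);
-if (token.equals(reqToken)) {
-// TODO:期限チェック
-found = true;
-break;
+if (this.tokens.containsKey(reqToken)) {
+found = checkExpire(datenow, this.tokens.get(reqToken));
+}
+
+// 削除チェック
+if (this.tokens.size() > 30) {
+final List<String> removeList = new ArrayList<String>();
+for (final String token : this.tokens.keySet()) {
+final Date created = this.tokens.get(token);
+if (!this.checkExpire(datenow, created)) {
+// 期限切れの場合
+removeList.add(token);
+Sht.log(this).finer("delete token: " + token);
+}
+}
+for (final String token : removeList) {
+this.tokens.remove(token);
 }
 }
-// TODO:期限切れ削除
+
 return found;
 }
+
+/**
+* 期限切れかチェックする。
+*
+* @param datenow
+* @param created
+* @return 期限以内の場合true
+*/
+private boolean checkExpire(Date datenow, Date created) {
+final long ageInMils = datenow.getTime() - created.getTime();
+return ageInMils / 1000 < CSRFInterceptor.this.expireInSecond;
+}
+}
+
+/**
+* @param expireInSecond
+* the expireInSecond to set
+*/
+public void setExpireInSecond(int expireInMinute) {
+this.expireInSecond = expireInMinute;
 }
 
 }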
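Review bot: The `HashMap` stored in the session is shared by every request in that session, and the cleanup loop in `checkTokenValid` iterates `this.tokens.keySet()` while a parallel request's `saveNewToken` may `put` into the same map; with the servlet container dispatching tab requests concurrently (the case this commit targets) that presumably ends in a `ConcurrentModificationException` or a corrupted map. Creating the map as `Collections.synchronizedMap(new HashMap<String, Date>())` in the constructor (adding `import java.util.Collections;` to the import block) and wrapping the `size()` check and the two loops in `synchronized (this.tokens) { ... }` closes that gap without changing the token semantics. `setExpireInSecond` names its parameter `expireInMinute` although the field, its Javadoc and the XML property all mean seconds, so the signature should read `public void setExpireInSecond(int expireInSecond)`; note also that an unset property leaves the field at 0, which makes `checkExpire` reject every token. The `finer` log in the cleanup loop writes the token value itself; logging only the number of removed tokens keeps credential-like values out of the log file even when they are already expired.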
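--- a/war/WEB-INF/rabbitBTS-servlet.xml
+++ b/war/WEB-INF/rabbitBTS-servlet.xml
@@ -35,7 +35,9 @@
 <bean class="jp.sourceforge.rabbitBTS.interceptors.AuthenticationInterceptor"
 id="authInterceptor" />
 <bean class="jp.sourceforge.rabbitBTS.interceptors.CSRFInterceptor"
-id="csrf" />
+id="csrf">
+<property name="expireInSecond" value="60" />
+</bean>
 <bean
 class="org.springframework.orm.jdo.support.OpenPersistenceManagerInViewInterceptor"
 id="openInView">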
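Review bot: The new `expireInSecond` property is set to 60 with no comment recording why, and since `CSRFInterceptor.checkExpire` rejects any token older than this value, a form that takes more than a minute to fill in is refused on submit. A short note above the property such as `<!-- CSRF token lifetime in seconds; a POST whose token is older than this is rejected -->` would let the next maintainer tune the value knowingly.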