
RabbitBTS: Commit

RabbitBTSのgitリポジトリ


Commit MetaInfo

Revision9088d3d69e664524d7b4290000a93b8bc2b32efe (tree)
Time2009-08-25 20:10:11
Authorsenju <senju@user...>
Commitersenju

Log Message

Merge branch 'master' of senju@git.sourceforge.jp:/gitroot/rabbit-bts/RabbitBTS

Change Summary

Incremental Difference

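--- a/src/jp/sourceforge/rabbitBTS/interceptors/CSRFInterceptor.java
+++ b/src/jp/sourceforge/rabbitBTS/interceptors/CSRFInterceptor.java
@@ -17,9 +17,11 @@
 
 package jp.sourceforge.rabbitBTS.interceptors;
 
-import java.util.List;
+import java.util.ArrayList;
 import java.util.Date;
-import java.util.LinkedList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -36,6 +38,7 @@ import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
 * CSRF対策用インターセプター
 */
 public class CSRFInterceptor extends HandlerInterceptorAdapter {
+ private int expireInSecond;
 
 /**
 * POSTの場合チェック処理
@@ -84,44 +87,95 @@ public class CSRFInterceptor extends HandlerInterceptorAdapter {
 }
 }
 
- class CsrfChecker{
- private HttpServletRequest req;
- private List<Object> tokenList;
- public CsrfChecker(HttpServletRequest request){
+ /**
+ * チェック用クラス
+ */
+ class CsrfChecker {
+ private final HttpServletRequest req;
+ private Map<String, Date> tokens;
+
+ /**
+ * コンストラクタ
+ *
+ * <p>
+ * セッションにトークンのリストが存在しない場合、新規に作成しセッションに保存する。
+ *
+ * @param request
+ */
+ @SuppressWarnings("unchecked")
+ public CsrfChecker(HttpServletRequest request) {
 this.req = request;
- this.tokenList = (List)request.getSession().getAttribute("tokenList");
- if(this.tokenList == null){
- this.tokenList = new LinkedList<Object>();
- request.getSession().setAttribute("tokenList", this.tokenList);
+ this.tokens = (Map<String, Date>) request.getSession()
+ .getAttribute("tokens");
+ if (this.tokens == null) {
+ this.tokens = new HashMap<String, Date>();
+ request.getSession().setAttribute("tokens", this.tokens);
 }
 }
 
 /**
 * トークンをセッションに保存する。
+ *
 * @return 保存された新規トークン
 */
- public String saveNewToken(){
+ public String saveNewToken() {
 final String token = RandomStringUtils.randomAlphanumeric(128);
- this.tokenList.add(token);
- this.tokenList.add(new Date());
-
+ this.tokens.put(token, new Date());
 return token;
 }
 
- public boolean checkTokenValid(){
+ /**
+ * チェックを行う
+ *
+ * @return 正しいパラメータが送信された場合true
+ */
+ public boolean checkTokenValid() {
 final String reqToken = this.req.getParameter("secureToken");
+ final Date datenow = new Date();
+ // トークンチェック
 boolean found = false;
- for(int i = 0; i < tokenList.size(); i+=2){
- final String token = (String)this.tokenList.get(i);
- if(token.equals(reqToken)){
- // TODO:期限チェック
- found = true;
- break;
+ if (this.tokens.containsKey(reqToken)) {
+ found = checkExpire(datenow, this.tokens.get(reqToken));
+ }
+
+ // 削除チェック
+ if (this.tokens.size() > 30) {
+ final List<String> removeList = new ArrayList<String>();
+ for (final String token : this.tokens.keySet()) {
+ final Date created = this.tokens.get(token);
+ if (!this.checkExpire(datenow, created)) {
+ // 期限切れの場合
+ removeList.add(token);
+ Sht.log(this).finer("delete token: " + token);
+ }
+ }
+ for (final String token : removeList) {
+ this.tokens.remove(token);
 }
 }
- // TODO:期限切れ削除
+
 return found;
 }
+
+ /**
+ * 期限切れかチェックする。
+ *
+ * @param datenow
+ * @param created
+ * @return 期限以内の場合true
+ */
+ private boolean checkExpire(Date datenow, Date created) {
+ final long ageInMils = datenow.getTime() - created.getTime();
+ return ageInMils / 1000 < CSRFInterceptor.this.expireInSecond;
+ }
+ }
+
+ /**
+ * @param expireInSecond
+ * the expireInSecond to set
+ */
+ public void setExpireInSecond(int expireInMinute) {
+ this.expireInSecond = expireInMinute;
 }
 
 }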
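Review bot: The `tokens` map the new `CsrfChecker` stores in the session is a plain `HashMap` that `saveNewToken` and `checkTokenValid` mutate with no synchronization, and the sweep in `checkTokenValid` walks `keySet()` while another request on the same session may be inserting; if the container dispatches concurrent requests per session (two tabs, parallel XHR), that is a `ConcurrentModificationException` or a lost token rather than a clean reject, so the map should be created as `Collections.synchronizedMap(new HashMap<String, Date>())` and the sweep wrapped in `synchronized (this.tokens) { ... }`. `expireInSecond` stays at Java's default of 0 when the bean property is omitted, which makes `checkExpire` return false for every token (`0 < 0`); that fails closed, but the field deserves a comment saying so, e.g. `// 0 (unset) rejects every token; configured via rabbitBTS-servlet.xml`. The setter's parameter `expireInMinute` contradicts both its Javadoc `@param expireInSecond` and the 60-second value wired in the XML; renaming it to `expireInSecond` removes the confusion. The token source `RandomStringUtils.randomAlphanumeric(128)` is an unchanged context line, but in commons-lang it draws from a non-cryptographic PRNG unless a `SecureRandom` is supplied, which matters for a CSRF token. The enclosing `CSRFInterceptor` class begins before this hunk.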
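--- a/war/WEB-INF/logging.properties
+++ b/war/WEB-INF/logging.properties
@@ -29,3 +29,9 @@ DataNucleus.SchemaTool.level=WARNING
 
 org.springframework.level=INFO
 jp.sourceforge.rabbitBTS.level=FINEST
+jp.sourceforge.rabuibbitBTS.interceptors.TraceInterceptor.level=SEVERE
+org.springframework.web.servlet.view.freemarker.FreeMarkerViewResolver.level=SEVERE
+
+#handlers=java.util.logging.SocketHandler
+#java.util.logging.SocketHandler.port = 9999
+#java.util.logging.SocketHandler.host = localhost
\ No newline at end of file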
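Review bot: The new logger name in `jp.sourceforge.rabuibbitBTS.interceptors.TraceInterceptor.level=SEVERE` is misspelled (`rabuibbitBTS`), so the line configures a logger nothing uses and `TraceInterceptor` keeps inheriting `FINEST` from `jp.sourceforge.rabbitBTS.level`; it should read `jp.sourceforge.rabbitBTS.interceptors.TraceInterceptor.level=SEVERE`. The commented-out `SocketHandler` block is harmless as committed, but if someone uncomments it the application's `FINEST` level would stream debug output over a plain TCP socket; a one-line comment above it such as `# local debugging only - never enable in production (unencrypted log stream)` would make that explicit. The file also still ends without a trailing newline.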
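--- a/war/WEB-INF/rabbitBTS-servlet.xml
+++ b/war/WEB-INF/rabbitBTS-servlet.xml
@@ -35,7 +35,9 @@
 <bean class="jp.sourceforge.rabbitBTS.interceptors.AuthenticationInterceptor"
 id="authInterceptor" />
 <bean class="jp.sourceforge.rabbitBTS.interceptors.CSRFInterceptor"
- id="csrf" />
+ id="csrf">
+ <property name="expireInSecond" value="60" />
+ </bean>
 <bean
 class="org.springframework.orm.jdo.support.OpenPersistenceManagerInViewInterceptor"
 id="openInView">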
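Review bot: The new `expireInSecond` property carries no explanation of what the 60 means, and a 60-second lifetime is a tight window for a CSRF token: any form a user leaves open for more than a minute will be rejected on submit, with whatever handling `CSRFInterceptor` applies on failure (not visible here). An XML comment on the property, e.g. `<!-- CSRF token lifetime in seconds; tokens older than this are rejected -->`, would make the trade-off explicit to whoever tunes it. If the value is raised substantially, note that the sweep in `CSRFInterceptor.CsrfChecker` as committed only drops expired entries once a session holds more than 30 tokens, so per-session memory grows with the lifetime.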