Package org.codelibs.fess.api.v2
Class SessionCsrfTokenManager
java.lang.Object
org.codelibs.fess.api.v2.SessionCsrfTokenManager
Helper that issues, verifies, and rotates per-session CSRF tokens.
Tokens are 256-bit random strings encoded with the URL-safe Base64
alphabet (no padding) and stored under SESSION_ATTR on the
HttpSession. The verification path uses a constant-time string
comparison to avoid timing side-channels.
-
Field Summary
FieldsModifier and TypeFieldDescriptionstatic final StringSession attribute name under which the CSRF token is stored. -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionissue(jakarta.servlet.http.HttpSession session) Returns the token bound tosession, creating one if absent.rotate(jakarta.servlet.http.HttpSession session) Rotates the session's CSRF token: invalidates any existing token and issues a fresh one in a single atomic call from the session's perspective.booleanVerifies thatprovidedmatches the token bound tosession.
-
Field Details
-
SESSION_ATTR
Session attribute name under which the CSRF token is stored.- See Also:
-
-
Constructor Details
-
SessionCsrfTokenManager
public SessionCsrfTokenManager()Default constructor used by the DI container.
-
-
Method Details
-
issue
Returns the token bound tosession, creating one if absent.- Parameters:
session- the HTTP session to read or update- Returns:
- the existing or newly issued token
-
verify
Verifies thatprovidedmatches the token bound tosession.- Parameters:
session- the HTTP session holding the stored tokenprovided- the candidate token to validate (typically from a request header or form field)- Returns:
truewhen both tokens are non-empty and equal in constant time
-
rotate
Rotates the session's CSRF token: invalidates any existing token and issues a fresh one in a single atomic call from the session's perspective.Callers that previously paired
rotate(); issue();will continue to work correctly because the secondissue(HttpSession)call is idempotent — it returns the token already set by this method.- Parameters:
session- the HTTP session to rotate the token in- Returns:
- the newly issued token, or
nullifsessionisnull
-