import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
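/**
 * Validates the CSRF token carried in the {@code X-Bonita-API-Token} request header
 * against the {@code api_token} attribute stored in the HTTP session.
 */
public class TokenValidator {

    /** Session attribute that holds the expected CSRF token. */
    private static final String API_TOKEN_SESSION_ATTR = "api_token";

    /** Request header in which the client must echo the CSRF token. */
    private static final String CSRF_TOKEN_HEADER = "X-Bonita-API-Token";

    /**
     * Logger
     */
    private static final def LOGGER = Logger.getLogger("org.bonitasoft.custompage.TokenValidator");

    /**
     * Checks the CSRF token of the request.
     *
     * When the session holds an {@code api_token} attribute, the request must carry the same
     * value in the {@code X-Bonita-API-Token} header; otherwise the response status is set to
     * {@link HttpServletResponse#SC_UNAUTHORIZED} and {@code false} is returned. When there is
     * no session or the session has no token, validation is not active and {@code true} is
     * returned.
     *
     * @param httpRequest  the incoming request
     * @param httpResponse the response on which the 401 status is set when validation fails
     * @return {@code true} if the request may proceed, {@code false} if it was rejected
     */
    public static boolean checkCSRFToken(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
        //Get CSRF token from request in 'X-Bonita-API-Token' header
        def headerFromRequest = httpRequest.getHeader(CSRF_TOKEN_HEADER);
        // getSession(false): a validator must not create a session as a side effect of
        // being asked; without a session there is no expected token and validation is inactive.
        def session = httpRequest.getSession(false);
        def apiToken = session == null ? null : session.getAttribute(API_TOKEN_SESSION_ATTR);
        if (apiToken == null) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Token Validation is not active. No CSRF token in session.");
            }
            return true;
        }
        if (!tokensMatch(headerFromRequest, apiToken)) {
            // Neither token value is logged: the session token is a secret that would otherwise
            // leak into log files, and the header value is attacker-controlled.
            LOGGER.severe("Token Validation failed: header " + CSRF_TOKEN_HEADER
                    + (headerFromRequest == null ? " is missing" : " does not match the session token"));
            httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "Token Validation succeeded");
        }
        return true;
    }

    /**
     * Compares the header value with the session token in constant time, so the comparison
     * does not reveal how much of the expected token matched through timing.
     * A missing header or a non-String session attribute never matches.
     *
     * @param headerFromRequest value of the CSRF header, may be {@code null}
     * @param apiToken          value of the session attribute, never {@code null} here
     * @return {@code true} if both values are equal
     */
    private static boolean tokensMatch(String headerFromRequest, Object apiToken) {
        if (headerFromRequest == null || !(apiToken instanceof String)) {
            return false;
        }
        return MessageDigest.isEqual(
                headerFromRequest.getBytes(StandardCharsets.UTF_8),
                ((String) apiToken).getBytes(StandardCharsets.UTF_8));
    }
}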