1   /*
2    * Copyright (c) 2002-2014, Mairie de Paris
3    * All rights reserved.
4    *
5    * Redistribution and use in source and binary forms, with or without
6    * modification, are permitted provided that the following conditions
7    * are met:
8    *
9    *  1. Redistributions of source code must retain the above copyright notice
10   *     and the following disclaimer.
11   *
12   *  2. Redistributions in binary form must reproduce the above copyright notice
13   *     and the following disclaimer in the documentation and/or other materials
14   *     provided with the distribution.
15   *
16   *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
17   *     contributors may be used to endorse or promote products derived from
18   *     this software without specific prior written permission.
19   *
20   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21   * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23   * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
24   * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25   * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26   * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27   * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28   * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30   * POSSIBILITY OF SUCH DAMAGE.
31   *
32   * License 1.0
33   */
34  package fr.paris.lutece.portal.service.security;
35  
36  import fr.paris.lutece.portal.service.spring.SpringContextService;
37  
38  import java.util.HashMap;
39  import java.util.HashSet;
40  import java.util.Map;
41  import java.util.Set;
42  import java.util.UUID;
43  
44  import javax.servlet.http.HttpServletRequest;
45  import javax.servlet.http.HttpSession;
46  
47  
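/**
 * This class provides a security service for getting and verifying one-time tokens.
 * <p>
 * Tokens are stored in the HTTP session, grouped by action name, and a token is
 * removed from the session the first time it validates successfully, so it cannot
 * be replayed. Tokens that are never validated remain in the session until it
 * expires.
 * <p>
 * NOTE(review): the per-session token map is a plain {@link HashMap}; concurrent
 * requests that share one session are not synchronized against each other.
 */
public class SecurityTokenService implements ISecurityTokenService
{
    public static final String MARK_TOKEN = "token";
    public static final String PARAMETER_TOKEN = "token";
    private static final String BEAN_SECURITY_TOKEN_SERVICE = "securityTokenService";
    private static final String PARAMETER_SESSION_TOKENS = "tokens";
    private static ISecurityTokenService _singleton;

    /**
     * Private constructor: instances are obtained from the Spring context through
     * {@link #getInstance()}.
     */
    private SecurityTokenService(  )
    {
    }

    /**
     * Returns the instance of the singleton.
     * <p>
     * Synchronized so that concurrent first callers resolve the bean only once and
     * all observe the same instance.
     *
     * @return The instance of the singleton
     */
    public static synchronized ISecurityTokenService getInstance(  )
    {
        if ( _singleton == null )
        {
            _singleton = SpringContextService.getBean( BEAN_SECURITY_TOKEN_SERVICE );
        }

        return _singleton;
    }

    /**
     * {@inheritDoc}
     * <p>
     * Generates a fresh random token, records it in the session under
     * {@code strAction} (creating the session and the token map if needed) and
     * returns it.
     *
     * @param request the current request; its session is created if absent
     * @param strAction the action the token protects
     * @return the newly generated token
     */
    @Override
    public String getToken( HttpServletRequest request, String strAction )
    {
        String strToken = generateNewKey(  );
        HttpSession session = request.getSession( true );
        Map<String, Set<String>> hashTokens = getSessionTokens( session, true );

        Set<String> actionTokens = hashTokens.get( strAction );

        if ( actionTokens == null )
        {
            actionTokens = new HashSet<String>(  );
            hashTokens.put( strAction, actionTokens );
        }

        actionTokens.add( strToken );

        return strToken;
    }

    /**
     * {@inheritDoc}
     * <p>
     * The token is read from the {@link #PARAMETER_TOKEN} request parameter.
     * Validation succeeds only if the session already holds that token for
     * {@code strAction}; the token is then consumed. No session is created by this
     * method: a request without a session cannot carry a valid token.
     *
     * @param request the current request
     * @param strAction the action the token must have been issued for
     * @return {@code true} if the token was valid and has now been consumed
     */
    @Override
    public boolean validate( HttpServletRequest request, String strAction )
    {
        HttpSession session = request.getSession( false );

        if ( session == null )
        {
            return false;
        }

        String strToken = request.getParameter( PARAMETER_TOKEN );

        // generateNewKey( ) never produces null, so a missing parameter can never match
        if ( strToken == null )
        {
            return false;
        }

        Map<String, Set<String>> hashTokens = getSessionTokens( session, false );

        if ( hashTokens == null )
        {
            return false;
        }

        Set<String> actionTokens = hashTokens.get( strAction );

        // remove( ) returns true only if the token was present: check and consume in one step
        return ( actionTokens != null ) && actionTokens.remove( strToken );
    }

    /**
     * Returns the map of issued tokens stored in the session, keyed by action name.
     *
     * @param session the HTTP session, never null
     * @param bCreate whether to create and store an empty map when the session has none
     * @return the token map, or {@code null} when absent and {@code bCreate} is false
     */
    @SuppressWarnings( "unchecked" )
    private static Map<String, Set<String>> getSessionTokens( HttpSession session, boolean bCreate )
    {
        // Unchecked cast: assumes nothing outside this class writes the "tokens" attribute -- TODO confirm
        Map<String, Set<String>> hashTokens = (Map<String, Set<String>>) session.getAttribute( PARAMETER_SESSION_TOKENS );

        if ( ( hashTokens == null ) && bCreate )
        {
            hashTokens = new HashMap<String, Set<String>>(  );
            session.setAttribute( PARAMETER_SESSION_TOKENS, hashTokens );
        }

        return hashTokens;
    }

    /**
     * Generate a new key.
     * <p>
     * {@link UUID#randomUUID()} is backed by a cryptographically strong random
     * number generator, so the token is not guessable from previous tokens.
     *
     * @return a new key
     */
    private String generateNewKey(  )
    {
        UUID key = UUID.randomUUID(  );

        return key.toString(  );
    }
}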