SecurityTokenService.java

  1. /*
  2.  * Copyright (c) 2002-2022, City of Paris
  3.  * All rights reserved.
  4.  *
  5.  * Redistribution and use in source and binary forms, with or without
  6.  * modification, are permitted provided that the following conditions
  7.  * are met:
  8.  *
  9.  *  1. Redistributions of source code must retain the above copyright notice
  10.  *     and the following disclaimer.
  11.  *
  12.  *  2. Redistributions in binary form must reproduce the above copyright notice
  13.  *     and the following disclaimer in the documentation and/or other materials
  14.  *     provided with the distribution.
  15.  *
  16.  *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
  17.  *     contributors may be used to endorse or promote products derived from
  18.  *     this software without specific prior written permission.
  19.  *
  20.  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  21.  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  22.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  23.  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
  24.  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  25.  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  26.  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  27.  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  28.  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  29.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  30.  * POSSIBILITY OF SUCH DAMAGE.
  31.  *
  32.  * License 1.0
  33.  */
  34. package fr.paris.lutece.portal.service.security;

  36. import fr.paris.lutece.portal.service.spring.SpringContextService;

  38. import java.util.HashMap;
  39. import java.util.HashSet;
  40. import java.util.Map;
  41. import java.util.Set;
  42. import java.util.UUID;

  44. import javax.servlet.http.HttpServletRequest;
  45. import javax.servlet.http.HttpSession;

  47. /**
  48.  *
  49.  * This class provides a security service for getting and verify tokens
  50.  *
  51.  */
  52. public class SecurityTokenService implements ISecurityTokenService
  53. {
  54.     public static final String MARK_TOKEN = "token";
  55.     public static final String PARAMETER_TOKEN = "token";
  56.     private static final String BEAN_SECURITY_TOKEN_SERVICE = "securityTokenService";
  57.     private static final String PARAMETER_SESSION_TOKENS = "tokens";
  58.     private static ISecurityTokenService _singleton;

  60.     /**
  61.      * SecurityTokenService
  62.      */
  63.     private SecurityTokenService( )
  64.     {
  65.     }

  67.     /**
  68.      * Returns the instance of the singleton
  69.      *
  70.      * @return The instance of the singleton
  71.      */
  72.     public static synchronized ISecurityTokenService getInstance( )
  73.     {
  74.         if ( _singleton == null )
  75.         {
  76.             _singleton = SpringContextService.getBean( BEAN_SECURITY_TOKEN_SERVICE );
  77.         }

  79.         return _singleton;
  80.     }

  82.     /**
  83.      * {@inheritDoc}
  84.      */
  85.     @Override
  86.     public String getToken( HttpServletRequest request, String strAction )
  87.     {
  88.         String strToken = generateNewKey( );
  89.         HttpSession session = request.getSession( true );

  91.         if ( session.getAttribute( PARAMETER_SESSION_TOKENS ) == null )
  92.         {
  93.             session.setAttribute( PARAMETER_SESSION_TOKENS, new HashMap<String, HashSet<String>>( ) );
  94.         }

  96.         Map<String, HashSet<String>> hashTokens = (Map<String, HashSet<String>>) session.getAttribute( PARAMETER_SESSION_TOKENS );

  98.         if ( !hashTokens.containsKey( strAction ) )
  99.         {
  100.             hashTokens.put( strAction, new HashSet<>( ) );
  101.         }

  103.         hashTokens.get( strAction ).add( strToken );

  105.         return strToken;
  106.     }

  108.     /**
  109.      * {@inheritDoc}
  110.      */
  111.     @Override
  112.     public boolean validate( HttpServletRequest request, String strAction )
  113.     {
  114.         HttpSession session = request.getSession( true );

  116.         String strToken = request.getParameter( PARAMETER_TOKEN );

  118.         if ( ( session.getAttribute( PARAMETER_SESSION_TOKENS ) != null )
  119.                 && ( (Map<String, Set<String>>) session.getAttribute( PARAMETER_SESSION_TOKENS ) ).containsKey( strAction )
  120.                 && ( (Map<String, Set<String>>) session.getAttribute( PARAMETER_SESSION_TOKENS ) ).get( strAction ).contains( strToken ) )
  121.         {
  122.             ( (Map<String, Set<String>>) session.getAttribute( PARAMETER_SESSION_TOKENS ) ).get( strAction ).remove( strToken );

  124.             return true;
  125.         }

  127.         return false;
  128.     }

  130.     /**
  131.      * Generate a new key
  132.      *
  133.      * @return a new key
  134.      */
  135.     private String generateNewKey( )
  136.     {
  137.         UUID key = UUID.randomUUID( );

  139.         return key.toString( );
  140.     }
  141. }
Created with JaCoCo 0.8.4.201905082037