View Javadoc
1   /*
2    * Copyright (c) 2002-2022, City of Paris
3    * All rights reserved.
4    *
5    * Redistribution and use in source and binary forms, with or without
6    * modification, are permitted provided that the following conditions
7    * are met:
8    *
9    *  1. Redistributions of source code must retain the above copyright notice
10   *     and the following disclaimer.
11   *
12   *  2. Redistributions in binary form must reproduce the above copyright notice
13   *     and the following disclaimer in the documentation and/or other materials
14   *     provided with the distribution.
15   *
16   *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
17   *     contributors may be used to endorse or promote products derived from
18   *     this software without specific prior written permission.
19   *
20   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21   * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23   * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
24   * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25   * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26   * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27   * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28   * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30   * POSSIBILITY OF SUCH DAMAGE.
31   *
32   * License 1.0
33   */
34  package fr.paris.lutece.portal.service.security;
35  
36  import fr.paris.lutece.portal.service.spring.SpringContextService;
37  
38  import java.util.HashMap;
39  import java.util.HashSet;
40  import java.util.Map;
41  import java.util.Set;
42  import java.util.UUID;
43  
44  import javax.servlet.http.HttpServletRequest;
45  import javax.servlet.http.HttpSession;
46  
47  /**
48   *
49   * This class provides a security service for getting and verify tokens
50   *
51   */
52  public class SecurityTokenService implements ISecurityTokenService
53  {
54      public static final String MARK_TOKEN = "token";
55      public static final String PARAMETER_TOKEN = "token";
56      private static final String BEAN_SECURITY_TOKEN_SERVICE = "securityTokenService";
57      private static final String PARAMETER_SESSION_TOKENS = "tokens";
58      private static ISecurityTokenService _singleton;
59  
60      /**
61       * SecurityTokenService
62       */
63      private SecurityTokenService( )
64      {
65      }
66  
67      /**
68       * Returns the instance of the singleton
69       *
70       * @return The instance of the singleton
71       */
72      public static synchronized ISecurityTokenService getInstance( )
73      {
74          if ( _singleton == null )
75          {
76              _singleton = SpringContextService.getBean( BEAN_SECURITY_TOKEN_SERVICE );
77          }
78  
79          return _singleton;
80      }
81  
82      /**
83       * {@inheritDoc}
84       */
85      @Override
86      public String getToken( HttpServletRequest request, String strAction )
87      {
88          String strToken = generateNewKey( );
89          HttpSession session = request.getSession( true );
90  
91          if ( session.getAttribute( PARAMETER_SESSION_TOKENS ) == null )
92          {
93              session.setAttribute( PARAMETER_SESSION_TOKENS, new HashMap<String, HashSet<String>>( ) );
94          }
95  
96          Map<String, HashSet<String>> hashTokens = (Map<String, HashSet<String>>) session.getAttribute( PARAMETER_SESSION_TOKENS );
97  
98          if ( !hashTokens.containsKey( strAction ) )
99          {
100             hashTokens.put( strAction, new HashSet<>( ) );
101         }
102 
103         hashTokens.get( strAction ).add( strToken );
104 
105         return strToken;
106     }
107 
108     /**
109      * {@inheritDoc}
110      */
111     @Override
112     public boolean validate( HttpServletRequest request, String strAction )
113     {
114         HttpSession session = request.getSession( true );
115 
116         String strToken = request.getParameter( PARAMETER_TOKEN );
117 
118         if ( ( session.getAttribute( PARAMETER_SESSION_TOKENS ) != null )
119                 && ( (Map<String, Set<String>>) session.getAttribute( PARAMETER_SESSION_TOKENS ) ).containsKey( strAction )
120                 && ( (Map<String, Set<String>>) session.getAttribute( PARAMETER_SESSION_TOKENS ) ).get( strAction ).contains( strToken ) )
121         {
122             ( (Map<String, Set<String>>) session.getAttribute( PARAMETER_SESSION_TOKENS ) ).get( strAction ).remove( strToken );
123 
124             return true;
125         }
126 
127         return false;
128     }
129 
130     /**
131      * Generate a new key
132      *
133      * @return a new key
134      */
135     private String generateNewKey( )
136     {
137         UUID key = UUID.randomUUID( );
138 
139         return key.toString( );
140     }
141 }