001: /*
002: * $Id: TokenProcessor.java 471754 2006-11-06 14:55:09Z husted $
003: *
004: * Licensed to the Apache Software Foundation (ASF) under one
005: * or more contributor license agreements. See the NOTICE file
006: * distributed with this work for additional information
007: * regarding copyright ownership. The ASF licenses this file
008: * to you under the Apache License, Version 2.0 (the
009: * "License"); you may not use this file except in compliance
010: * with the License. You may obtain a copy of the License at
011: *
012: * http://www.apache.org/licenses/LICENSE-2.0
013: *
014: * Unless required by applicable law or agreed to in writing,
015: * software distributed under the License is distributed on an
016: * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
017: * KIND, either express or implied. See the License for the
018: * specific language governing permissions and limitations
019: * under the License.
020: */
021: package org.apache.struts.util;
022:
023: import org.apache.struts.Globals;
024:
025: import javax.servlet.http.HttpServletRequest;
026: import javax.servlet.http.HttpSession;
027:
028: import java.security.MessageDigest;
029: import java.security.NoSuchAlgorithmException;
030:
031: /**
032: * TokenProcessor is responsible for handling all token related functionality.
033: * The methods in this class are synchronized to protect token processing from
034: * multiple threads. Servlet containers are allowed to return a different
035: * HttpSession object for two threads accessing the same session so it is not
036: * possible to synchronize on the session.
037: *
038: * @since Struts 1.1
039: */
040: public class TokenProcessor {
041: /**
042: * The singleton instance of this class.
043: */
044: private static TokenProcessor instance = new TokenProcessor();
045:
046: /**
047: * The timestamp used most recently to generate a token value.
048: */
049: private long previous;
050:
051: /**
052: * Protected constructor for TokenProcessor. Use TokenProcessor.getInstance()
053: * to obtain a reference to the processor.
054: */
055: protected TokenProcessor() {
056: super ();
057: }
058:
059: /**
060: * Retrieves the singleton instance of this class.
061: */
062: public static TokenProcessor getInstance() {
063: return instance;
064: }
065:
066: /**
067: * <p>Return <code>true</code> if there is a transaction token stored in
068: * the user's current session, and the value submitted as a request
069: * parameter with this action matches it. Returns <code>false</code>
070: * under any of the following circumstances:</p>
071: *
072: * <ul>
073: *
074: * <li>No session associated with this request</li>
075: *
076: * <li>No transaction token saved in the session</li>
077: *
078: * <li>No transaction token included as a request parameter</li>
079: *
080: * <li>The included transaction token value does not match the transaction
081: * token in the user's session</li>
082: *
083: * </ul>
084: *
085: * @param request The servlet request we are processing
086: */
087: public synchronized boolean isTokenValid(HttpServletRequest request) {
088: return this .isTokenValid(request, false);
089: }
090:
091: /**
092: * Return <code>true</code> if there is a transaction token stored in the
093: * user's current session, and the value submitted as a request parameter
094: * with this action matches it. Returns <code>false</code>
095: *
096: * <ul>
097: *
098: * <li>No session associated with this request</li> <li>No transaction
099: * token saved in the session</li>
100: *
101: * <li>No transaction token included as a request parameter</li>
102: *
103: * <li>The included transaction token value does not match the transaction
104: * token in the user's session</li>
105: *
106: * </ul>
107: *
108: * @param request The servlet request we are processing
109: * @param reset Should we reset the token after checking it?
110: */
111: public synchronized boolean isTokenValid(
112: HttpServletRequest request, boolean reset) {
113: // Retrieve the current session for this request
114: HttpSession session = request.getSession(false);
115:
116: if (session == null) {
117: return false;
118: }
119:
120: // Retrieve the transaction token from this session, and
121: // reset it if requested
122: String saved = (String) session
123: .getAttribute(Globals.TRANSACTION_TOKEN_KEY);
124:
125: if (saved == null) {
126: return false;
127: }
128:
129: if (reset) {
130: this .resetToken(request);
131: }
132:
133: // Retrieve the transaction token included in this request
134: String token = request.getParameter(Globals.TOKEN_KEY);
135:
136: if (token == null) {
137: return false;
138: }
139:
140: return saved.equals(token);
141: }
142:
143: /**
144: * Reset the saved transaction token in the user's session. This
145: * indicates that transactional token checking will not be needed on the
146: * next request that is submitted.
147: *
148: * @param request The servlet request we are processing
149: */
150: public synchronized void resetToken(HttpServletRequest request) {
151: HttpSession session = request.getSession(false);
152:
153: if (session == null) {
154: return;
155: }
156:
157: session.removeAttribute(Globals.TRANSACTION_TOKEN_KEY);
158: }
159:
160: /**
161: * Save a new transaction token in the user's current session, creating a
162: * new session if necessary.
163: *
164: * @param request The servlet request we are processing
165: */
166: public synchronized void saveToken(HttpServletRequest request) {
167: HttpSession session = request.getSession();
168: String token = generateToken(request);
169:
170: if (token != null) {
171: session.setAttribute(Globals.TRANSACTION_TOKEN_KEY, token);
172: }
173: }
174:
175: /**
176: * Generate a new transaction token, to be used for enforcing a single
177: * request for a particular transaction.
178: *
179: * @param request The request we are processing
180: */
181: public synchronized String generateToken(HttpServletRequest request) {
182: HttpSession session = request.getSession();
183:
184: return generateToken(session.getId());
185: }
186:
187: /**
188: * Generate a new transaction token, to be used for enforcing a single
189: * request for a particular transaction.
190: *
191: * @param id a unique Identifier for the session or other context in which
192: * this token is to be used.
193: */
194: public synchronized String generateToken(String id) {
195: try {
196: long current = System.currentTimeMillis();
197:
198: if (current == previous) {
199: current++;
200: }
201:
202: previous = current;
203:
204: byte[] now = new Long(current).toString().getBytes();
205: MessageDigest md = MessageDigest.getInstance("MD5");
206:
207: md.update(id.getBytes());
208: md.update(now);
209:
210: return toHex(md.digest());
211: } catch (NoSuchAlgorithmException e) {
212: return null;
213: }
214: }
215:
216: /**
217: * Convert a byte array to a String of hexadecimal digits and return it.
218: *
219: * @param buffer The byte array to be converted
220: */
221: private String toHex(byte[] buffer) {
222: StringBuffer sb = new StringBuffer(buffer.length * 2);
223:
224: for (int i = 0; i < buffer.length; i++) {
225: sb.append(Character.forDigit((buffer[i] & 0xf0) >> 4, 16));
226: sb.append(Character.forDigit(buffer[i] & 0x0f, 16));
227: }
228:
229: return sb.toString();
230: }
231: }
|