

/*
 * Copyright (c) 2002-2003 by OpenSymphony
 * All rights reserved.
 */

5 package com.opensymphony.webwork.util;
7 import com.opensymphony.util.GUID;
8 import com.opensymphony.xwork.util.LocalizedTextUtil;
9 import org.apache.commons.logging.Log;
10 import org.apache.commons.logging.LogFactory;
11
12 import javax.servlet.http.HttpServletRequest JavaDoc;
13 import javax.servlet.http.HttpSession JavaDoc;
14 import java.util.Map JavaDoc;
/**
 * TokenHelper
 *
 * @author Jason Carreira
 * Created Apr 3, 2003 9:21:53 AM
 */

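public class TokenHelper {
    //~ Static fields/initializers /////////////////////////////////////////////

    /**
     * The default name under which the token value is stored in the session
     * (and expected back as a request parameter).
     */
    public static final String DEFAULT_TOKEN_NAME = "webwork.token";

    /**
     * The name of the request parameter that carries the token name, i.e. the
     * session attribute / parameter name under which the token value itself lives.
     */
    public static final String TOKEN_NAME_FIELD = "webwork.token.name";

    private static final Log LOG = LogFactory.getLog(TokenHelper.class);

    //~ Methods ////////////////////////////////////////////////////////////////

    /**
     * Sets a transaction token into the session using the default token name.
     *
     * @param request the current request; a session is created if none exists
     * @return the freshly generated token string
     */
    public static String setToken(HttpServletRequest request) {
        return setToken(DEFAULT_TOKEN_NAME, request);
    }

    /**
     * Sets a transaction token into the session using the provided token name.
     * Any token previously stored under {@code tokenName} is overwritten.
     *
     * @param tokenName the session attribute name to store the token under
     * @param request   the current request; a session is created if none exists
     * @return the freshly generated token string
     */
    public static String setToken(String tokenName, HttpServletRequest request) {
        HttpSession session = request.getSession(true);
        String token = GUID.generateGUID();
        session.setAttribute(tokenName, token);

        return token;
    }

    /**
     * Gets the token value from the request parameters using the given name.
     *
     * @param tokenName the name of the parameter which holds the token value
     * @param request   the current request
     * @return the first value of that parameter, or {@code null} if the parameter
     *         is absent or empty (a warning is logged in that case)
     */
    public static String getToken(String tokenName, HttpServletRequest request) {
        Map params = request.getParameterMap();
        // Servlet API guarantees parameter-map values are String[]
        String[] tokens = (String[]) params.get(tokenName);

        if ((tokens == null) || (tokens.length < 1)) {
            LOG.warn("Could not find token mapped to token name " + tokenName);

            return null;
        }

        // only the first value is honoured; extra values are ignored
        return tokens[0];
    }

    /**
     * Gets the token name from the request parameters (the value of the
     * {@link #TOKEN_NAME_FIELD} parameter). Note that this value is supplied by
     * the client, so callers must treat it as untrusted input.
     *
     * @param request the current request
     * @return the token name found in the params, or {@code null} if it could not be found
     */
    public static String getTokenName(HttpServletRequest request) {
        Map params = request.getParameterMap();

        if (!params.containsKey(TOKEN_NAME_FIELD)) {
            LOG.warn("Could not find token name in params.");

            return null;
        }

        String[] tokenNames = (String[]) params.get(TOKEN_NAME_FIELD);

        if ((tokenNames == null) || (tokenNames.length < 1)) {
            LOG.warn("Got a null or empty token name.");

            return null;
        }

        return tokenNames[0];
    }

    /**
     * Checks for a valid transaction token in the current request params. If a valid token is found, it is
     * removed from the session so that it cannot be used again.
     * <p>
     * The token name is read from the request ({@link #TOKEN_NAME_FIELD}), the submitted token from the
     * parameter of that name, and both are compared against the session attribute of that same name.
     * The comparison runs in time independent of where the strings first differ, and the session lookup
     * never creates a session or assumes the attribute's type, since the attribute name is client-chosen.
     * <p>
     * No synchronization is performed: the check and the removal are two separate session operations,
     * so concurrent requests presenting the same token are not serialized by this helper.
     *
     * @param request the current request
     * @return {@code false} if no token name or token was submitted, no session exists, or the submitted
     *         token does not match the session token; {@code true} if a valid token is found (and consumed)
     */
    public static boolean validToken(HttpServletRequest request) {
        String tokenName = getTokenName(request);

        if (tokenName == null) {
            return false;
        }

        String token = getToken(tokenName, request);

        if (token == null) {
            return false;
        }

        // Do not create a session just to validate: a request without a session cannot
        // have been issued a token, so it fails closed instead of allocating server state.
        HttpSession session = request.getSession(false);

        if (session == null) {
            LOG.warn("No session present to validate the token against.");

            return false;
        }

        // tokenName is client-controlled, so the attribute under it may be of any type.
        // An unguarded (String) cast would throw ClassCastException here; treat a
        // non-String attribute as "no token" instead.
        Object stored = session.getAttribute(tokenName);
        String sessionToken = (stored instanceof String) ? (String) stored : null;

        if (!constantTimeEquals(sessionToken, token)) {
            // NOTE(review): the default message interpolates the session-side token value
            // into a WARN log line; consider omitting {1} from the resource bundle text.
            LOG.warn(LocalizedTextUtil.findText(TokenHelper.class, "webwork.invalid.token", request.getLocale(), "Form token {0} does not match the session token {1}.", new Object[]{
                token, sessionToken
            }));

            return false;
        }

        // remove the token so it won't be used again
        session.removeAttribute(tokenName);

        return true;
    }

    /**
     * Compares two strings without short-circuiting on the first differing character,
     * so the time taken does not reveal how much of {@code expected} the caller guessed.
     * A length mismatch still returns early; the token length is not the secret here.
     *
     * @param expected the value held server-side (may be {@code null})
     * @param actual   the value supplied by the client (may be {@code null})
     * @return {@code true} only if both are non-null and character-for-character equal
     */
    private static boolean constantTimeEquals(String expected, String actual) {
        if ((expected == null) || (actual == null)) {
            return false;
        }

        if (expected.length() != actual.length()) {
            return false;
        }

        int diff = 0;

        for (int i = 0; i < expected.length(); i++) {
            // accumulate every mismatch rather than returning on the first one
            diff |= expected.charAt(i) ^ actual.charAt(i);
        }

        return diff == 0;
    }
}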