bayou.form

Class CsrfToken

java.lang.Object

bayou.form.CsrfToken

public class CsrfToken
extends Object

A name-value pair for CSRF detection.

A CSRF token is a name-value pair that exists both as a form field and as a cookie in a POST request, so that the server can identify the request as non-CSRF.

A typical usage in html builder:

     _form().method("POST").action("/addArticle").add(
         ...
         CsrfToken._input()
         ...
 

This creates a hidden <input> with a csrf token's name and value, at the same time, ensures that a cookie exists with the same name and value. When the form is submitted, the server will see that the csrf token in the form field agrees with the csrf token in the cookie.

To make sure all POST forms contain CSRF tokens, consider using a convenient builder method:

     default Html5.FORM _form_post()
     {
         return Html5.html5._form()
             .method("POST")
             .enctype(FormData.ENC_MULTIPART)
             .add( CsrfToken._input() );
     }

    // usage example

         _form_post().action("/logout").add( _button("Log Out") );

        // note: even though this form contains no fields (other than the CSRF token)
        // the server app should still do parse(request) to detect CSRF.

 

Field Summary

Fields

Modifier and Type	Field and Description
static String	DEFAULT_NAME The default name for CSRF tokens.

Constructor Summary

Constructors

Constructor and Description
CsrfToken() Create a CsrfToken with the default name and the default CookieJar.
CsrfToken(String name, CookieJar cookieJar) Create a CsrfToken.

Method Summary

Instance Methods
String	name() Name of the token.
String	value() Value of the token.
Html5.INPUT	_toInput() Build an <input> element representing this token.
CharSequence	toInputString() Make an <input> string representing this token.
Static Method
Html5.INPUT	_input() Build an <input> element using the default CSRF token.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_NAME

public static final String DEFAULT_NAME

The default name for CSRF tokens.

Constructor Detail

CsrfToken

public CsrfToken()

Create a CsrfToken with the default name and the default CookieJar.

This constructor is equivalent to CsrfToken(CsrfToken.DEFAULT_NAME, CookieJar.current()).

See Also:

CsrfToken(String, CookieJar)

CsrfToken

public CsrfToken(String name,
                 CookieJar cookieJar)

Create a CsrfToken.

The CookieJar is used to lookup a cookie with the same name. If not found, one is created with a random value.

The value of this CsrfToken is the value of that cookie.

Method Detail

name

public String name()

Name of the token.

value

public String value()

Value of the token.

_toInput

public Html5.INPUT _toInput()

Build an <input> element representing this token.

This method is equivalent to _input().type("hidden").name(token.name()).value(token.value()); see Html5._input().

This method adds an <input> to the context parent; the method name starts with underscore to be consistent with html builder methods.

You may want to cast the return value to Html4.INPUT if you are building a strict HTML4 document.

toInputString

public CharSequence toInputString()

Make an <input> string representing this token.

An example return value: <input type="hidden" name="_csrf_token" value="rMNxKwixn7hC">

_input

public static Html5.INPUT _input()

Build an <input> element using the default CSRF token.

This method is shorthand for new CsrfToken()._toInput().

See Also:

_toInput()