1   /**
2    * Copyright 2005-2016 The Kuali Foundation
3    *
4    * Licensed under the Educational Community License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.opensource.org/licenses/ecl2.php
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  package org.kuali.rice.krad.service.impl;
17  
import org.apache.commons.lang.StringUtils;
import org.kuali.rice.core.api.CoreApiServiceLocator;
import org.kuali.rice.core.api.config.property.ConfigurationService;
import org.kuali.rice.coreservice.framework.CoreFrameworkServiceLocator;
import org.kuali.rice.coreservice.framework.parameter.ParameterConstants;
import org.kuali.rice.coreservice.framework.parameter.ParameterService;
import org.kuali.rice.krad.service.CsrfService;
import org.kuali.rice.krad.util.CsrfValidator;
import org.kuali.rice.krad.util.KRADConstants;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import java.util.ArrayList;
import java.util.List;
30  
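/**
 * Default {@link CsrfService} implementation.
 *
 * <p>CSRF validation is delegated to {@link CsrfValidator}; this class decides
 * <em>whether</em> validation has to run for a given request. Two settings drive
 * that decision, each read first from the system parameter service and, when no
 * parameter is defined, from the configuration service:
 * <ul>
 *   <li>an enabled flag ({@code CSRF_ENABLED_IND} parameter /
 *       {@code CSRF_ENABLED} config property, defaulting to {@code true}), and</li>
 *   <li>a comma-separated list of exempt paths ({@code CSRF_EXEMPT_PATHS}).</li>
 * </ul>
 *
 * <p>Collaborators are injected through the setters; when none was injected the
 * getters fall back to the framework service locators.
 */
public class CsrfServiceImpl implements CsrfService {

    /** Separator between entries of the exempt-path setting. */
    private static final String EXEMPT_PATH_SEPARATOR = ",";

    private ConfigurationService configurationService;
    private ParameterService parameterService;

    /**
     * Validates the CSRF token carried by {@code request} unless validation is not
     * required for it.
     *
     * <p>Validation is skipped (and {@code true} returned) when CSRF protection is
     * disabled or the request URI matches an exempt path; otherwise the result of
     * {@link CsrfValidator#validateCsrf} is returned. The exemption checks run first
     * because they are cheap and avoid token handling for requests that never needed it.
     *
     * @param request  the current request, must not be {@code null}
     * @param response the current response, must not be {@code null}
     * @return {@code true} if the request may proceed, {@code false} if it failed
     *         CSRF validation
     * @throws IllegalArgumentException if {@code request} or {@code response} is {@code null}
     */
    @Override
    public boolean validateCsrfIfNecessary(HttpServletRequest request, HttpServletResponse response) {
        if (request == null || response == null) {
            throw new IllegalArgumentException("request and response must not be null");
        }
        return !isEnabled() || isExemptPath(request) || CsrfValidator.validateCsrf(request, response);
    }

    /**
     * Returns {@code true} if the request URI matches one of the configured exempt paths.
     *
     * <p>Matching is substring-based (see {@link #matchesExemptPath}): an exempt path
     * such as {@code /foo} also exempts {@code /bar/foo/...}. Keep exempt paths as
     * specific as possible so the exemption does not cover more than intended.
     *
     * @param request the request whose URI is checked
     * @return {@code true} if the request is exempt from CSRF validation
     */
    protected boolean isExemptPath(HttpServletRequest request) {
        return matchesExemptPath(request.getRequestURI(), exemptPaths());
    }

    /**
     * Checks whether {@code requestURI} contains any of the given exempt paths.
     *
     * <p>Blank entries are never honored: {@code "".contains("")} is {@code true} for
     * every URI, so a stray empty token (e.g. from a double comma in the setting)
     * would otherwise exempt the whole application from CSRF validation.
     *
     * @param requestURI  the request URI, may be {@code null}
     * @param exemptPaths the exempt paths, may be {@code null}
     * @return {@code true} if a non-blank exempt path occurs in {@code requestURI}
     */
    protected static boolean matchesExemptPath(String requestURI, String[] exemptPaths) {
        if (requestURI == null || exemptPaths == null) {
            return false;
        }
        for (String path : exemptPaths) {
            if (StringUtils.isNotBlank(path) && requestURI.contains(path)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Resolves the configured exempt paths.
     *
     * <p>The system parameter takes precedence; the config property is consulted only
     * when no parameter value exists (a {@code null} parameter value, not merely a
     * blank one).
     *
     * @return the exempt paths, or {@code null} if none are configured
     */
    protected String[] exemptPaths() {
        // check parameter first
        String exemptPaths = getParameterService().getParameterValueAsString(KRADConstants.KUALI_RICE_SYSTEM_NAMESPACE, ParameterConstants.ALL_COMPONENT, KRADConstants.ParameterNames.CSRF_EXEMPT_PATHS);
        if (exemptPaths == null) {
            // next check the config property
            exemptPaths = getConfigurationService().getPropertyValueAsString(KRADConstants.Config.CSRF_EXEMPT_PATHS);
        }
        return parseExemptPaths(exemptPaths);
    }

    /**
     * Splits a comma-separated exempt-path setting into individual, trimmed paths.
     *
     * <p>Surrounding whitespace is stripped from each entry so that settings written
     * as {@code "/a, /b"} behave like {@code "/a,/b"}, and blank entries are dropped
     * so they can never act as a match-everything exemption.
     *
     * @param exemptPaths the raw setting value, may be {@code null} or blank
     * @return the non-blank paths, or {@code null} if the setting yields none
     */
    protected static String[] parseExemptPaths(String exemptPaths) {
        if (StringUtils.isBlank(exemptPaths)) {
            return null;
        }
        List<String> paths = new ArrayList<String>();
        for (String token : exemptPaths.split(EXEMPT_PATH_SEPARATOR)) {
            String path = token.trim();
            if (!path.isEmpty()) {
                paths.add(path);
            }
        }
        if (paths.isEmpty()) {
            return null;
        }
        return paths.toArray(new String[paths.size()]);
    }

    /**
     * Determines whether CSRF protection is enabled.
     *
     * <p>The system parameter takes precedence; when it is not defined the config
     * property is used, and when that is missing too protection defaults to enabled.
     *
     * @return {@code true} if CSRF validation should be performed
     */
    protected boolean isEnabled() {
        // first check the system parameter
        Boolean csrfEnabled = getParameterService().getParameterValueAsBoolean(KRADConstants.KUALI_RICE_SYSTEM_NAMESPACE, ParameterConstants.ALL_COMPONENT, KRADConstants.ParameterNames.CSRF_ENABLED_IND);
        if (csrfEnabled == null) {
            // next check the config property; fail closed (enabled) when unset
            csrfEnabled = getConfigurationService().getPropertyValueAsBoolean(KRADConstants.Config.CSRF_ENABLED, true);
        }
        return csrfEnabled;
    }

    /**
     * Returns the CSRF token associated with the request's session, as provided by
     * {@link CsrfValidator#getSessionToken}.
     *
     * @param request the current request
     * @return the session token
     */
    @Override
    public String getSessionToken(HttpServletRequest request) {
        return CsrfValidator.getSessionToken(request);
    }

    /**
     * Returns the configuration service, looking it up via
     * {@link CoreApiServiceLocator} if none was injected.
     */
    public ConfigurationService getConfigurationService() {
        if (configurationService == null) {
            this.configurationService = CoreApiServiceLocator.getKualiConfigurationService();
        }
        return configurationService;
    }

    public void setConfigurationService(ConfigurationService configurationService) {
        this.configurationService = configurationService;
    }

    /**
     * Returns the parameter service, looking it up via
     * {@link CoreFrameworkServiceLocator} if none was injected.
     */
    public ParameterService getParameterService() {
        if (parameterService == null) {
            this.parameterService = CoreFrameworkServiceLocator.getParameterService();
        }
        return parameterService;
    }

    public void setParameterService(ParameterService parameterService) {
        this.parameterService = parameterService;
    }

}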