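/**
 * Copyright 2005-2016 The Kuali Foundation
 *
 * Licensed under the Educational Community License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.opensource.org/licenses/ecl2.php
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.kuali.rice.krad.service.impl;

import org.apache.commons.lang.StringUtils;
import org.kuali.rice.core.api.CoreApiServiceLocator;
import org.kuali.rice.core.api.config.property.ConfigurationService;
import org.kuali.rice.coreservice.framework.CoreFrameworkServiceLocator;
import org.kuali.rice.coreservice.framework.parameter.ParameterConstants;
import org.kuali.rice.coreservice.framework.parameter.ParameterService;
import org.kuali.rice.krad.service.CsrfService;
import org.kuali.rice.krad.util.CsrfValidator;
import org.kuali.rice.krad.util.KRADConstants;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/**
 * Default {@link CsrfService}: decides whether a request needs a CSRF token check and delegates
 * the actual token validation to {@link CsrfValidator}.
 *
 * <p>Two pieces of configuration drive the decision, each read first from the system parameter
 * and then, if the parameter is absent, from the config property:
 * <ul>
 *   <li>whether CSRF protection is enabled at all ({@code CSRF_ENABLED_IND} / {@code CSRF_ENABLED},
 *       defaulting to enabled);</li>
 *   <li>a comma-separated list of exempt paths ({@code CSRF_EXEMPT_PATHS}).</li>
 * </ul>
 *
 * <p>Security note: an exempt entry is matched as a <em>substring</em> of the request path, so a
 * short or generic entry exempts every URI that happens to contain it. Keep entries as specific
 * as possible (include the leading context path segment). Before matching, the request URI is
 * canonicalized (path parameters after {@code ;} dropped, percent-escapes decoded, {@code .} and
 * {@code ..} segments collapsed) so that the check sees roughly the path the container dispatches
 * on rather than the raw string the client sent.
 */
public class CsrfServiceImpl implements CsrfService {

    private ConfigurationService configurationService;
    private ParameterService parameterService;

    /**
     * Validates the CSRF token on the request unless protection is disabled or the request path is
     * exempt; in both of those cases the request is accepted without looking at a token.
     *
     * @param request the current request, must not be null
     * @param response the current response, must not be null
     * @return true if the request may proceed (not protected, exempt, or the token validated)
     * @throws IllegalArgumentException if either argument is null
     */
    @Override
    public boolean validateCsrfIfNecessary(HttpServletRequest request, HttpServletResponse response) {
        if (request == null || response == null) {
            throw new IllegalArgumentException("request and response must not be null");
        }
        // Only explicit configuration (protection off, or an exempt path) skips the token check.
        if (!isEnabled() || isExemptPath(request)) {
            return true;
        }
        return CsrfValidator.validateCsrf(request, response);
    }

    /**
     * Returns true if the request URI, after canonicalization, contains one of the configured
     * exempt paths.
     *
     * @param request the current request
     * @return true if the request is exempt from CSRF validation
     */
    protected boolean isExemptPath(HttpServletRequest request) {
        return matchesExemptPath(request.getRequestURI(), exemptPaths());
    }

    /**
     * Substring-matches each exempt entry against the canonicalized form of {@code requestURI}.
     *
     * <p>Blank entries are ignored: {@code "".contains} would otherwise match every URI and
     * silently turn CSRF protection off for the whole application.
     *
     * @param requestURI the raw request URI as returned by {@link HttpServletRequest#getRequestURI()}
     * @param exemptPaths configured exempt path fragments, may be null or contain blank entries
     * @return true if any non-blank entry occurs in the canonicalized URI; false for a null URI
     *         or no usable entries
     */
    protected static boolean matchesExemptPath(String requestURI, String[] exemptPaths) {
        if (requestURI == null || exemptPaths == null) {
            return false;
        }
        String canonical = canonicalizePath(requestURI);
        for (String path : exemptPaths) {
            if (path == null) {
                continue;
            }
            String entry = path.trim();
            if (entry.isEmpty()) {
                continue;
            }
            if (canonical.contains(entry)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reduces a raw request URI to the path the container would route on, as far as that can be
     * done without container-specific knowledge: path parameters ({@code ;...} up to the next
     * {@code /}) are dropped, percent-escapes are decoded as UTF-8, and {@code .} / {@code ..}
     * segments are collapsed. Matching the raw string instead would let a URI such as
     * {@code /exempt/../protected} or {@code /protected;exempt} satisfy a substring check while
     * being dispatched somewhere else.
     *
     * <p>Invalid percent-escapes are left untouched. A trailing slash is preserved so entries
     * configured as {@code /foo/} still match. The result always starts with {@code /}.
     *
     * @param requestURI the raw request URI, not null
     * @return the canonicalized path
     */
    static String canonicalizePath(String requestURI) {
        // Same order servlet containers typically use: strip ";" params, then decode, then normalize.
        String decoded = percentDecode(stripPathParameters(requestURI));
        List<String> segments = new ArrayList<String>();
        for (String segment : decoded.split("/")) {
            if (segment.isEmpty() || ".".equals(segment)) {
                continue;
            }
            if ("..".equals(segment)) {
                if (!segments.isEmpty()) {
                    segments.remove(segments.size() - 1);
                }
                continue;
            }
            segments.add(segment);
        }
        StringBuilder canonical = new StringBuilder(decoded.length() + 1);
        for (String segment : segments) {
            canonical.append('/').append(segment);
        }
        boolean trailingSlash = decoded.endsWith("/") || decoded.endsWith("/.") || decoded.endsWith("/..");
        if (canonical.length() == 0 || trailingSlash) {
            canonical.append('/');
        }
        return canonical.toString();
    }

    /**
     * Removes path parameters: everything from a {@code ;} up to (not including) the next
     * {@code /} or the end of the string.
     *
     * @param uri the URI to strip, not null
     * @return the URI without path parameters
     */
    static String stripPathParameters(String uri) {
        StringBuilder stripped = new StringBuilder(uri.length());
        boolean inParameter = false;
        for (int i = 0; i < uri.length(); i++) {
            char c = uri.charAt(i);
            if (c == '/') {
                inParameter = false;
                stripped.append(c);
            } else if (c == ';') {
                inParameter = true;
            } else if (!inParameter) {
                stripped.append(c);
            }
        }
        return stripped.toString();
    }

    /**
     * Decodes {@code %XX} escapes as UTF-8 bytes. Sequences that are not two hex digits are
     * copied through unchanged; {@code +} is not treated specially (this is a path, not a form).
     *
     * @param s the string to decode, not null
     * @return the decoded string
     */
    static String percentDecode(String s) {
        if (s.indexOf('%') < 0) {
            return s;
        }
        byte[] in = s.getBytes(StandardCharsets.UTF_8);
        ByteArrayOutputStream out = new ByteArrayOutputStream(in.length);
        for (int i = 0; i < in.length; i++) {
            if (in[i] == '%' && i + 2 < in.length) {
                int hi = Character.digit((char) in[i + 1], 16);
                int lo = Character.digit((char) in[i + 2], 16);
                if (hi >= 0 && lo >= 0) {
                    out.write((hi << 4) | lo);
                    i += 2;
                    continue;
                }
            }
            out.write(in[i]);
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    /**
     * Reads the configured exempt paths: the system parameter first, then the config property.
     *
     * @return the non-blank, trimmed entries of the comma-separated value, or null when nothing
     *         usable is configured (null is kept rather than an empty array for subclasses that
     *         override this method and test for it)
     */
    protected String[] exemptPaths() {
        // check parameter first
        String configured = getParameterService().getParameterValueAsFilteredString(
                KRADConstants.KUALI_RICE_SYSTEM_NAMESPACE, ParameterConstants.ALL_COMPONENT,
                KRADConstants.ParameterNames.CSRF_EXEMPT_PATHS);
        if (configured == null) {
            // next check the config property
            configured = getConfigurationService().getPropertyValueAsString(KRADConstants.Config.CSRF_EXEMPT_PATHS);
        }
        return parseExemptPaths(configured);
    }

    /**
     * Splits a comma-separated exempt-path value, trimming entries and discarding blank ones
     * (a stray {@code ,,} or trailing space must not produce an empty entry that matches
     * everything).
     *
     * @param configured the raw configured value, may be null
     * @return the usable entries, or null if there are none
     */
    protected static String[] parseExemptPaths(String configured) {
        if (configured == null || configured.trim().isEmpty()) {
            return null;
        }
        List<String> paths = new ArrayList<String>();
        for (String entry : configured.split(",")) {
            String trimmed = entry.trim();
            if (!trimmed.isEmpty()) {
                paths.add(trimmed);
            }
        }
        if (paths.isEmpty()) {
            return null;
        }
        return paths.toArray(new String[paths.size()]);
    }

    /**
     * Reports whether CSRF protection is turned on: the system parameter wins, then the config
     * property (defaulting to true). If neither yields a value, protection stays on.
     *
     * @return true if CSRF validation should be applied
     */
    protected boolean isEnabled() {
        // first check the system parameter
        Boolean csrfEnabled = getParameterService().getParameterValueAsBoolean(
                KRADConstants.KUALI_RICE_SYSTEM_NAMESPACE, ParameterConstants.ALL_COMPONENT,
                KRADConstants.ParameterNames.CSRF_ENABLED_IND);
        if (csrfEnabled == null) {
            // next check the config property
            csrfEnabled = getConfigurationService().getPropertyValueAsBoolean(KRADConstants.Config.CSRF_ENABLED, true);
        }
        // Fail closed: an unresolvable setting means protection is on, never an NPE on unboxing.
        return csrfEnabled == null || csrfEnabled.booleanValue();
    }

    /**
     * Returns the CSRF token bound to the request's session, as managed by {@link CsrfValidator}.
     *
     * @param request the current request
     * @return the session token
     */
    @Override
    public String getSessionToken(HttpServletRequest request) {
        return CsrfValidator.getSessionToken(request);
    }

    /** Lazily resolves the configuration service from the service locator if none was injected. */
    public ConfigurationService getConfigurationService() {
        if (configurationService == null) {
            this.configurationService = CoreApiServiceLocator.getKualiConfigurationService();
        }
        return configurationService;
    }

    public void setConfigurationService(ConfigurationService configurationService) {
        this.configurationService = configurationService;
    }

    /** Lazily resolves the parameter service from the service locator if none was injected. */
    public ParameterService getParameterService() {
        if (parameterService == null) {
            this.parameterService = CoreFrameworkServiceLocator.getParameterService();
        }
        return parameterService;
    }

    public void setParameterService(ParameterService parameterService) {
        this.parameterService = parameterService;
    }

}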