Changes between Version 1 and Version 2 of proposals/CSRFTokens

Timestamp:

02/24/13 11:45:19 (12 years ago)

Author:

josegar74

Comment:

--

proposals/CSRFTokens

@@ -44 +44 @@
 '''1)''' A new base service class for services that require CSRF (Cross Site Request Forgery) tokens: {{{BaseSecureService}}}
 
-This class validates the CSRF token:
+This class validates the CSRF token before processing the service:
 
  * If it's not valid and exception {{{ServiceNotAllowedEx}}} is thrown.
  * If it's valid, the service processing continues.
 
+{{{
+package jeeves.services;
+
+public abstract class BaseSecureService implements Service {
+    public final Element exec(Element params, ServiceContext context) throws Exception {
+        if (!CSRFUtil.isValidToken(params, context)) {
+            throw new ServiceNotAllowedEx("Service not allowed. CSRF Token is not valid");
+        }
+
+        return doExec(params, context);
+    }
+
+    /** Services that require CSRF tokens must implement doExec instead of exec **/
+    protected abstract Element doExec(Element params, ServiceContext context) throws Exception;
+}
+}}}
+
 Services that require CSRF tokens must extend this class and implement the logic in {{{doExec}}} method instead of {{{exec}}} method.
 
+
+{{{
+package org.fao.geonet.services.user;
+
+public class Update extends BaseSecureService
+{
+        public Element doExec(Element params, ServiceContext context) throws Exception
+        {
+                // Service logic  
+        }
+}
+}}}
+
 Code: https://github.com/josegar74/core-geonetwork/blob/csrf/jeeves/src/main/java/jeeves/services/BaseSecureService.java
+
 Example service requiring CSRF token: https://github.com/josegar74/core-geonetwork/blob/csrf/web/src/main/java/org/fao/geonet/services/user/Update.java
 
 '''2)''' A new service to create/retrieve a CSRF token: {{{secure.token}}}. This service is used to provide the secure token in services that create forms (see next point) and can be used from scripts that use actual !GeoNetwork services that have been changed to require CSRF tokens. For example, a script that call {{{metadata.category}}} to update the categories of metadata, will require to call first {{{secure.token}}} to get the token and use it in {{{metadata.category}}} calls.
 
-CSRF tokens are created using SecureRandom java class
+CSRF tokens are created using {{{SecureRandom}}} java class.
 
 Code: https://github.com/josegar74/core-geonetwork/blob/csrf/jeeves/src/main/java/jeeves/services/GetSecureToken.java, https://github.com/josegar74/core-geonetwork/blob/csrf/jeeves/src/main/java/jeeves/utils/CSRFUtil.java
@@ -97 +128 @@
 === Backwards Compatibility Issues ===
 
-User scripts using !GeoNetwork services to update data will require to be updated to use {{{secure.token}}} to retrieve the CSRF token and use it in the services. See Proposal description (point 2) for more details.
+User scripts using !GeoNetwork services to update data will require to be updated to use {{{secure.token}}} to retrieve the CSRF token and use it in the services. See Proposal description (point 2) for more details. These changes don't affect interfaces like CSW.
 
-These changes don't affect interfaces like CSW.
+UI WIdgets requires to be changed to use the CSRF token.
 
 === New libraries added ===