Coverage Report

Coverage Report - org.apache.myfaces.application.viewstate.SecureRandomKeyFactory

Classes in this File

Line Coverage

Branch Coverage

Complexity

SecureRandomKeyFactory

0/41

0/12

2.6

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *   http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */
 package org.apache.myfaces.application.viewstate;
 
 import java.util.Map;
 import javax.faces.context.ExternalContext;
 import javax.faces.context.FacesContext;
 import org.apache.commons.codec.DecoderException;
 import org.apache.commons.codec.binary.Hex;
 import org.apache.myfaces.shared.renderkit.RendererUtils;
 import org.apache.myfaces.shared.util.WebConfigParamUtils;
 
 /**
  * This factory generate a key composed by a counter and a random number. The
  * counter ensures uniqueness, and the random number prevents guess the next
  * session token.
  */
 class SecureRandomKeyFactory extends KeyFactory<byte[]>
 {
     private final SessionIdGenerator sessionIdGenerator;
     private final int length;
 
     public SecureRandomKeyFactory(FacesContext facesContext)
     {
         length = WebConfigParamUtils.getIntegerInitParameter(
             facesContext.getExternalContext(), 
             ServerSideStateCacheImpl.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_LENGTH_PARAM, 
             ServerSideStateCacheImpl.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_LENGTH_PARAM_DEFAULT);
         sessionIdGenerator = new SessionIdGenerator();
         sessionIdGenerator.setSessionIdLength(length);
         String secureRandomClass = WebConfigParamUtils.getStringInitParameter(
             facesContext.getExternalContext(), 
             ServerSideStateCacheImpl.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_SECURE_RANDOM_CLASS_PARAM);
         if (secureRandomClass != null)
         {
             sessionIdGenerator.setSecureRandomClass(secureRandomClass);
         }
         String secureRandomProvider = WebConfigParamUtils.getStringInitParameter(
             facesContext.getExternalContext(), 
             ServerSideStateCacheImpl.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_SECURE_RANDOM_PROVIDER_PARAM);
         if (secureRandomProvider != null)
         {
             sessionIdGenerator.setSecureRandomProvider(secureRandomProvider);
         }
         String secureRandomAlgorithm = WebConfigParamUtils.getStringInitParameter(
             facesContext.getExternalContext(), 
             ServerSideStateCacheImpl.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_SECURE_RANDOM_ALGORITM_PARAM);
         if (secureRandomAlgorithm != null)
         {
             sessionIdGenerator.setSecureRandomAlgorithm(secureRandomAlgorithm);
         }
     }
 
     public Integer generateCounterKey(FacesContext facesContext)
     {
         ExternalContext externalContext = facesContext.getExternalContext();
         Object sessionObj = externalContext.getSession(true);
         Integer sequence;
         synchronized (sessionObj) // are handled at the same time for the session
         {
             Map<String, Object> map = externalContext.getSessionMap();
             sequence = (Integer) map.get(RendererUtils.SEQUENCE_PARAM);
             if (sequence == null || sequence.intValue() == Integer.MAX_VALUE)
             {
                 sequence = Integer.valueOf(1);
             }
             else
             {
                 sequence = Integer.valueOf(sequence.intValue() + 1);
             }
             map.put(RendererUtils.SEQUENCE_PARAM, sequence);
         }
         return sequence;
     }
 
     @Override
     public byte[] generateKey(FacesContext facesContext)
     {
         byte[] array = new byte[length];
         byte[] key = new byte[length + 4];
         sessionIdGenerator.getRandomBytes(array);
         for (int i = 0; i < array.length; i++)
         {
             key[i] = array[i];
         }
         int value = generateCounterKey(facesContext);
         key[array.length] = (byte) (value >>> 24);
         key[array.length + 1] = (byte) (value >>> 16);
         key[array.length + 2] = (byte) (value >>> 8);
         key[array.length + 3] = (byte) (value);
         return key;
     }
 
     @Override
     public String encode(byte[] key)
     {
         return new String(Hex.encodeHex(key));
     }
 
     @Override
     public byte[] decode(String value)
     {
         try
         {
             return Hex.decodeHex(value.toCharArray());
         }
         catch (DecoderException ex)
         {
             // Cannot decode, ignore silently, later it will be handled as
             // ViewExpiredException
         }
         return null;
     }
     
 }

1		/*
2		* Licensed to the Apache Software Foundation (ASF) under one
3		* or more contributor license agreements. See the NOTICE file
4		* distributed with this work for additional information
5		* regarding copyright ownership. The ASF licenses this file
6		* to you under the Apache License, Version 2.0 (the
7		* "License"); you may not use this file except in compliance
8		* with the License. You may obtain a copy of the License at
9		*
10		* http://www.apache.org/licenses/LICENSE-2.0
11		*
12		* Unless required by applicable law or agreed to in writing,
13		* software distributed under the License is distributed on an
14		* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15		* KIND, either express or implied. See the License for the
16		* specific language governing permissions and limitations
17		* under the License.
18		*/
19		package org.apache.myfaces.application.viewstate;
20
21		import java.util.Map;
22		import javax.faces.context.ExternalContext;
23		import javax.faces.context.FacesContext;
24		import org.apache.commons.codec.DecoderException;
25		import org.apache.commons.codec.binary.Hex;
26		import org.apache.myfaces.shared.renderkit.RendererUtils;
27		import org.apache.myfaces.shared.util.WebConfigParamUtils;
28
29		/**
30		* This factory generate a key composed by a counter and a random number. The
31		* counter ensures uniqueness, and the random number prevents guess the next
32		* session token.
33		*/
34	0	class SecureRandomKeyFactory extends KeyFactory<byte[]>
35		{
36		private final SessionIdGenerator sessionIdGenerator;
37		private final int length;
38
39		public SecureRandomKeyFactory(FacesContext facesContext)
40	0	{
41	0	length = WebConfigParamUtils.getIntegerInitParameter(
42		facesContext.getExternalContext(),
43		ServerSideStateCacheImpl.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_LENGTH_PARAM,
44		ServerSideStateCacheImpl.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_LENGTH_PARAM_DEFAULT);
45	0	sessionIdGenerator = new SessionIdGenerator();
46	0	sessionIdGenerator.setSessionIdLength(length);
47	0	String secureRandomClass = WebConfigParamUtils.getStringInitParameter(
48		facesContext.getExternalContext(),
49		ServerSideStateCacheImpl.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_SECURE_RANDOM_CLASS_PARAM);
50	0	if (secureRandomClass != null)
51		{
52	0	sessionIdGenerator.setSecureRandomClass(secureRandomClass);
53		}
54	0	String secureRandomProvider = WebConfigParamUtils.getStringInitParameter(
55		facesContext.getExternalContext(),
56		ServerSideStateCacheImpl.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_SECURE_RANDOM_PROVIDER_PARAM);
57	0	if (secureRandomProvider != null)
58		{
59	0	sessionIdGenerator.setSecureRandomProvider(secureRandomProvider);
60		}
61	0	String secureRandomAlgorithm = WebConfigParamUtils.getStringInitParameter(
62		facesContext.getExternalContext(),
63		ServerSideStateCacheImpl.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_SECURE_RANDOM_ALGORITM_PARAM);
64	0	if (secureRandomAlgorithm != null)
65		{
66	0	sessionIdGenerator.setSecureRandomAlgorithm(secureRandomAlgorithm);
67		}
68	0	}
69
70		public Integer generateCounterKey(FacesContext facesContext)
71		{
72	0	ExternalContext externalContext = facesContext.getExternalContext();
73	0	Object sessionObj = externalContext.getSession(true);
74		Integer sequence;
75	0	synchronized (sessionObj) // are handled at the same time for the session
76		{
77	0	Map<String, Object> map = externalContext.getSessionMap();
78	0	sequence = (Integer) map.get(RendererUtils.SEQUENCE_PARAM);
79	0	if (sequence == null \|\| sequence.intValue() == Integer.MAX_VALUE)
80		{
81	0	sequence = Integer.valueOf(1);
82		}
83		else
84		{
85	0	sequence = Integer.valueOf(sequence.intValue() + 1);
86		}
87	0	map.put(RendererUtils.SEQUENCE_PARAM, sequence);
88	0	}
89	0	return sequence;
90		}
91
92		@Override
93		public byte[] generateKey(FacesContext facesContext)
94		{
95	0	byte[] array = new byte[length];
96	0	byte[] key = new byte[length + 4];
97	0	sessionIdGenerator.getRandomBytes(array);
98	0	for (int i = 0; i < array.length; i++)
99		{
100	0	key[i] = array[i];
101		}
102	0	int value = generateCounterKey(facesContext);
103	0	key[array.length] = (byte) (value >>> 24);
104	0	key[array.length + 1] = (byte) (value >>> 16);
105	0	key[array.length + 2] = (byte) (value >>> 8);
106	0	key[array.length + 3] = (byte) (value);
107	0	return key;
108		}
109
110		@Override
111		public String encode(byte[] key)
112		{
113	0	return new String(Hex.encodeHex(key));
114		}
115
116		@Override
117		public byte[] decode(String value)
118		{
119		try
120		{
121	0	return Hex.decodeHex(value.toCharArray());
122		}
123	0	catch (DecoderException ex)
124		{
125		// Cannot decode, ignore silently, later it will be handled as
126		// ViewExpiredException
127		}
128	0	return null;
129		}
130
131		}