1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 package org.apache.myfaces.application.viewstate;
20
21 import javax.faces.context.FacesContext;
22 import javax.xml.bind.DatatypeConverter;
23
24 import org.apache.myfaces.application.StateCache;
25 import org.apache.myfaces.shared.util.WebConfigParamUtils;
26
27
28
29
30
31
32
33
34
35 class SecureRandomCsrfSessionTokenFactory extends CsrfSessionTokenFactory
36 {
37 private final SessionIdGenerator sessionIdGenerator;
38 private final int length;
39
40 public SecureRandomCsrfSessionTokenFactory(FacesContext facesContext)
41 {
42 length = WebConfigParamUtils.getIntegerInitParameter(
43 facesContext.getExternalContext(),
44 StateCache.RANDOM_KEY_IN_CSRF_SESSION_TOKEN_LENGTH_PARAM,
45 StateCache.RANDOM_KEY_IN_CSRF_SESSION_TOKEN_LENGTH_PARAM_DEFAULT);
46 sessionIdGenerator = new SessionIdGenerator();
47 sessionIdGenerator.setSessionIdLength(length);
48 String secureRandomClass = WebConfigParamUtils.getStringInitParameter(
49 facesContext.getExternalContext(),
50 StateCache.RANDOM_KEY_IN_CSRF_SESSION_TOKEN_SECURE_RANDOM_CLASS_PARAM);
51 if (secureRandomClass != null)
52 {
53 sessionIdGenerator.setSecureRandomClass(secureRandomClass);
54 }
55 String secureRandomProvider = WebConfigParamUtils.getStringInitParameter(
56 facesContext.getExternalContext(),
57 StateCache.RANDOM_KEY_IN_CSRF_SESSION_TOKEN_SECURE_RANDOM_PROVIDER_PARAM);
58 if (secureRandomProvider != null)
59 {
60 sessionIdGenerator.setSecureRandomProvider(secureRandomProvider);
61 }
62 String secureRandomAlgorithm = WebConfigParamUtils.getStringInitParameter(
63 facesContext.getExternalContext(),
64 StateCache.RANDOM_KEY_IN_CSRF_SESSION_TOKEN_SECURE_RANDOM_ALGORITM_PARAM);
65 if (secureRandomAlgorithm != null)
66 {
67 sessionIdGenerator.setSecureRandomAlgorithm(secureRandomAlgorithm);
68 }
69 }
70
71 public byte[] generateKey(FacesContext facesContext)
72 {
73 byte[] array = new byte[length];
74 sessionIdGenerator.getRandomBytes(array);
75 return array;
76 }
77
78 @Override
79 public String createCryptographicallyStrongTokenFromSession(FacesContext context)
80 {
81 byte[] key = generateKey(context);
82 return DatatypeConverter.printHexBinary(key);
83 }
84 }