Package com.microstrategy.web.platform
Class CSRFHelper
- java.lang.Object
  - com.microstrategy.web.platform.CSRFHelper
public class CSRFHelper extends java.lang.Object

The following 4 flags govern the behavior of CSRF protection in MicroStrategy Web:

- validateRandNum - Whether to turn CSRF protection on or not
- allowRandNumUserOverride - Allow the user to choose to proceed with the request even if a CSRF error is encountered (not safe if true!)
- allowRandNumOnURL - Whether to error out if the CSRF random token is exposed in a URL (not safe if true!)
- invalidateRandNumOnURL - Whether to invalidate random tokens exposed in a URL (new option)

Customers who turn on invalidateRandNumOnURL are concerned about security, so we do not want to allow them to choose any option that is not absolutely safe. This class centralizes the logic surrounding these 4 flags: whenever invalidateRandNumOnURL = 1 and validateRandNum = 1, we force allowRandNumUserOverride and allowRandNumOnURL to 0 regardless of their configured values.

validateRandNum | allowRandNumUserOverride | allowRandNumOnURL | invalidateRandNumOnURL | effective values
0 | X | X | X |
1 | 1 | 1 | 0 |
1 | 0 | 1 | 0 |
1 | 1 | 0 | 0 |
1 | 0 | 0 | 0 |
1 | 1 | 1 | 1 | ==> [1, 0, 0, 1]
1 | 0 | 1 | 1 | ==> [1, 0, 0, 1]
1 | 1 | 0 | 1 | ==> [1, 0, 0, 1]
1 | 0 | 0 | 1 |

This reduces the number of combinations from 9 to 6.
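As an added illustration (not MicroStrategy's own code), the collapse rule from the table above implemented as a small hypothetical Java class whose accessors are shaped like the four static methods of CSRFHelper; the page does not give the method bodies, so deriving errorOnExposedTokens() from allowRandNumOnURL is an assumption, and the raw flag values are taken as constructor arguments rather than read from configuration.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
// Hypothetical stand-in for CSRFHelper (not MicroStrategy's code): the raw flags come
// from configuration; the effective values apply the collapse rule from the table.
public final class CsrfFlagPolicy {
    private final boolean validate, userOverride, allowOnURL, invalidateOnURL;
    public CsrfFlagPolicy(boolean validate, boolean userOverride,
                          boolean allowOnURL, boolean invalidateOnURL) {
        // Strict mode: protection on AND exposed tokens invalidated. In that case the two
        // unsafe opt-outs are forced off no matter what the configuration says.
        boolean strict = validate && invalidateOnURL;
        this.validate = validate;
        this.invalidateOnURL = invalidateOnURL;
        this.userOverride = !strict && userOverride;
        this.allowOnURL = !strict && allowOnURL;
    }
    // Accessors shaped like the four static methods on the page.
    public boolean isCSRFEnabled()           { return validate; }
    public boolean allowUserOverride()       { return validate && userOverride; }
    // Assumption: a request errors on an exposed token unless allowRandNumOnURL opts out.
    public boolean errorOnExposedTokens()    { return validate && !allowOnURL; }
    public boolean invalidateExposedTokens() { return validate && invalidateOnURL; }
    // Effective [validateRandNum, allowRandNumUserOverride, allowRandNumOnURL, invalidateRandNumOnURL]
    public int[] effective() {
        return new int[] { validate ? 1 : 0, userOverride ? 1 : 0,
                           allowOnURL ? 1 : 0, invalidateOnURL ? 1 : 0 };
    }
    // Walks the nine rows of the table (the "0 | X | X | X" row taken as all zeros)
    // and counts the distinct effective combinations.
    public static void main(String[] args) {
        Set<String> distinct = new LinkedHashSet<>();
        int[][] rows = new int[9][];
        rows[0] = new int[] {0, 0, 0, 0};
        int n = 1;
        for (int inv = 0; inv <= 1; inv++)
            for (int ovr = 1; ovr >= 0; ovr--)
                for (int url = 1; url >= 0; url--)
                    rows[n++] = new int[] {1, ovr, url, inv};
        for (int[] r : rows) {
            CsrfFlagPolicy p = new CsrfFlagPolicy(r[0] == 1, r[1] == 1, r[2] == 1, r[3] == 1);
            String eff = Arrays.toString(p.effective());
            distinct.add(eff);
            System.out.println(Arrays.toString(r) + " ==> " + eff);
        }
        System.out.println(distinct.size() + " distinct effective combinations");
    }
}
```

Running main prints each raw row beside its effective row; the four rows with invalidateRandNumOnURL = 1 all collapse to [1, 0, 0, 1], which is the reduction from 9 to 6 the page describes.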
Field Summary
Fields

Modifier and Type | Field
static java.lang.String | PROPERTY_ALLOW_RAND_NUM_ON_URL
static java.lang.String | PROPERTY_CSRF_PROTECTION_ENABLED
static java.lang.String | PROPERTY_INVALIDATE_RAND_NUM_ON_URL
static java.lang.String | PROPERTY_OVERRIDE_CSRF_CHECK_FAIL
Constructor Summary
Constructors

Constructor
CSRFHelper()
Method Summary
All Methods, Static Methods, Concrete Methods

Modifier and Type | Method
static boolean | allowUserOverride()
static boolean | errorOnExposedTokens()
static boolean | invalidateExposedTokens()
static boolean | isCSRFEnabled()
Field Detail
PROPERTY_CSRF_PROTECTION_ENABLED
public static final java.lang.String PROPERTY_CSRF_PROTECTION_ENABLED
- See Also:
- Constant Field Values
PROPERTY_OVERRIDE_CSRF_CHECK_FAIL
public static final java.lang.String PROPERTY_OVERRIDE_CSRF_CHECK_FAIL
- See Also:
- Constant Field Values
PROPERTY_ALLOW_RAND_NUM_ON_URL
public static final java.lang.String PROPERTY_ALLOW_RAND_NUM_ON_URL
- See Also:
- Constant Field Values
PROPERTY_INVALIDATE_RAND_NUM_ON_URL
public static final java.lang.String PROPERTY_INVALIDATE_RAND_NUM_ON_URL
- See Also:
- Constant Field Values