Package com.microstrategy.web.platform
Class CSRFHelper
java.lang.Object
  com.microstrategy.web.platform.CSRFHelper
public class CSRFHelper extends java.lang.Object
The following 4 flags govern the behavior of CSRF protection in MicroStrategy Web:

- validateRandNum - Whether to turn on CSRF protection or not
- allowRandNumUserOverride - Allow the user to choose to proceed with the request even if a CSRF error is encountered (not safe if true!)
- allowRandNumOnURL - Whether to error out if the CSRF random token is exposed in a URL (not safe if true!)
- invalidateRandNumOnURL - Whether to invalidate random tokens exposed in a URL (new option)

Customers who turn on invalidateRandNumOnURL are concerned about security, so we do not want to allow them to choose any option that is not absolutely safe. This class centralizes the logic surrounding these 4 flags, because whenever invalidateRandNumOnURL = 1 and validateRandNum = 1, we want to force allowRandNumUserOverride and allowRandNumOnURL to become 0 regardless of their actual values.

validateRandNum | allowRandNumUserOverride | allowRandNumOnURL | invalidateRandNumOnURL
0 | X | X | X
1 | 1 | 1 | 0
1 | 0 | 1 | 0
1 | 1 | 0 | 0
1 | 0 | 0 | 0
1 | 1 | 1 | 1 ==> [1, 0, 0, 1]
1 | 0 | 1 | 1 ==> [1, 0, 0, 1]
1 | 1 | 0 | 1 ==> [1, 0, 0, 1]
1 | 0 | 0 | 1

This reduces the number of combinations from 9 to 6.
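As an added illustration, not MicroStrategy's code and not the CSRFHelper API itself: a small Java class whose hypothetical resolve() method applies the forcing rule above to the four raw flag values, then enumerates every raw combination to show how they collapse to the effective configurations in the table. Assumptions are noted in the comments.

```java
import java.util.LinkedHashSet;
import java.util.Set;

// Added example, not MicroStrategy's own code: models the precedence rule
// documented for the four CSRF flags so the collapsed table can be checked.
public final class CsrfFlagPolicy {

    /** Effective flag values, in the page's column order. */
    public static final class Effective {
        final boolean validateRandNum, allowRandNumUserOverride, allowRandNumOnURL, invalidateRandNumOnURL;

        Effective(boolean v, boolean o, boolean a, boolean i) {
            validateRandNum = v; allowRandNumUserOverride = o; allowRandNumOnURL = a; invalidateRandNumOnURL = i;
        }

        @Override public String toString() {
            return "[" + bit(validateRandNum) + ", " + bit(allowRandNumUserOverride) + ", "
                 + bit(allowRandNumOnURL) + ", " + bit(invalidateRandNumOnURL) + "]";
        }

        private static int bit(boolean b) { return b ? 1 : 0; }
    }

    /**
     * resolve() is a hypothetical helper, not a CSRFHelper method. It applies the
     * documented rule: with validation on and invalidation of exposed tokens on,
     * the two unsafe overrides are forced off regardless of their configured values.
     */
    public static Effective resolve(boolean validateRandNum, boolean allowRandNumUserOverride,
                                    boolean allowRandNumOnURL, boolean invalidateRandNumOnURL) {
        if (!validateRandNum) {
            // Protection is off; the page marks the other flags "X" (don't care).
            // Assumption: normalize them to 0 so the don't-care rows count once.
            return new Effective(false, false, false, false);
        }
        if (invalidateRandNumOnURL) {
            return new Effective(true, false, false, true); // forced to [1, 0, 0, 1]
        }
        return new Effective(true, allowRandNumUserOverride, allowRandNumOnURL, false);
    }

    public static void main(String[] args) {
        Set<String> distinct = new LinkedHashSet<>();
        for (int bits = 0; bits < 16; bits++) { // every raw combination of the 4 flags
            boolean v = (bits & 8) != 0, o = (bits & 4) != 0, a = (bits & 2) != 0, i = (bits & 1) != 0;
            Effective e = resolve(v, o, a, i);
            distinct.add(e.toString());
            System.out.printf("%d %d %d %d ==> %s%n", bits >> 3 & 1, bits >> 2 & 1, bits >> 1 & 1, bits & 1, e);
        }
        System.out.println("distinct effective configurations: " + distinct.size());
    }
}
```

Running main prints each raw combination beside its effective result and the number of distinct effective configurations, which should agree with the 6 the page states.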
Field Summary

Modifier and Type | Field
static java.lang.String | PROPERTY_ALLOW_RAND_NUM_ON_URL
static java.lang.String | PROPERTY_CSRF_PROTECTION_ENABLED
static java.lang.String | PROPERTY_INVALIDATE_RAND_NUM_ON_URL
static java.lang.String | PROPERTY_OVERRIDE_CSRF_CHECK_FAIL

Constructor Summary

CSRFHelper()

Method Summary (all methods are static and concrete)

Modifier and Type | Method
static boolean | allowUserOverride()
static boolean | errorOnExposedTokens()
static boolean | invalidateExposedTokens()
static boolean | isCSRFEnabled()

Field Detail

PROPERTY_CSRF_PROTECTION_ENABLED
public static final java.lang.String PROPERTY_CSRF_PROTECTION_ENABLED

PROPERTY_OVERRIDE_CSRF_CHECK_FAIL
public static final java.lang.String PROPERTY_OVERRIDE_CSRF_CHECK_FAIL

PROPERTY_ALLOW_RAND_NUM_ON_URL
public static final java.lang.String PROPERTY_ALLOW_RAND_NUM_ON_URL

PROPERTY_INVALIDATE_RAND_NUM_ON_URL
public static final java.lang.String PROPERTY_INVALIDATE_RAND_NUM_ON_URL