Class CSRFHelper


  • public class CSRFHelper
    extends java.lang.Object
    The following 4 flags govern the behavior of CSRF protection in MicroStrategy Web:

      • validateRandNum - Whether to turn on CSRF protection or not
      • allowRandNumUserOverride - Allow the user to choose to proceed with the request even if a CSRF error is encountered (not safe if true!)
      • allowRandNumOnURL - Whether to error out if the CSRF random token is exposed in the URL (not safe if true!)
      • invalidateRandNumOnURL - Whether to invalidate random tokens exposed in the URL (new option)

    Customers who turn on invalidateRandNumOnURL are concerned about security, so we do not want to allow them to choose any option that is not absolutely safe. This class centralizes the logic surrounding these 4 flags: whenever invalidateRandNumOnURL = 1 and validateRandNum = 1, we force allowRandNumUserOverride and allowRandNumOnURL to 0 regardless of their actual values.

      validateRandNum | allowRandNumUserOverride | allowRandNumOnURL | invalidateRandNumOnURL
      0 | X | X | X
      1 | 1 | 1 | 0
      1 | 0 | 1 | 0
      1 | 1 | 0 | 0
      1 | 0 | 0 | 0
      1 | 1 | 1 | 1 ==> [1, 0, 0, 1]
      1 | 0 | 1 | 1 ==> [1, 0, 0, 1]
      1 | 1 | 0 | 1 ==> [1, 0, 0, 1]
      1 | 0 | 0 | 1

    This reduces the number of combinations from 9 to 6.
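    The normalization rule above, as an added example that is not MicroStrategy's own code: the class below takes the four raw flag values, applies the forcing rule from the table, and exposes accessors with the same names as the methods on this page. The class name CsrfFlagsExample, the EffectiveFlags holder, and the mapping of each accessor onto the flags are assumptions for illustration; the real CSRFHelper reads its values from the web configuration, which this example replaces with plain boolean arguments. It also treats the "X" (don't care) flags as 0 when validateRandNum = 0 so that every such input collapses to a single state.

```java
import java.util.LinkedHashSet;
import java.util.Set;

/**
 * Added example, not part of MicroStrategy Web. Models the four CSRF flags and the
 * rule that forces allowRandNumUserOverride and allowRandNumOnURL to 0 whenever
 * validateRandNum = 1 and invalidateRandNumOnURL = 1.
 */
public final class CsrfFlagsExample {

    /** Flag values after normalization (hypothetical holder type). */
    public static final class EffectiveFlags {
        public final boolean validateRandNum;
        public final boolean allowRandNumUserOverride;
        public final boolean allowRandNumOnURL;
        public final boolean invalidateRandNumOnURL;

        EffectiveFlags(boolean v, boolean o, boolean u, boolean i) {
            validateRandNum = v;
            allowRandNumUserOverride = o;
            allowRandNumOnURL = u;
            invalidateRandNumOnURL = i;
        }

        @Override
        public String toString() {
            return "[" + bit(validateRandNum) + ", " + bit(allowRandNumUserOverride) + ", "
                    + bit(allowRandNumOnURL) + ", " + bit(invalidateRandNumOnURL) + "]";
        }

        private static int bit(boolean b) { return b ? 1 : 0; }
    }

    /** Applies the forcing rule from the table to raw configuration values. */
    public static EffectiveFlags normalize(boolean validateRandNum,
                                           boolean allowRandNumUserOverride,
                                           boolean allowRandNumOnURL,
                                           boolean invalidateRandNumOnURL) {
        if (!validateRandNum) {
            // Row "0 | X | X | X": protection is off, the other flags do not matter.
            // Assumption: report them as 0 so all such inputs map to one state.
            return new EffectiveFlags(false, false, false, false);
        }
        if (invalidateRandNumOnURL) {
            // Strict mode requested: the two unsafe options are forced to 0
            // regardless of what the configuration says (rows "==> [1, 0, 0, 1]").
            return new EffectiveFlags(true, false, false, true);
        }
        // invalidateRandNumOnURL = 0: the configured values are used as-is.
        return new EffectiveFlags(true, allowRandNumUserOverride, allowRandNumOnURL, false);
    }

    // Accessors named after the methods on this page; the mapping onto the
    // flags is this example's reading of the flag descriptions, not the real bodies.
    public static boolean isCSRFEnabled(EffectiveFlags f) {
        return f.validateRandNum;
    }

    public static boolean invalidateExposedTokens(EffectiveFlags f) {
        return f.validateRandNum && f.invalidateRandNumOnURL;
    }

    public static boolean errorOnExposedTokens(EffectiveFlags f) {
        // A token exposed in the URL is an error unless allowRandNumOnURL permits it.
        return f.validateRandNum && !f.allowRandNumOnURL;
    }

    public static boolean allowUserOverride(EffectiveFlags f) {
        return f.validateRandNum && f.allowRandNumUserOverride;
    }

    /** Enumerates all 16 raw combinations and counts the distinct effective states. */
    public static void main(String[] args) {
        Set<String> distinct = new LinkedHashSet<>();
        for (int bits = 0; bits < 16; bits++) {
            boolean v = (bits & 8) != 0;
            boolean o = (bits & 4) != 0;
            boolean u = (bits & 2) != 0;
            boolean i = (bits & 1) != 0;
            EffectiveFlags f = normalize(v, o, u, i);
            System.out.printf("raw [%d, %d, %d, %d] ==> %s  enabled=%b invalidate=%b error=%b override=%b%n",
                    v ? 1 : 0, o ? 1 : 0, u ? 1 : 0, i ? 1 : 0, f,
                    isCSRFEnabled(f), invalidateExposedTokens(f),
                    errorOnExposedTokens(f), allowUserOverride(f));
            distinct.add(f.toString());
        }
        System.out.println("distinct effective states: " + distinct.size());
    }
}
```

    Running the enumeration shows why the forcing rule belongs in one place: any code path that reads allowRandNumUserOverride or allowRandNumOnURL directly from configuration, instead of through the normalized accessors, would honor the unsafe values in exactly the strict-mode rows the table collapses.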
    • Field Detail

      • PROPERTY_CSRF_PROTECTION_ENABLED

        public static final java.lang.String PROPERTY_CSRF_PROTECTION_ENABLED
        See Also:
        Constant Field Values
      • PROPERTY_OVERRIDE_CSRF_CHECK_FAIL

        public static final java.lang.String PROPERTY_OVERRIDE_CSRF_CHECK_FAIL
        See Also:
        Constant Field Values
      • PROPERTY_ALLOW_RAND_NUM_ON_URL

        public static final java.lang.String PROPERTY_ALLOW_RAND_NUM_ON_URL
        See Also:
        Constant Field Values
      • PROPERTY_INVALIDATE_RAND_NUM_ON_URL

        public static final java.lang.String PROPERTY_INVALIDATE_RAND_NUM_ON_URL
        See Also:
        Constant Field Values
    • Constructor Detail

      • CSRFHelper

        public CSRFHelper()
    • Method Detail

      • isCSRFEnabled

        public static boolean isCSRFEnabled()
      • invalidateExposedTokens

        public static boolean invalidateExposedTokens()
      • errorOnExposedTokens

        public static boolean errorOnExposedTokens()
      • allowUserOverride

        public static boolean allowUserOverride()