use of java.util.Arrays in project flow by vaadin.
the class CsrfIndexHtmlRequestListener method ensureCsrfTokenCookieIsSet.
/**
 * Makes sure the response carries a CSRF token cookie unless a token is already in place.
 *
 * <p>Returns without touching the response when {@code isSpringCsrfTokenPresent(request)} is
 * true, or when the request already has a cookie named {@link ApplicationConstants#CSRF_TOKEN}
 * with a non-empty value. Otherwise a fresh random token is generated and added to the response
 * as a cookie whose path is the request's context path ({@code "/"} when that is null or empty).
 *
 * @param request the current request; its cookies, secure flag and context path are read
 * @param response the response the newly created cookie is added to
 */
private void ensureCsrfTokenCookieIsSet(VaadinRequest request, VaadinResponse response) {
    if (isSpringCsrfTokenPresent(request)) {
        return;
    }

    final Cookie[] requestCookies = request.getCookies();
    final Stream<Cookie> cookieStream =
            requestCookies == null ? Stream.<Cookie>empty() : Arrays.stream(requestCookies);
    // Only the first cookie carrying the token name is looked at. Its value is accepted as the
    // client presented it; no format or origin check happens in this method.
    final boolean hasUsableToken = cookieStream
            .filter(candidate -> candidate.getName().equals(ApplicationConstants.CSRF_TOKEN))
            .findFirst()
            .map(Cookie::getValue)
            .filter(value -> !value.isEmpty())
            .isPresent();
    if (hasUsableToken) {
        return;
    }

    /*
     * RFC 4122 section 6 notwithstanding, a UUID is adequate as a security token in this
     * case: a type 4 UUID carries 122 random bits, and UUID.randomUUID() is specified to
     * draw them from a cryptographically strong generator.
     */
    final Cookie tokenCookie =
            new Cookie(ApplicationConstants.CSRF_TOKEN, UUID.randomUUID().toString());

    // The Secure flag mirrors what the container reports for this request.
    // NOTE(review): behind a TLS-terminating proxy isSecure() can be false unless forwarded
    // headers are handled, which would leave the cookie without Secure - confirm per deployment.
    tokenCookie.setSecure(request.isSecure());

    final String contextPath = request.getContextPath();
    final boolean noContextPath = contextPath == null || contextPath.isEmpty();
    tokenCookie.setPath(noContextPath ? "/" : contextPath);

    // HttpOnly is switched off explicitly; presumably client-side script has to read the
    // token - confirm against the client code. No SameSite attribute or max-age is set here.
    tokenCookie.setHttpOnly(false);

    response.addCookie(tokenCookie);
}