com.google.gerrit.server.mail

Class SignedToken

java.lang.Object

com.google.gerrit.server.mail.SignedToken

public class SignedToken
extends Object

Utility function to compute and verify XSRF tokens.

SignedTokenEmailTokenVerifier uses this class to verify tokens appearing in the custom xsrfKey JSON request property. The tokens protect against cross-site request forgery by depending upon the browser's security model. The classic browser security model prohibits a script from site A from reading any data received from site B. By sending unforgeable tokens from the server and asking the client to return them to us, the client script must have had read access to the token at some point and is therefore also from our server.

Constructor Summary

Constructors

Constructor and Description
SignedToken(int age, String keyBase64) Create a new utility, using the specific key.

Method Summary

Modifier and Type	Method and Description
static String	generateRandomKey() Generate a random key for use with the XSRF library.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SignedToken

public SignedToken(int age,
                   String keyBase64)
            throws XsrfException

Create a new utility, using the specific key.

Parameters:

age - the number of seconds a token may remain valid.

keyBase64 - base 64 encoded representation of the key.

Throws:

XsrfException - the JVM doesn't support the necessary algorithms.

Method Detail

generateRandomKey

public static String generateRandomKey()

Generate a random key for use with the XSRF library.

Returns:

a new private key, base 64 encoded.