in redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/RequestValidationInterceptor.java [477:523]
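/**
 * Validates the XSRF token carried in the {@code X_XSRF_TOKEN} request header against the
 * currently authenticated user and aborts the request with {@code 403 Forbidden} on any failure.
 * <p>
 * Only restricted services are checked: if the {@link RedbackAuthorization} of the target resource
 * reports {@code noRestriction()}, the request passes through untouched. For restricted services
 * the request is rejected when the header is missing or empty, when the token cannot be decrypted,
 * when no authentication result or logged-in user is available, or when the token is not valid or
 * was issued for a different username than the one currently logged in.
 * <p>
 * Every rejection path returns immediately after aborting the request, so the trailing
 * "Token validated" debug message is only emitted when the check actually passed (or was skipped
 * for an unrestricted service).
 *
 * @param containerRequestContext the JAX-RS request context that is aborted on failure
 * @param request                 the servlet request whose headers are inspected
 */
private void checkValidationToken( ContainerRequestContext containerRequestContext, HttpServletRequest request )
{
    RedbackAuthorization redbackAuthorization = getRedbackAuthorization( resourceInfo );
    // We check only services that are restricted
    if ( !redbackAuthorization.noRestriction() )
    {
        String tokenString = request.getHeader( X_XSRF_TOKEN );
        if ( tokenString == null || tokenString.length() == 0 )
        {
            log.warn( "No validation token header found: {}", X_XSRF_TOKEN );
            abortForbidden( containerRequestContext );
            return;
        }
        try
        {
            TokenData td = tokenManager.decryptToken( tokenString );
            AuthenticationResult auth = getAuthenticationResult( containerRequestContext, httpAuthenticator, request );
            if ( auth == null )
            {
                log.error( "Not authentication data found" );
                abortForbidden( containerRequestContext );
                return;
            }
            User loggedIn = auth.getUser();
            if ( loggedIn == null )
            {
                log.error( "User not logged in" );
                abortForbidden( containerRequestContext );
                return;
            }
            String username = loggedIn.getUsername();
            // Compare from the side we know is non-null-checked: a token without a user (null)
            // must be rejected rather than raise a NullPointerException out of the interceptor.
            if ( !td.isValid() || username == null || !username.equals( td.getUser() ) )
            {
                log.error( "Invalid data in validation token header {} for user {}: isValid={}, username={}",
                           X_XSRF_TOKEN, username, td.isValid(), td.getUser() );
                abortForbidden( containerRequestContext );
                return;
            }
        }
        catch ( InvalidTokenException e )
        {
            log.error( "Token validation failed {}", e.getMessage() );
            abortForbidden( containerRequestContext );
            return;
        }
    }
    log.debug( "Token validated" );
}

/**
 * Aborts the given request with an empty {@code 403 Forbidden} response.
 *
 * @param containerRequestContext the request context to abort
 */
private static void abortForbidden( ContainerRequestContext containerRequestContext )
{
    containerRequestContext.abortWith( Response.status( Response.Status.FORBIDDEN ).build() );
}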