Package hudson.security.csrf
Class CrumbIssuer
java.lang.Object
hudson.security.csrf.CrumbIssuer
- All Implemented Interfaces:
ExtensionPoint, Describable<CrumbIssuer>
- Direct Known Subclasses:
DefaultCrumbIssuer
@ExportedBean
@StaplerAccessibleType
public abstract class CrumbIssuer
extends Object
implements Describable<CrumbIssuer>, ExtensionPoint
A CrumbIssuer represents an algorithm to generate a nonce value, known as a
crumb, to counter cross site request forgery exploits. Crumbs are typically
hashes incorporating information that uniquely identifies an agent that sends
a request, along with a guarded secret so that the crumb value cannot be
forged by a third party.
- Author:
- dty
-
Nested Class Summary
Nested classes/interfaces inherited from interface hudson.ExtensionPoint:
ExtensionPoint.LegacyInstancesAreScopedToHudson
-
Method Summary
- all(): Returns all the registered CrumbIssuer descriptors.
- getApi()
- getCrumb(): Get a crumb value based on user specific information in the current request.
- getCrumb(javax.servlet.ServletRequest request): Get a crumb value based on user specific information in the request.
- getCrumbRequestField: Get the name of the request parameter the crumb will be stored in.
- getDescriptor: Access global configuration for the crumb issuer.
- static void initStaplerCrumbIssuer: Sets up Stapler to use our crumb issuer.
- protected abstract String issueCrumb(javax.servlet.ServletRequest request, String salt): Create a crumb value based on user specific information in the request.
- boolean validateCrumb(javax.servlet.ServletRequest request): Get a crumb from a request parameter and validate it against other data in the current request.
- boolean validateCrumb(javax.servlet.ServletRequest request, MultipartFormDataParser parser): Get a crumb from multipart form data and validate it against other data in the current request.
- abstract boolean validateCrumb(javax.servlet.ServletRequest request, String salt, String crumb): Validate a previously created crumb against information in the current request.
-
Field Details
-
DEFAULT_CRUMB_NAME
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
public static final String DEFAULT_CRUMB_NAME
-
-
Constructor Details
-
CrumbIssuer
public CrumbIssuer()
-
-
Method Details
-
getCrumbRequestField
Get the name of the request parameter the crumb will be stored in. Exposed here for the remote API.
-
getCrumb
Get a crumb value based on user specific information in the current request. Intended for use only by the remote API.
-
getCrumb
Get a crumb value based on user specific information in the request.
-
issueCrumb
Create a crumb value based on user specific information in the request. The crumb should be generated by building a cryptographic hash of:
- relevant information in the request that can uniquely identify the client
- the salt value
- an implementation specific guarded secret.
-
validateCrumb
public boolean validateCrumb(javax.servlet.ServletRequest request)
Get a crumb from a request parameter and validate it against other data in the current request. The salt and request parameter that are used are defined by the current configuration.
-
validateCrumb
Get a crumb from multipart form data and validate it against other data in the current request. The salt and request parameter that are used are defined by the current configuration.
-
validateCrumb
public abstract boolean validateCrumb(javax.servlet.ServletRequest request, String salt, String crumb)
Validate a previously created crumb against information in the current request.
- Parameters:
crumb - The previously generated crumb to validate against information in the current request
-
getDescriptor
Access global configuration for the crumb issuer.
- Specified by:
getDescriptor in interface Describable<CrumbIssuer>
-
all
Returns all the registered CrumbIssuer descriptors.
-
getApi
-
initStaplerCrumbIssuer
Sets up Stapler to use our crumb issuer.
-