KEYCLOAK-5664 (#4604)

2017-11-07 10:09:34 +01:00 · 2017-11-07 10:09:34 +01:00 · b1a05dfce2
commit b1a05dfce2
parent 1db3134df8
1 changed files with 15 additions and 19 deletions
--- a/services/src/main/java/org/keycloak/services/resources/WelcomeResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/WelcomeResource.java
@ -116,9 +116,7 @@ public class WelcomeResource {
                throw new WebApplicationException(Response.Status.BAD_REQUEST);
            }

-            String cookieStateChecker = getCsrfCookie();
-            String formStateChecker = formData.getFirst("stateChecker");
-            csrfCheck(cookieStateChecker, formStateChecker);
+            csrfCheck(formData);

            String username = formData.getFirst("username");
            String password = formData.getFirst("password");
@ -183,7 +181,7 @@ public class WelcomeResource {
                map.put("localUser", isLocal);

                if (isLocal) {
-                    String stateChecker = updateCsrfChecks();
+                    String stateChecker = setCsrfCookie();
                    map.put("stateChecker", stateChecker);
                }
            }
@ -242,25 +240,23 @@ public class WelcomeResource {
        return inetAddress.isAnyLocalAddress() || inetAddress.isLoopbackAddress();
    }

-    private String updateCsrfChecks() {
-        String stateChecker = getCsrfCookie();
-        if (stateChecker != null) {
-            return stateChecker;
-        } else {
-            stateChecker = Base64Url.encode(KeycloakModelUtils.generateSecret());
-            String cookiePath = uriInfo.getPath();
-            boolean secureOnly = uriInfo.getRequestUri().getScheme().equalsIgnoreCase("https");
-            CookieHelper.addCookie(KEYCLOAK_STATE_CHECKER, stateChecker, cookiePath, null, null, -1, secureOnly, true);
-            return stateChecker;
-        }
+    private String setCsrfCookie() {
+        String stateChecker = Base64Url.encode(KeycloakModelUtils.generateSecret());
+        String cookiePath = uriInfo.getPath();
+        boolean secureOnly = uriInfo.getRequestUri().getScheme().equalsIgnoreCase("https");
+        CookieHelper.addCookie(KEYCLOAK_STATE_CHECKER, stateChecker, cookiePath, null, null, -1, secureOnly, true);
+        return stateChecker;
    }

-    private String getCsrfCookie() {
+    private void csrfCheck(final MultivaluedMap<String, String> formData) {
+        String formStateChecker = formData.getFirst("stateChecker");
        Cookie cookie = headers.getCookies().get(KEYCLOAK_STATE_CHECKER);
-        return cookie==null ? null : cookie.getValue();
-    }
+        if (cookie == null) {
+            throw new ForbiddenException();
+        }
+
+        String cookieStateChecker = cookie.getValue();

-    private void csrfCheck(String cookieStateChecker, String formStateChecker) {
        if (cookieStateChecker == null || !cookieStateChecker.equals(formStateChecker)) {
            throw new ForbiddenException();
        }