org.owasp.esapi
Class AccessReferenceMap

java.lang.Object
  extended by org.owasp.esapi.AccessReferenceMap
All Implemented Interfaces:
IAccessReferenceMap

public class AccessReferenceMap
extends java.lang.Object
implements IAccessReferenceMap

Reference implementation of the IAccessReferenceMap interface. This implementation generates random 6-character alphanumeric strings for indirect references. It is possible to use simple integers as indirect references, but the random string approach provides a certain level of protection from CSRF attacks, because an attacker would have difficulty guessing the indirect reference.

Since:
June 1, 2007
Author:
Jeff Williams (jeff.williams@aspectsecurity.com)
See Also:
IAccessReferenceMap
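The following is an added usage example, not code from the ESAPI project or this page: it builds a map from a constructed set of account IDs the current user is authorized for, exposes only the random indirect reference in a link, translates the submitted value back on the request side, and shows that a value not in the map is refused. It assumes AccessControlException lives in org.owasp.esapi.errors (the page names it without a package) and that the map is kept per user session.

```java
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;

import org.owasp.esapi.AccessReferenceMap;
// Assumption: the page names AccessControlException without a package; in ESAPI
// it is in org.owasp.esapi.errors. Adjust the import if your version differs.
import org.owasp.esapi.errors.AccessControlException;

public class AccountReferenceExample {

    // Constructed sample data: the account IDs this user is allowed to see.
    // In a real application these come from your authorization layer, and the
    // map is stored in the user's session so its references mean nothing elsewhere.
    static Set authorizedAccounts() {
        Set accounts = new HashSet();
        accounts.add("ACCT-1001");
        accounts.add("ACCT-1002");
        return accounts;
    }

    public static void main(String[] args) {
        AccessReferenceMap map = new AccessReferenceMap(authorizedAccounts());

        // Building a link: put the random indirect reference in the URL, never the real ID.
        String indirect = map.getIndirectReference("ACCT-1001");
        System.out.println("Link given to the browser: /account/view?id=" + indirect);

        // Handling the request: the submitted value would be request.getParameter("id").
        String submitted = indirect;
        try {
            String direct = (String) map.getDirectReference(submitted);
            System.out.println("Resolved to direct reference: " + direct);
        } catch (AccessControlException e) {
            System.out.println("Rejected: " + e.getMessage());
        }

        // A real ID pasted into the parameter is not a key in the map, so it is
        // refused: the user cannot reach an account just by editing the value.
        try {
            map.getDirectReference("ACCT-1003");
        } catch (AccessControlException e) {
            System.out.println("Unknown reference rejected, as expected");
        }

        // Authorization changed (one account added): refresh the map and list
        // the direct references it now holds, which are the only resolvable ones.
        Set updated = authorizedAccounts();
        updated.add("ACCT-1003");
        map.update(updated);
        for (Iterator it = map.iterator(); it.hasNext();) {
            System.out.println("Now mapped: " + it.next());
        }
    }
}
```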

Constructor Summary
AccessReferenceMap()
          This AccessReferenceMap implementation uses short random strings to create a layer of indirection.
AccessReferenceMap(java.util.Set directReferences)
          Instantiates a new access reference map.
 
Method Summary
 java.lang.String addDirectReference(java.lang.Object direct)
          Adds a direct reference and a new random indirect reference, overwriting any existing values.
 java.lang.Object getDirectReference(java.lang.String indirectReference)
          Get the original direct object reference from an indirect reference.
 java.lang.String getIndirectReference(java.lang.Object directReference)
          Get a safe indirect reference to use in place of a potentially sensitive direct object reference.
 java.util.Iterator iterator()
          Get an iterator through the direct object references.
 java.lang.String removeDirectReference(java.lang.Object direct)
          Remove a direct reference and the corresponding indirect reference.
 void update(java.util.Set directReferences)
          Update the map with the given set of direct references.
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

AccessReferenceMap

public AccessReferenceMap()
This AccessReferenceMap implementation uses short random strings to create a layer of indirection. Other possible implementations would use simple integers as indirect references.


AccessReferenceMap

public AccessReferenceMap(java.util.Set directReferences)
Instantiates a new access reference map.

Parameters:
directReferences - the direct references
Method Detail

iterator

public java.util.Iterator iterator()
Description copied from interface: IAccessReferenceMap
Get an iterator through the direct object references.

Specified by:
iterator in interface IAccessReferenceMap
Returns:
the iterator

addDirectReference

public java.lang.String addDirectReference(java.lang.Object direct)
Adds a direct reference and a new random indirect reference, overwriting any existing values.

Specified by:
addDirectReference in interface IAccessReferenceMap
Parameters:
direct - the direct reference to add

removeDirectReference

public java.lang.String removeDirectReference(java.lang.Object direct)
                                       throws AccessControlException
Remove a direct reference and the corresponding indirect reference.

Specified by:
removeDirectReference in interface IAccessReferenceMap
Parameters:
direct - the direct reference to remove
Throws:
AccessControlException

update

public final void update(java.util.Set directReferences)
Update the map with the given set of direct references.

Parameters:
directReferences - the direct references

getIndirectReference

public java.lang.String getIndirectReference(java.lang.Object directReference)
Description copied from interface: IAccessReferenceMap
Get a safe indirect reference to use in place of a potentially sensitive direct object reference. Developers should use this call when building URLs, form fields, hidden fields, etc. to help protect their private implementation information.

Specified by:
getIndirectReference in interface IAccessReferenceMap
Parameters:
directReference - the direct reference
Returns:
the indirect reference

getDirectReference

public java.lang.Object getDirectReference(java.lang.String indirectReference)
                                    throws AccessControlException
Description copied from interface: IAccessReferenceMap
Get the original direct object reference from an indirect reference. Developers should use this when they get an indirect reference from an HTTP request to translate it back into the real direct reference. If an invalid indirectReference is requested, then an AccessControlException is thrown.

Specified by:
getDirectReference in interface IAccessReferenceMap
Parameters:
indirectReference - the indirect reference
Returns:
the direct reference
Throws:
AccessControlException - the access control exception