Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD

org.owasp.esapi
Class RandomAccessReferenceMap

java.lang.Object
  extended byorg.owasp.esapi.RandomAccessReferenceMap
All Implemented Interfaces:
AccessReferenceMap
public class RandomAccessReferenceMap
extends java.lang.Object
implements AccessReferenceMap

Reference implementation of the AccessReferenceMap interface. This implementation generates random 6 character alphanumeric strings for indirect references. It is possible to use simple integers as indirect references, but the random string approach provides a certain level of protection from CSRF attacks, because an attacker would have difficulty guessing the indirect reference.

Since:
June 1, 2007
Author:
Jeff Williams (jeff.williams@aspectsecurity.com)
See Also:
AccessReferenceMap

Constructor Summary
RandomAccessReferenceMap()
          This AccessReferenceMap implementation uses short random strings to create a layer of indirection.
RandomAccessReferenceMap(java.util.Set directReferences)
          Instantiates a new access reference map.
 
Method Summary
 java.lang.String addDirectReference(java.lang.Object direct)
          Adds a direct reference and a new random indirect reference, overwriting any existing values.
 java.lang.Object getDirectReference(java.lang.String indirectReference)
          Get the original direct object reference from an indirect reference.
 java.lang.String getIndirectReference(java.lang.Object directReference)
          Get a safe indirect reference to use in place of a potentially sensitive direct object reference.
 java.util.Iterator iterator()
          Get an iterator through the direct object references.
 java.lang.String removeDirectReference(java.lang.Object direct)
          Remove a direct reference and the corresponding indirect reference.
 void update(java.util.Set directReferences)
          This preserves any existing mappings for items that are still in the new list.
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

RandomAccessReferenceMap

public RandomAccessReferenceMap()
This AccessReferenceMap implementation uses short random strings to create a layer of indirection. Other possible implementations would use simple integers as indirect references.

RandomAccessReferenceMap

public RandomAccessReferenceMap(java.util.Set directReferences)
Instantiates a new access reference map.

Parameters:
directReferences - the direct references
Method Detail

iterator

public java.util.Iterator iterator()
Description copied from interface: AccessReferenceMap
Get an iterator through the direct object references. No guarantee is made as to the order of items returned.

Specified by:
iterator in interface AccessReferenceMap
Returns:
the iterator

addDirectReference

public java.lang.String addDirectReference(java.lang.Object direct)
Adds a direct reference and a new random indirect reference, overwriting any existing values.

Specified by:
addDirectReference in interface AccessReferenceMap
Parameters:
direct -
Returns:
the corresponding indirect reference

removeDirectReference

public java.lang.String removeDirectReference(java.lang.Object direct)
                                       throws AccessControlException
Remove a direct reference and the corresponding indirect reference.

Specified by:
removeDirectReference in interface AccessReferenceMap
Parameters:
direct -
Returns:
the corresponding indirect reference
Throws:
AccessControlException - FIXME Why might we throw an ACE here?

update

public final void update(java.util.Set directReferences)
This preserves any existing mappings for items that are still in the new list. You could regenerate new indirect references every time, but that might mess up anything that previously used an indirect reference, such as a URL parameter.

Parameters:
directReferences - the direct references

getIndirectReference

public java.lang.String getIndirectReference(java.lang.Object directReference)
Description copied from interface: AccessReferenceMap
Get a safe indirect reference to use in place of a potentially sensitive direct object reference. Developers should use this call when building URL's, form fields, hidden fields, etc... to help protect their private implementation information.

Specified by:
getIndirectReference in interface AccessReferenceMap
Parameters:
directReference - the direct reference
Returns:
the indirect reference

getDirectReference

public java.lang.Object getDirectReference(java.lang.String indirectReference)
                                    throws AccessControlException
Description copied from interface: AccessReferenceMap
Get the original direct object reference from an indirect reference. Developers should use this when they get an indirect reference from a request to translate it back into the real direct reference. If an invalid indirectReference is requested, then an AccessControlException is thrown.

Specified by:
getDirectReference in interface AccessReferenceMap
Parameters:
indirectReference - the indirect reference
Returns:
the direct reference
Throws:
AccessControlException - if no direct reference exists for the specified indirect reference
Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD