Play Framework/Scala example source code file (RequireCSRFCheckAction.java)
The RequireCSRFCheckAction.java Play Framework example source code
/*
* Copyright (C) 2009-2013 Typesafe Inc. <http://www.typesafe.com>
*/
package play.filters.csrf;
import play.api.mvc.RequestHeader;
import play.libs.F;
import play.mvc.Action;
import play.mvc.Http;
import play.mvc.Result;
import scala.Option;
/**
 * Action behind the {@code RequireCSRFCheck} annotation: the wrapped action
 * ({@code delegate}) only runs when the request is exempt from the CSRF check or
 * carries a token that matches the one stored for the client.
 *
 * <p>The stored token is read through {@code CSRFAction.getTokenFromHeader} (cookie or
 * session, depending on the configured cookie name). The submitted token is taken from
 * the query string or, failing that, from a form-url-encoded or multipart body. Any
 * other outcome is routed to the configured {@code CSRFErrorHandler}.
 */
public class RequireCSRFCheckAction extends Action<RequireCSRFCheck> {

    private final String tokenName = CSRFConf$.MODULE$.TokenName();
    private final Option<String> cookieName = CSRFConf$.MODULE$.CookieName();
    private final CSRFAction$ CSRFAction = CSRFAction$.MODULE$;
    private final CSRF.TokenProvider tokenProvider = CSRFConf$.MODULE$.defaultTokenProvider();

    /**
     * Runs the CSRF check and either delegates to the wrapped action or returns the
     * error handler's result.
     *
     * @param ctx the current HTTP context
     * @return the delegate's result when the check passes or is bypassed, otherwise the
     *         result produced by the configured error handler
     * @throws Throwable whatever the delegate or the error handler throws
     */
    @Override
    public F.Promise<Result> call(Http.Context ctx) throws Throwable {
        RequestHeader request = ctx._requestHeader();

        // Exempt requests skip the check entirely. The exemption rules live in
        // CSRFAction.checkCsrfBypass and are not visible here; review them together
        // with this class, since they define which requests are never verified.
        if (CSRFAction.checkCsrfBypass(request)) {
            return delegate.call(ctx);
        }

        // Token the server previously handed to this client (cookie or session).
        Option<String> expected = CSRFAction.getTokenFromHeader(request, tokenName, cookieName);
        if (!expected.isDefined()) {
            // NOTE(review): the message says "session" even when a cookie name is
            // configured; presumably kept for compatibility with existing handlers.
            return F.Promise.pure(handleTokenError("CSRF token not found in session"));
        }

        // The query string wins over the body. A token placed in the URL can end up in
        // access logs, browser history and Referer headers, so callers are better off
        // submitting it in the body.
        Option<String> fromQuery = CSRFAction.getTokenFromQueryString(request, tokenName);
        String submitted = fromQuery.isDefined() ? fromQuery.get() : tokenFromBody(ctx);
        if (submitted == null) {
            return F.Promise.pure(handleTokenError("CSRF token not found in body or query string"));
        }

        // NOTE(review): whether compareTokens is constant-time, and how it treats signed
        // tokens, is decided by the TokenProvider and cannot be told from this class.
        if (!tokenProvider.compareTokens(submitted, expected.get())) {
            return F.Promise.pure(handleTokenError("CSRF tokens don't match"));
        }
        return delegate.call(ctx);
    }

    /**
     * Looks up the first value of the token field in the request body.
     *
     * <p>Only form-url-encoded and multipart bodies are inspected; a form-url-encoded
     * body takes priority and, when present, the multipart view is not consulted. A
     * body of any other kind yields {@code null}, which the caller treats as a missing
     * token.
     *
     * @param ctx the current HTTP context
     * @return the first submitted value for the token field, or {@code null} if absent
     */
    private String tokenFromBody(Http.Context ctx) {
        String[] candidates;
        if (ctx.request().body().asFormUrlEncoded() != null) {
            candidates = ctx.request().body().asFormUrlEncoded().get(tokenName);
        } else if (ctx.request().body().asMultipartFormData() != null) {
            candidates = ctx.request().body().asMultipartFormData().asFormUrlEncoded().get(tokenName);
        } else {
            return null;
        }
        // Only the first occurrence of the field is used; later duplicates are ignored.
        return (candidates != null && candidates.length > 0) ? candidates[0] : null;
    }

    /**
     * Builds the failure result through the error handler named in the annotation.
     *
     * <p>A fresh handler is created with {@code newInstance()} for every failure.
     *
     * @param msg description of why the check failed, passed to the handler as-is
     * @return the handler's result
     * @throws Exception if the handler cannot be instantiated or fails
     */
    private Result handleTokenError(String msg) throws Exception {
        // NOTE(review): the handler receives the raw reason string; confirm the handler
        // in use does not echo more detail to the client than intended.
        CSRFErrorHandler errorHandler = configuration.error().newInstance();
        return errorHandler.handle(msg);
    }
}