New tests.

[mono.git] / mcs / class / System.Web.Mvc2 / System.Web.Mvc / ValidateAntiForgeryTokenAttribute.cs

/* ****************************************************************************\r
 *\r
 * Copyright (c) Microsoft Corporation. All rights reserved.\r
 *\r
 * This software is subject to the Microsoft Public License (Ms-PL). \r
 * A copy of the license can be found in the license.htm file included \r
 * in this distribution.\r
 *\r
 * You must not remove this notice, or any other, from this software.\r
 *\r
 * ***************************************************************************/\r
\r
namespace System.Web.Mvc {\r
    using System;\r
    using System.Web;\r
    using System.Web.Mvc.Resources;\r
\r
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]\r
    public sealed class ValidateAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter {\r
\r
        private string _salt;\r
        private AntiForgeryDataSerializer _serializer;\r
\r
        public string Salt {\r
            get {\r
                return _salt ?? String.Empty;\r
            }\r
            set {\r
                _salt = value;\r
            }\r
        }\r
\r
        internal AntiForgeryDataSerializer Serializer {\r
            get {\r
                if (_serializer == null) {\r
                    _serializer = new AntiForgeryDataSerializer();\r
                }\r
                return _serializer;\r
            }\r
            set {\r
                _serializer = value;\r
            }\r
        }\r
\r
        private bool ValidateFormToken(AntiForgeryData token) {\r
            return (String.Equals(Salt, token.Salt, StringComparison.Ordinal));\r
        }\r
\r
        private static HttpAntiForgeryException CreateValidationException() {\r
            return new HttpAntiForgeryException(MvcResources.AntiForgeryToken_ValidationFailed);\r
        }\r
\r
        public void OnAuthorization(AuthorizationContext filterContext) {\r
            if (filterContext == null) {\r
                throw new ArgumentNullException("filterContext");\r
            }\r
\r
            string fieldName = AntiForgeryData.GetAntiForgeryTokenName(null);\r
            string cookieName = AntiForgeryData.GetAntiForgeryTokenName(filterContext.HttpContext.Request.ApplicationPath);\r
\r
            HttpCookie cookie = filterContext.HttpContext.Request.Cookies[cookieName];\r
            if (cookie == null || String.IsNullOrEmpty(cookie.Value)) {\r
                // error: cookie token is missing\r
                throw CreateValidationException();\r
            }\r
            AntiForgeryData cookieToken = Serializer.Deserialize(cookie.Value);\r
\r
            string formValue = filterContext.HttpContext.Request.Form[fieldName];\r
            if (String.IsNullOrEmpty(formValue)) {\r
                // error: form token is missing\r
                throw CreateValidationException();\r
            }\r
            AntiForgeryData formToken = Serializer.Deserialize(formValue);\r
\r
            if (!String.Equals(cookieToken.Value, formToken.Value, StringComparison.Ordinal)) {\r
                // error: form token does not match cookie token\r
                throw CreateValidationException();\r
            }\r
\r
            string currentUsername = AntiForgeryData.GetUsername(filterContext.HttpContext.User);\r
            if (!String.Equals(formToken.Username, currentUsername, StringComparison.OrdinalIgnoreCase)) {\r
                // error: form token is not valid for this user\r
                // (don't care about cookie token)\r
                throw CreateValidationException();\r
            }\r
\r
            if (!ValidateFormToken(formToken)) {\r
                // error: custom validation failed\r
                throw CreateValidationException();\r
            }\r
        }\r
\r
    }\r
}\r