Saturday, February 7, 2026

Invoke Servlet from index.html

 


Servlet

// src/main/java/com/example/web/CsrfStateServlet.java
package com.example.web;

import com.example.security.StateUtil;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.*;

import java.io.IOException;

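/**
 * Issues a fresh OAuth {@code state} value and binds it to the caller's HTTP session.
 *
 * <p>The value is stored in the session under the attribute {@code "oauth_state"} and is also
 * returned to the client as a small JSON document ({@code {"state":"..."}}), so the page can
 * attach it to the authorization request.
 *
 * <p>NOTE(review): the code that consumes {@code "oauth_state"} on the OAuth callback is not
 * part of this listing. The state only protects against CSRF if that handler compares the
 * returned value with the stored one and removes the attribute after a single use.
 */
@WebServlet("/api/oauth/state")
public class CsrfStateServlet extends HttpServlet {
    /**
     * Generates a new state token, stores it in the session and writes it out as JSON.
     *
     * @param req  the incoming request; a session is created if none exists yet
     * @param resp the response that receives the JSON body
     * @throws IOException if the response writer cannot be obtained or written
     */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {

        // getSession(true) creates a session on first contact, so an unauthenticated
        // visitor also gets a state value tied to their own session cookie.
        HttpSession session = req.getSession(true);
        String state = StateUtil.generateState();
        // Every call overwrites the previous value: only the most recently issued state is
        // held for this session (a second tab starting a flow replaces the first one's state).
        session.setAttribute("oauth_state", state);

        // The state is a per-session anti-CSRF secret delivered over GET. Forbid storing it
        // so neither the browser cache nor an intermediary can replay it to another request.
        resp.setHeader("Cache-Control", "no-store");
        resp.setContentType("application/json; charset=UTF-8");
        // The value is interpolated without JSON escaping. That is safe only because
        // StateUtil.generateState() emits unpadded URL-safe Base64 (no quotes or backslashes).
        resp.getWriter().printf("{\"state\":\"%s\"}", state);
    }
}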

// src/main/java/com/example/security/StateUtil.java
package com.example.security;

import java.security.SecureRandom;
import java.util.Base64;

public final class StateUtil {
    private static final SecureRandom RANDOM = new SecureRandom();

    private StateUtil() {}

    public static String generateState() {
        byte[] bytes = new byte[24]; // 192 bits
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }
}

Set-Cookie


