package org.directwebremoting.dwrp;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.directwebremoting.extend.Handler;

/* loaded from: input_file:WEB-INF/lib/dwr-3.0.RC1.jar:org/directwebremoting/dwrp/BaseDwrpHandler.class */
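/**
 * Shared request-validation logic for the DWRP handlers: a GET gate and a
 * session-id based CSRF check. Concrete handlers call the two {@code check*}
 * methods before acting on a batch.
 *
 * <p>Decompiler note: {@link #checkGetAllowed} and {@link #checkNotCsrfAttack}
 * are reported as {@code protected} in the original source; the decompiled
 * signatures are kept here unchanged.
 */
public abstract class BaseDwrpHandler implements Handler {
    /** When true, the session id carried in the batch must match the cookie session id. */
    private boolean crossDomainSessionSecurity = true;
    /** When true, GET batches are accepted; the field name records the trade-off. */
    private boolean allowGetForSafariButMakeForgeryEasier = false;
    /** Name of the cookie that carries the servlet session id. */
    private String sessionCookieName = "JSESSIONID";
    private static final Log log = LogFactory.getLog(BaseDwrpHandler.class);

    /**
     * Rejects batches that arrived via GET unless GET has been explicitly enabled.
     *
     * @param batch the incoming batch; only {@code isGet()} is consulted
     * @throws SecurityException if the batch is a GET and GET is disallowed
     */
    public void checkGetAllowed(Batch batch) {
        if (this.allowGetForSafariButMakeForgeryEasier || !batch.isGet()) {
            return;
        }
        log.error("GET is disallowed because it makes request forgery easier. See http://getahead.org/dwr/security/allowGetForSafariButMakeForgeryEasier for more details.");
        throw new SecurityException("GET Disallowed");
    }

    /**
     * Verifies that the session id the client echoed in the batch matches the
     * session id the container established from a cookie. A cross-origin page
     * cannot read the cookie, so a mismatch indicates a forged request.
     *
     * <p>The check is skipped when cross-domain session security is disabled,
     * when the requested session id is not valid or did not come from a cookie,
     * or when no session id was requested at all (there is nothing to protect).
     *
     * @param httpServletRequest the current request (session id and cookies are read from it)
     * @param batch the parsed batch carrying the client-supplied session id
     * @throws SecurityException if the batch session id matches neither the
     *     requested session id nor the value of the configured session cookie
     */
    public void checkNotCsrfAttack(HttpServletRequest httpServletRequest, Batch batch) {
        if (!this.crossDomainSessionSecurity
                || !httpServletRequest.isRequestedSessionIdValid()
                || !httpServletRequest.isRequestedSessionIdFromCookie()) {
            return;
        }
        String requestedSessionId = httpServletRequest.getRequestedSessionId();
        if (requestedSessionId == null || requestedSessionId.length() == 0) {
            return;
        }
        String httpSessionId = batch.getHttpSessionId();
        if (constantTimeEquals(requestedSessionId, httpSessionId)) {
            return;
        }
        // The servlet API returns null (not an empty array) when the request carries no cookies;
        // treat that exactly like "no matching cookie" instead of failing with an NPE.
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                if (cookie.getName().equals(this.sessionCookieName)
                        && constantTimeEquals(cookie.getValue(), httpSessionId)) {
                    return;
                }
            }
        }
        log.error("A request has been denied as a potential CSRF attack.");
        throw new SecurityException("CSRF Security Error");
    }

    /**
     * Compares two session identifiers without short-circuiting on the first
     * differing byte, so response timing reveals at most the lengths, not the
     * matching prefix. Returns {@code false} when either side is {@code null}.
     */
    private static boolean constantTimeEquals(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                actual.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Enables or disables the session-id CSRF check in {@link #checkNotCsrfAttack}.
     *
     * @param z {@code true} (the default) to enforce the check
     */
    public void setCrossDomainSessionSecurity(boolean z) {
        this.crossDomainSessionSecurity = z;
    }

    /**
     * Allows GET batches through {@link #checkGetAllowed}. Off by default.
     *
     * @param z {@code true} to accept GET requests
     */
    public void setAllowGetForSafariButMakeForgeryEasier(boolean z) {
        this.allowGetForSafariButMakeForgeryEasier = z;
    }

    /**
     * Sets the name of the cookie consulted by {@link #checkNotCsrfAttack};
     * defaults to {@code "JSESSIONID"}.
     *
     * @param str the session cookie name
     */
    public void setSessionCookieName(String str) {
        this.sessionCookieName = str;
    }
}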
