authorShawn O. Pearce <sop@google.com>2009-08-01 12:21:50 -0700
committerShawn O. Pearce <sop@google.com>2009-08-01 12:21:50 -0700
commit031518ca0cdbddacb29c365669510b6c302203fd (patch)
treea671ab7688c8c535c838fb6712b23689031a532f
parent8cb9c478f0d6c424a35b37d9d592bab899ceaf63 (diff)
downloadgwtjsonrpc-031518ca0cdbddacb29c365669510b6c302203fd.tar.gz
Make XSRF tokens be application-wide
Instead of using a unique XSRF token for each servlet, we now use a token for the entire web application context. Proxies all share the same token, but this can be overridden by the application developer by creating their own XsrfManager instance. Signed-off-by: Shawn O. Pearce <sop@google.com>
-rw-r--r--src/main/java/com/google/gwtjsonrpc/client/AbstractJsonProxy.java19
-rw-r--r--src/main/java/com/google/gwtjsonrpc/client/JsonCall.java7
-rw-r--r--src/main/java/com/google/gwtjsonrpc/client/JsonDefTarget.java24
-rw-r--r--src/main/java/com/google/gwtjsonrpc/client/JsonUtil.java37
-rw-r--r--src/main/java/com/google/gwtjsonrpc/client/XsrfManager.java22
-rw-r--r--src/main/java/com/google/gwtjsonrpc/server/JsonServlet.java2
6 files changed, 101 insertions, 10 deletions
diff --git a/src/main/java/com/google/gwtjsonrpc/client/AbstractJsonProxy.java b/src/main/java/com/google/gwtjsonrpc/client/AbstractJsonProxy.java
index 7ddf123..5e80a62 100644
--- a/src/main/java/com/google/gwtjsonrpc/client/AbstractJsonProxy.java
+++ b/src/main/java/com/google/gwtjsonrpc/client/AbstractJsonProxy.java
@@ -17,20 +17,18 @@ package com.google.gwtjsonrpc.client;
import com.google.gwt.core.client.JavaScriptObject;
import com.google.gwt.user.client.rpc.AsyncCallback;
import com.google.gwt.user.client.rpc.InvocationException;
-import com.google.gwt.user.client.rpc.ServiceDefTarget;
/**
* Base class for generated {@link RemoteJsonService} implementations.
* <p>
* At runtime <code>GWT.create(Foo.class)</code> returns a subclass of this
- * class, implementing the Foo and {@link ServiceDefTarget} interfaces.
+ * class, implementing the Foo and {@link JsonDefTarget} interfaces.
*/
-public abstract class AbstractJsonProxy implements ServiceDefTarget {
+public abstract class AbstractJsonProxy implements JsonDefTarget {
/** URL of the service implementation. */
String url;
- /** Current XSRF token associated with this service. */
- String xsrfKey;
+ private XsrfManager xsrfManager = JsonUtil.getDefaultXsrfManager();
public String getServiceEntryPoint() {
return url;
@@ -40,6 +38,17 @@ public abstract class AbstractJsonProxy implements ServiceDefTarget {
url = address;
}
+ @Override
+ public XsrfManager getXsrfManager() {
+ return xsrfManager;
+ }
+
+ @Override
+ public void setXsrfManager(final XsrfManager m) {
+ assert m != null;
+ xsrfManager = m;
+ }
+
protected <T> void doInvoke(final String methodName, final String reqData,
final ResultDeserializer<T> ser, final AsyncCallback<T> cb)
throws InvocationException {
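Review bot: `setXsrfManager` at the top of this hunk guards its argument only with `assert m != null;`, and GWT strips assertions from production builds, so a null manager is silently stored and every later `proxy.getXsrfManager().getToken(proxy)` call in JsonCall fails with an NPE far away from the caller that passed null. Replace the assertion with an explicit check that survives compilation: `if (m == null) { throw new IllegalArgumentException("XsrfManager must not be null"); }`. The same pattern appears in `JsonUtil.setDefaultXsrfManager` and should get the same treatment. `doInvoke` at the end of the hunk continues outside it.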
diff --git a/src/main/java/com/google/gwtjsonrpc/client/JsonCall.java b/src/main/java/com/google/gwtjsonrpc/client/JsonCall.java
index 1c28260..f34a48d 100644
--- a/src/main/java/com/google/gwtjsonrpc/client/JsonCall.java
+++ b/src/main/java/com/google/gwtjsonrpc/client/JsonCall.java
@@ -60,9 +60,10 @@ class JsonCall<T> implements RequestCallback {
body.append("\",\"params\":[");
body.append(requestParams);
body.append("]");
- if (proxy.xsrfKey != null) {
+ final String xsrfKey = proxy.getXsrfManager().getToken(proxy);
+ if (xsrfKey != null) {
body.append(",\"xsrfKey\":");
- body.append(JsonSerializer.escapeString(proxy.xsrfKey));
+ body.append(JsonSerializer.escapeString(xsrfKey));
}
body.append("}");
@@ -99,7 +100,7 @@ class JsonCall<T> implements RequestCallback {
}
if (r.xsrfKey() != null) {
- proxy.xsrfKey = r.xsrfKey();
+ proxy.getXsrfManager().setToken(proxy, r.xsrfKey());
}
if (r.error() != null) {
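Review bot: The new `setToken` call has wider effect than the old per-proxy field assignment it replaces: with the default manager from JsonUtil, which keeps a single static token, a key returned by one service's response becomes the token every proxy in the page sends from then on, and this happens before the `r.error()` check below, so error responses update it too. That appears to be intended by the commit, but it is not visible from this line, so a comment would help the next reader: `// A server-issued key replaces the shared token; with the default manager this affects every proxy, not just this one.` The enclosing method continues past the end of the hunk.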
diff --git a/src/main/java/com/google/gwtjsonrpc/client/JsonDefTarget.java b/src/main/java/com/google/gwtjsonrpc/client/JsonDefTarget.java
new file mode 100644
index 0000000..be05eca
--- /dev/null
+++ b/src/main/java/com/google/gwtjsonrpc/client/JsonDefTarget.java
@@ -0,0 +1,24 @@
+// Copyright 2009 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gwtjsonrpc.client;
+
+import com.google.gwt.user.client.rpc.ServiceDefTarget;
+
+/** Extension of {@code ServiceDefTarget} with an active {@link XsrfManager}. */
+public interface JsonDefTarget extends ServiceDefTarget {
+ public XsrfManager getXsrfManager();
+
+ public void setXsrfManager(XsrfManager m);
+}
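Review bot: The two methods of the new `JsonDefTarget` interface carry redundant `public` modifiers (interface members are implicitly public) and no Javadoc, while the only implementation, `AbstractJsonProxy`, rejects null in `setXsrfManager` only via an assertion that production builds drop. Drop the modifiers and state the contract where implementors will see it: `/** @return the manager supplying this proxy's XSRF token; never null. */` on `getXsrfManager()` and `/** @param m replacement manager; must not be null. */` on `setXsrfManager(XsrfManager m)`.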
diff --git a/src/main/java/com/google/gwtjsonrpc/client/JsonUtil.java b/src/main/java/com/google/gwtjsonrpc/client/JsonUtil.java
index d793ebd..7f1f47a 100644
--- a/src/main/java/com/google/gwtjsonrpc/client/JsonUtil.java
+++ b/src/main/java/com/google/gwtjsonrpc/client/JsonUtil.java
@@ -38,6 +38,43 @@ public class JsonUtil {
private static final HandlerManager globalHandlers = new HandlerManager(null);
+ private static XsrfManager xsrfManager = new XsrfManager() {
+ private String token;
+
+ @Override
+ public String getToken(JsonDefTarget proxy) {
+ return token;
+ }
+
+ @Override
+ public void setToken(JsonDefTarget proxy, String token) {
+ this.token = token;
+ }
+ };
+
+ private static final XsrfManager defaultXsrfManager = new XsrfManager() {
+ @Override
+ public String getToken(JsonDefTarget proxy) {
+ return xsrfManager.getToken(proxy);
+ }
+
+ @Override
+ public void setToken(JsonDefTarget proxy, String token) {
+ xsrfManager.setToken(proxy, token);
+ }
+ };
+
+ /** A proxy {@link XsrfManager} that always points to the current default. */
+ public static XsrfManager getDefaultXsrfManager() {
+ return defaultXsrfManager;
+ }
+
+ /** Change the current default XsrfManager. */
+ public static void setDefaultXsrfManager(final XsrfManager m) {
+ assert m != null;
+ xsrfManager = m;
+ }
+
/**
* Bind a RemoteJsonService proxy to its server URL.
*
diff --git a/src/main/java/com/google/gwtjsonrpc/client/XsrfManager.java b/src/main/java/com/google/gwtjsonrpc/client/XsrfManager.java
new file mode 100644
index 0000000..6cc1f5e
--- /dev/null
+++ b/src/main/java/com/google/gwtjsonrpc/client/XsrfManager.java
@@ -0,0 +1,22 @@
+// Copyright 2009 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gwtjsonrpc.client;
+
+/** Tracks the current XSRF request token for a proxy. */
+public interface XsrfManager {
+ String getToken(JsonDefTarget proxy);
+
+ void setToken(JsonDefTarget proxy, String token);
+}
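Review bot: The new `XsrfManager` interface documents neither method, and its most important contract is only visible in JsonCall: `getToken` may return null, which JsonCall treats as "no token yet" and then omits the `xsrfKey` field from the request, and `setToken` receives whatever key the server returned in a response. Since application developers are expected to supply their own implementations, spell this out: on `getToken`, `/** @return the token to send with the next request from {@code proxy}, or null if none has been issued yet. */`; on `setToken`, `/** Records a token the server returned for {@code proxy}; implementations may share it across proxies or key it per proxy. */`.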
diff --git a/src/main/java/com/google/gwtjsonrpc/server/JsonServlet.java b/src/main/java/com/google/gwtjsonrpc/server/JsonServlet.java
index 6e696ac..711fcbe 100644
--- a/src/main/java/com/google/gwtjsonrpc/server/JsonServlet.java
+++ b/src/main/java/com/google/gwtjsonrpc/server/JsonServlet.java
@@ -192,8 +192,6 @@ public abstract class JsonServlet<CallType extends ActiveCall> extends
} else {
b.append("anonymous");
}
- b.append('$');
- b.append(req.getServletPath());
final String userpath = b.toString();
final ValidToken t = xsrf.checkToken(call.getXsrfKeyIn(), userpath);
if (t == null || t.needsRefresh()) {
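Review bot: After dropping the `$` + `getServletPath()` suffix, the value passed to `xsrf.checkToken` is just the user identity, so the local named `userpath` no longer contains a path; rename it to `user` or add a comment such as `// Token is bound to the user only, not the servlet path, so one token is valid for every servlet in this application.` so the widened validity scope is explicit at the check. Two consequences are worth confirming, since they are not visible here: the "anonymous" branch above now yields the same identity string for all anonymous callers application-wide, and if several applications share the same `xsrf` token secret, their tokens presumably become interchangeable now that nothing application-specific is mixed in. The enclosing method begins before and continues after this hunk.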