author | Shawn O. Pearce <sop@google.com> | 2009-08-01 12:21:50 -0700 |
---|---|---|
committer | Shawn O. Pearce <sop@google.com> | 2009-08-01 12:21:50 -0700 |
commit | 031518ca0cdbddacb29c365669510b6c302203fd (patch) | |
tree | a671ab7688c8c535c838fb6712b23689031a532f | |
parent | 8cb9c478f0d6c424a35b37d9d592bab899ceaf63 (diff) | |
download | gwtjsonrpc-031518ca0cdbddacb29c365669510b6c302203fd.tar.gz |
Make XSRF tokens be application-wide
Instead of using a unique XSRF token for each servlet, we now use a
token for the entire web application context. Proxies all share the
same token, but this can be overridden by the application developer
by creating their own XsrfManager instance.
Signed-off-by: Shawn O. Pearce <sop@google.com>
6 files changed, 101 insertions, 10 deletions
diff --git a/src/main/java/com/google/gwtjsonrpc/client/AbstractJsonProxy.java b/src/main/java/com/google/gwtjsonrpc/client/AbstractJsonProxy.java
index 7ddf123..5e80a62 100644
--- a/src/main/java/com/google/gwtjsonrpc/client/AbstractJsonProxy.java
+++ b/src/main/java/com/google/gwtjsonrpc/client/AbstractJsonProxy.java
@@ -17,20 +17,18 @@ package com.google.gwtjsonrpc.client;
 import com.google.gwt.core.client.JavaScriptObject;
 import com.google.gwt.user.client.rpc.AsyncCallback;
 import com.google.gwt.user.client.rpc.InvocationException;
-import com.google.gwt.user.client.rpc.ServiceDefTarget;
 /**
  * Base class for generated {@link RemoteJsonService} implementations.
  * <p>
  * At runtime <code>GWT.create(Foo.class)</code> returns a subclass of this
- * class, implementing the Foo and {@link ServiceDefTarget} interfaces.
+ * class, implementing the Foo and {@link JsonDefTarget} interfaces.
  */
-public abstract class AbstractJsonProxy implements ServiceDefTarget {
+public abstract class AbstractJsonProxy implements JsonDefTarget {
   /** URL of the service implementation. */
   String url;
-  /** Current XSRF token associated with this service. */
-  String xsrfKey;
+  private XsrfManager xsrfManager = JsonUtil.getDefaultXsrfManager();
   public String getServiceEntryPoint() {
     return url;
@@ -40,6 +38,17 @@ public abstract class AbstractJsonProxy implements ServiceDefTarget {
     url = address;
   }
+  @Override
+  public XsrfManager getXsrfManager() {
+    return xsrfManager;
+  }
+
+  @Override
+  public void setXsrfManager(final XsrfManager m) {
+    assert m != null;
+    xsrfManager = m;
+  }
+
   protected <T> void doInvoke(final String methodName, final String reqData, final ResultDeserializer<T> ser, final AsyncCallback<T> cb) throws InvocationException {
diff --git a/src/main/java/com/google/gwtjsonrpc/client/JsonCall.java b/src/main/java/com/google/gwtjsonrpc/client/JsonCall.java
index 1c28260..f34a48d 100644
--- a/src/main/java/com/google/gwtjsonrpc/client/JsonCall.java
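Review bot: The new `xsrfManager` field in the first AbstractJsonProxy hunk is the only field in the class without a Javadoc comment, while the neighbouring `url` keeps its `/** URL of the service implementation. */`, and it replaces the documented `xsrfKey`, so a reader following the token now has no pointer to where it lives. Suggest `/** Source of the XSRF token sent with every call; defaults to the application-wide manager from {@link JsonUtil#getDefaultXsrfManager()}. */`. That default is a delegating proxy rather than a snapshot of the current manager (see the JsonUtil hunk), so a later `JsonUtil.setDefaultXsrfManager` call is also picked up by proxies created earlier; that is the behaviour a developer overriding the manager will rely on and is worth one sentence in the same comment.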
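Review bot: `assert m != null;` in `setXsrfManager` is the only guard against a null manager, and the same pattern appears in `JsonUtil.setDefaultXsrfManager` in the JsonUtil hunk. In GWT client code assertions are normally compiled out of the production output, so a null manager would be stored silently and the failure would surface later as an NPE on `proxy.getXsrfManager().getToken(proxy)` in JsonCall, far from the caller that passed null. Suggest an explicit check in both places: `if (m == null) { throw new IllegalArgumentException("XsrfManager is required"); }`. The two `@Override` methods are otherwise straightforward and end inside the hunk.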
+++ b/src/main/java/com/google/gwtjsonrpc/client/JsonCall.java
@@ -60,9 +60,10 @@ class JsonCall<T> implements RequestCallback {
     body.append("\",\"params\":[");
     body.append(requestParams);
     body.append("]");
-    if (proxy.xsrfKey != null) {
+    final String xsrfKey = proxy.getXsrfManager().getToken(proxy);
+    if (xsrfKey != null) {
       body.append(",\"xsrfKey\":");
-      body.append(JsonSerializer.escapeString(proxy.xsrfKey));
+      body.append(JsonSerializer.escapeString(xsrfKey));
     }
     body.append("}");
@@ -99,7 +100,7 @@ class JsonCall<T> implements RequestCallback {
     }
     if (r.xsrfKey() != null) {
-      proxy.xsrfKey = r.xsrfKey();
+      proxy.getXsrfManager().setToken(proxy, r.xsrfKey());
     }
     if (r.error() != null) {
diff --git a/src/main/java/com/google/gwtjsonrpc/client/JsonDefTarget.java b/src/main/java/com/google/gwtjsonrpc/client/JsonDefTarget.java
new file mode 100644
index 0000000..be05eca
--- /dev/null
+++ b/src/main/java/com/google/gwtjsonrpc/client/JsonDefTarget.java
@@ -0,0 +1,24 @@
+// Copyright 2009 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gwtjsonrpc.client;
+
+import com.google.gwt.user.client.rpc.ServiceDefTarget;
+
+/** Extension of {@code ServiceDefTarget} with an active {@link XsrfManager}. */
+public interface JsonDefTarget extends ServiceDefTarget {
+  public XsrfManager getXsrfManager();
+
+  public void setXsrfManager(XsrfManager m);
+}
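Review bot: The two methods of the new `JsonDefTarget` interface carry no Javadoc, so the contract that `setXsrfManager` rejects null (enforced only by the `assert` in AbstractJsonProxy) and that `getXsrfManager` is expected never to return null is discoverable only from the implementation. Suggest `/** @return the manager supplying this proxy's XSRF token; never null. */` on the getter and `/** Replace the token manager used by this proxy; {@code m} must not be null. */` on the setter. The `public` modifiers on the interface methods are redundant, and the other new interface in this commit, `XsrfManager`, omits them; dropping them here keeps the two files consistent.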
diff --git a/src/main/java/com/google/gwtjsonrpc/client/JsonUtil.java b/src/main/java/com/google/gwtjsonrpc/client/JsonUtil.java
index d793ebd..7f1f47a 100644
--- a/src/main/java/com/google/gwtjsonrpc/client/JsonUtil.java
+++ b/src/main/java/com/google/gwtjsonrpc/client/JsonUtil.java
@@ -38,6 +38,43 @@ public class JsonUtil {
   private static final HandlerManager globalHandlers = new HandlerManager(null);
+  private static XsrfManager xsrfManager = new XsrfManager() {
+    private String token;
+
+    @Override
+    public String getToken(JsonDefTarget proxy) {
+      return token;
+    }
+
+    @Override
+    public void setToken(JsonDefTarget proxy, String token) {
+      this.token = token;
+    }
+  };
+
+  private static final XsrfManager defaultXsrfManager = new XsrfManager() {
+    @Override
+    public String getToken(JsonDefTarget proxy) {
+      return xsrfManager.getToken(proxy);
+    }
+
+    @Override
+    public void setToken(JsonDefTarget proxy, String token) {
+      xsrfManager.setToken(proxy, token);
+    }
+  };
+
+  /** A proxy {@link XsrfManager} that always points to the current default. */
+  public static XsrfManager getDefaultXsrfManager() {
+    return defaultXsrfManager;
+  }
+
+  /** Change the current default XsrfManager. */
+  public static void setDefaultXsrfManager(final XsrfManager m) {
+    assert m != null;
+    xsrfManager = m;
+  }
+
   /**
    * Bind a RemoteJsonService proxy to its server URL.
    *
diff --git a/src/main/java/com/google/gwtjsonrpc/client/XsrfManager.java b/src/main/java/com/google/gwtjsonrpc/client/XsrfManager.java
new file mode 100644
index 0000000..6cc1f5e
--- /dev/null
+++ b/src/main/java/com/google/gwtjsonrpc/client/XsrfManager.java
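Review bot: The anonymous default `XsrfManager` ignores its `proxy` argument and keeps a single `token` for every proxy, which is the application-wide behaviour the commit message describes, but nothing in the code says so; suggest a comment above the field, `// Application-wide store: the proxy argument is ignored, all proxies share one token.`. `setDefaultXsrfManager` also swaps the whole store, so a token already received through the previous manager is not carried over and, judging by JsonCall, the next request presumably goes out without an `xsrfKey` until the server issues a new one; the Javadoc `/** Change the current default XsrfManager. */` should say that a caller wanting to keep the current token must copy it into the new manager first. `private static XsrfManager xsrfManager` is mutable static state read through every proxy; since this is GWT client code no synchronisation is needed, but a sentence to that effect on the field saves the next reader the question.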
@@ -0,0 +1,22 @@
+// Copyright 2009 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gwtjsonrpc.client;
+
+/** Tracks the current XSRF request token for a proxy. */
+public interface XsrfManager {
+  String getToken(JsonDefTarget proxy);
+
+  void setToken(JsonDefTarget proxy, String token);
+}
diff --git a/src/main/java/com/google/gwtjsonrpc/server/JsonServlet.java b/src/main/java/com/google/gwtjsonrpc/server/JsonServlet.java
index 6e696ac..711fcbe 100644
--- a/src/main/java/com/google/gwtjsonrpc/server/JsonServlet.java
+++ b/src/main/java/com/google/gwtjsonrpc/server/JsonServlet.java
@@ -192,8 +192,6 @@ public abstract class JsonServlet<CallType extends ActiveCall> extends
     } else {
       b.append("anonymous");
     }
-    b.append('$');
-    b.append(req.getServletPath());
     final String userpath = b.toString();
     final ValidToken t = xsrf.checkToken(call.getXsrfKeyIn(), userpath);
     if (t == null || t.needsRefresh()) { |
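Review bot: `getToken` may legitimately return null — JsonCall only appends `xsrfKey` when the value is non-null, and the default store in JsonUtil starts out empty — but the new `XsrfManager` interface does not say so, nor what the `proxy` parameter is for when the default implementation ignores it. Suggest `/** @return the token to send with the next call from {@code proxy}, or null if none has been issued yet. */` on `getToken` and `/** Record the token the server returned in a response to {@code proxy}; a per-proxy implementation may key on the argument, the default implementation does not. */` on `setToken`. Documenting the null return here also explains the null check that JsonCall performs.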
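Review bot: With the `'$'` and `req.getServletPath()` appends removed, `userpath` now holds only the user identity (or the literal `anonymous`), so the name no longer describes the value and nothing at the call site records that a token validated here is accepted by every JSON-RPC servlet in the web application. Suggest renaming the local to `final String user = b.toString();`, or, if the name is kept for the `xsrf.checkToken` parameter, adding `// Token is bound to the user only, not to the servlet path: one token is valid application-wide.` above it. For anonymous callers the binding is now the constant `anonymous` shared across all servlets, which the commit message implies is intended; that consequence belongs in the Javadoc of the enclosing method, which starts and ends outside the hunk.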