import com.google.gwt.json.client.JSONString;
import com.google.gwt.json.client.JSONValue;
import com.google.gwt.user.client.Command;
+import com.google.gwt.user.client.Cookies;
import com.google.gwt.user.client.DOM;
import com.google.gwt.user.client.DeferredCommand;
import com.google.gwt.user.client.Element;
public static final String VAR_BURST_SEPARATOR = "\u001d";
+ public static final String UIDL_SECURITY_COOKIE_NAME = "com.itmill.toolkit.seckey";
+
private final HashMap resourcesMap = new HashMap();
private static Console console;
boolean forceSync) {
startRequest();
+ // cookie double submission pattern
+ requestData = Cookies.getCookie(UIDL_SECURITY_COOKIE_NAME)
+ + VAR_BURST_SEPARATOR + requestData;
+
console.log("Making UIDL Request with params: " + requestData);
String uri = getAppUri() + "UIDL" + configuration.getPathInfo();
if (repaintAll) {
}
if (html.length() != 0) {
- INotification n = new INotification(1000 * 60 * 45); // 45min
+ INotification n = new INotification(1000 * 60 * 45); //45min
n.addEventListener(new NotificationRedirect(url));
n.show(html, INotification.CENTERED_TOP,
INotification.STYLE_SYSTEM);
import java.lang.reflect.Method;
import java.net.MalformedURLException;
import java.net.URL;
+import java.security.GeneralSecurityException;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashMap;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
+import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.itmill.toolkit.terminal.Terminal;
import com.itmill.toolkit.terminal.ThemeResource;
import com.itmill.toolkit.terminal.URIHandler;
+import com.itmill.toolkit.terminal.gwt.client.ApplicationConnection;
import com.itmill.toolkit.ui.Window;
/**
throw new ServletException(ee);
}
+ } catch (final GeneralSecurityException e) {
+ // TODO handle differently?
+ // Invalid security key, show session expired message for now
+ try {
+ Application.SystemMessages ci = getSystemMessages();
+ if (!UIDLrequest) {
+ // 'plain' http req - e.g. browser reload;
+ // just go ahead redirect the browser
+ response.sendRedirect(ci.getSessionExpiredURL());
+ } else {
+ // send uidl redirect
+ criticalNotification(request, response, ci
+ .getSessionExpiredCaption(), ci
+ .getSessionExpiredMessage(), ci
+ .getSessionExpiredURL());
+ }
+ request.getSession().invalidate();
+ } catch (SystemMessageException ee) {
+ throw new ServletException(ee);
+ }
+
} catch (final Throwable e) {
// if this was an UIDL request, response UIDL back to client
if (UIDLrequest) {
HttpServletResponse response, Window window, String themeName,
Application application) throws IOException, MalformedURLException {
+ // Security: double cookie submission pattern
+ Cookie secCookie = new Cookie(
+ ApplicationConnection.UIDL_SECURITY_COOKIE_NAME, request
+ .getSession().getId());
+ response.addCookie(secCookie);
+
// e.g portlets only want a html fragment
boolean fragment = (request.getAttribute(REQUEST_FRAGMENT) != null);
if (fragment) {
import java.io.PrintWriter;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
+import java.security.GeneralSecurityException;
import java.text.DateFormatSymbols;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
*/
public void handleUidlRequest(HttpServletRequest request,
HttpServletResponse response, ApplicationServlet applicationServlet)
- throws IOException, ServletException {
+ throws IOException, ServletException,
+ InvalidUIDLSecurityKeyException {
// repaint requested or session has timed out and new one is created
boolean repaintAll = (request.getParameter(GET_PARAM_REPAINT_ALL) != null)
*/
private boolean handleVariables(HttpServletRequest request,
HttpServletResponse response, Application application2,
- Window window) throws IOException {
+ Window window) throws IOException, InvalidUIDLSecurityKeyException {
boolean success = true;
if (request.getContentLength() > 0) {
// Manage bursts one by one
final String[] bursts = changes.split(VAR_BURST_SEPARATOR);
- for (int bi = 0; bi < bursts.length; bi++) {
+ // check security key (==sessionid, double cookie submission
+ if (!request.getSession().getId().equals(bursts[0])) {
+ throw new InvalidUIDLSecurityKeyException(
+ "Invalid UIDL security key");
+ }
+
+ for (int bi = 1; bi < bursts.length; bi++) {
// extract variables to two dim string array
final String[] tmp = bursts[bi].split(VAR_RECORD_SEPARATOR);
&& variable[VAR_PID]
.equals(nextVariable[VAR_PID])) {
// we have more than one value changes in row for
- // one
- // variable owner, collect em in HashMap
+ // one variable owner, collect em in HashMap
m = new HashMap();
m.put(variable[VAR_NAME], convertVariableValue(
variable[VAR_TYPE].charAt(0),
try {
owner.changeVariables(request, m);
- // Special-case of closing browser-level
- // windows: track browser-windows currently open in
- // client
+ // Special-case of closing browser-level windows:
+ // track browser-windows currently open in client
if (owner instanceof Window
&& ((Window) owner).getParent() == null) {
final Boolean close = (Boolean) m.get("close");
// not interested in sending any UIDL changes back to client.
// Still we must clear component tree between bursts to ensure
// that no removed components are updated. The painting after
- // the
- // last burst is handled normally by the calling method.
+ // the last burst is handled normally by the calling method.
if (bi < bursts.length - 1) {
// We will be discarding all changes
if (logoutUrl == null) {
logoutUrl = application.getURL().toString();
}
- // clients JS app is still running, send a special json file to
- // tell client that application has quit and where to point browser now
+ // clients JS app is still running, send a special json file to tell
+ // client that application has quit and where to point browser now
// Set the response type
response.setContentType("application/json; charset=UTF-8");
final ServletOutputStream out = response.getOutputStream();
final ArrayList resultset = new ArrayList(dirtyPaintabletSet);
// The following algorithm removes any components that would be painted
- // as
- // a direct descendant of other components from the dirty components
- // list.
- // The result is that each component should be painted exactly once and
- // any unmodified components will be painted as "cached=true".
+ // as a direct descendant of other components from the dirty components
+ // list. The result is that each component should be painted exactly
+ // once and any unmodified components will be painted as "cached=true".
for (final Iterator i = dirtyPaintabletSet.iterator(); i.hasNext();) {
final Paintable p = (Paintable) i.next();
return false;
}
+ private class InvalidUIDLSecurityKeyException extends
+ GeneralSecurityException {
+
+ InvalidUIDLSecurityKeyException(String message) {
+ super(message);
+ }
+
+ }
}
projects / vaadin-framework.git / commitdiff