public static final String VAR_ARRAYITEM_SEPARATOR = "\u001c";
- public static final String UIDL_SECURITY_HEADER = "X-Vaadin-Security-Key";
+ public static final String UIDL_SECURITY_TOKEN_ID = "Vaadin-Security-Key";
+ /**
+ * @deprecated use UIDL_SECURITY_TOKEN_ID instead
+ */
+ public static final String UIDL_SECURITY_HEADER = UIDL_SECURITY_TOKEN_ID;
public static final String PARAM_UNLOADBURST = "onunloadburst";
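Review bot: `UIDL_SECURITY_HEADER` is deprecated only in its Javadoc; without the `@Deprecated` annotation the compiler will not warn callers that still read the old header name, so write `@Deprecated public static final String UIDL_SECURITY_HEADER = UIDL_SECURITY_TOKEN_ID;`. The new constant `UIDL_SECURITY_TOKEN_ID` now serves as a JSON key, a session attribute name and, through the alias, the old header name, so a one-line comment on it such as `// name of the XSRF token in the UIDL JSON body (and of the session attribute holding it); it is no longer sent as an HTTP header` would save the next reader from looking for a header.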
private native void initializeTestbenchHooks(
ComponentLocator componentLocator, String TTAppId)
/*-{
- var ap = this;
- var client = {};
- client.isActive = function() {
- return ap.@com.vaadin.terminal.gwt.client.ApplicationConnection::hasActiveRequest()();
- }
- var vi = ap.@com.vaadin.terminal.gwt.client.ApplicationConnection::getVersionInfo()();
- if (vi) {
- client.getVersionInfo = function() {
- return vi;
- }
- }
-
- client.getElementByPath = function(id) {
- return componentLocator.@com.vaadin.terminal.gwt.client.ComponentLocator::getElementByPath(Ljava/lang/String;)(id);
- }
- client.getPathForElement = function(element) {
- return componentLocator.@com.vaadin.terminal.gwt.client.ComponentLocator::getPathForElement(Lcom/google/gwt/user/client/Element;)(element);
- }
-
- if(!$wnd.vaadin.clients) {
- $wnd.vaadin.clients = {};
- }
+ var ap = this;
+ var client = {};
+ client.isActive = function() {
+ return ap.@com.vaadin.terminal.gwt.client.ApplicationConnection::hasActiveRequest()();
+ }
+ var vi = ap.@com.vaadin.terminal.gwt.client.ApplicationConnection::getVersionInfo()();
+ if (vi) {
+ client.getVersionInfo = function() {
+ return vi;
+ }
+ }
+
+ client.getElementByPath = function(id) {
+ return componentLocator.@com.vaadin.terminal.gwt.client.ComponentLocator::getElementByPath(Ljava/lang/String;)(id);
+ }
+ client.getPathForElement = function(element) {
+ return componentLocator.@com.vaadin.terminal.gwt.client.ComponentLocator::getPathForElement(Lcom/google/gwt/user/client/Element;)(element);
+ }
+
+ if(!$wnd.vaadin.clients) {
+ $wnd.vaadin.clients = {};
+ }
$wnd.vaadin.clients[TTAppId] = client;
}-*/;
} else {
return false;
}
- }-*/;
+ }-*/;
private native static boolean isQuietDebugMode()
/*-{
- var uri = $wnd.location;
- var re = /debug=q[^\/]*$/;
- return re.test(uri);
- }-*/;
+ var uri = $wnd.location;
+ var re = /debug=q[^\/]*$/;
+ return re.test(uri);
+ }-*/;
public String getAppUri() {
return configuration.getApplicationUri();
return;
}
- if ("init".equals(uidl_security_key)) {
- // Read security key
- String key = response
- .getHeader(UIDL_SECURITY_HEADER);
- if (null != key) {
- uidl_security_key = key;
- }
- }
+
if (applicationRunning) {
handleReceivedJSONMessage(response);
} else {
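Review bot: The header read that this hunk removes ran before the `applicationRunning` check, but its replacement (reading the token out of the JSON) now lives in handleReceivedJSONMessage, which this code only calls when `applicationRunning` is true. If the `else` branch, which is outside the hunk, handles the init response without going through handleReceivedJSONMessage, the client would never learn its token and every later request would fail the server's key check; please confirm that the init response does reach the JSON handler. The added empty line where the removed block stood is leftover whitespace and can be dropped. The enclosing method starts and ends outside the hunk.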
private native void syncSendForce(JavaScriptObject xmlHttpRequest,
String uri, String requestData)
/*-{
- try {
- xmlHttpRequest.open("POST", uri, false);
- xmlHttpRequest.setRequestHeader("Content-Type", "text/plain;charset=utf-8");
- xmlHttpRequest.send(requestData);
+ try {
+ xmlHttpRequest.open("POST", uri, false);
+ xmlHttpRequest.setRequestHeader("Content-Type", "text/plain;charset=utf-8");
+ xmlHttpRequest.send(requestData);
} catch (e) {
- // No errors are managed as this is synchronous forceful send that can just fail
+ // No errors are managed as this is synchronous forceful send that can just fail
}
this.@com.vaadin.terminal.gwt.client.ApplicationConnection::endRequest()();
}-*/;
private static native ValueMap parseJSONResponse(String jsonText)
/*-{
return eval('(' + jsonText + ')');
- }-*/;
+ }-*/;
private void handleReceivedJSONMessage(Response response) {
final Date start = new Date();
return;
}
+ // Get security key
+ if (json.containsKey(UIDL_SECURITY_TOKEN_ID)) {
+ uidl_security_key = json.getString(UIDL_SECURITY_TOKEN_ID);
+ }
+
if (json.containsKey("resources")) {
ValueMap resources = json.getValueMap("resources");
JsArrayString keyArray = resources.getKeyArray();
// Redirect browser, null reloads current page
private static native void redirect(String url)
/*-{
- if (url) {
- $wnd.location = url;
- } else {
- $wnd.location.reload(false);
- }
- }-*/;
+ if (url) {
+ $wnd.location = url;
+ } else {
+ $wnd.location.reload(false);
+ }
+ }-*/;
public void registerPaintable(String id, Paintable paintable) {
ComponentDetail componentDetail = new ComponentDetail();
private static String GET_PARAM_REPAINT_ALL = "repaintAll";
+ // flag used in the request to indicate that the security token should be
+ // written to the response
+ private static final String WRITE_SECURITY_TOKEN_FLAG = "writeSecurityToken";
+
/* Variable records indexes */
private static final int VAR_PID = 1;
private static final int VAR_NAME = 2;
// some dirt to prevent cross site scripting
outWriter.print("for(;;);[{");
+ // security key
+ if (request.getAttribute(WRITE_SECURITY_TOKEN_FLAG) != null) {
+ String seckey = (String) request.getSession().getAttribute(
+ ApplicationConnection.UIDL_SECURITY_TOKEN_ID);
+ if (seckey == null) {
+ seckey = "" + (int) (Math.random() * 1000000);
+ request.getSession().setAttribute(
+ ApplicationConnection.UIDL_SECURITY_TOKEN_ID, seckey);
+ }
+ outWriter.print("\"" + ApplicationConnection.UIDL_SECURITY_TOKEN_ID
+ + "\":\"");
+ outWriter.print(seckey);
+ outWriter.print("\",");
+ }
+
outWriter.print("\"changes\":[");
ArrayList<Paintable> paintables = null;
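Review bot: The token minted in the `seckey == null` branch, `seckey = "" + (int) (Math.random() * 1000000);`, is the XSRF secret for the whole session, yet it has at most about 20 bits of entropy and comes from a non-cryptographic PRNG, so it can be brute-forced in a few hundred thousand guesses or predicted from other `Math.random()` outputs; replace it with `seckey = UUID.randomUUID().toString();` (SecureRandom-backed, needs `import java.util.UUID`). The value is written into the JSON string literal without escaping, which is fine for a numeric or UUID token but should be kept in mind if the format changes again. The session read-then-set is not atomic, so two concurrent init requests could presumably store different tokens and one client would end up with a stale one — worth confirming whether init requests can overlap. The enclosing method starts and ends outside the hunk.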
.equals(application2
.getProperty(AbstractApplicationServlet.SERVLET_PARAMETER_DISABLE_XSRF_PROTECTION))) {
if (bursts.length == 1 && "init".equals(bursts[0])) {
- // initial request, no variable changes: send key
- String seckey = (String) request.getSession().getAttribute(
- ApplicationConnection.UIDL_SECURITY_HEADER);
- if (seckey == null) {
- seckey = "" + (int) (Math.random() * 1000000);
- }
- /*
- * Cookie c = new Cookie(
- * ApplicationConnection.UIDL_SECURITY_COOKIE_NAME, uuid);
- * response.addCookie(c);
- */
- response.setHeader(
- ApplicationConnection.UIDL_SECURITY_HEADER, seckey);
- request.getSession().setAttribute(
- ApplicationConnection.UIDL_SECURITY_HEADER, seckey);
+ // init request; don't handle any variables, key sent in
+ // response.
+ request.setAttribute(WRITE_SECURITY_TOKEN_FLAG, true);
return true;
} else {
- // check the key
+ // ApplicationServlet has stored the security token in the
+ // session; check that it matched the one sent in the UIDL
String sessId = (String) request.getSession().getAttribute(
- ApplicationConnection.UIDL_SECURITY_HEADER);
+ ApplicationConnection.UIDL_SECURITY_TOKEN_ID);
if (sessId == null || !sessId.equals(bursts[0])) {
throw new InvalidUIDLSecurityKeyException(
"Security key mismatch");
}
}
+
}
for (int bi = 1; bi < bursts.length; bi++) {
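Review bot: The new comment `// ApplicationServlet has stored the security token in the session` misattributes where the token comes from: in this patch the servlet only sets the `writeSecurityToken` request attribute on the init burst, and it is the UIDL writer that generates the token and stores it in the session when it writes the response. Suggest `// the UIDL writer generated and stored the token in the session when the init response was written; check that it matches the one sent in the UIDL` (also "matched" → "matches"). The `sessId.equals(bursts[0])` comparison is not constant-time; `MessageDigest.isEqual` over the UTF-8 bytes would close that timing channel, though with the current six-digit token its low entropy is the larger concern. The enclosing method starts and ends outside the hunk.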