import java.util.Locale;
import java.util.Map;
import java.util.Set;
-import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
@SuppressWarnings("serial")
public class LegacyCommunicationManager implements Serializable {
- // TODO PUSH move
- public static final String WRITE_SECURITY_TOKEN_FLAG = "writeSecurityToken";
-
// TODO Refactor (#11410)
private final HashMap<Integer, ClientCache> uiToClientCache = new HashMap<Integer, ClientCache>();
return session;
}
- /**
- * Gets the security key (and generates one if needed) as UIDL.
- *
- * @param request
- * @return the security key UIDL or "" if the feature is turned off
- */
- public String getSecurityKeyUIDL(VaadinRequest request) {
- final String seckey = getSecurityKey(request);
- if (seckey != null) {
- return "\"" + ApplicationConstants.UIDL_SECURITY_TOKEN_ID + "\":\""
- + seckey + "\",";
- } else {
- return "";
- }
- }
-
- /**
- * Gets the security key (and generates one if needed).
- *
- * @param request
- * @return the security key
- */
- protected String getSecurityKey(VaadinRequest request) {
- String seckey = null;
- WrappedSession session = request.getWrappedSession();
- seckey = (String) session
- .getAttribute(ApplicationConstants.UIDL_SECURITY_TOKEN_ID);
- if (seckey == null) {
- seckey = UUID.randomUUID().toString();
- session.setAttribute(ApplicationConstants.UIDL_SECURITY_TOKEN_ID,
- seckey);
- }
-
- return seckey;
- }
-
/**
* @deprecated As of 7.1. See #11411.
*/
import com.vaadin.server.communication.PublishedFileHandler;
import com.vaadin.server.communication.SessionRequestHandler;
import com.vaadin.server.communication.UidlRequestHandler;
-import com.vaadin.shared.ApplicationConstants;
import com.vaadin.shared.JsonConstants;
import com.vaadin.shared.ui.ui.UIConstants;
import com.vaadin.ui.UI;
if (session.getService().getDeploymentConfiguration()
.isXsrfProtectionEnabled()) {
- String keyInSession = (String) session.getSession().getAttribute(
- ApplicationConstants.UIDL_SECURITY_TOKEN_ID);
+ String sessionToken = session.getCsrfToken();
- if (keyInSession == null || !keyInSession.equals(requestToken)) {
+ if (sessionToken == null || !sessionToken.equals(requestToken)) {
return false;
}
}
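Review bot: The token check at `!sessionToken.equals(requestToken)` compares the CSRF secret with an early-exit String comparison; for a value that gates state-changing requests a constant-time compare is the safer choice, e.g. `if (sessionToken == null || requestToken == null || !MessageDigest.isEqual(sessionToken.getBytes(StandardCharsets.UTF_8), requestToken.getBytes(StandardCharsets.UTF_8))) { return false; }` (needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imports). The new `session.getCsrfToken()` also asserts that the session lock is held, a precondition the replaced `getSession().getAttribute(...)` lookup did not have, so it is worth confirming that every caller of this method already holds the lock. The enclosing method's signature and the origin of `requestToken` are outside the hunk.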
import java.util.List;
import java.util.Locale;
import java.util.Map;
+import java.util.UUID;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import java.util.logging.Logger;
private int connectorIdSequence = 0;
+ private final String csrfToken = UUID.randomUUID().toString();
+
/**
* Generate an id for the given Connector. Connectors must not call this
* method more than once, the first time they need an id.
}
+ /**
+ * Gets the CSRF token (aka double submit cookie) that is used to protect
+ * against Cross Site Request Forgery attacks.
+ *
+ * @since 7.1
+ * @return the csrf token string
+ */
+ public String getCsrfToken() {
+ assert hasLock();
+ return csrfToken;
+ }
+
}
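Review bot: The Javadoc on `getCsrfToken` describes the value as a "double submit cookie", but nothing in this commit sets a cookie: `csrfToken` is a `final` field generated once per session with `UUID.randomUUID()` and is delivered to the client inside the UIDL payload, i.e. a per-session synchronizer token. Suggest `* Gets the CSRF token (a synchronizer token, generated once per session and sent to the client in the UIDL payload) that is used to protect against Cross Site Request Forgery attacks.` Because the field is initialised at construction, the token lives exactly as long as this session object and is never rotated; stating that in the Javadoc would stop callers from assuming it changes on authentication events. `assert hasLock()` only fires under `-ea`, so a one-line comment that an unlocked read is unsynchronised in production would also help.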
private static final int MAX_BUFFER_SIZE = 64 * 1024;
- // flag used in the request to indicate that the security token should be
- // written to the response
- private static final String WRITE_SECURITY_TOKEN_FLAG = "writeSecurityToken";
-
/**
* Reads JSON containing zero or more serialized RPC calls (including legacy
* variable changes) and executes the calls.
import com.vaadin.server.VaadinResponse;
import com.vaadin.server.VaadinService;
import com.vaadin.server.VaadinSession;
+import com.vaadin.shared.ApplicationConstants;
import com.vaadin.shared.communication.PushMode;
import com.vaadin.shared.ui.ui.UIConstants;
import com.vaadin.ui.UI;
StringWriter writer = new StringWriter();
try {
writer.write("{");
- if (uI.getSession().getConfiguration().isXsrfProtectionEnabled()) {
- writer.write(uI.getSession().getCommunicationManager()
- .getSecurityKeyUIDL(request));
+
+ VaadinSession session = uI.getSession();
+ if (session.getConfiguration().isXsrfProtectionEnabled()) {
+ writer.write(getSecurityKeyUIDL(session));
}
new UidlWriter().write(uI, writer, true, false, false);
writer.write("}");
}
}
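Review bot: `getSecurityKeyUIDL(session)` on the new line resolves to `session.getCsrfToken()`, which asserts `hasLock()`; the removed call through the communication manager read a session attribute with no such precondition, so this code path now requires the session lock, and the assert is silent without `-ea`. If the lock is not already guaranteed at this point, either take it around the write or document the precondition on the handler method with `@throws`-style prose such as `// precondition: session lock held (getCsrfToken asserts hasLock())`. The enclosing method's signature and the catch for the `try` opened at the top of the hunk are outside the hunk.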
+ /**
+ * Gets the security key (and generates one if needed) as UIDL.
+ *
+ * @param session
+ * the vaadin session to which the security key belongs
+ * @return the security key UIDL or "" if the feature is turned off
+ */
+ private static String getSecurityKeyUIDL(VaadinSession session) {
+ String seckey = session.getCsrfToken();
+
+ return "\"" + ApplicationConstants.UIDL_SECURITY_TOKEN_ID + "\":\""
+ + seckey + "\",";
+ }
+
private static final Logger getLogger() {
return Logger.getLogger(UIInitHandler.class.getName());
}
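Review bot: The `@return` tag on the new `getSecurityKeyUIDL` promises `""` when the feature is turned off, but the body builds the key/value fragment unconditionally; the enabled check now lives in the caller (`session.getConfiguration().isXsrfProtectionEnabled()`), so the tag is stale. Suggest `@return the security key as a JSON fragment (the {@code UIDL_SECURITY_TOKEN_ID} key/value pair followed by a trailing comma); callers must check {@code isXsrfProtectionEnabled()} themselves`. The fragment is assembled by string concatenation with no JSON escaping, which is only safe because the token is a `UUID.randomUUID().toString()` (see the `csrfToken` field added in this commit); a comment such as `// token is a UUID string, so no JSON escaping is needed` would pin that assumption for the next maintainer. `session.getCsrfToken()` asserts the session lock is held, so this helper inherits that requirement.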
import com.vaadin.server.ClientConnector;
import com.vaadin.server.Constants;
-import com.vaadin.server.LegacyCommunicationManager;
import com.vaadin.server.LegacyCommunicationManager.InvalidUIDLSecurityKeyException;
import com.vaadin.server.ServletPortletHelper;
import com.vaadin.server.SessionExpiredHandler;
throws IOException, JSONException {
openJsonMessage(writer, response);
- // security key
- Object writeSecurityTokenFlag = request
- .getAttribute(LegacyCommunicationManager.WRITE_SECURITY_TOKEN_FLAG);
-
- if (writeSecurityTokenFlag != null) {
- writer.write(ui.getSession().getCommunicationManager()
- .getSecurityKeyUIDL(request));
- }
-
new UidlWriter().write(ui, writer, repaintAll, analyzeLayouts, false);
closeJsonMessage(writer);