Changed double cookie submission to use JSESSIONID, can be disabled, cleaned up.
authorMarc Englund <marc.englund@itmill.com>
Tue, 11 Nov 2008 13:19:32 +0000 (13:19 +0000)
committerMarc Englund <marc.englund@itmill.com>
Tue, 11 Nov 2008 13:19:32 +0000 (13:19 +0000)
svn changeset:5863/svn branch:trunk

src/com/itmill/toolkit/terminal/gwt/client/ApplicationConnection.java
src/com/itmill/toolkit/terminal/gwt/server/ApplicationServlet.java
src/com/itmill/toolkit/terminal/gwt/server/CommunicationManager.java

index b09a9bc08c144c47c33a7d03d8d3bfc2c30eeba4..dbbe7b6d2fddad7dd1d6c600285ed8adb03cb705 100755 (executable)
@@ -61,7 +61,7 @@ public class ApplicationConnection {
 
     public static final String VAR_BURST_SEPARATOR = "\u001d";
 
-    public static final String UIDL_SECURITY_COOKIE_NAME = "com.itmill.toolkit.seckey";
+    public static final String UIDL_SECURITY_COOKIE_NAME = "JSESSIONID";
 
     private final HashMap resourcesMap = new HashMap();
 
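Review bot: Pointing UIDL_SECURITY_COOKIE_NAME at "JSESSIONID" makes the double-submit check depend on the container's session cookie being readable from client script, so any deployment that marks JSESSIONID HttpOnly (the usual session-hijacking mitigation) will, presumably, make every UIDL request fail the key comparison in CommunicationManager with no hint as to why. It also means the session id itself is copied into every UIDL request body, where it is more likely to end up in request logs than a dedicated random key would be. At minimum this constraint belongs on the constant: `/** Cookie whose value the client sends as the UIDL security key; the check relies on this cookie being readable from script (not HttpOnly). */`. The name is also slightly misleading now that the cookie is no longer set by the framework.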
index 007843bef9fd18c71f8add7c5a5570c022ac1e8f..47d56f4cef125778a947ffaf1cd63de095e94eea 100644 (file)
@@ -27,7 +27,6 @@ import java.util.Properties;
 import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.ServletOutputStream;
-import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -44,7 +43,6 @@ import com.itmill.toolkit.terminal.ParameterHandler;
 import com.itmill.toolkit.terminal.Terminal;
 import com.itmill.toolkit.terminal.ThemeResource;
 import com.itmill.toolkit.terminal.URIHandler;
-import com.itmill.toolkit.terminal.gwt.client.ApplicationConnection;
 import com.itmill.toolkit.ui.Window;
 
 /**
@@ -531,7 +529,7 @@ public class ApplicationServlet extends HttpServlet {
 
         } catch (final GeneralSecurityException e) {
             // TODO handle differently?
-            // Invalid security key, show session expired message for now
+            // Invalid security key, show session expired message for now.
             try {
                 Application.SystemMessages ci = getSystemMessages();
                 if (!UIDLrequest) {
@@ -772,12 +770,6 @@ public class ApplicationServlet extends HttpServlet {
             HttpServletResponse response, Window window, String themeName,
             Application application) throws IOException, MalformedURLException {
 
-        // Security: double cookie submission pattern
-        Cookie secCookie = new Cookie(
-                ApplicationConnection.UIDL_SECURITY_COOKIE_NAME, request
-                        .getSession().getId());
-        response.addCookie(secCookie);
-
         // e.g portlets only want a html fragment
         boolean fragment = (request.getAttribute(REQUEST_FRAGMENT) != null);
         if (fragment) {
index 56d4559f22905697e7a2f6cd0e2579b3dcb63c18..a9e397d2d2b24ee89b6eaffc729550d17d7e1f7a 100644 (file)
@@ -593,8 +593,22 @@ public class CommunicationManager implements Paintable.RepaintRequestListener {
             // Manage bursts one by one
             final String[] bursts = changes.split(VAR_BURST_SEPARATOR);
 
-            // check security key (==sessionid, double cookie submission
-            if (!request.getSession().getId().equals(bursts[0])) {
+            boolean nocheck = "true".equals(application2
+                    .getProperty("disable-xsrf-protection"));
+            // Security: double cookie submission pattern
+            if (!nocheck && bursts.length == 1 && "undefined".equals(bursts[0])) {
+                // No seckey, but no variables: initial request
+                /*- don't set key, we're using JSESSIONID
+                Cookie secCookie = new Cookie(
+                        ApplicationConnection.UIDL_SECURITY_COOKIE_NAME,
+                        request.getSession().getId());
+                secCookie.setPath("/");
+                response.addCookie(secCookie);
+                -*/
+                return true;
+
+            } else if (!nocheck
+                    && !request.getSession().getId().equals(bursts[0])) {
                 throw new InvalidUIDLSecurityKeyException(
                         "Invalid UIDL security key");
             }
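Review bot: The initial-request shortcut on the first `if` is gated on `!nocheck`, so when `disable-xsrf-protection` is set a lone "undefined" burst no longer returns early but falls through past the `else if` with "undefined" as bursts[0]; whether the burst loop below tolerates that is outside the hunk, but the two modes should not differ here. Dropping the flag from the first condition keeps the shortcut independent of the setting: `if (bursts.length == 1 && "undefined".equals(bursts[0])) {` and `} else if (!nocheck && !request.getSession().getId().equals(bursts[0])) {`. The commented-out `Cookie` block inside that branch should be deleted rather than kept as dead code, since the cookie name now lives in ApplicationConnection and this copy will drift. The property name `disable-xsrf-protection` is only discoverable by reading this line; a comment such as `// Application property "disable-xsrf-protection"="true" skips the key check (development only)` would help.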