import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
-import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.itmill.toolkit.terminal.Terminal;
import com.itmill.toolkit.terminal.ThemeResource;
import com.itmill.toolkit.terminal.URIHandler;
-import com.itmill.toolkit.terminal.gwt.client.ApplicationConnection;
import com.itmill.toolkit.ui.Window;
/**
} catch (final GeneralSecurityException e) {
// TODO handle differently?
- // Invalid security key, show session expired message for now
+ // Invalid security key, show session expired message for now.
try {
Application.SystemMessages ci = getSystemMessages();
if (!UIDLrequest) {
HttpServletResponse response, Window window, String themeName,
Application application) throws IOException, MalformedURLException {
- // Security: double cookie submission pattern
- Cookie secCookie = new Cookie(
- ApplicationConnection.UIDL_SECURITY_COOKIE_NAME, request
- .getSession().getId());
- response.addCookie(secCookie);
-
// e.g portlets only want a html fragment
boolean fragment = (request.getAttribute(REQUEST_FRAGMENT) != null);
if (fragment) {
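Review bot: Dropping the dedicated security cookie here leaves the session id itself as the anti-XSRF key (the later hunk's comment says "we're using JSESSIONID" and compares bursts[0] against getSession().getId()), so the client has to obtain the session identifier in script and echo it into the request body, where it ends up in access logs and cannot be kept in an HttpOnly cookie. A separate token generated with `SecureRandom`, stored in the session and handed to the client on the initial request, would keep the check without exposing the session id; the comparison would then be `token.equals(bursts[0])` rather than the session id. In the same later hunk, the `/*- ... -*/` block that still constructs the cookie should be deleted rather than left as commented-out code, and enabling `disable-xsrf-protection` deserves a warning log entry so the missing check is visible in operations. The enclosing method's signature starts on the first line of this hunk and its body continues beyond it.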
// Manage bursts one by one
final String[] bursts = changes.split(VAR_BURST_SEPARATOR);
- // check security key (==sessionid, double cookie submission
- if (!request.getSession().getId().equals(bursts[0])) {
+ boolean nocheck = "true".equals(application2
+ .getProperty("disable-xsrf-protection"));
+ // Security: double cookie submission pattern
+ if (!nocheck && bursts.length == 1 && "undefined".equals(bursts[0])) {
+ // No seckey, but no variables: initial request
+ /*- don't set key, we're using JSESSIONID
+ Cookie secCookie = new Cookie(
+ ApplicationConnection.UIDL_SECURITY_COOKIE_NAME,
+ request.getSession().getId());
+ secCookie.setPath("/");
+ response.addCookie(secCookie);
+ -*/
+ return true;
+
+ } else if (!nocheck
+ && !request.getSession().getId().equals(bursts[0])) {
throw new InvalidUIDLSecurityKeyException(
"Invalid UIDL security key");
}