From 1ed019413c5fa59616e01315b7bb1750a3dd930c Mon Sep 17 00:00:00 2001
From: Marc Englund
Date: Thu, 24 Sep 2009 06:24:29 +0000
Subject: [PATCH] Merged from 6.2; Implements security key w/o use of headers, fixes #3305
svn changeset:8895/svn branch:6.1
---
 .../gwt/client/ApplicationConnection.java | 98 ++++++++++---------
 .../gwt/server/CommunicationManager.java | 43 ++++----
 2 files changed, 76 insertions(+), 65 deletions(-)
diff --git a/src/com/vaadin/terminal/gwt/client/ApplicationConnection.java b/src/com/vaadin/terminal/gwt/client/ApplicationConnection.java
index 0e1270901f..c238d4bc2e 100755
--- a/src/com/vaadin/terminal/gwt/client/ApplicationConnection.java
+++ b/src/com/vaadin/terminal/gwt/client/ApplicationConnection.java
@@ -59,7 +59,11 @@ public class ApplicationConnection {
 public static final String VAR_ARRAYITEM_SEPARATOR = "\u001c";
- public static final String UIDL_SECURITY_HEADER = "X-Vaadin-Security-Key";
+ public static final String UIDL_SECURITY_TOKEN_ID = "Vaadin-Security-Key";
+ /**
+ * @deprecated use UIDL_SECURITY_TOKEN_ID instead
+ */
+ public static final String UIDL_SECURITY_HEADER = UIDL_SECURITY_TOKEN_ID;
 public static final String PARAM_UNLOADBURST = "onunloadburst";
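Review bot: The Javadoc `@deprecated` tag on the new UIDL_SECURITY_HEADER alias is not paired with the `@Deprecated` annotation, so the compiler will not warn code that still uses the old name; add `@Deprecated` directly above the field. The literal also changes from "X-Vaadin-Security-Key" to "Vaadin-Security-Key" and, as the CommunicationManager hunks on this page show, is now used as a JSON key in the UIDL body rather than as an HTTP header, so the Javadoc should say so, e.g. `* Name of the JSON entry (and session attribute) carrying the XSRF token; no longer sent as an HTTP header.`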
@@ -155,28 +159,28 @@ public class ApplicationConnection { private native void initializeTestbenchHooks( ComponentLocator componentLocator, String TTAppId) /*-{ - var ap = this; - var client = {}; - client.isActive = function() { - return ap.@com.vaadin.terminal.gwt.client.ApplicationConnection::hasActiveRequest()(); - } - var vi = ap.@com.vaadin.terminal.gwt.client.ApplicationConnection::getVersionInfo()(); - if (vi) { - client.getVersionInfo = function() { - return vi; - } - } - - client.getElementByPath = function(id) { - return componentLocator.@com.vaadin.terminal.gwt.client.ComponentLocator::getElementByPath(Ljava/lang/String;)(id); - } - client.getPathForElement = function(element) { - return componentLocator.@com.vaadin.terminal.gwt.client.ComponentLocator::getPathForElement(Lcom/google/gwt/user/client/Element;)(element); - } - - if(!$wnd.vaadin.clients) { - $wnd.vaadin.clients = {}; - } + var ap = this; + var client = {}; + client.isActive = function() { + return ap.@com.vaadin.terminal.gwt.client.ApplicationConnection::hasActiveRequest()(); + } + var vi = ap.@com.vaadin.terminal.gwt.client.ApplicationConnection::getVersionInfo()(); + if (vi) { + client.getVersionInfo = function() { + return vi; + } + } + + client.getElementByPath = function(id) { + return componentLocator.@com.vaadin.terminal.gwt.client.ComponentLocator::getElementByPath(Ljava/lang/String;)(id); + } + client.getPathForElement = function(element) { + return componentLocator.@com.vaadin.terminal.gwt.client.ComponentLocator::getPathForElement(Lcom/google/gwt/user/client/Element;)(element); + } + + if(!$wnd.vaadin.clients) { + $wnd.vaadin.clients = {}; + } $wnd.vaadin.clients[TTAppId] = client; }-*/; 
@@ -275,14 +279,14 @@ public class ApplicationConnection { } else { return false; } - }-*/; + }-*/; private native static boolean isQuietDebugMode() /*-{ - var uri = $wnd.location; - var re = /debug=q[^\/]*$/; - return re.test(uri); - }-*/; + var uri = $wnd.location; + var re = /debug=q[^\/]*$/; + return re.test(uri); + }-*/; public String getAppUri() { return configuration.getApplicationUri(); @@ -376,14 +380,7 @@ public class ApplicationConnection { return; } - if ("init".equals(uidl_security_key)) { - // Read security key - String key = response - .getHeader(UIDL_SECURITY_HEADER); - if (null != key) { - uidl_security_key = key; - } - } + if (applicationRunning) { handleReceivedJSONMessage(response); } else { @@ -469,12 +466,12 @@ public class ApplicationConnection { private native void syncSendForce(JavaScriptObject xmlHttpRequest, String uri, String requestData) /*-{ - try { - xmlHttpRequest.open("POST", uri, false); - xmlHttpRequest.setRequestHeader("Content-Type", "text/plain;charset=utf-8"); - xmlHttpRequest.send(requestData); + try { + xmlHttpRequest.open("POST", uri, false); + xmlHttpRequest.setRequestHeader("Content-Type", "text/plain;charset=utf-8"); + xmlHttpRequest.send(requestData); } catch (e) { - // No errors are managed as this is synchronous forceful send that can just fail + // No errors are managed as this is synchronous forceful send that can just fail } this.@com.vaadin.terminal.gwt.client.ApplicationConnection::endRequest()(); }-*/; @@ -608,7 +605,7 @@ public class ApplicationConnection { private static native ValueMap parseJSONResponse(String jsonText) /*-{ return eval('(' + jsonText + ')'); - }-*/; + }-*/; private void handleReceivedJSONMessage(Response response) { final Date start = new Date(); 
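Review bot: In the @@ -376 hunk, removing the header read leaves `uidl_security_key` at its "init" placeholder until handleReceivedJSONMessage picks the token out of the JSON body (@@ -632 hunk), but only the `applicationRunning` branch visibly calls that method; if the `else` branch that handles the first response does not also route through handleReceivedJSONMessage, the token carried by the init response is never captured and the server's key check in CommunicationManager would reject every later burst. A comment at the `if (applicationRunning)` line would make the new data flow findable, e.g. `// the XSRF token now arrives in the JSON body and is read in handleReceivedJSONMessage`. The enclosing method starts and ends outside the hunk, so I cannot confirm what the else branch does.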
@@ -632,6 +629,11 @@ public class ApplicationConnection { return; } + // Get security key + if (json.containsKey(UIDL_SECURITY_TOKEN_ID)) { + uidl_security_key = json.getString(UIDL_SECURITY_TOKEN_ID); + } + if (json.containsKey("resources")) { ValueMap resources = json.getValueMap("resources"); JsArrayString keyArray = resources.getKeyArray(); @@ -813,12 +815,12 @@ public class ApplicationConnection { // Redirect browser, null reloads current page private static native void redirect(String url) /*-{ - if (url) { - $wnd.location = url; - } else { - $wnd.location.reload(false); - } - }-*/; + if (url) { + $wnd.location = url; + } else { + $wnd.location.reload(false); + } + }-*/; public void registerPaintable(String id, Paintable paintable) { ComponentDetail componentDetail = new ComponentDetail(); diff --git a/src/com/vaadin/terminal/gwt/server/CommunicationManager.java b/src/com/vaadin/terminal/gwt/server/CommunicationManager.java index ee5a22c3f3..737258a68d 100644 --- a/src/com/vaadin/terminal/gwt/server/CommunicationManager.java +++ b/src/com/vaadin/terminal/gwt/server/CommunicationManager.java @@ -78,6 +78,10 @@ public class CommunicationManager implements Paintable.RepaintRequestListener, private static String GET_PARAM_REPAINT_ALL = "repaintAll"; + // flag used in the request to indicate that the security token should be + // written to the response + private static final String WRITE_SECURITY_TOKEN_FLAG = "writeSecurityToken"; + /* Variable records indexes */ private static final int VAR_PID = 1; private static final int VAR_NAME = 2; 
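Review bot: The `// Get security key` comment in the @@ -632 hunk does not say when the token arrives or why every response is allowed to overwrite `uidl_security_key`: on this page the server writes the entry only when the init burst set WRITE_SECURITY_TOKEN_FLAG (CommunicationManager hunks @@ -343 and @@ -636) and later compares `bursts[0]` against the session copy. Suggest `// XSRF token; the server sends it only in the response to the "init" burst and expects it back as the first burst of later requests.` The enclosing method handleReceivedJSONMessage begins outside the hunk.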
@@ -343,6 +347,21 @@ public class CommunicationManager implements Paintable.RepaintRequestListener, // some dirt to prevent cross site scripting outWriter.print("for(;;);[{"); + // security key + if (request.getAttribute(WRITE_SECURITY_TOKEN_FLAG) != null) { + String seckey = (String) request.getSession().getAttribute( + ApplicationConnection.UIDL_SECURITY_TOKEN_ID); + if (seckey == null) { + seckey = "" + (int) (Math.random() * 1000000); + request.getSession().setAttribute( + ApplicationConnection.UIDL_SECURITY_TOKEN_ID, seckey); + } + outWriter.print("\"" + ApplicationConnection.UIDL_SECURITY_TOKEN_ID + + "\":\""); + outWriter.print(seckey); + outWriter.print("\","); + } + outWriter.print("\"changes\":["); ArrayList paintables = null; 
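Review bot: The XSRF token is generated as `"" + (int) (Math.random() * 1000000)`, which yields at most one million values from a non-cryptographic generator, so the key offers little protection against guessing; generate it from a secure source instead, e.g. `seckey = UUID.randomUUID().toString();` (java.util.UUID draws from SecureRandom), which needs an import of java.util.UUID at the top of the file. The token is then printed into the JSON unescaped, which is only safe while the session attribute is guaranteed to contain no quote or backslash — a comment at the print site stating that assumption would help, since the same session attribute is read back in the @@ -636 hunk. The flag test `request.getAttribute(WRITE_SECURITY_TOKEN_FLAG) != null` accepts any non-null value although the @@ -636 hunk stores `true`; `Boolean.TRUE.equals(request.getAttribute(WRITE_SECURITY_TOKEN_FLAG))` expresses the intent. The enclosing paint method starts outside the hunk.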
@@ -636,31 +655,21 @@ public class CommunicationManager implements Paintable.RepaintRequestListener, .equals(application2 .getProperty(AbstractApplicationServlet.SERVLET_PARAMETER_DISABLE_XSRF_PROTECTION))) { if (bursts.length == 1 && "init".equals(bursts[0])) { - // initial request, no variable changes: send key - String seckey = (String) request.getSession().getAttribute( - ApplicationConnection.UIDL_SECURITY_HEADER); - if (seckey == null) { - seckey = "" + (int) (Math.random() * 1000000); - } - /* - * Cookie c = new Cookie( - * ApplicationConnection.UIDL_SECURITY_COOKIE_NAME, uuid); - * response.addCookie(c); - */ - response.setHeader( - ApplicationConnection.UIDL_SECURITY_HEADER, seckey); - request.getSession().setAttribute( - ApplicationConnection.UIDL_SECURITY_HEADER, seckey); + // init request; don't handle any variables, key sent in + // response. + request.setAttribute(WRITE_SECURITY_TOKEN_FLAG, true); return true; } else { - // check the key + // ApplicationServlet has stored the security token in the + // session; check that it matched the one sent in the UIDL String sessId = (String) request.getSession().getAttribute( - ApplicationConnection.UIDL_SECURITY_HEADER); + ApplicationConnection.UIDL_SECURITY_TOKEN_ID); if (sessId == null || !sessId.equals(bursts[0])) { throw new InvalidUIDLSecurityKeyException( "Security key mismatch"); } } + } for (int bi = 1; bi < bursts.length; bi++) { -- 2.39.5
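Review bot: The new comment `// ApplicationServlet has stored the security token in the session` does not match what this patch shows: the only visible writer of the session attribute is the paint path in CommunicationManager (@@ -343 hunk), which stores it when the WRITE_SECURITY_TOKEN_FLAG set here is present. Unless ApplicationServlet also stores it somewhere outside this page, the comment should read `// the token was stored in the session when the init response was painted; check that it matches the one sent as the first burst`. It would also help to note at the outer XSRF-disabled check that, with protection disabled, the flag is never set, so no token is emitted and the client keeps sending "init", which this branch then never inspects. The enclosing method starts and ends outside the hunk.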