From 558d81f9e1b2e00975f91d9f9cd1d83611fca0c5 Mon Sep 17 00:00:00 2001
From: Marc Englund
Date: Tue, 11 Nov 2008 13:19:32 +0000
Subject: [PATCH] Changed double cookie submission to use JSESSIONID, can be disabled, cleaned up.

svn changeset:5863/svn branch:trunk
---
 .../gwt/client/ApplicationConnection.java | 2 +-
 .../gwt/server/ApplicationServlet.java    | 10 +--------
 .../gwt/server/CommunicationManager.java  | 18 ++++++++++++++++--
 3 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/src/com/itmill/toolkit/terminal/gwt/client/ApplicationConnection.java b/src/com/itmill/toolkit/terminal/gwt/client/ApplicationConnection.java
index b09a9bc08c..dbbe7b6d2f 100755
--- a/src/com/itmill/toolkit/terminal/gwt/client/ApplicationConnection.java
+++ b/src/com/itmill/toolkit/terminal/gwt/client/ApplicationConnection.java
@@ -61,7 +61,7 @@ public class ApplicationConnection {
 
     public static final String VAR_BURST_SEPARATOR = "\u001d";
 
-    public static final String UIDL_SECURITY_COOKIE_NAME = "com.itmill.toolkit.seckey";
+    public static final String UIDL_SECURITY_COOKIE_NAME = "JSESSIONID";
 
     private final HashMap resourcesMap = new HashMap();
 
diff --git a/src/com/itmill/toolkit/terminal/gwt/server/ApplicationServlet.java b/src/com/itmill/toolkit/terminal/gwt/server/ApplicationServlet.java
index 007843bef9..47d56f4cef 100644
--- a/src/com/itmill/toolkit/terminal/gwt/server/ApplicationServlet.java
+++ b/src/com/itmill/toolkit/terminal/gwt/server/ApplicationServlet.java
@@ -27,7 +27,6 @@ import java.util.Properties;
 import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.ServletOutputStream;
-import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
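Review bot: Reusing the container's session cookie as the double-submit token means the client-side code has to read `JSESSIONID` (presumably from document.cookie), which rules out ever marking the session cookie HttpOnly and ties the XSRF defence to a cookie name that the servlet container may be configured to change; a deployment with a renamed session cookie would break the check rather than fail safe. The dedicated script-readable cookie being removed here (`com.itmill.toolkit.seckey`) kept the session ID itself out of the request body, whereas it now also travels in the UIDL payload, where proxies and request logging can capture it. At minimum the trade-off should be documented on the constant: `/** Cookie whose value the client echoes back as the UIDL security key; it must remain readable from script, so it cannot be HttpOnly. */`. The enclosing class continues outside the hunk.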
@@ -44,7 +43,6 @@ import com.itmill.toolkit.terminal.ParameterHandler;
 import com.itmill.toolkit.terminal.Terminal;
 import com.itmill.toolkit.terminal.ThemeResource;
 import com.itmill.toolkit.terminal.URIHandler;
-import com.itmill.toolkit.terminal.gwt.client.ApplicationConnection;
 import com.itmill.toolkit.ui.Window;
 
 /**
@@ -531,7 +529,7 @@ public class ApplicationServlet extends HttpServlet {
                 }
             } catch (final GeneralSecurityException e) {
                 // TODO handle differently?
-                // Invalid security key, show session expired message for now
+                // Invalid security key, show session expired message for now.
                 try {
                     Application.SystemMessages ci = getSystemMessages();
                     if (!UIDLrequest) {
@@ -772,12 +770,6 @@ public class ApplicationServlet extends HttpServlet {
             HttpServletResponse response, Window window, String themeName,
             Application application) throws IOException, MalformedURLException {
 
-        // Security: double cookie submission pattern
-        Cookie secCookie = new Cookie(
-                ApplicationConnection.UIDL_SECURITY_COOKIE_NAME, request
-                        .getSession().getId());
-        response.addCookie(secCookie);
-
         // e.g portlets only want a html fragment
         boolean fragment = (request.getAttribute(REQUEST_FRAGMENT) != null);
         if (fragment) {
diff --git a/src/com/itmill/toolkit/terminal/gwt/server/CommunicationManager.java b/src/com/itmill/toolkit/terminal/gwt/server/CommunicationManager.java
index 56d4559f22..a9e397d2d2 100644
--- a/src/com/itmill/toolkit/terminal/gwt/server/CommunicationManager.java
+++ b/src/com/itmill/toolkit/terminal/gwt/server/CommunicationManager.java
@@ -593,8 +593,22 @@ public class CommunicationManager implements Paintable.RepaintRequestListener {
         // Manage bursts one by one
         final String[] bursts = changes.split(VAR_BURST_SEPARATOR);
 
-        // check security key (==sessionid, double cookie submission
-        if (!request.getSession().getId().equals(bursts[0])) {
+        boolean nocheck = "true".equals(application2
+                .getProperty("disable-xsrf-protection"));
+        // Security: double cookie submission pattern
+        if (!nocheck && bursts.length == 1 && "undefined".equals(bursts[0])) {
+            // No seckey, but no variables: initial request
+            /*- don't set key, we're using JSESSIONID
+            Cookie secCookie = new Cookie(
+                    ApplicationConnection.UIDL_SECURITY_COOKIE_NAME,
+                    request.getSession().getId());
+            secCookie.setPath("/");
+            response.addCookie(secCookie);
+            -*/
+            return true;
+
+        } else if (!nocheck
+                && !request.getSession().getId().equals(bursts[0])) {
             throw new InvalidUIDLSecurityKeyException(
                     "Invalid UIDL security key");
         }
-- 
2.39.5
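Review bot: The new `disable-xsrf-protection` switch computed into `nocheck` is read silently on every request, so a deployment that has it set gives no visible sign that the double-submit check is off; log the property once (at application start, or on the first request that reads it) and document it next to the other application properties, e.g. `// disable-xsrf-protection=true bypasses the session-id check for every UIDL request`. The early `return true` for a lone `"undefined"` burst is only safe because it runs before any variable in the request is applied, which is worth pinning in the comment: `// No security key and no variables: initial request. Must return before any variable is handled.`. The commented-out `/*- ... -*/` cookie block should be deleted rather than kept as dead code, since the removed servlet code already preserves it in history. The enclosing method starts and ends outside the hunk.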