|
|
@@ -24,10 +24,12 @@ import java.io.OutputStream; |
|
|
|
import java.io.OutputStreamWriter; |
|
|
|
import java.io.PrintWriter; |
|
|
|
import java.io.Serializable; |
|
|
|
import java.io.UnsupportedEncodingException; |
|
|
|
import java.lang.reflect.Constructor; |
|
|
|
import java.lang.reflect.Method; |
|
|
|
import java.net.MalformedURLException; |
|
|
|
import java.net.URL; |
|
|
|
import java.security.MessageDigest; |
|
|
|
import java.util.ArrayList; |
|
|
|
import java.util.Collections; |
|
|
|
import java.util.HashMap; |
|
|
@@ -1761,7 +1763,15 @@ public abstract class VaadinService implements Serializable { |
|
|
|
.isXsrfProtectionEnabled()) { |
|
|
|
String sessionToken = session.getCsrfToken(); |
|
|
|
|
|
|
|
if (sessionToken == null || !sessionToken.equals(requestToken)) { |
|
|
|
try { |
|
|
|
if (sessionToken == null || !MessageDigest.isEqual( |
|
|
|
sessionToken.getBytes("UTF-8"), |
|
|
|
requestToken.getBytes("UTF-8"))) { |
|
|
|
return false; |
|
|
|
} |
|
|
|
} catch (UnsupportedEncodingException e) { |
|
|
|
getLogger().log(Level.WARNING, |
|
|
|
"Session token was not UTF-8, this should never happen."); |
|
|
|
return false; |
|
|
|
} |
|
|
|
} |
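Review bot: The rewritten guard on the `MessageDigest.isEqual` line dereferences `requestToken` unconditionally, whereas the replaced `sessionToken.equals(requestToken)` tolerated a null argument; if `requestToken` can arrive null (it presumably comes from the request and is read outside this hunk), the check now throws a NullPointerException instead of returning false, so widen it to `if (sessionToken == null || requestToken == null || !MessageDigest.isEqual(`. The catch block's log text is also misleading: `String.getBytes("UTF-8")` throws UnsupportedEncodingException only when the JVM lacks the charset, never because of the token's content, so reword it to something like `"UTF-8 charset not available in this JVM; rejecting CSRF token"`, or pass `StandardCharsets.UTF_8` (java.nio.charset, Java 7+) to `getBytes` and drop the checked exception and the catch entirely if the project's target level allows it. Note that `MessageDigest.isEqual` still returns early on a length mismatch, which is acceptable here only as long as session and request tokens are the same fixed length. The enclosing method begins and ends outside this hunk.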