author | Artur Signell <artur.signell@itmill.com> | 2009-06-29 14:49:54 +0000 |
committer | Artur Signell <artur.signell@itmill.com> | 2009-06-29 14:49:54 +0000 |
commit | 94b13d6ddaf92d0abd9c8a7883adca95d9192fd5 (patch) | |
tree | 5307ba5a72b96400d38bfa067fb84be79ccf01f0 | |
parent | 42af2df434d96a993e90a46e08bbaa883f5c3b3b (diff) | |
download | vaadin-framework-94b13d6ddaf92d0abd9c8a7883adca95d9192fd5.tar.gz vaadin-framework-94b13d6ddaf92d0abd9c8a7883adca95d9192fd5.zip |
Fix for #3060 - Warn if cross site scripting prevention is turned off
svn changeset:8268/svn branch:6.0
-rw-r--r-- | src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java b/src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java index a07d1114a6..ff03e8d1a5 100644 --- a/src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java +++ b/src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java @@ -118,6 +118,8 @@ public abstract class AbstractApplicationServlet extends HttpServlet { private static final String NOT_PRODUCTION_MODE_INFO = "=================================================================\nVaadin is running in DEBUG MODE.\nAdd productionMode=true to web.xml to disable debug features.\nTo show debug window, add ?debug to your application URL.\n================================================================="; + private static final String WARNING_XSRF_PROTECTION_DISABLED = "===========================================================\nWARNING: Cross-site request forgery protection is disabled!\n==========================================================="; + private boolean productionMode = false; private static final String URL_PARAMETER_RESTART_APPLICATION = "restartApplication"; @@ -127,6 +129,7 @@ public abstract class AbstractApplicationServlet extends HttpServlet { private static final String SERVLET_PARAMETER_DEBUG = "Debug"; private static final String SERVLET_PARAMETER_PRODUCTION_MODE = "productionMode"; + static final String SERVLET_PARAMETER_DISABLE_XSRF_PROTECTION = "disable-xsrf-protection"; // Configurable parameter names private static final String PARAMETER_VAADIN_RESOURCES = "Resources"; 
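Review bot: The new `SERVLET_PARAMETER_DISABLE_XSRF_PROTECTION` constant in the second hunk is package-private while the neighbouring `SERVLET_PARAMETER_*` constants are `private`; if a sibling class in the package is meant to read it, a short Javadoc would make that intent visible, otherwise it should be `private` like the others. A comment along the lines of `/** Init parameter (also read as a system property) that, when "true", turns off XSRF protection; see checkCrossSiteProtection() for the warning printed at startup. */` would document the security-relevant effect at its declaration. The enforcement of the parameter is not in this diff, so the note should not claim more than the warning behaviour that is visible here.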
@@ -190,8 +193,20 @@ public abstract class AbstractApplicationServlet extends HttpServlet { applicationProperties.setProperty(name, context .getInitParameter(name)); } - checkProductionMode(); + checkCrossSiteProtection(); + } + + private void checkCrossSiteProtection() { + if (getApplicationOrSystemProperty( + SERVLET_PARAMETER_DISABLE_XSRF_PROTECTION, "false").equals( + "true")) { + /* + * Print an information/warning message about running with xsrf + * protection disabled + */ + System.err.println(WARNING_XSRF_PROTECTION_DISABLED); + } } private void checkProductionMode() { |
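Review bot: The removed line is the only call to `checkProductionMode()` visible here, and the hunk replaces it with `checkCrossSiteProtection()` instead of adding the new call next to it, so unless `checkProductionMode()` is invoked somewhere outside this hunk the production-mode check no longer runs at init; the intended lines are probably `checkProductionMode();` followed by `checkCrossSiteProtection();` before the closing brace. The enclosing method starts before the hunk, so I cannot confirm whether another call exists. The `.equals("true")` comparison is case-sensitive, which is fine as long as it matches the test used where the parameter is actually enforced; if that site uses `Boolean.parseBoolean` or similar, a value like `"True"` would disable protection without triggering this warning, so the two checks should share one helper. Writing the warning to `System.err` rather than the servlet's `log(...)` is a style choice, but container logs are where operators will look for it.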