authorLeif Åstrand <leif@vaadin.com>2013-04-25 16:12:35 +0300
committerVaadin Code Review <review@vaadin.com>2013-04-26 13:06:23 +0000
commit24d24b249d1ef44c3b1be460e8e390df90d2b2d9 (patch)
tree00118399225493eb7e36d58a365a67ed8fb04dc1
parented97f8bcdd7472710ea8ddd88b74bd88016c510b (diff)
Store security key in VaadinSession (#11717)
* Also removes the WRITE_SECURITY_TOKEN_FLAG flag, which was defined twice but never set. Change-Id: I02d172b7ccd230df7c59b3b17227235bea9d2e7d
-rw-r--r--server/src/com/vaadin/server/LegacyCommunicationManager.java40
-rw-r--r--server/src/com/vaadin/server/VaadinService.java6
-rw-r--r--server/src/com/vaadin/server/VaadinSession.java15
-rw-r--r--server/src/com/vaadin/server/communication/ServerRpcHandler.java4
-rw-r--r--server/src/com/vaadin/server/communication/UIInitHandler.java22
-rw-r--r--server/src/com/vaadin/server/communication/UidlRequestHandler.java10
6 files changed, 36 insertions, 61 deletions
diff --git a/server/src/com/vaadin/server/LegacyCommunicationManager.java b/server/src/com/vaadin/server/LegacyCommunicationManager.java
index 7dea5890e9..c0194db243 100644
--- a/server/src/com/vaadin/server/LegacyCommunicationManager.java
+++ b/server/src/com/vaadin/server/LegacyCommunicationManager.java
@@ -30,7 +30,6 @@ import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
-import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -62,9 +61,6 @@ import com.vaadin.ui.UI;
@SuppressWarnings("serial")
public class LegacyCommunicationManager implements Serializable {
- // TODO PUSH move
- public static final String WRITE_SECURITY_TOKEN_FLAG = "writeSecurityToken";
-
// TODO Refactor (#11410)
private final HashMap<Integer, ClientCache> uiToClientCache = new HashMap<Integer, ClientCache>();
@@ -100,42 +96,6 @@ public class LegacyCommunicationManager implements Serializable {
}
/**
- * Gets the security key (and generates one if needed) as UIDL.
- *
- * @param request
- * @return the security key UIDL or "" if the feature is turned off
- */
- public String getSecurityKeyUIDL(VaadinRequest request) {
- final String seckey = getSecurityKey(request);
- if (seckey != null) {
- return "\"" + ApplicationConstants.UIDL_SECURITY_TOKEN_ID + "\":\""
- + seckey + "\",";
- } else {
- return "";
- }
- }
-
- /**
- * Gets the security key (and generates one if needed).
- *
- * @param request
- * @return the security key
- */
- protected String getSecurityKey(VaadinRequest request) {
- String seckey = null;
- WrappedSession session = request.getWrappedSession();
- seckey = (String) session
- .getAttribute(ApplicationConstants.UIDL_SECURITY_TOKEN_ID);
- if (seckey == null) {
- seckey = UUID.randomUUID().toString();
- session.setAttribute(ApplicationConstants.UIDL_SECURITY_TOKEN_ID,
- seckey);
- }
-
- return seckey;
- }
-
- /**
* @deprecated As of 7.1. See #11411.
*/
@Deprecated
diff --git a/server/src/com/vaadin/server/VaadinService.java b/server/src/com/vaadin/server/VaadinService.java
index 6c540aec42..c6fdca35f0 100644
--- a/server/src/com/vaadin/server/VaadinService.java
+++ b/server/src/com/vaadin/server/VaadinService.java
@@ -52,7 +52,6 @@ import com.vaadin.server.communication.HeartbeatHandler;
import com.vaadin.server.communication.PublishedFileHandler;
import com.vaadin.server.communication.SessionRequestHandler;
import com.vaadin.server.communication.UidlRequestHandler;
-import com.vaadin.shared.ApplicationConstants;
import com.vaadin.shared.JsonConstants;
import com.vaadin.shared.ui.ui.UIConstants;
import com.vaadin.ui.UI;
@@ -1569,10 +1568,9 @@ public abstract class VaadinService implements Serializable {
if (session.getService().getDeploymentConfiguration()
.isXsrfProtectionEnabled()) {
- String keyInSession = (String) session.getSession().getAttribute(
- ApplicationConstants.UIDL_SECURITY_TOKEN_ID);
+ String sessionToken = session.getCsrfToken();
- if (keyInSession == null || !keyInSession.equals(requestToken)) {
+ if (sessionToken == null || !sessionToken.equals(requestToken)) {
return false;
}
}
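Review bot: The replacement comparison `sessionToken.equals(requestToken)` is a short-circuit string compare, so its running time depends on how many leading characters of the client-supplied token match the secret; a constant-time compare is the usual choice for a CSRF token check. Something like `if (sessionToken == null || requestToken == null || !MessageDigest.isEqual(sessionToken.getBytes(StandardCharsets.UTF_8), requestToken.getBytes(StandardCharsets.UTF_8))) {` keeps the tolerance for a null requestToken that the original `equals` call had, and needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` added to the import block above (the latter is Java 7+; on an older baseline `getBytes("UTF-8")` with its checked exception would be needed instead). The `sessionToken == null` guard is still worth keeping even though the field is initialised inline in VaadinSession, so the check fails closed if a session ever arrives without a token. The enclosing method starts and ends outside this hunk.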
diff --git a/server/src/com/vaadin/server/VaadinSession.java b/server/src/com/vaadin/server/VaadinSession.java
index 9c803924e0..57e9076342 100644
--- a/server/src/com/vaadin/server/VaadinSession.java
+++ b/server/src/com/vaadin/server/VaadinSession.java
@@ -25,6 +25,7 @@ import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
+import java.util.UUID;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import java.util.logging.Logger;
@@ -590,6 +591,8 @@ public class VaadinSession implements HttpSessionBindingListener, Serializable {
private int connectorIdSequence = 0;
+ private final String csrfToken = UUID.randomUUID().toString();
+
/**
* Generate an id for the given Connector. Connectors must not call this
* method more than once, the first time they need an id.
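Review bot: The new `csrfToken` field at the top of the hunk has no comment explaining what it holds or why it is `final`; suggest `// Per-session CSRF token, generated once when the session is created and compared against the token sent with each UIDL request (see VaadinService).` Because a field initializer is not rerun on deserialization, a VaadinSession restored from a form serialized before this field existed would presumably come back with a null token, which the VaadinService check then rejects (fails closed) — worth a short note in the comment if such session migration is supported.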
@@ -1092,4 +1095,16 @@ public class VaadinSession implements HttpSessionBindingListener, Serializable {
}
+ /**
+ * Gets the CSRF token (aka double submit cookie) that is used to protect
+ * against Cross Site Request Forgery attacks.
+ *
+ * @since 7.1
+ * @return the csrf token string
+ */
+ public String getCsrfToken() {
+ assert hasLock();
+ return csrfToken;
+ }
+
}
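Review bot: The Javadoc on the new `getCsrfToken` describes the value as `(aka double submit cookie)`, but the token is kept in server-side session state and compared by VaadinService against the token carried in the request, which is the synchronizer-token pattern; no cookie is involved in what this commit adds. Suggest `Gets the CSRF token (synchronizer token) that is used to protect against Cross Site Request Forgery attacks. The value is generated once per session and must match the token sent with each UIDL request.` The `@since 7.1` and `@return` tags can stay as they are.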
diff --git a/server/src/com/vaadin/server/communication/ServerRpcHandler.java b/server/src/com/vaadin/server/communication/ServerRpcHandler.java
index 62949615fb..e0e7494ca8 100644
--- a/server/src/com/vaadin/server/communication/ServerRpcHandler.java
+++ b/server/src/com/vaadin/server/communication/ServerRpcHandler.java
@@ -69,10 +69,6 @@ public class ServerRpcHandler implements Serializable {
private static final int MAX_BUFFER_SIZE = 64 * 1024;
- // flag used in the request to indicate that the security token should be
- // written to the response
- private static final String WRITE_SECURITY_TOKEN_FLAG = "writeSecurityToken";
-
/**
* Reads JSON containing zero or more serialized RPC calls (including legacy
* variable changes) and executes the calls.
diff --git a/server/src/com/vaadin/server/communication/UIInitHandler.java b/server/src/com/vaadin/server/communication/UIInitHandler.java
index 7c8fc3a0d8..97aaa6bd74 100644
--- a/server/src/com/vaadin/server/communication/UIInitHandler.java
+++ b/server/src/com/vaadin/server/communication/UIInitHandler.java
@@ -37,6 +37,7 @@ import com.vaadin.server.VaadinRequest;
import com.vaadin.server.VaadinResponse;
import com.vaadin.server.VaadinService;
import com.vaadin.server.VaadinSession;
+import com.vaadin.shared.ApplicationConstants;
import com.vaadin.shared.communication.PushMode;
import com.vaadin.shared.ui.ui.UIConstants;
import com.vaadin.ui.UI;
@@ -267,9 +268,10 @@ public abstract class UIInitHandler extends SynchronizedRequestHandler {
StringWriter writer = new StringWriter();
try {
writer.write("{");
- if (uI.getSession().getConfiguration().isXsrfProtectionEnabled()) {
- writer.write(uI.getSession().getCommunicationManager()
- .getSecurityKeyUIDL(request));
+
+ VaadinSession session = uI.getSession();
+ if (session.getConfiguration().isXsrfProtectionEnabled()) {
+ writer.write(getSecurityKeyUIDL(session));
}
new UidlWriter().write(uI, writer, true, false, false);
writer.write("}");
@@ -282,6 +284,20 @@ public abstract class UIInitHandler extends SynchronizedRequestHandler {
}
}
+ /**
+ * Gets the security key (and generates one if needed) as UIDL.
+ *
+ * @param session
+ * the vaadin session to which the security key belongs
+ * @return the security key UIDL or "" if the feature is turned off
+ */
+ private static String getSecurityKeyUIDL(VaadinSession session) {
+ String seckey = session.getCsrfToken();
+
+ return "\"" + ApplicationConstants.UIDL_SECURITY_TOKEN_ID + "\":\""
+ + seckey + "\",";
+ }
+
private static final Logger getLogger() {
return Logger.getLogger(UIInitHandler.class.getName());
}
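Review bot: The Javadoc of the new private `getSecurityKeyUIDL` was carried over from the removed LegacyCommunicationManager method and no longer matches the code: this version neither generates a key nor returns `""`, since the token comes from `session.getCsrfToken()` and the feature-enabled check lives in the caller. Suggest `Formats the session's CSRF token as a UIDL JSON fragment. The caller is responsible for only invoking this when XSRF protection is enabled.` with `@return the security key as a UIDL fragment`. The value is spliced into JSON by plain string concatenation without escaping, which is fine for the UUID string VaadinSession produces but would need attention if the token format ever changed. `getCsrfToken` asserts that the session lock is held; presumably `SynchronizedRequestHandler` guarantees that at this call site, which is worth confirming.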
diff --git a/server/src/com/vaadin/server/communication/UidlRequestHandler.java b/server/src/com/vaadin/server/communication/UidlRequestHandler.java
index 04ff5f9e87..73ff92f8bd 100644
--- a/server/src/com/vaadin/server/communication/UidlRequestHandler.java
+++ b/server/src/com/vaadin/server/communication/UidlRequestHandler.java
@@ -27,7 +27,6 @@ import org.json.JSONException;
import com.vaadin.server.ClientConnector;
import com.vaadin.server.Constants;
-import com.vaadin.server.LegacyCommunicationManager;
import com.vaadin.server.LegacyCommunicationManager.InvalidUIDLSecurityKeyException;
import com.vaadin.server.ServletPortletHelper;
import com.vaadin.server.SessionExpiredHandler;
@@ -169,15 +168,6 @@ public class UidlRequestHandler extends SynchronizedRequestHandler implements
throws IOException, JSONException {
openJsonMessage(writer, response);
- // security key
- Object writeSecurityTokenFlag = request
- .getAttribute(LegacyCommunicationManager.WRITE_SECURITY_TOKEN_FLAG);
-
- if (writeSecurityTokenFlag != null) {
- writer.write(ui.getSession().getCommunicationManager()
- .getSecurityKeyUIDL(request));
- }
-
new UidlWriter().write(ui, writer, repaintAll, analyzeLayouts, false);
closeJsonMessage(writer);