diff options
| author | Leif Åstrand <legioth@gmail.com> | 2018-02-13 14:58:33 +0200 |
|---|---|---|
| committer | Ilia Motornyi <elmot@vaadin.com> | 2018-02-28 12:55:15 +0300 |
| commit | e0e6fc4cf41c7a031f140b9a8bfd8c0ba5fec7e6 (patch) | |
| tree | 5006ede27f65143c0d84cd98191c8736bc113030 | |
| parent | 3e8c87939b2ec7fd25f96bfacfbdf915a14b2344 (diff) | |
| download | vaadin-framework-e0e6fc4cf41c7a031f140b9a8bfd8c0ba5fec7e6.tar.gz vaadin-framework-e0e6fc4cf41c7a031f140b9a8bfd8c0ba5fec7e6.zip | |
Set no-store headers for error responses (#10628)
6 files changed, 56 insertions, 21 deletions
diff --git a/server/src/main/java/com/vaadin/server/VaadinResponse.java b/server/src/main/java/com/vaadin/server/VaadinResponse.java index e3422d1d48..7414b8d97c 100644 --- a/server/src/main/java/com/vaadin/server/VaadinResponse.java +++ b/server/src/main/java/com/vaadin/server/VaadinResponse.java @@ -186,6 +186,23 @@ public interface VaadinResponse extends Serializable { public void setContentLength(int len); /** + * Sets all conceivable headers that might prevent a response from being + * stored in any caches. + * + * @since + */ + public default void setNoCacheHeaders() { + // no-store to disallow storing even if cache would be revalidated + // must-revalidate to not use stored value even if someone asks for it + setHeader("Cache-Control", + "no-cache, no-store, must-revalidate"); + + // Also set legacy values in case of old proxies in between + setHeader("Pragma", "no-cache"); + setHeader("Expires", "0"); + } + + /** * Gets the currently processed Vaadin response. The current response is * automatically defined when the request is started. The current response * can not be used in e.g. background threads because of the way server diff --git a/server/src/main/java/com/vaadin/server/VaadinService.java b/server/src/main/java/com/vaadin/server/VaadinService.java index 9b9c7fd913..f995de0b5f 100644 --- a/server/src/main/java/com/vaadin/server/VaadinService.java +++ b/server/src/main/java/com/vaadin/server/VaadinService.java @@ -1635,7 +1635,7 @@ public abstract class VaadinService implements Serializable { SystemMessages ci = getSystemMessages(ServletPortletHelper .findLocale(null, vaadinSession, request), request); try { - writeStringResponse(response, + writeUncachedStringResponse(response, JsonConstants.JSON_CONTENT_TYPE, createCriticalNotificationJSON( ci.getInternalErrorCaption(), @@ -1667,24 +1667,47 @@ public abstract class VaadinService implements Serializable { * The response reference * @param contentType * The content type of the response - * @param reponseString + * @param responseString * The actual response * @throws IOException * If an error occurred while writing the response */ public void writeStringResponse(VaadinResponse response, String contentType, - String reponseString) throws IOException { + String responseString) throws IOException { response.setContentType(contentType); final OutputStream out = response.getOutputStream(); try (PrintWriter outWriter = new PrintWriter( new BufferedWriter(new OutputStreamWriter(out, UTF_8)))) { - outWriter.print(reponseString); + outWriter.print(responseString); } } /** + * Writes the given string as a response with headers to prevent caching and + * using the given content type. + * + * @param response + * The response reference + * @param contentType + * The content type of the response + * @param responseString + * The actual response + * @throws IOException + * If an error occurred while writing the response + * @since + */ + public void writeUncachedStringResponse(VaadinResponse response, + String contentType, String responseString) throws IOException { + // Response might contain sensitive information, so prevent all forms of + // caching + response.setNoCacheHeaders(); + + writeStringResponse(response, contentType, responseString); + } + + /** * Called when the session has expired and the request handling is therefore * aborted. * @@ -1802,7 +1825,7 @@ public abstract class VaadinService implements Serializable { public void criticalNotification(VaadinRequest request, VaadinResponse response, String caption, String message, String details, String url) throws IOException { - writeStringResponse(response, JsonConstants.JSON_CONTENT_TYPE, + writeUncachedStringResponse(response, JsonConstants.JSON_CONTENT_TYPE, createCriticalNotificationJSON(caption, message, details, url)); } diff --git a/server/src/main/java/com/vaadin/server/VaadinServlet.java b/server/src/main/java/com/vaadin/server/VaadinServlet.java index 62bfeb0207..e9b30e9e87 100644 --- a/server/src/main/java/com/vaadin/server/VaadinServlet.java +++ b/server/src/main/java/com/vaadin/server/VaadinServlet.java @@ -578,7 +578,7 @@ public class VaadinServlet extends HttpServlet implements Constants { SystemMessages systemMessages = getService().getSystemMessages( ServletPortletHelper.findLocale(null, null, request), request); - getService().writeStringResponse(response, + getService().writeUncachedStringResponse(response, JsonConstants.JSON_CONTENT_TYPE, VaadinService.createCriticalNotificationJSON( systemMessages.getCookiesDisabledCaption(), @@ -625,7 +625,7 @@ public class VaadinServlet extends HttpServlet implements Constants { if (ServletPortletHelper.isUIDLRequest(request)) { String output = VaadinService.createCriticalNotificationJSON( caption, message, details, url); - getService().writeStringResponse(response, + getService().writeUncachedStringResponse(response, JsonConstants.JSON_CONTENT_TYPE, output); } else { // Create an HTML reponse with the error @@ -649,7 +649,7 @@ public class VaadinServlet extends HttpServlet implements Constants { if (url != null) { output += "</a>"; } - getService().writeStringResponse(response, + getService().writeUncachedStringResponse(response, ApplicationConstants.CONTENT_TYPE_TEXT_HTML_UTF_8, output); } } diff --git a/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java b/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java index 12a04c1509..93356a1519 100644 --- a/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java +++ b/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java @@ -109,15 +109,9 @@ public abstract class UIInitHandler extends SynchronizedRequestHandler { // The response was produced without errors so write it to the client response.setContentType(JsonConstants.JSON_CONTENT_TYPE); - // Response might contain sensitive information, so prevent caching - // no-store to disallow storing even if cache would be revalidated - // must-revalidate to not use stored value even if someone asks for it - response.setHeader("Cache-Control", - "no-cache, no-store, must-revalidate"); - - // Also set legacy values in case of old proxies in between - response.setHeader("Pragma", "no-cache"); - response.setHeader("Expires", "0"); + // Response might contain sensitive information, so prevent all forms of + // caching + response.setNoCacheHeaders(); byte[] b = json.getBytes(UTF_8); response.setContentLength(b.length); @@ -228,7 +222,7 @@ public abstract class UIInitHandler extends SynchronizedRequestHandler { session.addUI(ui); if (initException != null) { ui.getSession().getCommunicationManager() - .handleConnectorRelatedException(ui, initException); + .handleConnectorRelatedException(ui, initException); } // Warn if the window can't be preserved if (embedId == null @@ -316,7 +310,7 @@ public abstract class UIInitHandler extends SynchronizedRequestHandler { String seckey = session.getCsrfToken(); return "\"" + ApplicationConstants.UIDL_SECURITY_TOKEN_ID + "\":\"" - + seckey + "\","; + + seckey + "\","; } /** diff --git a/server/src/main/java/com/vaadin/server/communication/UidlRequestHandler.java b/server/src/main/java/com/vaadin/server/communication/UidlRequestHandler.java index 3aedcd2472..e7fabf752e 100644 --- a/server/src/main/java/com/vaadin/server/communication/UidlRequestHandler.java +++ b/server/src/main/java/com/vaadin/server/communication/UidlRequestHandler.java @@ -164,7 +164,8 @@ public class UidlRequestHandler extends SynchronizedRequestHandler SystemMessages systemMessages = service.getSystemMessages( ServletPortletHelper.findLocale(null, null, request), request); - service.writeStringResponse(response, JsonConstants.JSON_CONTENT_TYPE, + service.writeUncachedStringResponse(response, + JsonConstants.JSON_CONTENT_TYPE, VaadinService.createCriticalNotificationJSON( systemMessages.getSessionExpiredCaption(), systemMessages.getSessionExpiredMessage(), null, diff --git a/uitest/src/main/java/com/vaadin/tests/application/CriticalNotifications.java b/uitest/src/main/java/com/vaadin/tests/application/CriticalNotifications.java index b0e88b102b..792043eae0 100644 --- a/uitest/src/main/java/com/vaadin/tests/application/CriticalNotifications.java +++ b/uitest/src/main/java/com/vaadin/tests/application/CriticalNotifications.java @@ -96,7 +96,7 @@ public class CriticalNotifications extends AbstractReindeerTestUI { VaadinResponse response = VaadinService.getCurrentResponse(); try { - service.writeStringResponse(response, + service.writeUncachedStringResponse(response, JsonConstants.JSON_CONTENT_TYPE, VaadinService.createCriticalNotificationJSON(caption, message, details, url)); |