Merged from 6.2; Implements security key w/o use of headers, fixes #3305

svn changeset:8895/svn branch:6.1
author: Marc Englund <marc.englund@itmill.com> 2009-09-24 06:24:29 +0000
committer: Marc Englund <marc.englund@itmill.com> 2009-09-24 06:24:29 +0000
commit: 1ed019413c5fa59616e01315b7bb1750a3dd930c (patch)
tree: 70c3c537fae105dea3d222d5753f639d8fbd60a5
parent: c9114e8c0bb48fd060e1a03b5c40550e825271ed (diff)
download: vaadin-framework-1ed019413c5fa59616e01315b7bb1750a3dd930c.tar.gz
vaadin-framework-1ed019413c5fa59616e01315b7bb1750a3dd930c.zip
2 files changed, 76 insertions, 65 deletions
diff --git a/src/com/vaadin/terminal/gwt/client/ApplicationConnection.java b/src/com/vaadin/terminal/gwt/client/ApplicationConnection.java
index 0e1270901f..c238d4bc2e 100755
--- a/src/com/vaadin/terminal/gwt/client/ApplicationConnection.java
+++ b/src/com/vaadin/terminal/gwt/client/ApplicationConnection.java
@@ -59,7 +59,11 @@ public class ApplicationConnection {
 
     public static final String VAR_ARRAYITEM_SEPARATOR = "\u001c";
 
-    public static final String UIDL_SECURITY_HEADER = "X-Vaadin-Security-Key";
+    public static final String UIDL_SECURITY_TOKEN_ID = "Vaadin-Security-Key";
+    /**
+     * @deprecated use UIDL_SECURITY_TOKEN_ID instead
+     */
+    public static final String UIDL_SECURITY_HEADER = UIDL_SECURITY_TOKEN_ID;
 
     public static final String PARAM_UNLOADBURST = "onunloadburst";
 
@@ -155,28 +159,28 @@ public class ApplicationConnection {
     private native void initializeTestbenchHooks(
             ComponentLocator componentLocator, String TTAppId)
     /*-{
-         var ap = this;
-         var client = {};
-         client.isActive = function() {
-             return ap.@com.vaadin.terminal.gwt.client.ApplicationConnection::hasActiveRequest()();
-         }
-         var vi = ap.@com.vaadin.terminal.gwt.client.ApplicationConnection::getVersionInfo()();
-         if (vi) {
-             client.getVersionInfo = function() {
-                 return vi;
-             }
-         }
-
-         client.getElementByPath = function(id) {
-            return componentLocator.@com.vaadin.terminal.gwt.client.ComponentLocator::getElementByPath(Ljava/lang/String;)(id);
-         }
-         client.getPathForElement = function(element) {
-            return componentLocator.@com.vaadin.terminal.gwt.client.ComponentLocator::getPathForElement(Lcom/google/gwt/user/client/Element;)(element);
-         }
-
-         if(!$wnd.vaadin.clients) {
-            $wnd.vaadin.clients = {};
-         }
+        var ap = this;
+        var client = {};
+        client.isActive = function() {
+            return ap.@com.vaadin.terminal.gwt.client.ApplicationConnection::hasActiveRequest()();
+        }
+        var vi = ap.@com.vaadin.terminal.gwt.client.ApplicationConnection::getVersionInfo()();
+        if (vi) {
+            client.getVersionInfo = function() {
+                return vi;
+            }
+        }
+
+        client.getElementByPath = function(id) {
+           return componentLocator.@com.vaadin.terminal.gwt.client.ComponentLocator::getElementByPath(Ljava/lang/String;)(id);
+        }
+        client.getPathForElement = function(element) {
+           return componentLocator.@com.vaadin.terminal.gwt.client.ComponentLocator::getPathForElement(Lcom/google/gwt/user/client/Element;)(element);
+        }
+
+        if(!$wnd.vaadin.clients) {
+           $wnd.vaadin.clients = {};
+        }
 
         $wnd.vaadin.clients[TTAppId] = client;
     }-*/;
@@ -275,14 +279,14 @@ public class ApplicationConnection {
         } else {
             return false;
         }
-     }-*/;
+    }-*/;
 
     private native static boolean isQuietDebugMode()
     /*-{
-     var uri = $wnd.location;
-     var re = /debug=q[^\/]*$/;
-     return re.test(uri);
-     }-*/;
+        var uri = $wnd.location;
+        var re = /debug=q[^\/]*$/;
+        return re.test(uri);
+    }-*/;
 
     public String getAppUri() {
         return configuration.getApplicationUri();
@@ -376,14 +380,7 @@ public class ApplicationConnection {
                             return;
 
                         }
-                        if ("init".equals(uidl_security_key)) {
-                            // Read security key
-                            String key = response
-                                    .getHeader(UIDL_SECURITY_HEADER);
-                            if (null != key) {
-                                uidl_security_key = key;
-                            }
-                        }
+
                         if (applicationRunning) {
                             handleReceivedJSONMessage(response);
                         } else {
@@ -469,12 +466,12 @@ public class ApplicationConnection {
     private native void syncSendForce(JavaScriptObject xmlHttpRequest,
             String uri, String requestData)
     /*-{
-         try {
-             xmlHttpRequest.open("POST", uri, false);
-             xmlHttpRequest.setRequestHeader("Content-Type", "text/plain;charset=utf-8");
-             xmlHttpRequest.send(requestData);
+        try {
+            xmlHttpRequest.open("POST", uri, false);
+            xmlHttpRequest.setRequestHeader("Content-Type", "text/plain;charset=utf-8");
+            xmlHttpRequest.send(requestData);
         } catch (e) {
-            // No errors are managed as this is synchronous forceful send that can just fail
+           // No errors are managed as this is synchronous forceful send that can just fail
         }
         this.@com.vaadin.terminal.gwt.client.ApplicationConnection::endRequest()();
     }-*/;
@@ -608,7 +605,7 @@ public class ApplicationConnection {
     private static native ValueMap parseJSONResponse(String jsonText)
     /*-{
         return eval('(' + jsonText + ')');
-     }-*/;
+    }-*/;
 
     private void handleReceivedJSONMessage(Response response) {
         final Date start = new Date();
@@ -632,6 +629,11 @@ public class ApplicationConnection {
             return;
         }
 
+        // Get security key
+        if (json.containsKey(UIDL_SECURITY_TOKEN_ID)) {
+            uidl_security_key = json.getString(UIDL_SECURITY_TOKEN_ID);
+        }
+
         if (json.containsKey("resources")) {
             ValueMap resources = json.getValueMap("resources");
             JsArrayString keyArray = resources.getKeyArray();
@@ -813,12 +815,12 @@ public class ApplicationConnection {
     // Redirect browser, null reloads current page
     private static native void redirect(String url)
     /*-{
-      if (url) {
-         $wnd.location = url;
-      } else {
-          $wnd.location.reload(false);
-      }
-     }-*/;
+        if (url) {
+           $wnd.location = url;
+        } else {
+            $wnd.location.reload(false);
+        }
+    }-*/;
 
     public void registerPaintable(String id, Paintable paintable) {
         ComponentDetail componentDetail = new ComponentDetail();
diff --git a/src/com/vaadin/terminal/gwt/server/CommunicationManager.java b/src/com/vaadin/terminal/gwt/server/CommunicationManager.java
index ee5a22c3f3..737258a68d 100644
--- a/src/com/vaadin/terminal/gwt/server/CommunicationManager.java
+++ b/src/com/vaadin/terminal/gwt/server/CommunicationManager.java
@@ -78,6 +78,10 @@ public class CommunicationManager implements Paintable.RepaintRequestListener,
 
     private static String GET_PARAM_REPAINT_ALL = "repaintAll";
 
+    // flag used in the request to indicate that the security token should be
+    // written to the response
+    private static final String WRITE_SECURITY_TOKEN_FLAG = "writeSecurityToken";
+
     /* Variable records indexes */
     private static final int VAR_PID = 1;
     private static final int VAR_NAME = 2;
@@ -343,6 +347,21 @@ public class CommunicationManager implements Paintable.RepaintRequestListener,
         // some dirt to prevent cross site scripting
         outWriter.print("for(;;);[{");
 
+        // security key
+        if (request.getAttribute(WRITE_SECURITY_TOKEN_FLAG) != null) {
+            String seckey = (String) request.getSession().getAttribute(
+                    ApplicationConnection.UIDL_SECURITY_TOKEN_ID);
+            if (seckey == null) {
+                seckey = "" + (int) (Math.random() * 1000000);
+                request.getSession().setAttribute(
+                        ApplicationConnection.UIDL_SECURITY_TOKEN_ID, seckey);
+            }
+            outWriter.print("\"" + ApplicationConnection.UIDL_SECURITY_TOKEN_ID
+                    + "\":\"");
+            outWriter.print(seckey);
+            outWriter.print("\",");
+        }
+
         outWriter.print("\"changes\":[");
 
         ArrayList<Paintable> paintables = null;
@@ -636,31 +655,21 @@ public class CommunicationManager implements Paintable.RepaintRequestListener,
                     .equals(application2
                             .getProperty(AbstractApplicationServlet.SERVLET_PARAMETER_DISABLE_XSRF_PROTECTION))) {
                 if (bursts.length == 1 && "init".equals(bursts[0])) {
-                    // initial request, no variable changes: send key
-                    String seckey = (String) request.getSession().getAttribute(
-                            ApplicationConnection.UIDL_SECURITY_HEADER);
-                    if (seckey == null) {
-                        seckey = "" + (int) (Math.random() * 1000000);
-                    }
-                    /*
-                     * Cookie c = new Cookie(
-                     * ApplicationConnection.UIDL_SECURITY_COOKIE_NAME, uuid);
-                     * response.addCookie(c);
-                     */
-                    response.setHeader(
-                            ApplicationConnection.UIDL_SECURITY_HEADER, seckey);
-                    request.getSession().setAttribute(
-                            ApplicationConnection.UIDL_SECURITY_HEADER, seckey);
+                    // init request; don't handle any variables, key sent in
+                    // response.
+                    request.setAttribute(WRITE_SECURITY_TOKEN_FLAG, true);
                     return true;
                 } else {
-                    // check the key
+                    // ApplicationServlet has stored the security token in the
+                    // session; check that it matched the one sent in the UIDL
                     String sessId = (String) request.getSession().getAttribute(
-                            ApplicationConnection.UIDL_SECURITY_HEADER);
+                            ApplicationConnection.UIDL_SECURITY_TOKEN_ID);
                     if (sessId == null || !sessId.equals(bursts[0])) {
                         throw new InvalidUIDLSecurityKeyException(
                                 "Security key mismatch");
                     }
                 }
+
             }
 
             for (int bi = 1; bi < bursts.length; bi++) {
author	Marc Englund <marc.englund@itmill.com>	2009-09-24 06:24:29 +0000
committer	Marc Englund <marc.englund@itmill.com>	2009-09-24 06:24:29 +0000
commit	1ed019413c5fa59616e01315b7bb1750a3dd930c (patch)
tree	70c3c537fae105dea3d222d5753f639d8fbd60a5
parent	c9114e8c0bb48fd060e1a03b5c40550e825271ed (diff)
download	vaadin-framework-1ed019413c5fa59616e01315b7bb1750a3dd930c.tar.gz vaadin-framework-1ed019413c5fa59616e01315b7bb1750a3dd930c.zip