authorAleksi Hietanen <aleksi@vaadin.com>2017-04-13 11:48:49 +0300
committerIlia Motornyi <elmot@vaadin.com>2017-04-13 10:48:49 +0200
commita4a4d9e064f06ad4cdc2801db75955872a3acf45 (patch)
tree016e116ea0a25226617a707112c446d7881094e0 /server
parentdd1d288d5fe7b3a1ee3db93afccacae72bc7408c (diff)
Use separate identifier for push connections8.1.0.alpha5
Closes #8700
Diffstat (limited to 'server')
-rw-r--r--server/src/main/java/com/vaadin/server/VaadinSession.java13
-rw-r--r--server/src/main/java/com/vaadin/server/communication/PushHandler.java25
-rw-r--r--server/src/main/java/com/vaadin/server/communication/UIInitHandler.java15
3 files changed, 50 insertions, 3 deletions
diff --git a/server/src/main/java/com/vaadin/server/VaadinSession.java b/server/src/main/java/com/vaadin/server/VaadinSession.java
index 36692c00c2..46a11d3826 100644
--- a/server/src/main/java/com/vaadin/server/VaadinSession.java
+++ b/server/src/main/java/com/vaadin/server/VaadinSession.java
@@ -744,6 +744,8 @@ public class VaadinSession implements HttpSessionBindingListener, Serializable {
*/
private final String csrfToken = UUID.randomUUID().toString();
+ private final String pushId = UUID.randomUUID().toString();
+
/**
* Generate an id for the given Connector. Connectors must not call this
* method more than once, the first time they need an id.
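Review bot: The new `pushId` field has no Javadoc, while the neighbouring `csrfToken` field does (its closing `*/` is the first context line of this hunk). Since this value is what `PushHandler` checks before accepting a new push connection, a one-line comment would tell the next maintainer why two identifiers exist: `/** Identifier the client must present when establishing a push connection; deliberately distinct from {@link #csrfToken}. */`. Initialising it from `UUID.randomUUID()` exactly like the CSRF token keeps the two values of equal quality, which is worth keeping in mind if either generator is ever changed.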
@@ -1418,6 +1420,17 @@ public class VaadinSession implements HttpSessionBindingListener, Serializable {
}
/**
+ * Gets the push connection identifier for this session. Used when
+ * establishing a push connection with the client.
+ *
+ * @return the push connection identifier string
+ */
+ public String getPushId() {
+ assert hasLock();
+ return pushId;
+ }
+
+ /**
* Override default deserialization logic to account for transient
* {@link #pendingAccessQueue}.
*/
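Review bot: `getPushId()` is new public API but its Javadoc carries no `@since` tag, unlike the existing public Javadoc in this change set (`@since 7.5.0` in PushHandler). Add `* @since <release version>` before the `@return` line so callers can tell which framework version introduced it. The `assert hasLock()` guard matches the session-access convention used elsewhere and is fine as written.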
diff --git a/server/src/main/java/com/vaadin/server/communication/PushHandler.java b/server/src/main/java/com/vaadin/server/communication/PushHandler.java
index e65945d15c..6eeaa88520 100644
--- a/server/src/main/java/com/vaadin/server/communication/PushHandler.java
+++ b/server/src/main/java/com/vaadin/server/communication/PushHandler.java
@@ -90,10 +90,10 @@ public class PushHandler {
}
String requestToken = resource.getRequest()
- .getParameter(ApplicationConstants.CSRF_TOKEN_PARAMETER);
- if (!VaadinService.isCsrfTokenValid(session, requestToken)) {
+ .getParameter(ApplicationConstants.PUSH_ID_PARAMETER);
+ if (!isPushIdValid(session, requestToken)) {
getLogger().log(Level.WARNING,
- "Invalid CSRF token in new connection received from {0}",
+ "Invalid identifier in new connection received from {0}",
resource.getRequest().getRemoteHost());
// Refresh on client side, create connection just for
// sending a message
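Review bot: The local `requestToken` now holds the push id rather than the CSRF token, so its name no longer matches what it contains; renaming it `requestPushId` (the same name the new helper uses for its parameter) would keep the two consistent, e.g. `String requestPushId = resource.getRequest().getParameter(ApplicationConstants.PUSH_ID_PARAMETER);` and `if (!isPushIdValid(session, requestPushId)) {`. The warning text could likewise say "Invalid push id" instead of the vaguer "Invalid identifier", which helps when this log line is used for detecting repeated bad connection attempts. The enclosing method starts and ends outside this hunk.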
@@ -480,6 +480,25 @@ public class PushHandler {
}
/**
+ * Checks whether a given push id matches the session's push id.
+ *
+ * @param session
+ * the vaadin session for which the check should be done
+ * @param requestPushId
+ * the push id provided in the request
+ * @return {@code true} if the id is valid, {@code false} otherwise
+ */
+ private static boolean isPushIdValid(VaadinSession session,
+ String requestPushId) {
+
+ String sessionPushId = session.getPushId();
+ if (requestPushId == null || !requestPushId.equals(sessionPushId)) {
+ return false;
+ }
+ return true;
+ }
+
+ /**
* Called when a new push connection is requested to be opened by the client
*
* @since 7.5.0
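Review bot: `isPushIdValid` spells a boolean as an `if`/`return false`/`return true` sequence that collapses to a single expression, and it leaves an empty line after the signature. Since the push id acts as the credential for opening a push connection, a constant-time comparison is preferable to `String.equals`, which stops at the first differing character: `return requestPushId != null && MessageDigest.isEqual(requestPushId.getBytes(StandardCharsets.UTF_8), sessionPushId.getBytes(StandardCharsets.UTF_8));` (needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imported). `sessionPushId` itself cannot be null because the session field is final and initialised inline, so no guard is needed on that side.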
diff --git a/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java b/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java
index c0c6850d32..f08f5fc45e 100644
--- a/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java
+++ b/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java
@@ -287,6 +287,9 @@ public abstract class UIInitHandler extends SynchronizedRequestHandler {
if (session.getConfiguration().isXsrfProtectionEnabled()) {
writer.write(getSecurityKeyUIDL(session));
}
+ if (uI.getPushConfiguration().getPushMode().isEnabled()) {
+ writer.write(getPushIdUIDL(session));
+ }
new UidlWriter().write(uI, writer, false);
writer.write("}");
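Review bot: The push id is written to the init UIDL only when push mode is enabled at the time the response is built, so if the application enables push later at runtime on the same UI, the client would presumably have no id to present and `PushHandler` would reject the connection — please confirm whether that scenario is possible or whether the client is re-sent the id on another path. If it is possible, writing `getPushIdUIDL(session)` unconditionally (the id is per-session and harmless to send when push is off) is the simpler fix; otherwise a short comment on the condition explaining why the id is only needed here would help. The enclosing method starts and ends outside this hunk.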
@@ -310,6 +313,18 @@ public abstract class UIInitHandler extends SynchronizedRequestHandler {
+ seckey + "\",";
}
+ /**
+ * Gets the push connection identifier as UIDL.
+ *
+ * @param session
+ * the vaadin session to which the security key belongs
+ * @return the push identifier UIDL
+ */
+ private static String getPushIdUIDL(VaadinSession session) {
+ return "\"" + ApplicationConstants.UIDL_PUSH_ID + "\":\""
+ + session.getPushId() + "\",";
+ }
+
private static final Logger getLogger() {
return Logger.getLogger(UIInitHandler.class.getName());
}
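Review bot: The `@param session` description of `getPushIdUIDL` says "the vaadin session to which the security key belongs", which was copied from `getSecurityKeyUIDL` and is wrong for this method. Change it to `* the vaadin session to which the push id belongs`. The string construction itself is fine as long as `getPushId()` keeps returning a UUID string, which contains no characters that need JSON escaping.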