From a4a4d9e064f06ad4cdc2801db75955872a3acf45 Mon Sep 17 00:00:00 2001
From: Aleksi Hietanen
Date: Thu, 13 Apr 2017 11:48:49 +0300
Subject: Use separate identifier for push connections

Closes #8700
---
 .../main/java/com/vaadin/server/VaadinSession.java | 13 +++++++++++
 .../vaadin/server/communication/PushHandler.java   | 25 +++++++++++++++++++---
 .../vaadin/server/communication/UIInitHandler.java | 15 +++++++++++++
 3 files changed, 50 insertions(+), 3 deletions(-)

(limited to 'server')

diff --git a/server/src/main/java/com/vaadin/server/VaadinSession.java b/server/src/main/java/com/vaadin/server/VaadinSession.java
index 36692c00c2..46a11d3826 100644
--- a/server/src/main/java/com/vaadin/server/VaadinSession.java
+++ b/server/src/main/java/com/vaadin/server/VaadinSession.java
@@ -744,6 +744,8 @@ public class VaadinSession implements HttpSessionBindingListener, Serializable {
      */
     private final String csrfToken = UUID.randomUUID().toString();
 
+    private final String pushId = UUID.randomUUID().toString();
+
     /**
      * Generate an id for the given Connector. Connectors must not call this
      * method more than once, the first time they need an id.
@@ -1417,6 +1419,17 @@ public class VaadinSession implements HttpSessionBindingListener, Serializable {
         return csrfToken;
     }
 
+    /**
+     * Gets the push connection identifier for this session. Used when
+     * establishing a push connection with the client.
+     *
+     * @return the push connection identifier string
+     */
+    public String getPushId() {
+        assert hasLock();
+        return pushId;
+    }
+
     /**
      * Override default deserialization logic to account for transient
      * {@link #pendingAccessQueue}.
diff --git a/server/src/main/java/com/vaadin/server/communication/PushHandler.java b/server/src/main/java/com/vaadin/server/communication/PushHandler.java
index e65945d15c..6eeaa88520 100644
--- a/server/src/main/java/com/vaadin/server/communication/PushHandler.java
+++ b/server/src/main/java/com/vaadin/server/communication/PushHandler.java
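Review bot: The new `pushId` field in the first VaadinSession.java hunk has no Javadoc, while the `csrfToken` field directly above it does (its closing `*/` is the hunk's first context line). Suggest `/** Random identifier the client must present when opening a push connection; kept separate from csrfToken so the CSRF token does not have to travel on the push channel. */` — the separation rationale is inferred from the commit subject, so adjust it if the motivation differs. The `getPushId()` Javadoc in the second hunk could likewise state that the caller must hold the session lock, which is what `assert hasLock();` enforces, e.g. `Must be called with the session lock held.`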
@@ -90,10 +90,10 @@ public class PushHandler {
             }
 
             String requestToken = resource.getRequest()
-                    .getParameter(ApplicationConstants.CSRF_TOKEN_PARAMETER);
-            if (!VaadinService.isCsrfTokenValid(session, requestToken)) {
+                    .getParameter(ApplicationConstants.PUSH_ID_PARAMETER);
+            if (!isPushIdValid(session, requestToken)) {
                 getLogger().log(Level.WARNING,
-                        "Invalid CSRF token in new connection received from {0}",
+                        "Invalid identifier in new connection received from {0}",
                         resource.getRequest().getRemoteHost());
                 // Refresh on client side, create connection just for
                 // sending a message
@@ -479,6 +479,25 @@ public class PushHandler {
         return Logger.getLogger(PushHandler.class.getName());
     }
 
+    /**
+     * Checks whether a given push id matches the session's push id.
+     *
+     * @param session
+     *            the vaadin session for which the check should be done
+     * @param requestPushId
+     *            the push id provided in the request
+     * @return {@code true} if the id is valid, {@code false} otherwise
+     */
+    private static boolean isPushIdValid(VaadinSession session,
+            String requestPushId) {
+
+        String sessionPushId = session.getPushId();
+        if (requestPushId == null || !requestPushId.equals(sessionPushId)) {
+            return false;
+        }
+        return true;
+    }
+
     /**
      * Called when a new push connection is requested to be opened by the client
      *
diff --git a/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java b/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java
index c0c6850d32..f08f5fc45e 100644
--- a/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java
+++ b/server/src/main/java/com/vaadin/server/communication/UIInitHandler.java
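Review bot: In the first PushHandler hunk the local `requestToken` now holds the push identifier but keeps its old name, which reads as though the CSRF token were still being checked, while the helper it is passed to calls the same value `requestPushId`. Renaming it — `String requestPushId = resource.getRequest()` / `.getParameter(ApplicationConstants.PUSH_ID_PARAMETER);` / `if (!isPushIdValid(session, requestPushId)) {` — keeps the call site and the helper consistent. The enclosing method starts before and continues after the hunk.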
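Review bot: `isPushIdValid` in the second PushHandler hunk compares the client-supplied identifier with `String.equals`, which stops at the first differing character, so the time taken depends on how much of the secret the caller got right; the replaced `VaadinService.isCsrfTokenValid` is not visible here, so whether this is a regression or an existing property cannot be told from the hunk. A length-independent comparison is `return requestPushId != null && MessageDigest.isEqual(requestPushId.getBytes(StandardCharsets.UTF_8), sessionPushId.getBytes(StandardCharsets.UTF_8));`, which also collapses the `if … return false; return true;` shape into one boolean expression (needs imports of `java.security.MessageDigest` and `java.nio.charset.StandardCharsets`). Note that `session.getPushId()` asserts the session lock is held; the call site in the first hunk should be checked to confirm the lock is already taken there, which the hunk does not show.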
@@ -287,6 +287,9 @@ public abstract class UIInitHandler extends SynchronizedRequestHandler {
             if (session.getConfiguration().isXsrfProtectionEnabled()) {
                 writer.write(getSecurityKeyUIDL(session));
             }
+            if (uI.getPushConfiguration().getPushMode().isEnabled()) {
+                writer.write(getPushIdUIDL(session));
+            }
             new UidlWriter().write(uI, writer, false);
             writer.write("}");
 
@@ -310,6 +313,18 @@ public abstract class UIInitHandler extends SynchronizedRequestHandler {
                 + seckey + "\",";
     }
 
+    /**
+     * Gets the push connection identifier as UIDL.
+     *
+     * @param session
+     *            the vaadin session to which the security key belongs
+     * @return the push identifier UIDL
+     */
+    private static String getPushIdUIDL(VaadinSession session) {
+        return "\"" + ApplicationConstants.UIDL_PUSH_ID + "\":\""
+                + session.getPushId() + "\",";
+    }
+
     private static final Logger getLogger() {
         return Logger.getLogger(UIInitHandler.class.getName());
     }
-- 
cgit v1.2.3
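Review bot: In the first UIInitHandler hunk the push identifier is written into the init UIDL only when `uI.getPushConfiguration().getPushMode().isEnabled()` holds at initialization; if push mode can be switched on for a UI later (not visible here), that client would never have received the id and its first push connection would be rejected by the new `isPushIdValid` check in PushHandler. Either confirm that a later response also delivers `UIDL_PUSH_ID`, or write it unconditionally next to the security key with a single `writer.write(getPushIdUIDL(session));`, and record the chosen contract in a comment at this `if`. The enclosing method starts before and ends after the hunk.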
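Review bot: The `@param session` description in `getPushIdUIDL`'s Javadoc reads `the vaadin session to which the security key belongs`, copied from `getSecurityKeyUIDL` above it; it should read `the vaadin session to which the push id belongs`. The value interpolated into the hand-built JSON fragment comes from `UUID.randomUUID().toString()` in VaadinSession, so no JSON escaping is needed, but that dependency is worth stating in the Javadoc, e.g. `The id is a UUID string and therefore needs no JSON escaping.`, so a future change of the id format does not silently break the fragment.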