Package com.google.gwt.user.server.rpc

Class AbstractXsrfProtectedServiceServlet

java.lang.Object
javax.servlet.GenericServlet
javax.servlet.http.HttpServlet
com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet
com.google.gwt.user.server.rpc.RemoteServiceServlet
com.google.gwt.user.server.rpc.AbstractXsrfProtectedServiceServlet
All Implemented Interfaces:
SerializationPolicyProvider, Serializable, javax.servlet.Servlet, javax.servlet.ServletConfig
Direct Known Subclasses:
XsrfProtectedServiceServlet
public abstract class AbstractXsrfProtectedServiceServlet extends RemoteServiceServlet
An abstract class for XSRF protected RPC service implementations, which decides if XSRF protection should be enforced on a method invocation based on the following logic:
  • RPC interface or method can be annotated with either XsrfProtect or NoXsrfProtect annotation to enable or disable XSRF protection on all methods of an RPC interface or a single method correspondingly.
  • RPC interface level annotation can be overridden by a method level annotation.
  • If no annotations are present and RPC interface contains method that returns RpcToken or its implementation, then XSRF token validation is performed on all methods of that interface except for the method returning RpcToken.
See Also:

  • Constructor Details

    • AbstractXsrfProtectedServiceServlet

      public AbstractXsrfProtectedServiceServlet()
      The default constructor used by service implementations that extend this class. The servlet will delegate AJAX requests to the appropriate method in the subclass.

    • AbstractXsrfProtectedServiceServlet

      public AbstractXsrfProtectedServiceServlet(Object delegate)
      The wrapping constructor used by service implementations that are separate from this class. The servlet will delegate AJAX requests to the appropriate method in the given object.

  • Method Details

    • onAfterRequestDeserialized

      protected void onAfterRequestDeserialized(RPCRequest rpcRequest)
      Description copied from class: AbstractRemoteServiceServlet
      Override this method to examine the deserialized version of the request before the call to the servlet method is made. The default implementation does nothing and need not be called by subclasses.
      Overrides:
      onAfterRequestDeserialized in class AbstractRemoteServiceServlet

    • shouldValidateXsrfToken

      protected boolean shouldValidateXsrfToken(Method method)
      Override this method to change default XSRF enforcement logic.
      Parameters:
      method - Method being invoked
      Returns:
      true if XSRF token should be verified, false otherwise

    • validateXsrfToken

      protected abstract void validateXsrfToken(RpcToken token, Method method) throws RpcTokenException
      Override this method to perform XSRF token verification.
      Parameters:
      token - RpcToken included with an RPC request.
      method - method being invoked via this RPC call.
      Throws:
      RpcTokenException - if token verification failed.