Package com.google.gwt.user.server.rpc
Class XsrfTokenServiceServlet

java.lang.Object
  javax.servlet.GenericServlet
    javax.servlet.http.HttpServlet
      com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet
        com.google.gwt.user.server.rpc.RemoteServiceServlet
          com.google.gwt.user.server.rpc.XsrfTokenServiceServlet

All Implemented Interfaces:
  RemoteService, XsrfTokenService, SerializationPolicyProvider, Serializable, javax.servlet.Servlet, javax.servlet.ServletConfig

EXPERIMENTAL and subject to change. Do not use this in production code.
RPC service to generate XSRF tokens.

Sample use of XsrfTokenService:

- Add XsrfTokenServiceServlet to web.xml:

  ```xml
  <servlet>
    <servlet-name>xsrf</servlet-name>
    <servlet-class>
      com.google.gwt.user.server.rpc.XsrfTokenServiceServlet
    </servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>xsrf</servlet-name>
    <url-pattern>/gwt/xsrf</url-pattern>
  </servlet-mapping>
  ```

- Specify the name of the session cookie that is used for authentication. The MD5 hash of the session cookie's value will be used as the XSRF token:

  ```xml
  <context-param>
    <param-name>gwt.xsrf.session_cookie_name</param-name>
    <param-value>JSESSIONID</param-value>
  </context-param>
  ```

- To enforce XSRF token validation on each method call, either mark the RPC interface as XSRF protected using the XsrfProtect annotation or extend XsrfProtectedService instead of RemoteService. Use NoXsrfProtect to mark methods as not requiring XSRF protection:

  ```java
  public interface MyRpcService extends XsrfProtectedService {
    public void doStuff();
  }
  ```

- Ensure that the RPC's servlet implementation extends XsrfProtectedServiceServlet instead of RemoteServiceServlet:

  ```java
  public class MyRpcServiceServlet extends XsrfProtectedServiceServlet
      implements MyRpcService {
    public void doStuff() {
      // ...
    }
  }
  ```

- Obtain an XsrfToken and set it on the RPC end point:

  ```java
  XsrfTokenServiceAsync xsrf = (XsrfTokenServiceAsync) GWT.create(XsrfTokenService.class);
  ((ServiceDefTarget) xsrf).setServiceEntryPoint(GWT.getModuleBaseURL() + "xsrf");
  xsrf.getNewXsrfToken(new AsyncCallback<XsrfToken>() {
    public void onSuccess(XsrfToken result) {
      MyRpcServiceAsync rpc = (MyRpcServiceAsync) GWT.create(MyRpcService.class);
      ((HasRpcToken) rpc).setRpcToken(result);
      // make XSRF protected RPC call
      rpc.doStuff(new AsyncCallback<Void>() {
        // ...
      });
    }

    public void onFailure(Throwable caught) {
      try {
        throw caught;
      } catch (RpcTokenException e) {
        // Can be thrown for several reasons:
        //   - duplicate session cookie, which may be a sign of a cookie
        //     overwrite attack
        //   - XSRF token cannot be generated because session cookie isn't
        //     present
      } catch (Throwable e) {
        // unexpected
      }
    }
  });
  ```
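Added example, not GWT's own code: a Python model of the token scheme the steps above describe (the MD5 hash of the session cookie's value is the token, and a request whose session cookie is missing or duplicated gets an RpcTokenException) together with the check a protected RPC endpoint applies before running a method. The RpcTokenException class, check_request and the hex encoding of the digest are assumptions of this model; the cookie name comes from the sample web.xml.

```python
import hashlib
import hmac

# Value of the gwt.xsrf.session_cookie_name context parameter in the sample web.xml.
SESSION_COOKIE_NAME = "JSESSIONID"


class RpcTokenException(Exception):
    """Stands in for the RpcTokenException the client receives in onFailure."""

    def __init__(self, reason):
        super().__init__(reason)
        self.reason = reason


def derive_xsrf_token(cookies, cookie_name=SESSION_COOKIE_NAME):
    """Token the XSRF service hands out: MD5 of the session cookie's value.

    `cookies` is the request's Cookie header as (name, value) pairs. Hex
    encoding of the digest is an assumption, not stated on the page.
    """
    values = [value for name, value in cookies if name == cookie_name]
    if not values:
        raise RpcTokenException("no-session-cookie")
    if len(values) > 1:
        # Two cookies with the session name: possible cookie-overwrite attack.
        raise RpcTokenException("duplicate-session-cookie")
    return hashlib.md5(values[0].encode("utf-8")).hexdigest()


def check_request(cookies, presented_token, cookie_name=SESSION_COOKIE_NAME):
    """Classify a call to an XSRF-protected RPC method. Returns 'accepted',
    'missing-token', 'bad-token', or the reason no token could be derived."""
    try:
        expected = derive_xsrf_token(cookies, cookie_name)
    except RpcTokenException as exc:
        return exc.reason
    if presented_token is None:
        return "missing-token"
    # Constant-time comparison so response timing does not leak the digest.
    return "accepted" if hmac.compare_digest(expected, presented_token) else "bad-token"


if __name__ == "__main__":
    session = [("JSESSIONID", "abc123")]  # constructed sample session cookie
    token = derive_xsrf_token(session)
    print(check_request(session, token))  # accepted
    print(check_request(session, None))  # missing-token: browser sent the cookie but no token
    print(check_request(session * 2, token))  # duplicate-session-cookie
```

The middle case is the cross-site request: the browser attaches the session cookie automatically, but a page on another origin cannot read the cookie value and so cannot compute the token.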
Field Summary

  Modifier and Type                      Field                          Description
  (package private) static final String  COOKIE_NAME_NOT_SET_ERROR_MSG
  static final String                    COOKIE_NAME_PARAM              Session cookie name initialization parameter.

Fields inherited from class com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet
  perThreadRequest, perThreadResponse

Constructor Summary

  Constructor                                       Description
  XsrfTokenServiceServlet()                         Default constructor.
  XsrfTokenServiceServlet(String sessionCookieName) Alternative constructor that accepts the session cookie name instead of getting it from ServletConfig or ServletContext.

Method Summary

  Modifier and Type  Method             Description
  XsrfToken          getNewXsrfToken()  Generates and returns a new XSRF token.
  void               init()             Servlet initialization.

Methods inherited from class com.google.gwt.user.server.rpc.RemoteServiceServlet
  checkPermutationStrongName, doGetSerializationPolicy, getCodeServerPolicyUrl, getRequestModuleBasePath, getSerializationPolicy, init, loadPolicyFromCodeServer, loadSerializationPolicy, onAfterResponseSerialized, onBeforeRequestDeserialized, processCall, processCall, processPost, shouldCompressResponse

Methods inherited from class com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet
  doPost, doUnexpectedFailure, getPermutationStrongName, getThreadLocalRequest, getThreadLocalResponse, onAfterRequestDeserialized, readContent

Methods inherited from class javax.servlet.http.HttpServlet
  doDelete, doGet, doHead, doOptions, doPut, doTrace, getLastModified, service, service

Methods inherited from class javax.servlet.GenericServlet
  destroy, getInitParameter, getInitParameterNames, getServletConfig, getServletContext, getServletInfo, getServletName, log, log
Field Details

  COOKIE_NAME_PARAM
    Session cookie name initialization parameter.

  COOKIE_NAME_NOT_SET_ERROR_MSG

Constructor Details

  XsrfTokenServiceServlet
    public XsrfTokenServiceServlet()
    Default constructor.

  XsrfTokenServiceServlet
    public XsrfTokenServiceServlet(String sessionCookieName)
    Alternative constructor that accepts the session cookie name instead of getting it from ServletConfig or ServletContext.

Method Details

  getNewXsrfToken
    public XsrfToken getNewXsrfToken()
    Generates and returns a new XSRF token.
    Specified by: getNewXsrfToken in interface XsrfTokenService

  init
    public void init()
    Servlet initialization.
    Overrides: init in class javax.servlet.GenericServlet