public class XsrfTokenServiceServlet extends RemoteServiceServlet implements XsrfTokenService
RPC service to generate XSRF tokens.
Sample use of XsrfTokenService
:
XsrfTokenServiceServlet
to web.xml
:
<servlet> <servlet-name>xsrf</servlet-name> <servlet-class> com.google.gwt.user.server.rpc.XsrfTokenServiceServlet </servlet-class> </servlet> <servlet-mapping> <servlet-name>xsrf</servlet-name> <url-pattern>/gwt/xsrf</url-pattern> </servlet-mapping>
<context-param> <param-name>gwt.xsrf.session_cookie_name</param-name> <param-value>JSESSIONID</param-value> </context-param>
XsrfProtect
annotation or extend
XsrfProtectedService
instead of
RemoteService. Use NoXsrfProtect
to mark methods as not requiring
XSRF protection:
public interface MyRpcService extends XsrfProtectedService { public void doStuff(); }
XsrfProtectedServiceServlet
instead of RemoteServiceServlet
:
public class MyRpcServiceServlet extends XsrfProtectedServiceServlet implements MyRpcService { public void doStuff() { // ... } }
XsrfToken
and set it on the RPC end point:
XsrfTokenServiceAsync xsrf = (XsrfTokenServiceAsync)GWT.create(XsrfTokenService.class); ((ServiceDefTarget)xsrf).setServiceEntryPoint(GWT.getModuleBaseURL() + "xsrf"); xsrf.getNewXsrfToken(new AsyncCallback<XsrfToken>() { public void onSuccess(XsrfToken result) { MyRpcServiceAsync rpc = (MyRpcServiceAsync)GWT.create(MyRpcService.class); ((HasRpcToken) rpc).setRpcToken(result); // make XSRF protected RPC call rpc.doStuff(new AsyncCallback<Void>() { // ... }); } public void onFailure(Throwable caught) { try { throw caught; } catch (RpcTokenException e) { // Can be thrown for several reasons: // - duplicate session cookie, which may be a sign of a cookie // overwrite attack // - XSRF token cannot be generated because session cookie isn't // present } catch (Throwable e) { // unexpected } });
Modifier and Type | Field and Description |
---|---|
static String |
COOKIE_NAME_PARAM
Session cookie name initialization parameter.
|
perThreadRequest, perThreadResponse
Constructor and Description |
---|
XsrfTokenServiceServlet()
Default constructor.
|
XsrfTokenServiceServlet(String sessionCookieName)
Alternative constructor that accepts session cookie name instead of getting
it from
ServletConfig or ServletContext . |
Modifier and Type | Method and Description |
---|---|
XsrfToken |
getNewXsrfToken()
Generates and returns new XSRF token.
|
void |
init()
Servlet initialization.
|
checkPermutationStrongName, doGetSerializationPolicy, getCodeServerPolicyUrl, getSerializationPolicy, init, loadPolicyFromCodeServer, onAfterResponseSerialized, onBeforeRequestDeserialized, processCall, processPost, shouldCompressResponse
doPost, doUnexpectedFailure, getPermutationStrongName, getThreadLocalRequest, getThreadLocalResponse, onAfterRequestDeserialized, readContent
doDelete, doGet, doHead, doOptions, doPut, doTrace, getLastModified, service, service
public static final String COOKIE_NAME_PARAM
public XsrfTokenServiceServlet()
public XsrfTokenServiceServlet(String sessionCookieName)
ServletConfig
or ServletContext
.public XsrfToken getNewXsrfToken()
getNewXsrfToken
in interface XsrfTokenService
public void init()
init
in class javax.servlet.GenericServlet
Copyright © 2018. All rights reserved.