com.google.gwt.user.server.rpc

Class AbstractXsrfProtectedServiceServlet

java.lang.Object

javax.servlet.GenericServlet

javax.servlet.http.HttpServlet

com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet

com.google.gwt.user.server.rpc.RemoteServiceServlet

com.google.gwt.user.server.rpc.AbstractXsrfProtectedServiceServlet

All Implemented Interfaces:

SerializationPolicyProvider, Serializable, javax.servlet.Servlet, javax.servlet.ServletConfig

Direct Known Subclasses:

XsrfProtectedServiceServlet

public abstract class AbstractXsrfProtectedServiceServlet
extends RemoteServiceServlet

An abstract class for XSRF protected RPC service implementations, which decides if XSRF protection should be enforced on a method invocation based on the following logic:

• RPC interface or method can be annotated with either XsrfProtect or NoXsrfProtect annotation to enable or disable XSRF protection on all methods of an RPC interface or a single method correspondingly.
• RPC interface level annotation can be overridden by a method level annotation.
• If no annotations are present and RPC interface contains method that returns RpcToken or its implementation, then XSRF token validation is performed on all methods of that interface except for the method returning RpcToken.

See Also:

XsrfProtectedServiceServlet, Serialized Form

Field Summary

Fields inherited from class com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet

perThreadRequest, perThreadResponse

Constructor Summary

Constructors

Constructor and Description
AbstractXsrfProtectedServiceServlet() The default constructor used by service implementations that extend this class.
AbstractXsrfProtectedServiceServlet(Object delegate) The wrapping constructor used by service implementations that are separate from this class.

Method Summary

Modifier and Type	Method and Description
protected void	onAfterRequestDeserialized(RPCRequest rpcRequest) Override this method to examine the deserialized version of the request before the call to the servlet method is made.
protected boolean	shouldValidateXsrfToken(Method method) Override this method to change default XSRF enforcement logic.
protected abstract void	validateXsrfToken(RpcToken token, Method method) Override this method to perform XSRF token verification.

Methods inherited from class com.google.gwt.user.server.rpc.RemoteServiceServlet

checkPermutationStrongName, doGetSerializationPolicy, getCodeServerPolicyUrl, getRequestModuleBasePath, getSerializationPolicy, init, loadPolicyFromCodeServer, onAfterResponseSerialized, onBeforeRequestDeserialized, processCall, processCall, processPost, shouldCompressResponse

Methods inherited from class com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet

doPost, doUnexpectedFailure, getPermutationStrongName, getThreadLocalRequest, getThreadLocalResponse, readContent

Methods inherited from class javax.servlet.http.HttpServlet

doDelete, doGet, doHead, doOptions, doPut, doTrace, getLastModified, service, service

Methods inherited from class javax.servlet.GenericServlet

destroy, getInitParameter, getInitParameterNames, getServletConfig, getServletContext, getServletInfo, getServletName, init, log, log

Methods inherited from class java.lang.Object

equals, finalize, getClass, hashCode, toString

Constructor Detail

AbstractXsrfProtectedServiceServlet

public AbstractXsrfProtectedServiceServlet()

The default constructor used by service implementations that extend this class. The servlet will delegate AJAX requests to the appropriate method in the subclass.

AbstractXsrfProtectedServiceServlet

public AbstractXsrfProtectedServiceServlet(Object delegate)

The wrapping constructor used by service implementations that are separate from this class. The servlet will delegate AJAX requests to the appropriate method in the given object.

Method Detail

onAfterRequestDeserialized

protected void onAfterRequestDeserialized(RPCRequest rpcRequest)

Description copied from class: AbstractRemoteServiceServlet

Override this method to examine the deserialized version of the request before the call to the servlet method is made. The default implementation does nothing and need not be called by subclasses.

Overrides:

onAfterRequestDeserialized in class AbstractRemoteServiceServlet

shouldValidateXsrfToken

protected boolean shouldValidateXsrfToken(Method method)

Override this method to change default XSRF enforcement logic.

Parameters:

method - Method being invoked

Returns:

true if XSRF token should be verified, false otherwise

validateXsrfToken

protected abstract void validateXsrfToken(RpcToken token,
                                          Method method)
                                   throws RpcTokenException

Override this method to perform XSRF token verification.

Parameters:

token - RpcToken included with an RPC request.

method - method being invoked via this RPC call.

Throws:

RpcTokenException - if token verification failed.