public static class XsrfTokenServiceServlet extends Object

RPC service to generate XSRF tokens.

Sample use of XsrfTokenService:

1. Add XsrfTokenServiceServlet to web.xml:

       <servlet>
         <servlet-name>xsrf</servlet-name>
         <servlet-class>
           com.google.gwt.user.server.rpc.XsrfTokenServiceServlet
         </servlet-class>
       </servlet>
       <servlet-mapping>
         <servlet-name>xsrf</servlet-name>
         <url-pattern>/gwt/xsrf</url-pattern>
       </servlet-mapping>

2. Specify the name of the session cookie through the gwt.xsrf.session_cookie_name context parameter (JSESSIONID in this example):

       <context-param>
         <param-name>gwt.xsrf.session_cookie_name</param-name>
         <param-value>JSESSIONID</param-value>
       </context-param>

3. Mark the RemoteService interface with the XsrfProtect annotation, or extend XsrfProtectedService instead of RemoteService. Use NoXsrfProtect to mark methods as not requiring XSRF protection:

       public interface MyRpcService extends XsrfProtectedService {
         public void doStuff();
       }

4. Make the RPC servlet extend XsrfProtectedServiceServlet instead of RemoteServiceServlet:

       public class MyRpcServiceServlet extends XsrfProtectedServiceServlet
           implements MyRpcService {
         public void doStuff() {
           // ...
         }
       }

5. Obtain an XsrfToken and set it on the RPC end point:

       XsrfTokenServiceAsync xsrf =
           (XsrfTokenServiceAsync) GWT.create(XsrfTokenService.class);
       // Entry point must resolve to the servlet mapping configured in web.xml
       ((ServiceDefTarget) xsrf).setServiceEntryPoint(GWT.getModuleBaseURL() + "xsrf");
       xsrf.getNewXsrfToken(new AsyncCallback<XsrfToken>() {
         public void onSuccess(XsrfToken result) {
           MyRpcServiceAsync rpc = (MyRpcServiceAsync) GWT.create(MyRpcService.class);
           // Attach the token; the servlet rejects calls that arrive without it
           ((HasRpcToken) rpc).setRpcToken(result);
           // make XSRF protected RPC call
           rpc.doStuff(new AsyncCallback<Void>() {
             public void onSuccess(Void result) {
               // ...
             }
             public void onFailure(Throwable caught) {
               // ...
             }
           });
         }

         public void onFailure(Throwable caught) {
           try {
             throw caught;
           } catch (RpcTokenException e) {
             // Can be thrown for several reasons:
             // - duplicate session cookie, which may be a sign of a cookie
             //   overwrite attack
             // - XSRF token cannot be generated because session cookie isn't
             //   present
           } catch (Throwable e) {
             // unexpected
           }
         }
       });
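The five steps above leave each caller fetching its own token and ignoring server-side token rejections. The helper below, an added example that is not part of the GWT documentation or library, fetches the token once, applies it to any protected endpoint, and installs an RpcTokenExceptionHandler so that a rejected token is discarded and re-fetched on the next call. The class name XsrfRpcFactory and the method names are assumptions of this example.

```java
import com.google.gwt.core.client.GWT;
import com.google.gwt.user.client.rpc.AsyncCallback;
import com.google.gwt.user.client.rpc.HasRpcToken;
import com.google.gwt.user.client.rpc.RpcTokenException;
import com.google.gwt.user.client.rpc.RpcTokenExceptionHandler;
import com.google.gwt.user.client.rpc.ServiceDefTarget;
import com.google.gwt.user.client.rpc.XsrfToken;
import com.google.gwt.user.client.rpc.XsrfTokenService;
import com.google.gwt.user.client.rpc.XsrfTokenServiceAsync;

/** Hypothetical helper: one XSRF token shared by every protected RPC endpoint. */
public class XsrfRpcFactory {
  private final XsrfTokenServiceAsync xsrfService;
  private XsrfToken token; // cached until the server rejects it

  public XsrfRpcFactory() {
    xsrfService = GWT.create(XsrfTokenService.class);
    // Same entry point as in the snippet above; must resolve to the web.xml mapping
    ((ServiceDefTarget) xsrfService).setServiceEntryPoint(GWT.getModuleBaseURL() + "xsrf");
  }

  /** Hands back the endpoint with a valid token attached, fetching one if needed. */
  public <T> void withProtectedService(final T endpoint, final AsyncCallback<T> ready) {
    if (token != null) {
      attach(endpoint);
      ready.onSuccess(endpoint);
      return;
    }
    xsrfService.getNewXsrfToken(new AsyncCallback<XsrfToken>() {
      public void onSuccess(XsrfToken result) {
        token = result;
        attach(endpoint);
        ready.onSuccess(endpoint);
      }
      public void onFailure(Throwable caught) {
        // RpcTokenException here means no session cookie or a duplicate one
        ready.onFailure(caught);
      }
    });
  }

  private <T> void attach(T endpoint) {
    HasRpcToken protectedEndpoint = (HasRpcToken) endpoint;
    protectedEndpoint.setRpcToken(token);
    protectedEndpoint.setRpcTokenExceptionHandler(new RpcTokenExceptionHandler() {
      public void onRpcTokenException(RpcTokenException exception) {
        // Server rejected the token (e.g. session changed): drop it so the next call re-fetches
        token = null;
        GWT.log("XSRF token rejected: " + exception.getMessage());
      }
    });
  }
}
```

A caller passes `GWT.create(MyRpcService.class)` as the endpoint and issues the RPC from the `ready` callback's `onSuccess`.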
Copyright © 2018. All rights reserved.