Re-add the check that was removed in r5731, but allow the behavior to be overridden.
http://gwt-code-reviews.appspot.com/179801/show

Review by: rjrjr@google.com

git-svn-id: https://google-web-toolkit.googlecode.com/svn/trunk@7703 8db76d5a-ed1c-0410-87a9-c151d255dfc7
diff --git a/user/src/com/google/gwt/user/server/rpc/RemoteServiceServlet.java b/user/src/com/google/gwt/user/server/rpc/RemoteServiceServlet.java
index 86c39b5..9e8036d 100644
--- a/user/src/com/google/gwt/user/server/rpc/RemoteServiceServlet.java
+++ b/user/src/com/google/gwt/user/server/rpc/RemoteServiceServlet.java
@@ -181,6 +181,9 @@
    *           exception (the exception will be the one thrown by the service)
    */
   public String processCall(String payload) throws SerializationException {
+    // First, check for possible XSRF situation
+    checkPermutationStrongName();
+
     try {
       RPCRequest rpcRequest = RPC.decodeRequest(payload, this.getClass(), this);
       onAfterRequestDeserialized(rpcRequest);
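Review bot: The `checkPermutationStrongName()` call sits before the `try`, so a `SecurityException` leaves `processCall` without passing through any handling attached to that `try` (its catch clauses are outside the hunk), yet the method's Javadoc documents only `SerializationException`. Add `@throws SecurityException if the request carries no permutation strong name and the check has not been overridden` to that Javadoc so callers and subclasses that wrap `processCall` know to expect it. Running the check ahead of `RPC.decodeRequest` is the right order, because a rejected request never has its payload deserialized. A comment such as `// Reject before deserializing anything from the request` would stop a later refactor from moving the call into the `try`.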
@@ -232,6 +235,24 @@
   }
 
   /**
+   * This method is called by {@link #processCall(String)} and will throw a
+   * SecurityException if {@link #getPermutationStrongName()} returns
+   * <code>null</code>. This method can be overridden to be a no-op if there are
+   * clients that are not expected to provide the
+   * {@value com.google.gwt.user.client.rpc.RpcRequestBuilder#STRONG_NAME_HEADER}
+   * header.
+   * 
+   * @throws SecurityException if {@link #getPermutationStrongName()} returns
+   *           <code>null</code>
+   */
+  protected void checkPermutationStrongName() throws SecurityException {
+    if (getPermutationStrongName() == null) {
+      throw new SecurityException(
+          "Blocked request without GWT permutation header (XSRF attack?)");
+    }
+  }
+
+  /**
    * Gets the {@link SerializationPolicy} for given module base URL and strong
    * name if there is one.
    *
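Review bot: The Javadoc on `checkPermutationStrongName()` tells subclasses they may turn it into a no-op but not what they give up by doing so. It also does not say that the check is presence-only: the body compares `getPermutationStrongName()` with `null` and never inspects the value. I would add `Overriding this method to do nothing removes this cross-site request forgery check; a subclass that does so must verify the request's origin some other way, for example with a per-session token carried in the request.` The check presumably relies on browsers not attaching custom headers to cross-site form submissions, so the Javadoc should describe it as a baseline rather than as validation of the caller. The `throws SecurityException` clause on the signature is redundant for an unchecked exception, though harmless.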