Rolling back, need to figure out why XsrfToken is excluded by type filter.

This change adds a couple of things:
- an abstract class which calls an abstract XSRF token validation method based on
annotations (@XsrfProtect, @NoXsrfProtect).
- GWT RPC XSRF protection based on the above class, which derives the XSRF token
from the session cookie by computing MD5 over the cookie's value. The token can be
obtained from XsrfTokenService and must be set on the client RPC endpoint via
the HasRpcToken interface.


Review at http://gwt-code-reviews.appspot.com/1251801

Review by: jat@google.com

git-svn-id: https://google-web-toolkit.googlecode.com/svn/trunk@9658 8db76d5a-ed1c-0410-87a9-c151d255dfc7
diff --git a/dev/core/src/com/google/gwt/dev/ExternalPermutationWorkerFactory.java b/dev/core/src/com/google/gwt/dev/ExternalPermutationWorkerFactory.java
index 25a9c73..b7cbd62 100644
--- a/dev/core/src/com/google/gwt/dev/ExternalPermutationWorkerFactory.java
+++ b/dev/core/src/com/google/gwt/dev/ExternalPermutationWorkerFactory.java
@@ -1,12 +1,12 @@
 /*
  * Copyright 2008 Google Inc.
- *
+ * 
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy of
  * the License at
- *
+ * 
  * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * 
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
@@ -21,7 +21,6 @@
 import com.google.gwt.dev.jjs.UnifiedAst;
 import com.google.gwt.dev.util.FileBackedObject;
 import com.google.gwt.dev.util.Util;
-import com.google.gwt.util.tools.Utility;
 
 import java.io.BufferedReader;
 import java.io.EOFException;
@@ -250,7 +249,7 @@
 
     byte[] cookieBytes = new byte[16];
     random.nextBytes(cookieBytes);
-    String cookie = Utility.toHexString(cookieBytes);
+    String cookie = Util.toHexString(cookieBytes);
 
     // Cook up the classpath, main class, and extra args
     args.addAll(Arrays.asList("-classpath",
diff --git a/dev/core/src/com/google/gwt/dev/util/Util.java b/dev/core/src/com/google/gwt/dev/util/Util.java
index 69e4e61..77bbb0d 100644
--- a/dev/core/src/com/google/gwt/dev/util/Util.java
+++ b/dev/core/src/com/google/gwt/dev/util/Util.java
@@ -83,6 +83,10 @@
 
   public static final String[] EMPTY_ARRAY_STRING = new String[0];
 
+  public static char[] HEX_CHARS = new char[] {
+      '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D',
+      'E', 'F'};
+
   /**
    * The size of a {@link #threadLocalBuf}, which should be large enough for
    * efficient data transfer but small enough to fit easily into the L2 cache of
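Review bot: `HEX_CHARS` is introduced as a `public static` array that is neither `final` nor private, so any code can reassign the field or overwrite one of its elements. Every hex string built from it, including the MD5 digest string in the `@@ -172` hunk and the worker cookie in ExternalPermutationWorkerFactory, would then change without any error. Suggest at minimum `public static final char[] HEX_CHARS = "0123456789ABCDEF".toCharArray();`. Making it `private` would also stop element writes from outside, but callers of the old `Utility.HEX_CHARS` outside this diff are not visible, so that needs checking first.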
@@ -172,7 +176,7 @@
     for (int i = 0; i < contents.length; i++) {
       md5.update(contents[i]);
     }
-    return Utility.toHexString(md5.digest());
+    return toHexString(md5.digest());
   }
 
   public static void copy(InputStream is, OutputStream os) throws IOException {
@@ -435,6 +439,16 @@
   }
 
   /**
+   * A 4-digit hex result.
+   */
+  public static void hex4(char c, StringBuffer sb) {
+    sb.append(HEX_CHARS[(c & 0xF000) >> 12]);
+    sb.append(HEX_CHARS[(c & 0x0F00) >> 8]);
+    sb.append(HEX_CHARS[(c & 0x00F0) >> 4]);
+    sb.append(HEX_CHARS[c & 0x000F]);
+  }
+
+  /**
    * This method invokes an inaccessible method in another class.
    *
    * @param targetClass the class owning the method
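Review bot: The Javadoc on `hex4`, `A 4-digit hex result.`, does not say that the method returns nothing and appends to `sb`, nor which digit is written first. Suggest `Appends the four uppercase hexadecimal digits of {@code c} to {@code sb}, most significant digit first.` together with `@param c` and `@param sb` tags.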
@@ -1010,6 +1024,25 @@
   }
 
   /**
+   * Returns a string representation of the byte array as a series of
+   * hexadecimal characters.
+   *
+   * @param bytes byte array to convert
+   * @return a string representation of the byte array as a series of
+   *         hexadecimal characters
+   */
+  public static String toHexString(byte[] bytes) {
+    char[] hexString = new char[2 * bytes.length];
+    int j = 0;
+    for (int i = 0; i < bytes.length; i++) {
+      hexString[j++] = Util.HEX_CHARS[(bytes[i] & 0xF0) >> 4];
+      hexString[j++] = Util.HEX_CHARS[bytes[i] & 0x0F];
+    }
+
+    return new String(hexString);
+  }
+
+  /**
    * Returns a String representing the character content of the bytes; the bytes
    * must be encoded using the compiler's default encoding.
    */
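Review bot: The Javadoc for `toHexString` omits three things that a caller comparing digests or cookies needs to know. The output uses uppercase `A`–`F`, every byte yields exactly two characters (so the result length is `2 * bytes.length`), and a null `bytes` fails with a `NullPointerException` at `bytes.length`. Stating these in the `@param`/`@return` text would be enough. Separately, the `Util.` qualifier on `Util.HEX_CHARS` is redundant inside `Util` and could be dropped to match the unqualified `toHexString(md5.digest())` call in the earlier hunk.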
diff --git a/dev/core/src/com/google/gwt/util/tools/Utility.java b/dev/core/src/com/google/gwt/util/tools/Utility.java
index f4b0a36..c0fc6e2 100644
--- a/dev/core/src/com/google/gwt/util/tools/Utility.java
+++ b/dev/core/src/com/google/gwt/util/tools/Utility.java
@@ -1,12 +1,12 @@
 /*
  * Copyright 2006 Google Inc.
- *
+ * 
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy of
  * the License at
- *
+ * 
  * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * 
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
@@ -31,37 +31,16 @@
 import java.net.Socket;
 import java.net.URI;
 import java.net.URL;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
 import java.util.Iterator;
 import java.util.Map;
 import java.util.Set;
 import java.util.Map.Entry;
 
 /**
- * A smattering of useful functions.
+ * A smattering of useful file functions.
  */
 public final class Utility {
 
-  /**
-   * Per thread MD5 instance.
-   */
-  private static final ThreadLocal<MessageDigest> perThreadMd5  =
-    new ThreadLocal<MessageDigest>() {
-      @Override
-      protected MessageDigest initialValue() {
-        try {
-          return MessageDigest.getInstance("MD5");
-        } catch (NoSuchAlgorithmException e) {
-          return null;
-        }
-      };
-  };
-
-  public static char[] HEX_CHARS = new char[] {
-    '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D',
-    'E', 'F'};
-
   private static String sInstallPath = null;
 
   /**
@@ -224,7 +203,7 @@
    * Gets the contents of a file from the class path as a String. Note: this
    * method is only guaranteed to work for resources in the same class loader
    * that contains this {@link Utility} class.
-   *
+   * 
    * @param partialPath the partial path to the resource on the class path
    * @return the contents of the file
    * @throws IOException if the file could not be found or an error occurred
@@ -254,31 +233,8 @@
   }
 
   /**
-   * Generate MD5 digest.
-   *
-   * @param input input data to be hashed.
-   * @return MD5 digest.
-   */
-  public static byte[] getMd5Digest(byte[] input) {
-    MessageDigest md5 = perThreadMd5.get();
-    md5.reset();
-    md5.update(input);
-    return md5.digest();
-  }
-
-  /**
-   * A 4-digit hex result.
-   */
-  public static void hex4(char c, StringBuffer sb) {
-    sb.append(HEX_CHARS[(c & 0xF000) >> 12]);
-    sb.append(HEX_CHARS[(c & 0x0F00) >> 8]);
-    sb.append(HEX_CHARS[(c & 0x00F0) >> 4]);
-    sb.append(HEX_CHARS[c & 0x000F]);
-  }
-
-  /**
    * Creates a randomly-named temporary directory.
-   *
+   * 
    * @param baseDir base directory to contain the new directory. May be
    *          {@code null}, in which case the directory given by the
    *          {@code java.io.tmpdir} system property will be used.
@@ -341,25 +297,6 @@
     }
   }
 
-  /**
-   * Returns a string representation of the byte array as a series of
-   * hexadecimal characters.
-   *
-   * @param bytes byte array to convert
-   * @return a string representation of the byte array as a series of
-   *         hexadecimal characters
-   */
-  public static String toHexString(byte[] bytes) {
-    char[] hexString = new char[2 * bytes.length];
-    int j = 0;
-    for (int i = 0; i < bytes.length; i++) {
-      hexString[j++] = HEX_CHARS[(bytes[i] & 0xF0) >> 4];
-      hexString[j++] = HEX_CHARS[bytes[i] & 0x0F];
-    }
-
-    return new String(hexString);
-  }
-
   public static void writeTemplateFile(File file, String contents,
       Map<String, String> replacements) throws IOException {
 
diff --git a/user/src/com/google/gwt/i18n/rebind/keygen/MD5KeyGenerator.java b/user/src/com/google/gwt/i18n/rebind/keygen/MD5KeyGenerator.java
index 1e9cb58..155b31f 100644
--- a/user/src/com/google/gwt/i18n/rebind/keygen/MD5KeyGenerator.java
+++ b/user/src/com/google/gwt/i18n/rebind/keygen/MD5KeyGenerator.java
@@ -1,12 +1,12 @@
 /*
  * Copyright 2008 Google Inc.
- *
+ * 
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy of
  * the License at
- *
+ * 
  * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * 
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
@@ -15,7 +15,7 @@
  */
 package com.google.gwt.i18n.rebind.keygen;
 
-import com.google.gwt.util.tools.Utility;
+import com.google.gwt.dev.util.Util;
 
 import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
@@ -29,9 +29,9 @@
   public String generateKey(String className, String methodName, String text, String meaning) {
     /*
      * This does not use Util.computeStrongName because we would have
-     * to concatenate the text and meaning into a temporary buffer.
+     * to concatenate the text and meaning into a temporary buffer. 
      */
-
+    
     if (text == null) {
       // Cannot compute a key if no default text is supplied.
       return null;
@@ -51,6 +51,6 @@
     } catch (UnsupportedEncodingException e) {
       throw new RuntimeException("UTF-8 unsupported", e);
     }
-    return Utility.toHexString(md5.digest());
+    return Util.toHexString(md5.digest());
   }
 }
diff --git a/user/src/com/google/gwt/user/client/rpc/XsrfProtectedService.java b/user/src/com/google/gwt/user/client/rpc/XsrfProtectedService.java
deleted file mode 100644
index eab0ca5..0000000
--- a/user/src/com/google/gwt/user/client/rpc/XsrfProtectedService.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright 2011 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy of
- * the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations under
- * the License.
- */
-package com.google.gwt.user.client.rpc;
-
-import com.google.gwt.user.server.rpc.XsrfProtect;
-
-/**
- * XSRF protected equivalent of {@link RemoteService}.
- * All calls on RPC interfaces extending this interface will be XSRF protected.
- */
-@SuppressWarnings("rpc-validation")
-@XsrfProtect
-public interface XsrfProtectedService extends RemoteService {
-}
diff --git a/user/src/com/google/gwt/user/client/rpc/XsrfToken.java b/user/src/com/google/gwt/user/client/rpc/XsrfToken.java
deleted file mode 100644
index 467b547..0000000
--- a/user/src/com/google/gwt/user/client/rpc/XsrfToken.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright 2011 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy of
- * the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations under
- * the License.
- */
-package com.google.gwt.user.client.rpc;
-
-/**
- * XSRF token.
- */
-public class XsrfToken implements RpcToken {
-  private String token;
-
-  public XsrfToken() {
-    token = null;
-  }
-
-  public XsrfToken(String token) {
-    this.token = token;
-  }
-
-  public String getToken() {
-    return token;
-  }
-
-  public void setToken(String token) {
-    this.token = token;
-  }
-}
diff --git a/user/src/com/google/gwt/user/client/rpc/XsrfTokenService.java b/user/src/com/google/gwt/user/client/rpc/XsrfTokenService.java
deleted file mode 100644
index 524b5d8..0000000
--- a/user/src/com/google/gwt/user/client/rpc/XsrfTokenService.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright 2011 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy of
- * the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations under
- * the License.
- */
-package com.google.gwt.user.client.rpc;
-
-/**
- * XSRF token generation RPC service.
- *
- * @see com.google.gwt.user.server.rpc.XsrfTokenServiceServlet
- * @see com.google.gwt.user.server.rpc.XsrfProtectedServiceServlet
- */
-public interface XsrfTokenService extends RemoteService {
-
-  XsrfToken getNewXsrfToken();
-}
diff --git a/user/src/com/google/gwt/user/client/rpc/XsrfTokenServiceAsync.java b/user/src/com/google/gwt/user/client/rpc/XsrfTokenServiceAsync.java
deleted file mode 100644
index 440c643..0000000
--- a/user/src/com/google/gwt/user/client/rpc/XsrfTokenServiceAsync.java
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * Copyright 2011 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy of
- * the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations under
- * the License.
- */
-package com.google.gwt.user.client.rpc;
-
-/**
- * Async peer of {@link XsrfTokenService}.
- */
-public interface XsrfTokenServiceAsync {
-  void getNewXsrfToken(AsyncCallback<XsrfToken> asyncCallback);
-}
diff --git a/user/src/com/google/gwt/user/client/rpc/impl/RemoteServiceProxy.java b/user/src/com/google/gwt/user/client/rpc/impl/RemoteServiceProxy.java
index f80a136..f7df811 100644
--- a/user/src/com/google/gwt/user/client/rpc/impl/RemoteServiceProxy.java
+++ b/user/src/com/google/gwt/user/client/rpc/impl/RemoteServiceProxy.java
@@ -1,12 +1,12 @@
 /*
  * Copyright 2008 Google Inc.
- *
+ * 
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy of
  * the License at
- *
+ * 
  * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * 
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
@@ -36,7 +36,7 @@
 /**
  * Superclass for client-side
  * {@link com.google.gwt.user.client.rpc.RemoteService RemoteService} proxies.
- *
+ * 
  * For internal use only.
  */
 public abstract class RemoteServiceProxy implements SerializationStreamFactory,
@@ -105,7 +105,7 @@
   /**
    * Return <code>true</code> if the encoded response contains a value returned
    * by the method invocation.
-   *
+   * 
    * @param encodedResponse
    * @return <code>true</code> if the encoded response contains a value returned
    *         by the method invocation
@@ -117,7 +117,7 @@
   /**
    * Return <code>true</code> if the encoded response contains a checked
    * exception that was thrown by the method invocation.
-   *
+   * 
    * @param encodedResponse
    * @return <code>true</code> if the encoded response contains a checked
    *         exception that was thrown by the method invocation
@@ -129,7 +129,7 @@
   /**
    * Returns a string that encodes the result of a method invocation.
    * Effectively, this just removes any headers from the encoded response.
-   *
+   * 
    * @param encodedResponse
    * @return string that encodes the result of a method invocation
    */
@@ -157,7 +157,7 @@
   private RpcToken rpcToken;
 
   private RpcTokenExceptionHandler rpcTokenExceptionHandler;
-
+  
   /**
    * The name of the serialization policy file specified during construction.
    */
@@ -189,7 +189,7 @@
   /**
    * Returns a {@link com.google.gwt.user.client.rpc.SerializationStreamReader
    * SerializationStreamReader} that is ready for reading.
-   *
+   * 
    * @param encoded string that encodes the response of an RPC request
    * @return {@link com.google.gwt.user.client.rpc.SerializationStreamReader
    *         SerializationStreamReader} that is ready for reading
@@ -209,7 +209,7 @@
    * {@link ClientSerializationStreamWriter#prepareToWrite()} called on it and
    * it has already had had the name of the remote service interface written as
    * well.
-   *
+   * 
    * @return {@link com.google.gwt.user.client.rpc.SerializationStreamWriter
    *         SerializationStreamWriter} that has had
    *         {@link ClientSerializationStreamWriter#prepareToWrite()} called on
@@ -222,21 +222,21 @@
     clientSerializationStreamWriter.prepareToWrite();
     return clientSerializationStreamWriter;
   }
-
+  
   /**
-   * @see HasRpcToken#getRpcToken()
+   * @see ServiceDefTarget#getRpcToken()
    */
   public RpcToken getRpcToken() {
     return rpcToken;
   }
-
+  
   /**
-   * @see HasRpcToken#getRpcTokenExceptionHandler()
+   * @see ServiceDefTarget#getRpcTokenExceptionHandler()
    */
   public RpcTokenExceptionHandler getRpcTokenExceptionHandler() {
     return rpcTokenExceptionHandler;
-  }
-
+  }  
+  
   public String getSerializationPolicyName() {
     return serializationPolicyName;
   }
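Review bot: The `@see` tags on `getRpcToken()` and `getRpcTokenExceptionHandler()` now point at `ServiceDefTarget`, while the setter Javadoc in the following hunk still reads `@see HasRpcToken#setRpcToken(RpcToken)`. The getter and setter docs of the same property therefore name different interfaces. Whether `ServiceDefTarget` declares these getters after the rollback is not visible here; if `HasRpcToken` remains the declaring interface, keep `@see HasRpcToken#getRpcToken()` and `@see HasRpcToken#getRpcTokenExceptionHandler()`. The replaced blank lines and the `}  ` line also gain trailing whitespace.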
@@ -254,26 +254,26 @@
 
   /**
    * @see HasRpcToken#setRpcToken(RpcToken)
-   */
+   */  
   public void setRpcToken(RpcToken token) {
-    checkRpcTokenType(token);
+    checkRpcTokenType(token); 
     this.rpcToken = token;
   }
-
+  
   /**
    * @see HasRpcToken#setRpcTokenExceptionHandler(RpcTokenExceptionHandler)
    */
   public void setRpcTokenExceptionHandler(RpcTokenExceptionHandler handler) {
     this.rpcTokenExceptionHandler = handler;
   }
-
+  
   /**
    * @see ServiceDefTarget#setServiceEntryPoint(String)
    */
   public void setServiceEntryPoint(String url) {
     this.remoteServiceURL = url;
   }
-
+  
   /**
    * This method is overridden by generated proxy classes to ensure that
    * current service's {@link RpcToken} is of the type specified in {@link
@@ -295,14 +295,14 @@
   /**
    * Performs a remote service method invocation. This method is called by
    * generated proxy classes.
-   *
+   * 
    * @param <T> return type for the AsyncCallback
    * @param responseReader instance used to read the return value of the
    *          invocation
    * @param requestData payload that encodes the addressing and arguments of the
    *          RPC call
    * @param callback callback handler
-   *
+   * 
    * @return a {@link Request} object that can be used to track the request
    */
   protected <T> Request doInvoke(ResponseReader responseReader,
@@ -331,14 +331,14 @@
   /**
    * Configures a RequestBuilder to send an RPC request when the RequestBuilder
    * is intended to be returned through the asynchronous proxy interface.
-   *
+   * 
    * @param <T> return type for the AsyncCallback
    * @param responseReader instance used to read the return value of the
    *          invocation
    * @param requestData payload that encodes the addressing and arguments of the
    *          RPC call
    * @param callback callback handler
-   *
+   * 
    * @return a RequestBuilder object that is ready to have its
    *         {@link RequestBuilder#send()} method invoked.
    */
@@ -354,14 +354,14 @@
 
   /**
    * Configures a RequestBuilder to send an RPC request.
-   *
+   * 
    * @param <T> return type for the AsyncCallback
    * @param responseReader instance used to read the return value of the
    *          invocation
    * @param requestData payload that encodes the addressing and arguments of the
    *          RPC call
    * @param callback callback handler
-   *
+   * 
    * @return a RequestBuilder object that is ready to have its
    *         {@link RequestBuilder#send()} method invoked.
    */
diff --git a/user/src/com/google/gwt/user/server/Util.java b/user/src/com/google/gwt/user/server/Util.java
deleted file mode 100644
index 6c1f3b6..0000000
--- a/user/src/com/google/gwt/user/server/Util.java
+++ /dev/null
@@ -1,106 +0,0 @@
-/*
- * Copyright 2011 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy of
- * the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations under
- * the License.
- */
-package com.google.gwt.user.server;
-
-import java.lang.annotation.Annotation;
-
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
-
-/**
- * A bunch of useful methods.
- */
-public class Util {
-
-  /**
-   * Find an instance of the specified annotation, walking up the inheritance
-   * tree if necessary. Copied from {@link
-   * com.google.gwt.i18n.rebind.AnnotationUtil}.
-   *
-   * <p>The super chain is walked first, so if an ancestor superclass has the
-   * requested annotation, it will be preferred over a directly implemented
-   * interface.
-   *
-   * @param <T> Annotation type to search for
-   * @param clazz root class to search, may be null
-   * @param annotationClass class object of Annotation subclass to search for
-   * @return the requested annotation or null if none
-   */
-  public static <T extends Annotation> T getClassAnnotation(Class<?> clazz,
-      Class<T> annotationClass) {
-    if (clazz == null) {
-      return null;
-    }
-    T annot = clazz.getAnnotation(annotationClass);
-    if (annot == null) {
-      annot = getClassAnnotation(clazz.getSuperclass(), annotationClass);
-      if (annot != null) {
-        return annot;
-      }
-      for (Class<?> intf : clazz.getInterfaces()) {
-        annot = getClassAnnotation(intf, annotationClass);
-        if (annot != null) {
-          return annot;
-        }
-      }
-    }
-    return annot;
-  }
-
-  /**
-   * Retrieves named cookie from supplied request. If {@code allowDuplicates} is
-   * set to {@code true}, method will throw {@link IllegalStateException} if
-   * duplicate cookies are found, which can be a sign of a cookie overwrite
-   * attack.
-   *
-   * @param request HTTP request to retrieve cookie from.
-   * @param cookieName Cookie name.
-   * @param allowDuplicates if {@code true} duplicate cookies are allowed,
-   *        otherwise {@link IllegalStateException} is thrown if duplicate
-   *        cookies are detected.
-   * @return {@link Cookie} if specified cookie is present, {@code null}
-   *         otherwise.
-   * @throws IllegalArgumentException if duplicate cookies are detected.
-   */
-  public static Cookie getCookie(HttpServletRequest request,
-      String cookieName, boolean allowDuplicates) {
-    Cookie cookieToReturn = null;
-    Cookie[] cookies = request.getCookies();
-    if (cookies != null) {
-      for (Cookie cookie : cookies) {
-        if (cookieName.equals(cookie.getName())) {
-          // ensure that it's the only one cookie, since duplicate cookies
-          // can be a sign of a cookie overriding attempt.
-          if (cookieToReturn == null) {
-            if (allowDuplicates) {
-              // do not attempt to detect duplicate cookies
-              return cookie;
-            } else {
-              cookieToReturn = cookie;
-            }
-          } else {
-            throw new IllegalArgumentException("Duplicate cookie! " +
-                "Cookie override attack?");
-          }
-        }
-      }
-    }
-    return cookieToReturn;
-  }
-
-  private Util() {
-  }
-}
diff --git a/user/src/com/google/gwt/user/server/rpc/AbstractXsrfProtectedServiceServlet.java b/user/src/com/google/gwt/user/server/rpc/AbstractXsrfProtectedServiceServlet.java
deleted file mode 100644
index ae6f842..0000000
--- a/user/src/com/google/gwt/user/server/rpc/AbstractXsrfProtectedServiceServlet.java
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
- * Copyright 2011 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy of
- * the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations under
- * the License.
- */
-package com.google.gwt.user.server.rpc;
-
-import com.google.gwt.user.client.rpc.RpcToken;
-import com.google.gwt.user.client.rpc.RpcTokenException;
-import com.google.gwt.user.server.Util;
-
-import java.lang.reflect.Method;
-
-/**
- * An abstract class for XSRF protected RPC service implementations, which
- * decides if XSRF protection should be enforced on a method invocation based
- * on the following logic:
- * <ul>
- *  <li>RPC interface or method can be annotated with either {@link XsrfProtect}
- *      or {@link NoXsrfProtect} annotation to enable or disable XSRF protection
- *      on all methods of an RPC interface or a single method correspondingly.
- *  <li>RPC interface level annotation can be overridden by a method level
- *      annotation.
- *  <li>If no annotations are present and RPC interface contains method that
- *      returns {@link RpcToken} or its implementation, then XSRF token
- *      validation is performed on all methods of that interface except for the
- *      method returning {@link RpcToken}.
- * </ul>
- *
- * @see XsrfProtectedServiceServlet
- */
-public abstract class AbstractXsrfProtectedServiceServlet extends
-    RemoteServiceServlet {
-
-  @Override
-  protected void onAfterRequestDeserialized(RPCRequest rpcRequest) {
-    if (shouldValidateXsrfToken(rpcRequest.getMethod())) {
-      validateXsrfToken(rpcRequest.getRpcToken(), rpcRequest.getMethod());
-    }
-  }
-
-  /**
-   * Override this method to change default XSRF enforcement logic.
-   *
-   * @param method Method being invoked
-   * @return {@code true} if XSRF token should be verified, {@code false}
-   *         otherwise
-   */
-  protected boolean shouldValidateXsrfToken(Method method) {
-    Class<?> servletClass = method.getDeclaringClass();
-
-    if (method.getAnnotation(NoXsrfProtect.class) != null ||
-          (Util.getClassAnnotation(
-              servletClass, NoXsrfProtect.class) != null &&
-          method.getAnnotation(XsrfProtect.class) == null)) {
-      // XSRF protection is disabled
-      return false;
-    }
-
-    if (Util.getClassAnnotation(servletClass, XsrfProtect.class) != null ||
-          method.getAnnotation(XsrfProtect.class) != null) {
-      return true;
-    }
-
-    // if no explicit annotation is given no XSRF token verification is done,
-    // unless there's a method returning RpcToken in which case XSRF token
-    // verification is performed for all methods
-    Method[] classMethods = servletClass.getMethods();
-    for (Method classMethod : classMethods) {
-      if (RpcToken.class.isAssignableFrom(classMethod.getReturnType()) &&
-          !method.equals(classMethod)) {
-        return true;
-      }
-    }
-    return false;
-  }
-
-  /**
-   * Override this method to perform XSRF token verification.
-   *
-   * @param token {@link RpcToken} included with an RPC request.
-   * @param method method being invoked via this RPC call.
-   * @throws RpcTokenException if token verification failed.
-   */
-  protected abstract void validateXsrfToken(RpcToken token, Method method)
-      throws RpcTokenException;
-}
diff --git a/user/src/com/google/gwt/user/server/rpc/NoXsrfProtect.java b/user/src/com/google/gwt/user/server/rpc/NoXsrfProtect.java
deleted file mode 100644
index 36b9501..0000000
--- a/user/src/com/google/gwt/user/server/rpc/NoXsrfProtect.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright 2011 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy of
- * the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations under
- * the License.
- */
-package com.google.gwt.user.server.rpc;
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Inherited;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-/**
- * Annotation on RPC interfaces and methods indicating that they do not need to
- * be XSRF protected.
- */
-@Inherited
-@Retention(RetentionPolicy.RUNTIME)
-@Target({ElementType.TYPE, ElementType.METHOD})
-public @interface NoXsrfProtect {
-}
diff --git a/user/src/com/google/gwt/user/server/rpc/XsrfProtect.java b/user/src/com/google/gwt/user/server/rpc/XsrfProtect.java
deleted file mode 100644
index 6676676..0000000
--- a/user/src/com/google/gwt/user/server/rpc/XsrfProtect.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright 2011 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy of
- * the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations under
- * the License.
- */
-package com.google.gwt.user.server.rpc;
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Inherited;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-/**
- * Annotation for RPC interfaces and methods indicating that they should be
- * XSRF protected.
- */
-@Inherited
-@Retention(RetentionPolicy.RUNTIME)
-@Target({ElementType.TYPE, ElementType.METHOD})
-public @interface XsrfProtect {
-}
diff --git a/user/src/com/google/gwt/user/server/rpc/XsrfProtectedServiceServlet.java b/user/src/com/google/gwt/user/server/rpc/XsrfProtectedServiceServlet.java
deleted file mode 100644
index 6aa33a4..0000000
--- a/user/src/com/google/gwt/user/server/rpc/XsrfProtectedServiceServlet.java
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
- * Copyright 2011 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy of
- * the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations under
- * the License.
- */
-package com.google.gwt.user.server.rpc;
-
-import com.google.gwt.user.client.rpc.RpcToken;
-import com.google.gwt.user.client.rpc.RpcTokenException;
-import com.google.gwt.user.client.rpc.XsrfToken;
-import com.google.gwt.user.server.Util;
-import com.google.gwt.util.tools.Utility;
-
-import java.lang.reflect.Method;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.Cookie;
-
-/**
- * EXPERIMENTAL and subject to change. Do not use this in production code.
- * <p>
- * The servlet base class for RPC service implementations using default XSRF
- * protection tied to authentication session cookie.
- * </p>
- *
- * <p>
- * XSRF token validation is performed by generating MD5 hash of the session
- * cookie and comparing supplied {@link XsrfToken} with the generated hash.
- * Session cookie name is specified by the {@value
- * com.google.gwt.user.server.rpc.XsrfTokenServiceServlet#COOKIE_NAME_PARAM}
- * context parameter in {@code web.xml}.
- * </p>
- *
- * <p>
- * {@link com.google.gwt.user.client.rpc.XsrfTokenService} can be used by
- * clients to obtain {@link XsrfToken}s that will pass validation performed by
- * this class.
- * </p>
- *
- * @see XsrfTokenServiceServlet
- * @see AbstractXsrfProtectedServiceServlet
- */
-public class XsrfProtectedServiceServlet
-    extends AbstractXsrfProtectedServiceServlet {
-
-  // @VisibleForTesting
-  String sessionCookieName = null;
-
-  public XsrfProtectedServiceServlet() {
-    this(null);
-  }
-
-  public XsrfProtectedServiceServlet(String sessionCookieName) {
-    this.sessionCookieName = sessionCookieName;
-  }
-
-  @Override
-  public void init() throws ServletException {
-    super.init();
-    // do not overwrite if value is supplied in constructor
-    if (sessionCookieName == null) {
-      // servlet configuration precedes context configuration
-      sessionCookieName = getServletConfig().getInitParameter(
-          XsrfTokenServiceServlet.COOKIE_NAME_PARAM);
-      if (sessionCookieName == null) {
-        sessionCookieName = getServletContext().getInitParameter(
-            XsrfTokenServiceServlet.COOKIE_NAME_PARAM);
-      }
-      if (sessionCookieName == null) {
-        throw new IllegalStateException(
-            XsrfTokenServiceServlet.COOKIE_NAME_NOT_SET_ERROR_MSG);
-      }
-    }
-  }
-
-  /**
-   * Validates {@link XsrfToken} included with {@link RPCRequest} against XSRF
-   * cookie.
-   */
-  @Override
-  protected void validateXsrfToken(RpcToken token, Method method)
-      throws RpcTokenException {
-    if (token == null) {
-      throw new RpcTokenException("XSRF token missing");
-    }
-    Cookie sessionCookie = Util.getCookie(getThreadLocalRequest(),
-        sessionCookieName, false);
-    if (sessionCookie == null || sessionCookie.getValue() == null ||
-        sessionCookie.getValue().isEmpty()) {
-      throw new RpcTokenException("Session cookie is missing or empty! " +
-          "Unable to verify XSRF cookie");
-    }
-
-    String expectedToken = Utility.toHexString(
-        Utility.getMd5Digest(sessionCookie.getValue().getBytes()));
-    XsrfToken xsrfToken = (XsrfToken) token;
-
-    if (!expectedToken.equals(xsrfToken.getToken())) {
-      throw new RpcTokenException("Invalid XSRF token");
-    }
-  }
-}
diff --git a/user/src/com/google/gwt/user/server/rpc/XsrfTokenServiceServlet.java b/user/src/com/google/gwt/user/server/rpc/XsrfTokenServiceServlet.java
deleted file mode 100644
index 48a4c86..0000000
--- a/user/src/com/google/gwt/user/server/rpc/XsrfTokenServiceServlet.java
+++ /dev/null
@@ -1,214 +0,0 @@
-/*
- * Copyright 2011 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy of
- * the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations under
- * the License.
- */
-package com.google.gwt.user.server.rpc;
-
-import com.google.gwt.user.client.rpc.RpcTokenException;
-import com.google.gwt.user.client.rpc.XsrfToken;
-import com.google.gwt.user.client.rpc.XsrfTokenService;
-import com.google.gwt.user.server.Util;
-import com.google.gwt.util.tools.Utility;
-
-import javax.servlet.http.Cookie;
-
-/**
- * EXPERIMENTAL and subject to change. Do not use this in production code.
- * <p>
- *
- * </p>
- * RPC service to generate XSRF tokens.
- * <p>
- * Sample use of {@link XsrfTokenService}:
- *
- * <ol>
- * <li> Add {@link XsrfTokenServiceServlet} to {@code web.xml}:
- *
- * <pre>
- * &lt;servlet&gt;
- *   &lt;servlet-name&gt;xsrf&lt;/servlet-name&gt;
- *   &lt;servlet-class&gt;
- *     com.google.gwt.user.server.rpc.XsrfTokenServiceServlet
- *   &lt;/servlet-class&gt;
- * &lt;/servlet&gt;
- * &lt;servlet-mapping&gt;
- *   &lt;servlet-name&gt;xsrf&lt;/servlet-name&gt;
- *   &lt;url-pattern&gt;/gwt/xsrf&lt;/url-pattern&gt;
- * &lt;/servlet-mapping&gt;
- * </pre>
- *
- * <li> Specify session cookie name that is used for authentication. MD5 hash of
- * the session cookie's value will be used as an XSRF token:
- *
- * <pre>
- * &lt;context-param&gt;
- *   &lt;param-name&gt;gwt.xsrf.session_cookie_name&lt;/param-name&gt;
- *   &lt;param-value>JSESSIONID&lt;/param-value&gt;
- * &lt;/context-param&gt;
- * </pre>
- *
- * <li> To enforce XSRF token validation on each method call either mark RPC
- * interface as XSRF protected using {@link XsrfProtect} annotation or extend
- * {@link com.google.gwt.user.client.rpc.XsrfProtectedService} instead of
- * RemoteService. Use {@link NoXsrfProtect} to mark methods as not requiring
- * XSRF protection:
- *
- * <pre class="code">
- * public interface MyRpcService extends XsrfProtectedService {
- *   public void doStuff();
- * }
- * </pre>
- *
- * <li> Ensure that RPC's servlet implementation extends {@link
- * XsrfProtectedServiceServlet} instead of {@link RemoteServiceServlet}:
- *
- * <pre class="code">
- * public class MyRpcServiceServlet extends XsrfProtectedServiceServlet
- *     implements MyRpcService {
- *
- *   public void doStuff() {
- *     // ...
- *   }
- * }
- * </pre>
- *
- * <li> Obtain {@link XsrfToken} and set it on the RPC end point:
- *
- * <pre class="code">
- * XsrfTokenServiceAsync xsrf = (XsrfTokenServiceAsync)GWT.create(XsrfTokenService.class);
- *
- * ((ServiceDefTarget)xsrf).setServiceEntryPoint(GWT.getModuleBaseURL() + "xsrf");
- *
- * xsrf.getNewXsrfToken(new AsyncCallback&lt;XsrfToken&gt;() {
- *   public void onSuccess(XsrfToken result) {
- *     MyRpcServiceAsync rpc = (MyRpcServiceAsync)GWT.create(MyRpcService.class);
- *     ((HasRpcToken) rpc).setRpcToken(result);
- *     // make XSRF protection RPC calls using
- *     rpc.doStuff(new AsyncCallback&lt;Void&gt;() {
- *       // ...
- *     });
- *
- *   }
- *
- *   public void onFailure(Throwable caught) {
- *     try {
- *       throw caught;
- *     } catch (RpcTokenException e) {
- *       // Can be thrown for several reasons:
- *       //   - duplicate session cookie, which may be a sign of a cookie
- *       //     overwrite attack
- *       //   - XSRF token cannot be generated because session cookie isn't
- *       //     present
- *     } catch (Throwable e) {
- *       // unexpected
- *     }
- * });
- * </pre>
- * </ol>
- * </p>
- *
- * @see XsrfProtectedServiceServlet
- * @see XsrfProtect
- * @see NoXsrfProtect
- */
-public class XsrfTokenServiceServlet extends RemoteServiceServlet
-    implements XsrfTokenService {
-
-  /**
-   * Session cookie name initialization parameter.
-   */
-  public static final String COOKIE_NAME_PARAM =
-    "gwt.xsrf.session_cookie_name";
-
-  static final String COOKIE_NAME_NOT_SET_ERROR_MSG =
-      "Session cookie name not set! Use '" + COOKIE_NAME_PARAM +
-      "' context-param to specify session cookie name";
-
-  /**
-   * Session cookie name. Cookie's value is used to generate XSRF cookie.
-   */
-  private String sessionCookieName = null;
-
-  /**
-   * Default constructor.
-   */
-  public XsrfTokenServiceServlet() {
-    this(null);
-  }
-
-  /**
-   * Alternative constructor that accepts session cookie name instead of getting
-   * it from {@link javax.servlet.ServletConfig} or {@link
-   * javax.servlet.ServletContext}.
-   */
-  public XsrfTokenServiceServlet(String sessionCookieName) {
-    this.sessionCookieName = sessionCookieName;
-  }
-
-  /**
-   * Generates and returns new XSRF token.
-   */
-  public XsrfToken getNewXsrfToken() {
-    return new XsrfToken(generateTokenValue());
-  }
-
-  /**
-   * Servlet initialization.
-   */
-  @Override
-  public void init() {
-    // do not overwrite values set via constructor
-    if (sessionCookieName == null) {
-      sessionCookieName = getInitParameterValue(COOKIE_NAME_PARAM);
-    }
-    if (sessionCookieName == null) {
-      throw new IllegalStateException(COOKIE_NAME_NOT_SET_ERROR_MSG);
-    }
-  }
-
-  /**
-   * Generates new XSRF token.
-   *
-   * @return session cookie MD5 hash.
-   */
-  private String generateTokenValue() {
-    if (sessionCookieName == null) {
-      throw new IllegalStateException(COOKIE_NAME_NOT_SET_ERROR_MSG);
-    }
-    // generate XSRF cookie using session cookie
-    Cookie sessionCookie = Util.getCookie(getThreadLocalRequest(),
-        sessionCookieName, false);
-    if (sessionCookie == null || sessionCookie.getValue() == null ||
-        sessionCookie.getValue().isEmpty()) {
-      throw new RpcTokenException("Session cookie is not set or empty! " +
-          "Unable to generate XSRF cookie");
-    }
-    byte[] cookieBytes =  sessionCookie.getValue().getBytes();
-    return Utility.toHexString(Utility.getMd5Digest(cookieBytes));
-  }
-
-  /**
-   * Retrieves and returns specified initialization parameter first from
-   * {@link ServletConfig} followed by {@link ServletContext}, if former returns
-   * {@code null}.
-   */
-  private String getInitParameterValue(String name) {
-    String paramValue = null;
-    paramValue = getServletConfig().getInitParameter(name);
-    if (paramValue == null) {
-      paramValue = getServletContext().getInitParameter(name);
-    }
-    return paramValue;
-  }
-}
diff --git a/user/test/com/google/gwt/user/RPCSuite.gwt.xml b/user/test/com/google/gwt/user/RPCSuite.gwt.xml
index 7dd3872..fba0744 100644
--- a/user/test/com/google/gwt/user/RPCSuite.gwt.xml
+++ b/user/test/com/google/gwt/user/RPCSuite.gwt.xml
@@ -37,10 +37,6 @@
     class='com.google.gwt.user.server.rpc.RpcTokenServiceImpl' />
   <servlet path='/rpctokentest-annotation'
     class='com.google.gwt.user.server.rpc.AnnotatedRpcTokenTestServiceImpl' />
-  <servlet path='/xsrftestservice'
-    class='com.google.gwt.user.server.rpc.XsrfTestServiceImpl' />
-  <servlet path='/xsrfmock'
-    class='com.google.gwt.user.server.rpc.MockXsrfTokenServiceImpl' /> 
   <servlet path='/unicodeEscape'
     class='com.google.gwt.user.server.rpc.UnicodeEscapingServiceImpl' />
   <servlet path='/recursiveclass'
diff --git a/user/test/com/google/gwt/user/RPCSuite.java b/user/test/com/google/gwt/user/RPCSuite.java
index c11481c..44a5478 100644
--- a/user/test/com/google/gwt/user/RPCSuite.java
+++ b/user/test/com/google/gwt/user/RPCSuite.java
@@ -1,12 +1,12 @@
 /*
  * Copyright 2008 Google Inc.
- *
+ * 
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy of
  * the License at
- *
+ * 
  * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * 
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
@@ -45,13 +45,10 @@
 import com.google.gwt.user.client.rpc.UnicodeEscapingTestWithTypeObfuscation;
 import com.google.gwt.user.client.rpc.ValueTypesTest;
 import com.google.gwt.user.client.rpc.ValueTypesTestWithTypeObfuscation;
-import com.google.gwt.user.client.rpc.XsrfProtectionTest;
 import com.google.gwt.user.rebind.rpc.BlacklistTypeFilterTest;
 import com.google.gwt.user.rebind.rpc.SerializableTypeOracleBuilderTest;
 import com.google.gwt.user.rebind.rpc.TypeHierarchyUtilsTest;
 import com.google.gwt.user.server.Base64Test;
-import com.google.gwt.user.server.UtilTest;
-import com.google.gwt.user.server.rpc.AbstractXsrfProtectedServiceServletTest;
 import com.google.gwt.user.server.rpc.RPCRequestTest;
 import com.google.gwt.user.server.rpc.RPCServletUtilsTest;
 import com.google.gwt.user.server.rpc.RPCTest;
@@ -93,8 +90,6 @@
     suite.addTestSuite(FailedRequestTest.class);
     suite.addTestSuite(FailingRequestBuilderTest.class);
     suite.addTestSuite(Base64Test.class);
-    suite.addTestSuite(UtilTest.class);
-    suite.addTestSuite(AbstractXsrfProtectedServiceServletTest.class);
 
     // GWTTestCases
     suite.addTestSuite(ValueTypesTest.class);
@@ -108,7 +103,6 @@
     suite.addTestSuite(UnicodeEscapingTest.class);
     suite.addTestSuite(RunTimeSerializationErrorsTest.class);
     suite.addTestSuite(RecursiveClassTest.class);
-    suite.addTestSuite(XsrfProtectionTest.class);
 
     // This test turns on the type-elision feature of RPC
     suite.addTestSuite(ValueTypesTestWithTypeObfuscation.class);
diff --git a/user/test/com/google/gwt/user/client/rpc/XsrfProtectionTest.java b/user/test/com/google/gwt/user/client/rpc/XsrfProtectionTest.java
deleted file mode 100644
index 6dcf6fd..0000000
--- a/user/test/com/google/gwt/user/client/rpc/XsrfProtectionTest.java
+++ /dev/null
@@ -1,200 +0,0 @@
-/*
- * Copyright 2011 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy of
- * the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations under
- * the License.
- */
-package com.google.gwt.user.client.rpc;
-
-import com.google.gwt.core.client.GWT;
-import com.google.gwt.user.client.Cookies;
-
-/**
- * Tests XSRF protection provided by {@link XsrfProtectedServiceServlet} and
- * {@link XsrfTokenService}.
- */
-public class XsrfProtectionTest extends RpcTestBase {
-
-  public static final String SESSION_COOKIE_NAME = "MYSESSIONCOOKIE";
-
-  @Override
-  protected void gwtSetUp() {
-    // MD5 test vector
-    Cookies.setCookie(SESSION_COOKIE_NAME, "abc");
-  }
-
-  @Override
-  protected void gwtTearDown() {
-    Cookies.removeCookie(SESSION_COOKIE_NAME);
-  }
-
-  protected static XsrfTestServiceAsync getAsyncService() {
-    XsrfTestServiceAsync service =
-      (XsrfTestServiceAsync) GWT.create(XsrfTestService.class);
-
-    ((ServiceDefTarget) service).setServiceEntryPoint(GWT.getModuleBaseURL()
-        + "xsrftestservice");
-
-    return service;
-  }
-
-  protected static XsrfTokenServiceAsync getAsyncXsrfService() {
-    XsrfTokenServiceAsync service =
-      (XsrfTokenServiceAsync) GWT.create(XsrfTokenService.class);
-
-    ((ServiceDefTarget) service).setServiceEntryPoint(GWT.getModuleBaseURL()
-        + "xsrfmock");
-
-    return service;
-  }
-
-  public void testRpcWithoutXsrfTokenFails() throws Exception {
-    XsrfTestServiceAsync service = getAsyncService();
-
-    delayTestFinishForRpc();
-
-    service.drink("kumys", new AsyncCallback<Void>() {
-      public void onFailure(Throwable caught) {
-        RpcTokenException e = (RpcTokenException) caught;
-        assertTrue(e.getMessage().contains("XSRF token missing"));
-        checkServerState("kumys", false);
-      }
-
-      public void onSuccess(Void result) {
-        fail("Should've failed without XSRF token");
-      }
-    });
-  }
-
-  public void testRpcWithBadXsrfTokenFails() throws Exception {
-    XsrfToken badToken = new XsrfToken("Invalid Token");
-    XsrfTestServiceAsync service = getAsyncService();
-    ((HasRpcToken) service).setRpcToken(badToken);
-    delayTestFinishForRpc();
-
-    service.drink("maksym", new AsyncCallback<Void>() {
-
-      public void onSuccess(Void result) {
-        fail("Should've failed with bad XSRF token");
-      }
-
-      public void onFailure(Throwable caught) {
-        checkServerState("maksym", false);
-      }
-    });
-  }
-
-  public void testXsrfTokenService() throws Exception {
-    XsrfTokenServiceAsync xsrfService = getAsyncXsrfService();
-
-    delayTestFinishForRpc();
-
-    xsrfService.getNewXsrfToken(new AsyncCallback<XsrfToken>() {
-      public void onSuccess(XsrfToken result) {
-        assertNotNull(result);
-        assertNotNull(result.getToken());
-        // MD5("abc")
-        assertEquals("900150983CD24FB0D6963F7D28E17F72", result.getToken());
-        finishTest();
-      }
-
-      public void onFailure(Throwable caught) {
-        TestSetValidator.rethrowException(caught);
-      }
-    });
-  }
-
-  public void testRpcWithXsrfToken() throws Exception {
-    XsrfTokenServiceAsync xsrfService = getAsyncXsrfService();
-
-    delayTestFinishForRpc();
-
-    xsrfService.getNewXsrfToken(new AsyncCallback<XsrfToken>() {
-
-      public void onFailure(Throwable caught) {
-        TestSetValidator.rethrowException(caught);
-      }
-
-      public void onSuccess(XsrfToken result) {
-        XsrfTestServiceAsync service = getAsyncService();
-
-        ((HasRpcToken) service).setRpcToken(result);
-        service.drink("airan", new AsyncCallback<Void>() {
-
-          public void onFailure(Throwable caught) {
-            TestSetValidator.rethrowException(caught);
-          }
-
-          public void onSuccess(Void result) {
-            checkServerState("airan", true);
-          }
-        });
-      }
-    });
-  }
-
-  public void testXsrfTokenWithDifferentSessionCookieFails() throws Exception {
-    XsrfTokenServiceAsync xsrfService = getAsyncXsrfService();
-
-    final XsrfTestServiceAsync service = getAsyncService();
-
-    delayTestFinishForRpc();
-
-    xsrfService.getNewXsrfToken(new AsyncCallback<XsrfToken>() {
-
-      public void onFailure(Throwable caught) {
-        TestSetValidator.rethrowException(caught);
-      }
-
-      public void onSuccess(XsrfToken result) {
-        // Ensure it's MD5
-        assertEquals(32, result.getToken().length());
-
-        ((HasRpcToken) service).setRpcToken(result);
-
-        // change cookie to ensure verification fails since
-        // XSRF token was derived from previous cookie value
-        Cookies.setCookie(SESSION_COOKIE_NAME, "sometingrandom");
-
-        service.drink("bozo", new AsyncCallback<Void>() {
-
-          public void onFailure(Throwable caught) {
-            RpcTokenException e = (RpcTokenException) caught;
-            assertTrue(e.getMessage().contains(
-                "Invalid XSRF token"));
-            checkServerState("bozo", false);
-          }
-
-          public void onSuccess(Void result) {
-            fail("Should've failed since session cookie has changed");
-          }
-        });
-      }
-    });
-  }
-
-  private void checkServerState(String drink, final boolean stateShouldChange) {
-    XsrfTestServiceAsync service = getAsyncService();
-
-    service.checkIfDrankDrink(drink, new AsyncCallback<Boolean>() {
-
-      public void onSuccess(Boolean result) {
-        assertTrue(stateShouldChange == result);
-        finishTest();
-      }
-
-      public void onFailure(Throwable caught) {
-        TestSetValidator.rethrowException(caught);
-      }
-    });
-  }
-}
diff --git a/user/test/com/google/gwt/user/client/rpc/XsrfTestService.java b/user/test/com/google/gwt/user/client/rpc/XsrfTestService.java
deleted file mode 100644
index 675b66a..0000000
--- a/user/test/com/google/gwt/user/client/rpc/XsrfTestService.java
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright 2011 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy of
- * the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations under
- * the License.
- */
-package com.google.gwt.user.client.rpc;
-
-import com.google.gwt.user.server.rpc.NoXsrfProtect;
-
-/**
- * RPC service for XSRF testing.
- */
-public interface XsrfTestService extends XsrfProtectedService {
-
-  void drink(String drink);
-  @NoXsrfProtect
-  boolean checkIfDrankDrink(String drink);
-}
diff --git a/user/test/com/google/gwt/user/client/rpc/XsrfTestServiceAsync.java b/user/test/com/google/gwt/user/client/rpc/XsrfTestServiceAsync.java
deleted file mode 100644
index 09b9797..0000000
--- a/user/test/com/google/gwt/user/client/rpc/XsrfTestServiceAsync.java
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Copyright 2011 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy of
- * the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations under
- * the License.
- */
-package com.google.gwt.user.client.rpc;
-
-/**
- * Async peer of {@link XsrfTestService}.
- */
-public interface XsrfTestServiceAsync {
-
-  void drink(String drink, AsyncCallback<Void> callback);
-  void checkIfDrankDrink(String drink, AsyncCallback<Boolean> callback);
-}
diff --git a/user/test/com/google/gwt/user/server/UtilTest.java b/user/test/com/google/gwt/user/server/UtilTest.java
deleted file mode 100644
index 38eead3..0000000
--- a/user/test/com/google/gwt/user/server/UtilTest.java
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Copyright 2011 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy of
- * the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations under
- * the License.
- */
-package com.google.gwt.user.server;
-
-import com.google.gwt.user.server.rpc.MockHttpServletRequest;
-import com.google.gwt.user.server.rpc.NoXsrfProtect;
-import com.google.gwt.user.server.rpc.XsrfProtect;
-
-import junit.framework.TestCase;
-
-import javax.servlet.http.Cookie;
-
-/**
- * Utility methods tests.
- */
-public class UtilTest extends TestCase {
-
-  @NoXsrfProtect
-  private class parent {
-  }
-
-  private class child extends parent {
-  }
-
-  @NoXsrfProtect
-  private interface parentIntf {
-  }
-
-  private interface childIntf extends parentIntf {
-  }
-
-  public void testGetClassAnnotation() throws Exception {
-    assertNotNull(Util.getClassAnnotation(parent.class, NoXsrfProtect.class));
-    assertNotNull(Util.getClassAnnotation(child.class, NoXsrfProtect.class));
-    assertNotNull(Util.getClassAnnotation(parentIntf.class,
-        NoXsrfProtect.class));
-    assertNotNull(Util.getClassAnnotation(childIntf.class,
-        NoXsrfProtect.class));
-
-    assertNull(Util.getClassAnnotation(child.class, XsrfProtect.class));
-  }
-
-  private class MockHttpServletRequestWithCookies extends
-      MockHttpServletRequest {
-    private Cookie[] cookies;
-
-    public MockHttpServletRequestWithCookies(Cookie[] cookies) {
-      this.cookies = cookies;
-    }
-
-    public Cookie[] getCookies() {
-      return cookies;
-    }
-  }
-
-  public void testGetCookie() throws Exception {
-    Cookie[] cookies = new Cookie[2];
-    MockHttpServletRequestWithCookies req =
-      new MockHttpServletRequestWithCookies(cookies);
-
-    cookies[0] = new Cookie("chocolate", "chip");
-    assertEquals("chip", Util.getCookie(req, "chocolate", true).getValue());
-
-    cookies[1] = new Cookie("chocolate", "oatmeal");
-    assertEquals("chip", Util.getCookie(req, "chocolate", true).getValue());
-    try {
-      Util.getCookie(req, "chocolate", false);
-      fail("Should've thrown IllegalStateException");
-    } catch (IllegalArgumentException e) {
-      // expected
-    }
-  }
-}
diff --git a/user/test/com/google/gwt/user/server/rpc/AbstractXsrfProtectedServiceServletTest.java b/user/test/com/google/gwt/user/server/rpc/AbstractXsrfProtectedServiceServletTest.java
deleted file mode 100644
index 4982668..0000000
--- a/user/test/com/google/gwt/user/server/rpc/AbstractXsrfProtectedServiceServletTest.java
+++ /dev/null
@@ -1,160 +0,0 @@
-/*
- * Copyright 2011 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy of
- * the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations under
- * the License.
- */
-package com.google.gwt.user.server.rpc;
-
-import com.google.gwt.user.client.rpc.RpcToken;
-import com.google.gwt.user.client.rpc.RpcTokenException;
-import com.google.gwt.user.client.rpc.XsrfProtectedService;
-
-import junit.framework.TestCase;
-
-import java.lang.reflect.Method;
-
-/**
- * Tests {@link AbstractXsrfProtectedServiceServlet}'s XSRF enforcement logic.
- */
-public class AbstractXsrfProtectedServiceServletTest extends TestCase {
-
-  private boolean isValidateCalled;
-
-  @Override
-  public void setUp() {
-    isValidateCalled = false;
-  }
-
-  private MockXsrfProtectedServiceServlet mockServlet =
-    new MockXsrfProtectedServiceServlet();
-
-  private class MockXsrfProtectedServiceServlet extends
-      AbstractXsrfProtectedServiceServlet {
-
-    @Override
-    protected void validateXsrfToken(RpcToken token, Method method)
-        throws RpcTokenException {
-      isValidateCalled = true;
-    }
-  }
-
-  @XsrfProtect
-  private interface RpcWithXsrfProtect {
-    void foo();
-  }
-
-  @XsrfProtect
-  private interface RpcWithXsrfProtectAndMethodOverride {
-    @NoXsrfProtect
-    void foo();
-  }
-
-  @NoXsrfProtect
-  private interface RpcWithNoXsrfProtect {
-    void foo();
-  }
-
-  @NoXsrfProtect
-  private interface RpcWithNoXsrfProtectAndMethodOverride {
-    @XsrfProtect
-    void foo();
-  }
-
-  private interface RpcWithoutAnnotationAndMethodXsrfProtect {
-    @XsrfProtect
-    void foo();
-  }
-
-  private interface RpcWithoutAnnotationAndMethodNoXsrfProtect {
-    @NoXsrfProtect
-    void foo();
-  }
-
-  private interface RpcWithoutAnnotationsAndWithRpcTokenMethod {
-    void foo();
-    RpcToken getToken();
-  }
-
-  @NoXsrfProtect
-  private interface
-      RpcWithoutAnnotationsAndWithRpcTokenMethodAndNoProtectOverride {
-    void foo();
-    RpcToken getToken();
-  }
-
-  @XsrfProtect
-  private interface
-      RpcWithoutAnnotationsAndWithRpcTokenMethodAndProtectOverride {
-    void foo();
-    RpcToken getToken();
-  }
-
-  @SuppressWarnings("rpc-validation")
-  private interface XsrfProtectedRpc extends XsrfProtectedService {
-    void foo();
-  }
-
-  @SuppressWarnings("rpc-validation")
-  private interface XsrfProtectedRpcWithOverride extends XsrfProtectedRpc {
-    void fooBar();
-    @NoXsrfProtect
-    void insecure();
-  }
-
-  private interface RpcWithoutAnyAnnotations {
-    void foo();
-  }
-
-  public void testShouldValidatedXsrfToken() throws Exception {
-    checkXsrfValidationLogic(RpcWithXsrfProtect.class, "foo", true);
-    checkXsrfValidationLogic(RpcWithXsrfProtectAndMethodOverride.class, "foo",
-        false);
-    checkXsrfValidationLogic(RpcWithNoXsrfProtect.class, "foo", false);
-    checkXsrfValidationLogic(RpcWithNoXsrfProtectAndMethodOverride.class, "foo",
-        true);
-    checkXsrfValidationLogic(RpcWithoutAnnotationAndMethodXsrfProtect.class,
-        "foo", true);
-    checkXsrfValidationLogic(RpcWithoutAnnotationAndMethodNoXsrfProtect.class,
-        "foo", false);
-    checkXsrfValidationLogic(RpcWithoutAnnotationsAndWithRpcTokenMethod.class,
-        "foo", true);
-    checkXsrfValidationLogic(
-        RpcWithoutAnnotationsAndWithRpcTokenMethodAndNoProtectOverride.class,
-        "foo", false);
-    checkXsrfValidationLogic(
-        RpcWithoutAnnotationsAndWithRpcTokenMethodAndNoProtectOverride.class,
-        "getToken", false);
-    checkXsrfValidationLogic(
-        RpcWithoutAnnotationsAndWithRpcTokenMethodAndProtectOverride.class,
-        "foo", true);
-    checkXsrfValidationLogic(
-        RpcWithoutAnnotationsAndWithRpcTokenMethodAndProtectOverride.class,
-        "getToken", true);
-    checkXsrfValidationLogic(RpcWithoutAnyAnnotations.class, "foo", false);
-    checkXsrfValidationLogic(RpcWithoutAnnotationsAndWithRpcTokenMethod.class,
-        "getToken", false);
-    checkXsrfValidationLogic(XsrfProtectedRpc.class, "foo", true);
-    checkXsrfValidationLogic(XsrfProtectedRpcWithOverride.class, "foo", true);
-    checkXsrfValidationLogic(XsrfProtectedRpcWithOverride.class, "insecure",
-        false);
-  }
-
-  private void checkXsrfValidationLogic(Class<?> rpcClass, String methodName,
-      boolean mustCallValidate) throws Exception {
-    isValidateCalled = false;
-    Method method = rpcClass.getMethod(methodName, new Class[] {});
-    RPCRequest request = new RPCRequest(method, new Object[] {}, null, 0);
-    mockServlet.onAfterRequestDeserialized(request);
-    assertEquals(mustCallValidate, isValidateCalled);
-  }
-}
diff --git a/user/test/com/google/gwt/user/server/rpc/MockHttpServletRequest.java b/user/test/com/google/gwt/user/server/rpc/MockHttpServletRequest.java
index 865c48c..8cd0375 100644
--- a/user/test/com/google/gwt/user/server/rpc/MockHttpServletRequest.java
+++ b/user/test/com/google/gwt/user/server/rpc/MockHttpServletRequest.java
@@ -1,12 +1,12 @@
 /*
  * Copyright 2008 Google Inc.
- *
+ * 
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy of
  * the License at
- *
+ * 
  * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * 
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
@@ -31,7 +31,7 @@
 /**
  * A dummy class for testing methods that require an HttpServletRequest.
  */
-public class MockHttpServletRequest implements HttpServletRequest {
+class MockHttpServletRequest implements HttpServletRequest {
 
   public Object getAttribute(String arg0) {
     throw new UnsupportedOperationException();
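Review bot: Dropping `public` on `MockHttpServletRequest` makes the mock package-private, so only tests in `com.google.gwt.user.server.rpc` can extend or instantiate it, and nothing in the Javadoc records that this is deliberate. If the narrowing is intended as part of the rollback, I would state it in the class comment, e.g. `Package-private on purpose: used only by server-side RPC tests in this package; methods throw UnsupportedOperationException unless a test overrides them.` Only `getAttribute` is visible here and the class body continues outside the hunk, so the claim about the remaining methods should be checked against the full file before adding it.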
diff --git a/user/test/com/google/gwt/user/server/rpc/MockXsrfTokenServiceImpl.java b/user/test/com/google/gwt/user/server/rpc/MockXsrfTokenServiceImpl.java
deleted file mode 100644
index cbfe938..0000000
--- a/user/test/com/google/gwt/user/server/rpc/MockXsrfTokenServiceImpl.java
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright 2011 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy of
- * the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations under
- * the License.
- */
-package com.google.gwt.user.server.rpc;
-
-import com.google.gwt.user.client.rpc.XsrfProtectionTest;
-
-/**
- * {@link XsrfTokenServiceServlet} subclass, which passes session cookie
- * name in constructor.
- */
-public class MockXsrfTokenServiceImpl extends XsrfTokenServiceServlet {
-
-  public MockXsrfTokenServiceImpl() {
-    super(XsrfProtectionTest.SESSION_COOKIE_NAME);
-  }
-}
diff --git a/user/test/com/google/gwt/user/server/rpc/XsrfTestServiceImpl.java b/user/test/com/google/gwt/user/server/rpc/XsrfTestServiceImpl.java
deleted file mode 100644
index 13c7a9b..0000000
--- a/user/test/com/google/gwt/user/server/rpc/XsrfTestServiceImpl.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Copyright 2011 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy of
- * the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations under
- * the License.
- */
-package com.google.gwt.user.server.rpc;
-
-import com.google.gwt.user.client.rpc.XsrfProtectionTest;
-import com.google.gwt.user.client.rpc.XsrfTestService;
-
-import java.util.HashSet;
-import java.util.Set;
-
-/**
- * Remote service for XSRF protection tests.
- */
-public class XsrfTestServiceImpl extends XsrfProtectedServiceServlet
-    implements XsrfTestService {
-
-  private Set<String> drinks = new HashSet<String>();
-
-  public XsrfTestServiceImpl() {
-    sessionCookieName = XsrfProtectionTest.SESSION_COOKIE_NAME;
-  }
-
-  public void drink(String drink) {
-    drinks.add(drink);
-  }
-
-  public boolean checkIfDrankDrink(String drink) {
-    return drinks.contains(drink);
-  }
-}