/*
* Copyright 2011 Google Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy of
* the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations under
* the License.
*/
package com.google.gwt.user.server.rpc;
import com.google.gwt.user.client.rpc.RpcToken;
import com.google.gwt.user.client.rpc.RpcTokenException;
import com.google.gwt.user.server.Util;
import java.lang.reflect.Method;
/**
* An abstract class for XSRF protected RPC service implementations, which
* decides if XSRF protection should be enforced on a method invocation based
* on the following logic:
* <ul>
* <li>RPC interface or method can be annotated with either {@link XsrfProtect}
* or {@link NoXsrfProtect} annotation to enable or disable XSRF protection
* on all methods of an RPC interface or a single method correspondingly.
* <li>RPC interface level annotation can be overridden by a method level
* annotation.
* <li>If no annotations are present and RPC interface contains method that
* returns {@link RpcToken} or its implementation, then XSRF token
* validation is performed on all methods of that interface except for the
* method returning {@link RpcToken}.
* </ul>
*
* @see XsrfProtectedServiceServlet
*/
public abstract class AbstractXsrfProtectedServiceServlet extends
    RemoteServiceServlet {

  /**
   * Creates a servlet that serves RPC requests from methods declared on the
   * concrete subclass itself.
   */
  public AbstractXsrfProtectedServiceServlet() {
    super();
  }

  /**
   * Creates a servlet that serves RPC requests from a separate delegate
   * object instead of the servlet subclass.
   *
   * @param delegate the object whose methods handle the RPC requests
   */
  public AbstractXsrfProtectedServiceServlet(Object delegate) {
    super(delegate);
  }

  /**
   * Request hook from {@link RemoteServiceServlet}: after the request has
   * been deserialized, runs XSRF token validation for the invoked method
   * whenever {@link #shouldValidateXsrfToken(Method)} reports that the
   * method is protected. A failed validation surfaces as the
   * {@link RpcTokenException} raised by
   * {@link #validateXsrfToken(RpcToken, Method)}.
   *
   * @param rpcRequest the deserialized request carrying the target method
   *     and the client-supplied token
   */
  @Override
  protected void onAfterRequestDeserialized(RPCRequest rpcRequest) {
    // Unprotected methods (see the class-level rules) skip validation.
    if (!shouldValidateXsrfToken(rpcRequest.getMethod())) {
      return;
    }
    validateXsrfToken(rpcRequest.getRpcToken(), rpcRequest.getMethod());
  }

  /**
   * Decides whether the XSRF token must be checked for {@code method}.
   * The default applies the annotation and {@link RpcToken}-return rules
   * described on this class via {@link Util#isMethodXsrfProtected}.
   * Returning {@code false} skips token validation for that method
   * entirely, so an override should fall back to this default rather than
   * replace it wholesale.
   *
   * @param method the RPC method about to be invoked
   * @return {@code true} when the token has to be validated,
   *     {@code false} otherwise
   */
  protected boolean shouldValidateXsrfToken(Method method) {
    // Arguments: the enabling annotation, the disabling annotation, and the
    // token type whose presence as a return type opts the interface in.
    final Class<XsrfProtect> enable = XsrfProtect.class;
    final Class<NoXsrfProtect> disable = NoXsrfProtect.class;
    return Util.isMethodXsrfProtected(method, enable, disable, RpcToken.class);
  }

  /**
   * Verifies the client-supplied XSRF token for an RPC invocation.
   * Subclasses supply the actual token check.
   *
   * @param token the {@link RpcToken} sent with the request
   * @param method the RPC method being invoked
   * @throws RpcTokenException when the token does not pass verification
   */
  protected abstract void validateXsrfToken(RpcToken token, Method method)
      throws RpcTokenException;
}