Package com.google.gwt.user.server.rpc
Class AbstractXsrfProtectedServiceServlet
java.lang.Object
javax.servlet.GenericServlet
javax.servlet.http.HttpServlet
com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet
com.google.gwt.user.server.rpc.RemoteServiceServlet
com.google.gwt.user.server.rpc.AbstractXsrfProtectedServiceServlet
- All Implemented Interfaces:
SerializationPolicyProvider
,Serializable
,javax.servlet.Servlet
,javax.servlet.ServletConfig
- Direct Known Subclasses:
XsrfProtectedServiceServlet
An abstract class for XSRF protected RPC service implementations, which
decides if XSRF protection should be enforced on a method invocation based
on the following logic:
- RPC interface or method can be annotated with either
XsrfProtect
orNoXsrfProtect
annotation to enable or disable XSRF protection on all methods of an RPC interface or a single method correspondingly. - RPC interface level annotation can be overridden by a method level annotation.
- If no annotations are present and RPC interface contains method that
returns
RpcToken
or its implementation, then XSRF token validation is performed on all methods of that interface except for the method returningRpcToken
.
- See Also:
-
Field Summary
Fields inherited from class com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet
perThreadRequest, perThreadResponse
-
Constructor Summary
ConstructorDescriptionThe default constructor used by service implementations that extend this class.AbstractXsrfProtectedServiceServlet
(Object delegate) The wrapping constructor used by service implementations that are separate from this class. -
Method Summary
Modifier and TypeMethodDescriptionprotected void
onAfterRequestDeserialized
(RPCRequest rpcRequest) Override this method to examine the deserialized version of the request before the call to the servlet method is made.protected boolean
shouldValidateXsrfToken
(Method method) Override this method to change default XSRF enforcement logic.protected abstract void
validateXsrfToken
(RpcToken token, Method method) Override this method to perform XSRF token verification.Methods inherited from class com.google.gwt.user.server.rpc.RemoteServiceServlet
checkPermutationStrongName, doGetSerializationPolicy, getCodeServerPolicyUrl, getRequestModuleBasePath, getSerializationPolicy, init, loadPolicyFromCodeServer, loadSerializationPolicy, onAfterResponseSerialized, onBeforeRequestDeserialized, processCall, processCall, processPost, shouldCompressResponse
Methods inherited from class com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet
doPost, doUnexpectedFailure, getPermutationStrongName, getThreadLocalRequest, getThreadLocalResponse, readContent
Methods inherited from class javax.servlet.http.HttpServlet
doDelete, doGet, doHead, doOptions, doPut, doTrace, getLastModified, service, service
Methods inherited from class javax.servlet.GenericServlet
destroy, getInitParameter, getInitParameterNames, getServletConfig, getServletContext, getServletInfo, getServletName, init, log, log
-
Constructor Details
-
AbstractXsrfProtectedServiceServlet
public AbstractXsrfProtectedServiceServlet()The default constructor used by service implementations that extend this class. The servlet will delegate AJAX requests to the appropriate method in the subclass. -
AbstractXsrfProtectedServiceServlet
The wrapping constructor used by service implementations that are separate from this class. The servlet will delegate AJAX requests to the appropriate method in the given object.
-
-
Method Details
-
onAfterRequestDeserialized
Description copied from class:AbstractRemoteServiceServlet
Override this method to examine the deserialized version of the request before the call to the servlet method is made. The default implementation does nothing and need not be called by subclasses.- Overrides:
onAfterRequestDeserialized
in classAbstractRemoteServiceServlet
- Parameters:
rpcRequest
-
-
shouldValidateXsrfToken
Override this method to change default XSRF enforcement logic.- Parameters:
method
- Method being invoked- Returns:
true
if XSRF token should be verified,false
otherwise
-
validateXsrfToken
Override this method to perform XSRF token verification.- Parameters:
token
-RpcToken
included with an RPC request.method
- method being invoked via this RPC call.- Throws:
RpcTokenException
- if token verification failed.
-