Class XsrfTokenServiceServlet

java.lang.Object
jakarta.servlet.GenericServlet
jakarta.servlet.http.HttpServlet
All Implemented Interfaces:
RemoteService, XsrfTokenService, SerializationPolicyProvider, jakarta.servlet.Servlet, jakarta.servlet.ServletConfig, Serializable

public class XsrfTokenServiceServlet extends RemoteServiceServlet implements XsrfTokenService
EXPERIMENTAL and subject to change. Do not use this in production code.

RPC service to generate XSRF tokens.

Sample use of XsrfTokenService:

  1. Add XsrfTokenServiceServlet to web.xml:
     <servlet>
       <servlet-name>xsrf</servlet-name>
       <servlet-class>
         com.google.gwt.user.server.rpc.XsrfTokenServiceServlet
       </servlet-class>
     </servlet>
     <servlet-mapping>
       <servlet-name>xsrf</servlet-name>
       <url-pattern>/gwt/xsrf</url-pattern>
     </servlet-mapping>
     
  2. Specify session cookie name that is used for authentication. MD5 hash of the session cookie's value will be used as an XSRF token:
     <context-param>
       <param-name>gwt.xsrf.session_cookie_name</param-name>
       <param-value>JSESSIONID</param-value>
     </context-param>
     
  3. To enforce XSRF token validation on each method call either mark RPC interface as XSRF protected using
    invalid reference
    XsrfProtect
    annotation or extend XsrfProtectedService instead of RemoteService. Use
    invalid reference
    NoXsrfProtect
    to mark methods as not requiring XSRF protection:
     public interface MyRpcService extends XsrfProtectedService {
       public void doStuff();
     }
     
  4. Ensure that RPC's servlet implementation extends XsrfProtectedServiceServlet instead of RemoteServiceServlet:
     public class MyRpcServiceServlet extends XsrfProtectedServiceServlet
         implements MyRpcService {
    
       public void doStuff() {
         // ...
       }
     }
     
  5. Obtain XsrfToken and set it on the RPC end point:
     XsrfTokenServiceAsync xsrf = (XsrfTokenServiceAsync)GWT.create(XsrfTokenService.class);
    
     ((ServiceDefTarget)xsrf).setServiceEntryPoint(GWT.getModuleBaseURL() + "xsrf");
    
     xsrf.getNewXsrfToken(new AsyncCallback<XsrfToken>() {
       public void onSuccess(XsrfToken result) {
         MyRpcServiceAsync rpc = (MyRpcServiceAsync)GWT.create(MyRpcService.class);
         ((HasRpcToken) rpc).setRpcToken(result);
         // make XSRF protected RPC call
         rpc.doStuff(new AsyncCallback<Void>() {
           // ...
         });
    
       }
    
       public void onFailure(Throwable caught) {
         try {
           throw caught;
         } catch (RpcTokenException e) {
           // Can be thrown for several reasons:
           //   - duplicate session cookie, which may be a sign of a cookie
           //     overwrite attack
           //   - XSRF token cannot be generated because session cookie isn't
           //     present
         } catch (Throwable e) {
           // unexpected
         }
     });
     

See Also:
  • Field Details

  • Constructor Details

    • XsrfTokenServiceServlet

      public XsrfTokenServiceServlet()
      Default constructor.
    • XsrfTokenServiceServlet

      public XsrfTokenServiceServlet(String sessionCookieName)
      Alternative constructor that accepts session cookie name instead of getting it from ServletConfig or ServletContext.
  • Method Details

    • getNewXsrfToken

      public XsrfToken getNewXsrfToken()
      Generates and returns new XSRF token.
      Specified by:
      getNewXsrfToken in interface XsrfTokenService
    • init

      public void init()
      Servlet initialization.
      Overrides:
      init in class jakarta.servlet.GenericServlet