Class XsrfTokenServiceServlet
java.lang.Object
jakarta.servlet.GenericServlet
jakarta.servlet.http.HttpServlet
com.google.gwt.user.server.rpc.jakarta.AbstractRemoteServiceServlet
com.google.gwt.user.server.rpc.jakarta.RemoteServiceServlet
com.google.gwt.user.server.rpc.jakarta.XsrfTokenServiceServlet
- All Implemented Interfaces:
RemoteService
,XsrfTokenService
,SerializationPolicyProvider
,jakarta.servlet.Servlet
,jakarta.servlet.ServletConfig
,Serializable
EXPERIMENTAL and subject to change. Do not use this in production code.
RPC service to generate XSRF tokens.
Sample use of XsrfTokenService
:
- Add
XsrfTokenServiceServlet
toweb.xml
:<servlet> <servlet-name>xsrf</servlet-name> <servlet-class> com.google.gwt.user.server.rpc.XsrfTokenServiceServlet </servlet-class> </servlet> <servlet-mapping> <servlet-name>xsrf</servlet-name> <url-pattern>/gwt/xsrf</url-pattern> </servlet-mapping>
- Specify session cookie name that is used for authentication. MD5 hash of
the session cookie's value will be used as an XSRF token:
<context-param> <param-name>gwt.xsrf.session_cookie_name</param-name> <param-value>JSESSIONID</param-value> </context-param>
- To enforce XSRF token validation on each method call either mark RPC
interface as XSRF protected using
invalid reference
XsrfProtect
XsrfProtectedService
instead of RemoteService. Useinvalid reference
NoXsrfProtect
public interface MyRpcService extends XsrfProtectedService { public void doStuff(); }
- Ensure that RPC's servlet implementation extends
XsrfProtectedServiceServlet
instead ofRemoteServiceServlet
:public class MyRpcServiceServlet extends XsrfProtectedServiceServlet implements MyRpcService { public void doStuff() { // ... } }
- Obtain
XsrfToken
and set it on the RPC end point:XsrfTokenServiceAsync xsrf = (XsrfTokenServiceAsync)GWT.create(XsrfTokenService.class); ((ServiceDefTarget)xsrf).setServiceEntryPoint(GWT.getModuleBaseURL() + "xsrf"); xsrf.getNewXsrfToken(new AsyncCallback<XsrfToken>() { public void onSuccess(XsrfToken result) { MyRpcServiceAsync rpc = (MyRpcServiceAsync)GWT.create(MyRpcService.class); ((HasRpcToken) rpc).setRpcToken(result); // make XSRF protected RPC call rpc.doStuff(new AsyncCallback<Void>() { // ... }); } public void onFailure(Throwable caught) { try { throw caught; } catch (RpcTokenException e) { // Can be thrown for several reasons: // - duplicate session cookie, which may be a sign of a cookie // overwrite attack // - XSRF token cannot be generated because session cookie isn't // present } catch (Throwable e) { // unexpected } });
- See Also:
-
Field Summary
Modifier and TypeFieldDescription(package private) static final String
static final String
Session cookie name initialization parameter.Fields inherited from class com.google.gwt.user.server.rpc.jakarta.AbstractRemoteServiceServlet
perThreadRequest, perThreadResponse
-
Constructor Summary
ConstructorDescriptionDefault constructor.XsrfTokenServiceServlet
(String sessionCookieName) Alternative constructor that accepts session cookie name instead of getting it fromServletConfig
orServletContext
. -
Method Summary
Modifier and TypeMethodDescriptionGenerates and returns new XSRF token.void
init()
Servlet initialization.Methods inherited from class com.google.gwt.user.server.rpc.jakarta.RemoteServiceServlet
checkPermutationStrongName, doGetSerializationPolicy, getCodeServerPolicyUrl, getRequestModuleBasePath, getSerializationPolicy, init, loadPolicyFromCodeServer, loadSerializationPolicy, onAfterResponseSerialized, onBeforeRequestDeserialized, processCall, processCall, processPost, shouldCompressResponse
Methods inherited from class com.google.gwt.user.server.rpc.jakarta.AbstractRemoteServiceServlet
doPost, doUnexpectedFailure, getPermutationStrongName, getThreadLocalRequest, getThreadLocalResponse, onAfterRequestDeserialized, readContent
Methods inherited from class jakarta.servlet.http.HttpServlet
doDelete, doGet, doHead, doOptions, doPut, doTrace, getLastModified, service, service
Methods inherited from class jakarta.servlet.GenericServlet
destroy, getInitParameter, getInitParameterNames, getServletConfig, getServletContext, getServletInfo, getServletName, log, log
-
Field Details
-
COOKIE_NAME_PARAM
Session cookie name initialization parameter.- See Also:
-
COOKIE_NAME_NOT_SET_ERROR_MSG
- See Also:
-
-
Constructor Details
-
XsrfTokenServiceServlet
public XsrfTokenServiceServlet()Default constructor. -
XsrfTokenServiceServlet
Alternative constructor that accepts session cookie name instead of getting it fromServletConfig
orServletContext
.
-
-
Method Details
-
getNewXsrfToken
Generates and returns new XSRF token.- Specified by:
getNewXsrfToken
in interfaceXsrfTokenService
-
init
public void init()Servlet initialization.- Overrides:
init
in classjakarta.servlet.GenericServlet
-