AbstractXsrfProtectedServiceServlet.java example

Explorer
google-web-toolkit-svnmirror-master
/*
 * Copyright 2011 Google Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy of
 * the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 * License for the specific language governing permissions and limitations under
 * the License.
 */
package com.google.gwt.user.server.rpc;

import com.google.gwt.user.client.rpc.RpcToken;
import com.google.gwt.user.client.rpc.RpcTokenException;
import com.google.gwt.user.server.Util;

import java.lang.reflect.Method;

/**
 * An abstract class for XSRF protected RPC service implementations, which
 * decides if XSRF protection should be enforced on a method invocation based
 * on the following logic:
 * <ul>
 *  <li>RPC interface or method can be annotated with either {@link XsrfProtect}
 *      or {@link NoXsrfProtect} annotation to enable or disable XSRF protection
 *      on all methods of an RPC interface or a single method correspondingly.
 *  <li>RPC interface level annotation can be overridden by a method level
 *      annotation.
 *  <li>If no annotations are present and RPC interface contains method that
 *      returns {@link RpcToken} or its implementation, then XSRF token
 *      validation is performed on all methods of that interface except for the
 *      method returning {@link RpcToken}.
 * </ul>
 *
 * @see XsrfProtectedServiceServlet
 */
public abstract class AbstractXsrfProtectedServiceServlet extends
    RemoteServiceServlet {

  /**
   * The default constructor used by service implementations that
   * extend this class.  The servlet will delegate AJAX requests to
   * the appropriate method in the subclass.
   */
  public AbstractXsrfProtectedServiceServlet() {
    super();
  }

  /**
   * The wrapping constructor used by service implementations that are
   * separate from this class.  The servlet will delegate AJAX
   * requests to the appropriate method in the given object.
   */
  public AbstractXsrfProtectedServiceServlet(Object delegate) {
    super(delegate);
  }

  @Override
  protected void onAfterRequestDeserialized(RPCRequest rpcRequest) {
    if (shouldValidateXsrfToken(rpcRequest.getMethod())) {
      validateXsrfToken(rpcRequest.getRpcToken(), rpcRequest.getMethod());
    }
  }

  /**
   * Override this method to change default XSRF enforcement logic.
   *
   * @param method Method being invoked
   * @return {@code true} if XSRF token should be verified, {@code false}
   *         otherwise
   */
  protected boolean shouldValidateXsrfToken(Method method) {
    return Util.isMethodXsrfProtected(method, XsrfProtect.class,
        NoXsrfProtect.class, RpcToken.class);
  }

  /**
   * Override this method to perform XSRF token verification.
   *
   * @param token {@link RpcToken} included with an RPC request.
   * @param method method being invoked via this RPC call.
   * @throws RpcTokenException if token verification failed.
   */
  protected abstract void validateXsrfToken(RpcToken token, Method method)
      throws RpcTokenException;
}