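package org.ovirt.engine.ui.frontend.server.gwt;

import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

import javax.servlet.http.HttpSession;

import org.ovirt.engine.ui.frontend.communication.XsrfRpcRequestBuilder;

import com.google.gwt.user.client.rpc.RpcToken;
import com.google.gwt.user.client.rpc.RpcTokenException;
import com.google.gwt.user.client.rpc.XsrfToken;
import com.google.gwt.user.server.Util;
import com.google.gwt.user.server.rpc.NoXsrfProtect;
import com.google.gwt.user.server.rpc.RPCRequest;
import com.google.gwt.user.server.rpc.XsrfProtect;
import com.google.gwt.user.server.rpc.XsrfProtectedServiceServlet;
import com.google.gwt.util.tools.shared.StringUtils;

/**
 * GWT RPC servlet base class that enforces XSRF protection using a token
 * carried in a request header instead of the GWT default (token embedded in
 * the RPC payload).
 * <p>
 * The expected token is the {@code byte[]} stored in the HTTP session under
 * {@link OvirtXsrfTokenServiceServlet#XSRF_TOKEN}, rendered as a hex string;
 * the presented token is read from the
 * {@link XsrfRpcRequestBuilder#XSRF_TOKEN_HEADER} request header. Requests to
 * methods selected by {@link #shouldValidateXsrfToken(Method)} are rejected
 * with a {@link RpcTokenException} unless the two match.
 */
public class OvirtXsrfProtectedServiceServlet extends XsrfProtectedServiceServlet {

    private static final long serialVersionUID = 1802731419400198238L;

    /**
     * Compares the presented token against the one bound to the current
     * session.
     *
     * @param token
     *            token extracted from the request header; must be an
     *            {@link XsrfToken}
     * @param method
     *            method being invoked (not used by the comparison itself)
     * @throws RpcTokenException
     *             if the token is absent, of an unexpected type, the session
     *             holds no expected token, or the values differ
     */
    @Override
    protected void validateXsrfToken(RpcToken token, Method method) {
        if (token == null) {
            throw new RpcTokenException("XSRF token missing"); //$NON-NLS-1$
        }
        if (!(token instanceof XsrfToken)) {
            // Reject cleanly rather than failing with a ClassCastException.
            throw new RpcTokenException("Invalid XSRF token"); //$NON-NLS-1$
        }

        // Do not create a session for a request that has none: such a request
        // can never have been issued a token, so it is simply rejected.
        HttpSession session = getThreadLocalRequest().getSession(false);
        byte[] expectedBytes = session == null
                ? null
                : (byte[]) session.getAttribute(OvirtXsrfTokenServiceServlet.XSRF_TOKEN);
        if (expectedBytes == null) {
            // Previously a missing session attribute surfaced as a NullPointerException
            // from StringUtils.toHexString; treat it as a failed validation instead.
            throw new RpcTokenException("Invalid XSRF token"); //$NON-NLS-1$
        }

        String expectedToken = StringUtils.toHexString(expectedBytes);
        String presentedToken = ((XsrfToken) token).getToken();
        if (presentedToken == null || !constantTimeEquals(expectedToken, presentedToken)) {
            throw new RpcTokenException("Invalid XSRF token"); //$NON-NLS-1$
        }
    }

    /**
     * Compares two token strings without short-circuiting on the first
     * differing byte, so that the comparison time does not reveal how much of
     * the token matched. Both arguments must be non-null.
     *
     * @param expected
     *            token bound to the session
     * @param presented
     *            token supplied by the client
     * @return {@code true} if the two strings are byte-for-byte equal
     */
    private static boolean constantTimeEquals(String expected, String presented) {
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Reads the XSRF token from the
     * {@link XsrfRpcRequestBuilder#XSRF_TOKEN_HEADER} header of the current
     * request.
     *
     * @return the token, or {@code null} if the header is absent, present more
     *         than once, or header access is not available on this request
     */
    private XsrfToken extractTokenFromRequest() {
        Enumeration<String> values =
                getThreadLocalRequest().getHeaders(XsrfRpcRequestBuilder.XSRF_TOKEN_HEADER);
        if (values == null) {
            // The servlet API allows a container to return null when header
            // access is denied; Collections.list(null) would throw.
            return null;
        }
        List<String> header = Collections.list(values);
        // Exactly one header value is required; duplicates are treated as absent.
        return header.size() == 1 ? new XsrfToken(header.get(0)) : null;
    }

    /**
     * Validates the header-carried token after the RPC request has been
     * deserialized, for every method that
     * {@link #shouldValidateXsrfToken(Method)} selects.
     *
     * @param rpcRequest
     *            the deserialized RPC request
     * @throws RpcTokenException
     *             if validation is required and fails
     */
    @Override
    protected void onAfterRequestDeserialized(RPCRequest rpcRequest) {
        Method method = rpcRequest.getMethod();
        if (shouldValidateXsrfToken(method)) {
            validateXsrfToken(extractTokenFromRequest(), method);
        }
    }

    /**
     * Override this method to change default XSRF enforcement logic.
     *
     * @param method
     *            Method being invoked
     * @return {@code true} if XSRF token should be verified, {@code false}
     *         otherwise
     */
    protected boolean shouldValidateXsrfToken(Method method) {
        return Util.isMethodXsrfProtected(method, XsrfProtect.class, NoXsrfProtect.class, RpcToken.class);
    }
}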