GWT (2.4.0) + XSRF

I am trying to get XSRF to work with my webapp, to no avail. I am considering a typical login implementation.

I followed the Google code. I changed my web.xml to include:

<servlet>
    <servlet-name>xsrf</servlet-name>
    <servlet-class>com.google.gwt.user.server.rpc.XsrfTokenServiceServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>xsrf</servlet-name>
    <url-pattern>/gwt/xsrf</url-pattern>
</servlet-mapping>

<context-param>
    <param-name>gwt.xsrf.session_cookie_name</param-name>
    <param-value>JSESSIONID</param-value>
</context-param>

and made the Impl of my login service on the server extend XsrfProtectedServiceServlet. As far as I understand, no other changes are required on the server. Is there anything else to be added, for example the method that returns an RpcToken (as in the interface that I implement)?

On the client side, I use annotations.

@XsrfProtect
@RemoteServiceRelativePath("login")
public interface LoginService extends RemoteService {
    String check(String user, String pass) throws IllegalArgumentException;
}

This is probably where I am missing something. Google gives a hint: "Tip: To specify which RpcToken implementation GWT should generate serializers for, use the @RpcTokenImplementation annotation." I am not sure what this means, or whether I need another method to return an RpcToken.

My asynchronous interface looks like this:

public interface LoginServiceAsync {
    //Returns the Session ID
    void check(String user, String pass, AsyncCallback<String> callback);
}

RPC xsrf … Google:

XsrfTokenServiceAsync xsrf = (XsrfTokenServiceAsync) GWT.create(XsrfTokenService.class);
((ServiceDefTarget) xsrf).setServiceEntryPoint(GWT.getModuleBaseURL() + "xsrf");
xsrf.getNewXsrfToken(new AsyncCallback<XsrfToken>() {

    public void onSuccess(XsrfToken token) {
        LoginServiceAsync rpc = (LoginServiceAsync) GWT.create(LoginService.class);
        // the proxy generated for an @XsrfProtect service implements HasRpcToken
        ((HasRpcToken) rpc).setRpcToken(token);

        // make XSRF protected RPC call
        rpc.check(user, pass, new AsyncCallback<String>() {
            // ...
        });
    }

    public void onFailure(Throwable caught) {
        try {
            throw caught;
        } catch (RpcTokenException e) {
            // Can be thrown for several reasons:
            //   - duplicate session cookie, which may be a sign of a cookie
            //     overwrite attack
            //   - XSRF token cannot be generated because session cookie isn't
            //     present
        } catch (Throwable e) {
            // unexpected
        }
    }
});

… getNewXsrfToken … xsrf: GWT.getModuleBaseURL() + "xsrf" …

… JSP: XsrfTokenUtil.getToken(request.getSession().getId()). JSP … jsp … Google (i.e. getNewXsrfToken) … Google XSRF.


+3
1
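To make the server-side contract concrete, here is a small model of the token scheme the question is wiring up. It is an added example, not code from the post or from GWT itself: GWT 2.4's XsrfTokenServiceServlet issues the MD5 hex digest of the session cookie value as the token, and XsrfProtectedServiceServlet recomputes that digest from the cookie on every @XsrfProtect call and compares it to the RpcToken the client attached. The function names, the minimal Cookie-header parser, the error strings and the sample cookie value `abc123` are this example's own assumptions; only the hashing rule and the two rejection cases (duplicate cookie, missing cookie) follow what GWT does.

```python
"""Model of GWT 2.4's session-cookie-bound XSRF token check (added example, not GWT code)."""
import hashlib
import hmac

SESSION_COOKIE_NAME = "JSESSIONID"  # the gwt.xsrf.session_cookie_name value from web.xml


class RpcTokenError(Exception):
    """Stand-in for GWT's RpcTokenException."""


def parse_cookie_header(header):
    # Minimal Cookie header parser (this example's own, not GWT's Util.getCookie).
    pairs = []
    for part in (header or "").split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def session_cookie_value(cookie_header):
    """Pick the session cookie the way GWT does: exactly one copy must be present.

    Two JSESSIONID cookies mean the server cannot tell which one the browser
    "really" holds, which is what a cookie-overwrite attack produces, so the
    request is rejected. A missing or empty cookie means there is nothing to
    bind a token to.
    """
    values = [v for n, v in parse_cookie_header(cookie_header) if n == SESSION_COOKIE_NAME]
    if len(values) > 1:
        raise RpcTokenError("Duplicate cookie! Cookie override attack?")
    if not values or not values[0]:
        raise RpcTokenError("Session cookie is not set or empty!")
    return values[0]


def issue_xsrf_token(cookie_header):
    """What /gwt/xsrf (getNewXsrfToken) returns: MD5 hex digest of the session cookie value."""
    return hashlib.md5(session_cookie_value(cookie_header).encode()).hexdigest()


def validate_xsrf_token(cookie_header, presented_token):
    """Check XsrfProtectedServiceServlet performs before an @XsrfProtect method runs."""
    expected = issue_xsrf_token(cookie_header)  # recomputed from the cookie on every call
    if not presented_token or not hmac.compare_digest(expected, presented_token):
        raise RpcTokenError("Invalid RPC token (XSRF token differs)")
    return True


def rpc_outcome(cookie_header, presented_token):
    """Return 'OK' or the rejection reason, so the scenarios below are easy to compare."""
    try:
        validate_xsrf_token(cookie_header, presented_token)
        return "OK"
    except RpcTokenError as e:
        return str(e)


def scenarios():
    """Constructed requests: a legitimate client, cross-site forgeries, a cookie-overwrite attempt."""
    cookie = "JSESSIONID=abc123"          # constructed session cookie
    token = issue_xsrf_token(cookie)      # what the client gets from XsrfTokenServiceAsync
    return {
        # same-origin client: cookie plus the token derived from it
        "legit": rpc_outcome(cookie, token),
        # attacker's page: the browser attaches the cookie, but the attacker
        # cannot read it, so no valid token can be attached
        "csrf_no_token": rpc_outcome(cookie, None),
        # attacker guesses a token value
        "csrf_bad_token": rpc_outcome(cookie, "0" * 32),
        # two JSESSIONID cookies reach the server (cookie-overwrite pattern)
        "duplicate_cookie": rpc_outcome("JSESSIONID=abc123; JSESSIONID=attacker", token),
        # no session cookie at all: no token can be generated or checked
        "no_cookie": rpc_outcome("", token),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:17s} -> {result}")
```

Two things follow from the model. The token is a pure function of the session cookie, so it stays valid for the whole session and only needs to be fetched once per session, not before every call. And the protection rests entirely on the attacker not being able to read JSESSIONID: the servlet never compares against anything stored server-side, it only checks that the caller could compute a digest of the cookie the browser sent.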

… GWT.getModuleBaseURL() + "xsrf" … "gwt/xsrf" … cookie JSESSIONID … Cookies.setCookie("JSESSIONID", "JSESSIONID", null, null, "/", false); … my onModuleLoad().

+4
