Reviewers: Ray Ryan,

Message:
Review requested.

Description:
Re-add the check that was removed in r5731, but allow the behavior to be
overridden.

Please review this at http://gwt-code-reviews.appspot.com/179801

Affected files:
  M user/src/com/google/gwt/user/server/rpc/RemoteServiceServlet.java


Index: user/src/com/google/gwt/user/server/rpc/RemoteServiceServlet.java
diff --git a/user/src/com/google/gwt/user/server/rpc/RemoteServiceServlet.java b/user/src/com/google/gwt/user/server/rpc/RemoteServiceServlet.java
index 86c39b5a328f496ccf2bbd3a638767f283f9b373..9e8036debe497c488cb24c277384cff5df509bfe 100644
--- a/user/src/com/google/gwt/user/server/rpc/RemoteServiceServlet.java
+++ b/user/src/com/google/gwt/user/server/rpc/RemoteServiceServlet.java
@@ -181,6 +181,9 @@ public class RemoteServiceServlet extends AbstractRemoteServiceServlet
 * exception (the exception will be the one thrown by the service)
    */
   public String processCall(String payload) throws SerializationException {
+    // First, check for possible XSRF situation
+    checkPermutationStrongName();
+
     try {
RPCRequest rpcRequest = RPC.decodeRequest(payload, this.getClass(), this);
       onAfterRequestDeserialized(rpcRequest);
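Review bot: The guard added at the top of processCall runs outside the try block that follows, so the SecurityException it throws escapes processCall rather than being turned into an RPC failure response; whether the caller (presumably doPost in AbstractRemoteServiceServlet, not visible here) maps it to a generic 500 without echoing the message to the client cannot be confirmed from this hunk and is worth checking. The one-line comment could also say why the header's absence is suspicious, e.g. `// Reject requests lacking the X-GWT-Permutation header before touching the payload: browsers do not attach custom headers to cross-site form posts, so its absence suggests XSRF.` processCall's body continues outside the hunk.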
@@ -232,6 +235,24 @@ public class RemoteServiceServlet extends AbstractRemoteServiceServlet
   }

   /**
+   * This method is called by {...@link #processCall(String)} and will throw a
+   * SecurityException if {...@link #getPermutationStrongName()} returns
+ * <code>null</code>. This method can be overridden to be a no-op if there are
+   * clients that are not expected to provide the
+ * {...@value com.google.gwt.user.client.rpc.RpcRequestBuilder#STRONG_NAME_HEADER}
+   * header.
+   *
+ * @throws SecurityException if {...@link #getPermutationStrongName()} returns
+   *           <code>null</code>
+   */
+  protected void checkPermutationStrongName() throws SecurityException {
+    if (getPermutationStrongName() == null) {
+      throw new SecurityException(
+          "Blocked request without GWT permutation header (XSRF attack?)");
+    }
+  }
+
+  /**
* Gets the {...@link SerializationPolicy} for given module base URL and strong
    * name if there is one.
    *
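Review bot: The new checkPermutationStrongName only tests for presence of the strong name, so any request that carries the header with an arbitrary value passes; that is the usual custom-header XSRF defence, but the Javadoc should state it plainly so nobody reads this as validating the permutation. Suggested addition after the first sentence: `Only the presence of the header is checked; its value is not validated against a known permutation. The protection relies on browsers not attaching custom headers to cross-site requests.` The Javadoc should also warn that overriding this method as a no-op removes the XSRF guard for the whole servlet, so an override that merely skips the check for specific trusted clients is preferable. How getPermutationStrongName derives its value is not visible in this hunk, so the header-based reasoning above is inferred from the message text on the throw line.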

