Reviewers: jat, rjrjr, bobv, xtof,
Description:
This change adds a couple of things:
- abstract class which calls abstract XSRF token validation method based on annotations (@XsrfProtect, @NoXsrfProtect).
- GWT RPC XSRF protection based on the above class, which uses a cookie to store the XSRF token and requires RPC calls to methods/services annotated with @XsrfProtect to have the value of the XSRF cookie included in the XsrfToken set on an RPC endpoint using the HasRpcToken interface.
- SSL-only applications can tie the XSRF cookie value to a session cookie to protect against blind active HTTP man-in-the-middle attacks.
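As an added illustration of the annotation-driven check described above (this is example code, not the code under review or GWT's own implementation), the snippet below resolves @XsrfProtect / @NoXsrfProtect precedence per method and validates a client token against one derived from the session cookie, as in the SSL-only variant. The annotation stand-ins, the hash choice and the sample cookie value are this example's assumptions.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Hypothetical stand-ins for the annotations the change introduces.
@Retention(RetentionPolicy.RUNTIME) @interface XsrfProtect {}
@Retention(RetentionPolicy.RUNTIME) @interface NoXsrfProtect {}

public class XsrfCheckExample {
    // A method-level annotation wins; otherwise fall back to the service-level one.
    static boolean requiresXsrfToken(Method m) {
        if (m.isAnnotationPresent(NoXsrfProtect.class)) return false;
        if (m.isAnnotationPresent(XsrfProtect.class)) return true;
        Class<?> svc = m.getDeclaringClass();
        return svc.isAnnotationPresent(XsrfProtect.class)
            && !svc.isAnnotationPresent(NoXsrfProtect.class);
    }

    // SSL-only variant: the expected token is derived from the session cookie, so a
    // cookie injected over plain HTTP by an active MITM cannot match it.
    // (SHA-256 is this example's choice, not necessarily what the change uses.)
    static String expectedToken(String sessionCookieValue) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256")
            .digest(sessionCookieValue.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Compare the token carried in the RPC call with the expected one in constant time.
    static boolean validate(String clientToken, String expected) {
        return clientToken != null && MessageDigest.isEqual(
            clientToken.getBytes(StandardCharsets.UTF_8),
            expected.getBytes(StandardCharsets.UTF_8));
    }

    // Hypothetical service: protected as a whole, with one explicitly exempt method.
    @XsrfProtect
    interface AccountService { void transfer(); @NoXsrfProtect void ping(); }

    public static void main(String[] args) throws Exception {
        String sessionCookie = "constructed-session-id";  // constructed sample value
        String expected = expectedToken(sessionCookie);
        Method transfer = AccountService.class.getMethod("transfer");
        Method ping = AccountService.class.getMethod("ping");
        System.out.println("transfer needs token: " + requiresXsrfToken(transfer));
        System.out.println("ping needs token: " + requiresXsrfToken(ping));
        System.out.println("matching token accepted: " + validate(expected, expected));
        System.out.println("stale token rejected: " + !validate("stale", expected));
    }
}
```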
Please review this at http://gwt-code-reviews.appspot.com/1251801/show
Affected files:
A user/src/com/google/gwt/user/client/rpc/XsrfToken.java
A user/src/com/google/gwt/user/client/rpc/XsrfTokenService.java
A user/src/com/google/gwt/user/client/rpc/XsrfTokenServiceAsync.java
A user/src/com/google/gwt/user/server/rpc/AbstractXsrfProtectedServiceServlet.java
A user/src/com/google/gwt/user/server/rpc/NoXsrfProtect.java
A user/src/com/google/gwt/user/server/rpc/XsrfProtect.java
A user/src/com/google/gwt/user/server/rpc/XsrfProtectedServiceServlet.java
A user/src/com/google/gwt/user/server/rpc/XsrfTokenServiceServlet.java
A user/src/com/google/gwt/user/server/rpc/XsrfUtils.java
M user/test/com/google/gwt/user/RPCSuite.gwt.xml
M user/test/com/google/gwt/user/RPCSuite.java
A user/test/com/google/gwt/user/client/rpc/XsrfProtectionTest.java
A user/test/com/google/gwt/user/client/rpc/XsrfTestService.java
A user/test/com/google/gwt/user/client/rpc/XsrfTestServiceAsync.java
A user/test/com/google/gwt/user/server/rpc/AbstractXsrfProtectedServiceServletTest.java
A user/test/com/google/gwt/user/server/rpc/MockXsrfProtectedServiceServlet.java
A user/test/com/google/gwt/user/server/rpc/MockXsrfTokenServiceImpl.java
A user/test/com/google/gwt/user/server/rpc/XsrfTestServiceImpl.java
--
http://groups.google.com/group/Google-Web-Toolkit-Contributors