Revision: 9759
Author: [email protected]
Date: Wed Feb 23 14:40:04 2011
Log: Small refactoring, move annotations logic out to Util.
http://code.google.com/p/google-web-toolkit/source/detail?r=9759
Modified:
/trunk/user/src/com/google/gwt/user/server/Util.java
/trunk/user/src/com/google/gwt/user/server/rpc/AbstractXsrfProtectedServiceServlet.java
=======================================
--- /trunk/user/src/com/google/gwt/user/server/Util.java Sun Feb 6
16:09:46 2011
+++ /trunk/user/src/com/google/gwt/user/server/Util.java Wed Feb 23
14:40:04 2011
@@ -16,6 +16,7 @@
package com.google.gwt.user.server;
import java.lang.annotation.Annotation;
+import java.lang.reflect.Method;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
@@ -100,6 +101,59 @@
}
return cookieToReturn;
}
+
+ /**
+ * Checks if specified method is XSRF protected based on the following
logic:
+ *
+ * <ul>
+ * <li>Method level annotations override class level annotations.
+ * <li>If method is annotated with {@code xsrfAnnotation} this
+ * method returns {@code true}
+ * <li>If method is annotated with {@code noXsrfAnnotation}, this method
+ * returns {@code false}.
+ * <li>If class is annotated with {@code xsrfAnnotation} and method is
not
+ * annotated, this method returns {@code true}.
+ * <li>If class is annotated with {@code noXsrfAnnotation} and method
is not
+ * annotated, this method returns {@code false}.
+ * <li>If no annotations are present and class has a method with return
value
+ * assignable from {@code xsrfTokenInterface}, this method returns
+ * {@code true}.
+ * <li>If no annotations are present this method returns {@code false}.
+ * </ul>
+ *
+ * @see
com.google.gwt.user.server.rpc.AbstractXsrfProtectedServiceServlet
+ */
+ public static boolean isMethodXsrfProtected(Method method,
+ Class<? extends Annotation> xsrfAnnotation,
+ Class<? extends Annotation> noXsrfAnnotation,
+ Class<?> xsrfTokenInterface) {
+ Class<?> declaringClass = method.getDeclaringClass();
+
+ if (method.getAnnotation(noXsrfAnnotation) != null ||
+ (Util.getClassAnnotation(
+ declaringClass, noXsrfAnnotation) != null &&
+ method.getAnnotation(xsrfAnnotation) == null)) {
+ // XSRF protection is disabled
+ return false;
+ }
+
+ if (Util.getClassAnnotation(declaringClass, xsrfAnnotation) != null ||
+ method.getAnnotation(xsrfAnnotation) != null) {
+ return true;
+ }
+
+ // if no explicit annotation is given no XSRF token verification is
done,
+ // unless there's a method returning RpcToken in which case XSRF token
+ // verification is performed for all methods
+ Method[] classMethods = declaringClass.getMethods();
+ for (Method classMethod : classMethods) {
+ if (xsrfTokenInterface.isAssignableFrom(classMethod.getReturnType())
&&
+ !method.equals(classMethod)) {
+ return true;
+ }
+ }
+ return false;
+ }
private Util() {
}
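Review bot: A method that carries both annotations resolves to unprotected, because the first check `method.getAnnotation(noXsrfAnnotation) != null` returns `false` before the method's own `xsrfAnnotation` is consulted, and the Javadoc list does not cover that case. Now that this is a public helper in `Util`, I would either state the precedence in the Javadoc, e.g. `<li>If method is annotated with both, {@code noXsrfAnnotation} wins and this method returns {@code false}.`, or make the conflict fail closed. The class-level lookups start from `method.getDeclaringClass()`, so annotations on a subclass that only inherits the method are presumably not seen; this depends on how callers obtain the `Method` and deserves a sentence in the Javadoc as well. The doc comment also lacks `@param` and `@return` tags for the four parameters.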
=======================================
---
/trunk/user/src/com/google/gwt/user/server/rpc/AbstractXsrfProtectedServiceServlet.java
Sun Feb 6 16:09:46 2011
+++
/trunk/user/src/com/google/gwt/user/server/rpc/AbstractXsrfProtectedServiceServlet.java
Wed Feb 23 14:40:04 2011
@@ -57,32 +57,8 @@
* otherwise
*/
protected boolean shouldValidateXsrfToken(Method method) {
- Class<?> servletClass = method.getDeclaringClass();
-
- if (method.getAnnotation(NoXsrfProtect.class) != null ||
- (Util.getClassAnnotation(
- servletClass, NoXsrfProtect.class) != null &&
- method.getAnnotation(XsrfProtect.class) == null)) {
- // XSRF protection is disabled
- return false;
- }
-
- if (Util.getClassAnnotation(servletClass, XsrfProtect.class) != null ||
- method.getAnnotation(XsrfProtect.class) != null) {
- return true;
- }
-
- // if no explicit annotation is given no XSRF token verification is
done,
- // unless there's a method returning RpcToken in which case XSRF token
- // verification is performed for all methods
- Method[] classMethods = servletClass.getMethods();
- for (Method classMethod : classMethods) {
- if (RpcToken.class.isAssignableFrom(classMethod.getReturnType()) &&
- !method.equals(classMethod)) {
- return true;
- }
- }
- return false;
+ return Util.isMethodXsrfProtected(method, XsrfProtect.class,
+ NoXsrfProtect.class, RpcToken.class);
}
/**