GWT (2.4.0) + XSRF


Problem description

I've been trying to get XSRF working on a webapp to no avail. I am looking at a typical login implementation.

I am following Google's code. I changed my web.xml to include:

<servlet>
    <servlet-name>xsrf</servlet-name>
    <servlet-class>com.google.gwt.user.server.rpc.XsrfTokenServiceServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>xsrf</servlet-name>
    <url-pattern>/gwt/xsrf</url-pattern>
</servlet-mapping>

<context-param>
    <param-name>gwt.xsrf.session_cookie_name</param-name>
    <param-value>JSESSIONID</param-value>
</context-param>

and extended XsrfProtectedServiceServlet on the server Impl file of my login service. It is my understanding that no other change is needed on the server. Do I need to add anything else, such as a method that returns an RpcToken here (as well as in the interface I am implementing)?

On the client side, I use annotations.

@XsrfProtect
@RemoteServiceRelativePath("login")
public interface LoginService extends RemoteService {
    String check(String user, String pass) throws IllegalArgumentException;
}

This is probably where I am missing something. Google says in a tip: "Tip: To specify which RpcToken implementation GWT should generate serializers for, use the @RpcTokenImplementation annotation." Not sure what that means or if I need another method here to return an RpcToken.

My async interface is like this:

public interface LoginServiceAsync {
    //Returns the Session ID
    void check(String user, String pass, AsyncCallback<String> callback);
}

Then for my actual RPC call, I wrap my code around the XSRF token request. I use code identical to Google's:

XsrfTokenServiceAsync xsrf = (XsrfTokenServiceAsync)GWT.create(XsrfTokenService.class);
((ServiceDefTarget)xsrf).setServiceEntryPoint(GWT.getModuleBaseURL() + "xsrf");
xsrf.getNewXsrfToken(new AsyncCallback<XsrfToken>() {

    public void onSuccess(XsrfToken token) {
        LoginServiceAsync rpc = (LoginServiceAsync)GWT.create(LoginService.class);
        ((HasRpcToken) rpc).setRpcToken(token);

        // make XSRF protected RPC call
        rpc.check(user, pass, new AsyncCallback<String>() {
            // ...
        });
    }

    public void onFailure(Throwable caught) {
        try {
            throw caught;
        } catch (RpcTokenException e) {
            // Can be thrown for several reasons:
            //   - duplicate session cookie, which may be a sign of a cookie
            //     overwrite attack
            //   - XSRF token cannot be generated because session cookie isn't
            //     present
        } catch (Throwable e) {
            // unexpected
        }
    }
});

The complaint I have is that the call to getNewXsrfToken fails, as it doesn't know the xsrf location from the call here: GWT.getModuleBaseURL() + "xsrf". I get the feeling there is a token handshake missing which causes this error, but I am not sure.

Lastly, I also tried implementing Nick Siderakis' code, but his example uses a JSP page which asks the server: XsrfTokenUtil.getToken(request.getSession().getId()). I do not want to use JSP pages and I have not figured out how to perform this without a JSP page. His code also diverges from the Google code example (i.e. he doesn't call getNewXsrfToken), so I do not know if it is the "preferred" Google way of dealing with XSRF.

Any ideas as to what I am missing? Thanks.

Edit

Below...

Recommended answer

OK, I figured out the problem. I had to change GWT.getModuleBaseURL() + "xsrf" to "gwt/xsrf" in my code above, as it wasn't pointing to the right place, as I suspected. In addition, the server could not find a JSESSIONID cookie, so I followed this and added Cookies.setCookie("JSESSIONID", "JSESSIONID", null, null, "/", false); inside my onModuleLoad(). That did it. Cheers.
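The question mentions a server-side Impl that extends XsrfProtectedServiceServlet but never shows it. The class below is an added example written for this page; it is not the asker's code and not taken from GWT's documentation. It assumes the LoginService interface from the question lives in a com.example.client package, places the servlet in com.example.server, and uses constructed demo credentials in place of a real credential store.

```java
package com.example.server;  // hypothetical package, assumed for this example

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import com.example.client.LoginService;  // the interface from the question; package assumed
import com.google.gwt.user.server.rpc.XsrfProtectedServiceServlet;

/**
 * Server side of the LoginService shown in the question. Extending
 * XsrfProtectedServiceServlet is the only XSRF-specific step: before check()
 * runs, the parent class compares the XsrfToken the client attached with
 * HasRpcToken.setRpcToken() against the session cookie named in web.xml
 * (gwt.xsrf.session_cookie_name) and rejects the call with an
 * RpcTokenException if the token is missing or does not match.
 */
public class LoginServiceImpl extends XsrfProtectedServiceServlet implements LoginService {

    // Constructed demo credentials for this example only; a real service
    // would verify against a credential store holding salted password hashes.
    private static final byte[] DEMO_USER = "alice".getBytes(StandardCharsets.UTF_8);
    private static final byte[] DEMO_PASS = "correct horse battery staple".getBytes(StandardCharsets.UTF_8);

    @Override
    public String check(String user, String pass) throws IllegalArgumentException {
        if (user == null || pass == null) {
            throw new IllegalArgumentException("user and pass are required");
        }
        // MessageDigest.isEqual compares in constant time for equal-length
        // inputs, so a wrong password fails in the same time however many
        // leading bytes happened to match.
        boolean userOk = MessageDigest.isEqual(user.getBytes(StandardCharsets.UTF_8), DEMO_USER);
        boolean passOk = MessageDigest.isEqual(pass.getBytes(StandardCharsets.UTF_8), DEMO_PASS);
        if (!(userOk & passOk)) {  // non-short-circuit & so both comparisons always run
            throw new IllegalArgumentException("invalid user name or password");
        }

        HttpServletRequest request = getThreadLocalRequest();
        // Drop the pre-login session and start a fresh one. The container then
        // issues a new JSESSIONID cookie with the response, and because the GWT
        // XSRF token is derived from that cookie value, the client must call
        // getNewXsrfToken() again before its next protected RPC (the client
        // code in the question already fetches a fresh token before each call).
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        return session.getId();  // the "session ID" the async interface promises
    }
}
```

Because the interface carries @RemoteServiceRelativePath("login"), this servlet also needs a web.xml mapping under the module's base path, e.g. a url-pattern of /MODULE_NAME/login with MODULE_NAME replaced by the actual GWT module name; that mapping sits alongside the xsrf servlet mapping already shown in the question.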
