- Timestamp:
- 11/10/08 14:58:17 (2 months ago)
- Location:
- trunk/src/com/itmill/toolkit/terminal/gwt
- Files:
-
- 3 modified
-
client/ApplicationConnection.java (modified) (4 diffs)
-
server/ApplicationServlet.java (modified) (5 diffs)
-
server/CommunicationManager.java (modified) (10 diffs)
trunk/src/com/itmill/toolkit/terminal/gwt/client/ApplicationConnection.java
r5839 r5855 26 26 import com.google.gwt.json.client.JSONValue; 27 27 import com.google.gwt.user.client.Command; 28 import com.google.gwt.user.client.Cookies; 28 29 import com.google.gwt.user.client.DOM; 29 30 import com.google.gwt.user.client.DeferredCommand; … … 61 62 public static final String VAR_BURST_SEPARATOR = "\u001d"; 62 63 64 public static final String UIDL_SECURITY_COOKIE_NAME = "com.itmill.toolkit.seckey"; 65 63 66 private final HashMap resourcesMap = new HashMap(); 64 67 … … 276 279 boolean forceSync) { 277 280 startRequest(); 281 282 // cookie double submission pattern 283 requestData = Cookies.getCookie(UIDL_SECURITY_COOKIE_NAME) 284 + VAR_BURST_SEPARATOR + requestData; 278 285 279 286 console.log("Making UIDL Request with params: " + requestData); … … 638 645 639 646 if (html.length() != 0) { 640 INotification n = new INotification(1000 * 60 * 45); // 45min647 INotification n = new INotification(1000 * 60 * 45); //45min 641 648 n.addEventListener(new NotificationRedirect(url)); 642 649 n.show(html, INotification.CENTERED_TOP, -
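Review bot: `Cookies.getCookie(UIDL_SECURITY_COOKIE_NAME)` returns null when the cookie is absent (cookies disabled, or a cookie path that does not cover the UIDL request URL), and the concatenation on the next line then ships the literal string `null` as the key, which the server-side comparison added in this same changeset will reject as an invalid key rather than as a missing cookie; guard it first, e.g. `final String secKey = Cookies.getCookie(UIDL_SECURITY_COOKIE_NAME); if (secKey == null) { console.log("Security cookie missing, request will be rejected"); }`, and only then build the burst. The `console.log("Making UIDL Request with params: " + requestData)` that follows now also prints the key — which in this changeset is the HTTP session id — into the client debug console, so log the original `requestData` before the key is prepended. The enclosing method begins before this hunk and continues after it.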
trunk/src/com/itmill/toolkit/terminal/gwt/server/ApplicationServlet.java
r5836 r5855 17 17 import java.net.MalformedURLException; 18 18 import java.net.URL; 19 import java.security.GeneralSecurityException; 19 20 import java.util.Collection; 20 21 import java.util.Enumeration; … … 27 28 import javax.servlet.ServletException; 28 29 import javax.servlet.ServletOutputStream; 30 import javax.servlet.http.Cookie; 29 31 import javax.servlet.http.HttpServlet; 30 32 import javax.servlet.http.HttpServletRequest; … … 43 45 import com.itmill.toolkit.terminal.ThemeResource; 44 46 import com.itmill.toolkit.terminal.URIHandler; 47 import com.itmill.toolkit.terminal.gwt.client.ApplicationConnection; 45 48 import com.itmill.toolkit.ui.Window; 46 49 … … 527 530 } 528 531 532 } catch (final GeneralSecurityException e) { 533 // TODO handle differently? 534 // Invalid security key, show session expired message for now 535 try { 536 Application.SystemMessages ci = getSystemMessages(); 537 if (!UIDLrequest) { 538 // 'plain' http req - e.g. browser reload; 539 // just go ahead redirect the browser 540 response.sendRedirect(ci.getSessionExpiredURL()); 541 } else { 542 // send uidl redirect 543 criticalNotification(request, response, ci 544 .getSessionExpiredCaption(), ci 545 .getSessionExpiredMessage(), ci 546 .getSessionExpiredURL()); 547 } 548 request.getSession().invalidate(); 549 } catch (SystemMessageException ee) { 550 throw new ServletException(ee); 551 } 552 529 553 } catch (final Throwable e) { 530 554 // if this was an UIDL request, response UIDL back to client … … 748 772 HttpServletResponse response, Window window, String themeName, 749 773 Application application) throws IOException, MalformedURLException { 774 775 // Security: double cookie submission pattern 776 Cookie secCookie = new Cookie( 777 ApplicationConnection.UIDL_SECURITY_COOKIE_NAME, request 778 .getSession().getId()); 779 response.addCookie(secCookie); 750 780 751 781 // e.g portlets only want a html fragment -
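Review bot: The security cookie is set to `request.getSession().getId()`, and because the client must read it with `Cookies.getCookie` it cannot be HttpOnly, so this hands the session identifier to any script running on the page and undoes the protection an HttpOnly container session cookie gives against hijacking via XSS; the cookie is also written without a Secure flag and without an explicit path. Use a random per-session token (generated with `SecureRandom` and stored as a session attribute, which needs imports for `java.security.SecureRandom`, `java.math.BigInteger` and `javax.servlet.http.HttpSession`) as the cookie value, and have the server-side check compare the submitted key against that attribute instead of against the session id. Separately, the new `catch (GeneralSecurityException e)` block calls `request.getSession().invalidate()` on any key mismatch, so a cross-site request carrying the victim's session cookie and a bogus key — exactly the request this pattern is meant to stop — now logs the victim out; reject such a request with e.g. `response.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid UIDL security key");` and log the event, without touching the session, rather than leaving `// TODO handle differently?`. The method that sets the cookie begins before this hunk and its body continues after it.
```java
        // Security: double cookie submission pattern.
        // A random per-session token is used instead of the session id so the
        // script-readable cookie never exposes the session identifier itself.
        final HttpSession session = request.getSession();
        String secKey = (String) session
                .getAttribute(ApplicationConnection.UIDL_SECURITY_COOKIE_NAME);
        if (secKey == null) {
            final byte[] rnd = new byte[16];
            new SecureRandom().nextBytes(rnd);
            secKey = new BigInteger(1, rnd).toString(16);
            session.setAttribute(
                    ApplicationConnection.UIDL_SECURITY_COOKIE_NAME, secKey);
        }
        final Cookie secCookie = new Cookie(
                ApplicationConnection.UIDL_SECURITY_COOKIE_NAME, secKey);
        if (request.isSecure()) {
            secCookie.setSecure(true);
        }
        response.addCookie(secCookie);
        // … unchanged: html / portlet fragment output …
```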
trunk/src/com/itmill/toolkit/terminal/gwt/server/CommunicationManager.java
r5807 r5855 15 15 import java.lang.reflect.InvocationTargetException; 16 16 import java.lang.reflect.Method; 17 import java.security.GeneralSecurityException; 17 18 import java.text.DateFormatSymbols; 18 19 import java.text.SimpleDateFormat; … … 217 218 public void handleUidlRequest(HttpServletRequest request, 218 219 HttpServletResponse response, ApplicationServlet applicationServlet) 219 throws IOException, ServletException { 220 throws IOException, ServletException, 221 InvalidUIDLSecurityKeyException { 220 222 221 223 // repaint requested or session has timed out and new one is created … … 573 575 private boolean handleVariables(HttpServletRequest request, 574 576 HttpServletResponse response, Application application2, 575 Window window) throws IOException {577 Window window) throws IOException, InvalidUIDLSecurityKeyException { 576 578 boolean success = true; 577 579 … … 592 594 final String[] bursts = changes.split(VAR_BURST_SEPARATOR); 593 595 594 for (int bi = 0; bi < bursts.length; bi++) { 596 // check security key (==sessionid, double cookie submission 597 if (!request.getSession().getId().equals(bursts[0])) { 598 throw new InvalidUIDLSecurityKeyException( 599 "Invalid UIDL security key"); 600 } 601 602 for (int bi = 1; bi < bursts.length; bi++) { 595 603 596 604 // extract variables to two dim string array … … 615 623 .equals(nextVariable[VAR_PID])) { 616 624 // we have more than one value changes in row for 617 // one 618 // variable owner, collect em in HashMap 625 // one variable owner, collect em in HashMap 619 626 m = new HashMap(); 620 627 m.put(variable[VAR_NAME], convertVariableValue( … … 646 653 owner.changeVariables(request, m); 647 654 648 // Special-case of closing browser-level 649 // windows: track browser-windows currently open in 650 // client 655 // Special-case of closing browser-level windows: 656 // track browser-windows currently open in client 651 657 if (owner instanceof Window 652 658 && ((Window) owner).getParent() == null) { … … 
695 701 // Still we must clear component tree between bursts to ensure 696 702 // that no removed components are updated. The painting after 697 // the 698 // last burst is handled normally by the calling method. 703 // the last burst is handled normally by the calling method. 699 704 if (bi < bursts.length - 1) { 700 705 … … 1015 1020 logoutUrl = application.getURL().toString(); 1016 1021 } 1017 // clients JS app is still running, send a special json file to 1018 // tellclient that application has quit and where to point browser now1022 // clients JS app is still running, send a special json file to tell 1023 // client that application has quit and where to point browser now 1019 1024 // Set the response type 1020 1025 response.setContentType("application/json; charset=UTF-8"); … … 1068 1073 1069 1074 // The following algorithm removes any components that would be painted 1070 // as 1071 // a direct descendant of other components from the dirty components 1072 // list. 1073 // The result is that each component should be painted exactly once and 1074 // any unmodified components will be painted as "cached=true". 1075 // as a direct descendant of other components from the dirty components 1076 // list. The result is that each component should be painted exactly 1077 // once and any unmodified components will be painted as "cached=true". 1075 1078 1076 1079 for (final Iterator i = dirtyPaintabletSet.iterator(); i.hasNext();) { … … 1300 1303 } 1301 1304 1305 private class InvalidUIDLSecurityKeyException extends 1306 GeneralSecurityException { 1307 1308 InvalidUIDLSecurityKeyException(String message) { 1309 super(message); 1310 } 1311 1312 } 1302 1313 }
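Review bot: The key check `if (!request.getSession().getId().equals(bursts[0]))` in handleVariables uses `request.getSession()`, which creates a fresh session when the client's session has already expired, so a plain timeout is reported as an invalid security key (and the servlet's new handler then invalidates that just-created session); use `final HttpSession session = request.getSession(false);` and treat `session == null` as the expired case before comparing. `String.equals` returns as soon as one character differs, so for a secret compared against attacker-controlled input prefer a constant-time comparison such as `MessageDigest.isEqual(expected.getBytes(), bursts[0].getBytes())` (older JDKs' implementation of that method also short-circuits, so check the target runtime). `InvalidUIDLSecurityKeyException` should be declared `private static class` and carry a `serialVersionUID`: as a non-static inner class every instance pins the enclosing CommunicationManager, and a private type in the `throws` clause of the public `handleUidlRequest` cannot be named by callers, who are left catching `GeneralSecurityException`. handleVariables begins and ends outside this hunk.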
