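I have taken over an old project developed with GWT 2.5.0. I need to implement CSRF protection, and I am following the tutorial here.
But I'm a bit stuck.
My project looks like this:
Server side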

    public interface ParameterServiceAsync {
        void getProperties( AsyncCallback<com.[...].model.PropertiesDto> callback );

        /**
         * Utility class to get the RPC Async interface from client-side code
         */
        public static final class Util
        {
            private static ParameterServiceAsync instance;

            public static final ParameterServiceAsync getInstance()
            {
                if ( instance == null )
                {
                    instance = (ParameterServiceAsync) GWT.create( ParameterService.class );
                }
                return instance;
            }

            private Util()
            {
                // Utility class should not be instantiated
            }
        }
    }

When I want to make an RPC call (for example):

    public void onModuleLoad() {
        ParameterServiceAsync.Util.getInstance().getProperties(new AsyncCallback<PropertiesDto>() {
            @Override
            public void onSuccess(PropertiesDto result) {
                PropertiesDto = result;
                [...]
            }

            @Override
            public void onFailure(Throwable caught) {
                [...]
            }
        });
    }

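The Async interface is generated automatically by the Maven goal gwt:generateAsync.
But if I want to apply the GWT tutorial for XSRF protection, I should do something like this: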

    public void onModuleLoad() {
        XsrfTokenServiceAsync xsrf = (XsrfTokenServiceAsync)GWT.create(XsrfTokenService.class);
        ((ServiceDefTarget)xsrf).setServiceEntryPoint(GWT.getModuleBaseURL() + "xsrf");
        xsrf.getNewXsrfToken(new AsyncCallback<XsrfToken>() {
            public void onSuccess(XsrfToken token) {
                // attach the token to the RPC proxy (the cast applies to the proxy instance)
                ((HasRpcToken) ParameterServiceAsync.Util.getInstance()).setRpcToken(token);
                // make XSRF protected RPC call
                ParameterServiceAsync.Util.getInstance().getProperties(new AsyncCallback<PropertiesDto>() {
                    @Override
                    public void onSuccess(PropertiesDto result) {
                        PropertiesDto = result;
                        [...]
                    }

                    @Override
                    public void onFailure(Throwable caught) {
                        [...]
                    }
                });
            }

            public void onFailure(Throwable caught) {
                try {
                    throw caught;
                } catch (RpcTokenException e) {
                    // Can be thrown for several reasons:
                    // - duplicate session cookie, which may be a sign of a cookie
                    //   overwrite attack
                    // - XSRF token cannot be generated because session cookie isn't
                    //   present
                } catch (Throwable e) {
                    // unexpected
                }
            }
        });
    }

This is not good for me.
Is there any way to do something like this?

    ParameterServiceAsync.Util.getSecureXsrfInstance().getProperties(new AsyncCallback<PropertiesDto>() {
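
One way to get close to the getSecureXsrfInstance() asked about above, as an added example that is not part of the original post and not GWT's own code: the token arrives asynchronously, so the helper hands the token-carrying proxy to a callback instead of returning it. The class XsrfRpc and its methods secure() and invalidate() are hypothetical names; the GWT types and the "xsrf" entry point are the ones used in the post's tutorial code.

```java
import com.google.gwt.core.client.GWT;
import com.google.gwt.user.client.rpc.AsyncCallback;
import com.google.gwt.user.client.rpc.HasRpcToken;
import com.google.gwt.user.client.rpc.ServiceDefTarget;
import com.google.gwt.user.client.rpc.XsrfToken;
import com.google.gwt.user.client.rpc.XsrfTokenService;
import com.google.gwt.user.client.rpc.XsrfTokenServiceAsync;

/** Hypothetical helper (not part of GWT): fetches the XSRF token once and attaches it to RPC proxies. */
public final class XsrfRpc {
    private static XsrfToken cachedToken; // kept for the lifetime of the loaded module

    private XsrfRpc() {}

    /** Drops the cached token, e.g. after the session has been renewed. */
    public static void invalidate() { cachedToken = null; }

    // Usage: XsrfRpc.secure(ParameterServiceAsync.Util.getInstance(),
    //            new AsyncCallback<ParameterServiceAsync>() { ... service.getProperties(...) ... });
    public static <S> void secure(final S service, final AsyncCallback<S> ready) {
        if (cachedToken != null) {
            ((HasRpcToken) service).setRpcToken(cachedToken); // proxies from GWT.create() implement HasRpcToken
            ready.onSuccess(service);
            return;
        }
        XsrfTokenServiceAsync xsrf = (XsrfTokenServiceAsync) GWT.create(XsrfTokenService.class);
        // Same token service entry point as in the tutorial code above
        ((ServiceDefTarget) xsrf).setServiceEntryPoint(GWT.getModuleBaseURL() + "xsrf");
        xsrf.getNewXsrfToken(new AsyncCallback<XsrfToken>() {
            @Override
            public void onSuccess(XsrfToken token) {
                cachedToken = token;
                ((HasRpcToken) service).setRpcToken(token);
                ready.onSuccess(service);
            }

            @Override
            public void onFailure(Throwable caught) {
                // Includes RpcTokenException (e.g. missing session cookie): no token, no protected call
                ready.onFailure(caught);
            }
        });
    }
}
```

The token stays set on the shared proxy returned by Util.getInstance(), so later calls through that instance carry it as well.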