GWT (2.5.0) + XSRF protection

Time: 2019-01-16 16:03:22

Tags: java gwt csrf rpc

I have taken over an old project developed with GWT 2.5.0. I need to implement CSRF protection and am following the tutorial here

However, I'm a bit stuck.

My project looks like this:

Service

```java
import com.google.gwt.core.client.GWT;
import com.google.gwt.user.client.rpc.AsyncCallback;

public interface ParameterServiceAsync {

    void getProperties( AsyncCallback<com.[...].model.PropertiesDto> callback );

    /**
     * Utility class to get the RPC Async interface from client-side code
     */
    public static final class Util
    {
        private static ParameterServiceAsync instance;

        public static final ParameterServiceAsync getInstance()
        {
            if ( instance == null )
            {
                instance = (ParameterServiceAsync) GWT.create( ParameterService.class );
            }
            return instance;
        }

        private Util()
        {
            // Utility class should not be instantiated
        }
    }
}
```

When I want to make an RPC call (for example):

```java
public void onModuleLoad() {
    ParameterServiceAsync.Util.getInstance().getProperties(new AsyncCallback<PropertiesDto>() {
        @Override
        public void onSuccess(PropertiesDto result) {
            propertiesDto = result; // assumed field name; the post assigns to the type name
            // [...]
        }

        @Override
        public void onFailure(Throwable caught) {
            // [...]
        }
    });
}
```

The Async interface is generated automatically by the maven goal gwt:generateAsync.

However, if I want to apply the GWT tutorial on XSRF protection, I should do something like this:

```java
public void onModuleLoad() {
    XsrfTokenServiceAsync xsrf = (XsrfTokenServiceAsync) GWT.create(XsrfTokenService.class);
    ((ServiceDefTarget) xsrf).setServiceEntryPoint(GWT.getModuleBaseURL() + "xsrf");
    xsrf.getNewXsrfToken(new AsyncCallback<XsrfToken>() {

        public void onSuccess(XsrfToken token) {
            // the cast applies to the proxy instance, not to the interface name
            ((HasRpcToken) ParameterServiceAsync.Util.getInstance()).setRpcToken(token);

            // make XSRF protected RPC call
            ParameterServiceAsync.Util.getInstance().getProperties(new AsyncCallback<PropertiesDto>() {
                @Override
                public void onSuccess(PropertiesDto result) {
                    propertiesDto = result; // assumed field name; the post assigns to the type name
                    // [...]
                }

                @Override
                public void onFailure(Throwable caught) {
                    // [...]
                }
            });
        }

        public void onFailure(Throwable caught) {
            try {
                throw caught;
            } catch (RpcTokenException e) {
                // Can be thrown for several reasons:
                //   - duplicate session cookie, which may be a sign of a cookie
                //     overwrite attack
                //   - XSRF token cannot be generated because session cookie isn't
                //     present
            } catch (Throwable e) {
                // unexpected
            }
        }
    });
}
```

This isn't good for me.

Is there any way to do something like this?

```java
ParameterServiceAsync.Util.getSecureXsrfInstance().getProperties(new AsyncCallback<PropertiesDto>() {
```
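One way to fold the token fetch into a helper so that callers never touch XsrfTokenService directly, as an added example that is not from the question or from the GWT project; SecureParameterService, withXsrf and invalidateToken are hypothetical names, while ParameterService and ParameterServiceAsync are the question's own interfaces:

```java
import com.google.gwt.core.client.GWT;
import com.google.gwt.user.client.rpc.AsyncCallback;
import com.google.gwt.user.client.rpc.HasRpcToken;
import com.google.gwt.user.client.rpc.ServiceDefTarget;
import com.google.gwt.user.client.rpc.XsrfToken;
import com.google.gwt.user.client.rpc.XsrfTokenService;
import com.google.gwt.user.client.rpc.XsrfTokenServiceAsync;

/** Hypothetical helper (not part of the question's project): fetches the XSRF token
 *  once per session, attaches it to the proxy, then hands the proxy to the caller. */
public final class SecureParameterService {
    private static final ParameterServiceAsync SERVICE =
        (ParameterServiceAsync) GWT.create(ParameterService.class);
    // GWT derives the token from the session cookie, so it stays valid only as long
    // as that cookie does; clear it on logout or after an RpcTokenException.
    private static XsrfToken cachedToken;

    private SecureParameterService() {}

    public static void invalidateToken() {
        cachedToken = null;
    }

    /** Delivers a proxy that already carries the XSRF token, or the failure cause. */
    public static void withXsrf(final AsyncCallback<ParameterServiceAsync> ready) {
        if (cachedToken != null) {
            ready.onSuccess(SERVICE);            // token already attached earlier
            return;
        }
        XsrfTokenServiceAsync xsrf =
            (XsrfTokenServiceAsync) GWT.create(XsrfTokenService.class);
        // "xsrf" must be mapped to GWT's XsrfTokenServiceServlet in web.xml
        ((ServiceDefTarget) xsrf).setServiceEntryPoint(GWT.getModuleBaseURL() + "xsrf");
        xsrf.getNewXsrfToken(new AsyncCallback<XsrfToken>() {
            @Override
            public void onSuccess(XsrfToken token) {
                cachedToken = token;
                ((HasRpcToken) SERVICE).setRpcToken(token);   // sent with every later call
                ready.onSuccess(SERVICE);
            }
            @Override
            public void onFailure(Throwable caught) {
                // RpcTokenException here means the session cookie is missing or
                // duplicated; never fall back to an unprotected call, report it
                ready.onFailure(caught);
            }
        });
    }
}
```

Calling code then invokes `SecureParameterService.withXsrf(...)` and calls `getProperties` on the proxy it receives in `onSuccess`. The token is only checked if the server-side ParameterService servlet extends XsrfProtectedServiceServlet (or the interface carries @XsrfProtect); without that, the client-side work adds no protection.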

0 answers:

No answers