/**
 * Copies the session's CSRF token into the UIDL response under the
 * {@link ApplicationConstants#UIDL_SECURITY_TOKEN_ID} key so the client can
 * echo it back on later requests. This method only writes whatever
 * {@link VaadinSession#getCsrfToken()} returns; any lazy creation of the
 * token, if it happens at all, lives inside that call.
 *
 * @param response
 *            the JSON object being sent to the client
 * @param session
 *            the session whose token is written
 */
private static void writeSecurityKeyUIDL(JsonObject response,
        VaadinSession session) {
    response.put(ApplicationConstants.UIDL_SECURITY_TOKEN_ID,
            session.getCsrfToken());
}
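/**
 * Verifies that the CSRF token sent with a request matches the token held
 * by the given session. This is the check that protects against Cross Site
 * Request Forgery: a forged cross-origin request does not know the
 * per-session token and is rejected here.
 * <p>
 * The protection is on by default. It can be switched off (for example to
 * allow a certain type of testing) by setting the init parameter
 * <code>disable-xsrf-protection</code> to <code>true</code>; when it is
 * off this method always returns <code>true</code>.
 * <p>
 * The comparison uses {@link java.security.MessageDigest#isEqual} instead
 * of {@link String#equals} so that the time it takes does not depend on how
 * many leading characters of a guessed token happen to be right. For
 * well-formed strings (no lone surrogates) the result is identical to
 * <code>sessionToken.equals(requestToken)</code>.
 *
 * @param session
 *            the vaadin session for which the check should be done
 * @param requestToken
 *            the CSRF token provided in the request, may be
 *            <code>null</code>
 * @return <code>true</code> if the token is valid or if the protection is
 *         disabled; <code>false</code> if protection is enabled and the
 *         token is missing or invalid
 * @see DeploymentConfiguration#isXsrfProtectionEnabled()
 */
public static boolean isCsrfTokenValid(VaadinSession session,
        String requestToken) {
    if (!session.getService().getDeploymentConfiguration()
            .isXsrfProtectionEnabled()) {
        // Protection disabled by deployment configuration: accept anything.
        return true;
    }
    String sessionToken = session.getCsrfToken();
    // No token on either side means the request cannot be trusted. This
    // matches the previous behaviour, where equals(null) was false.
    if (sessionToken == null || requestToken == null) {
        return false;
    }
    // Constant-time comparison; both sides are encoded the same way. Fully
    // qualified names are used so no new imports are needed in this file.
    return java.security.MessageDigest.isEqual(
            sessionToken.getBytes(java.nio.charset.StandardCharsets.UTF_8),
            requestToken.getBytes(java.nio.charset.StandardCharsets.UTF_8));
}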
@Override
protected void onAttach(AttachEvent attachEvent) {
    // The injected UI/session and the thread-local "current" ones are
    // rendered side by side, each tagged with an id, so a test can compare
    // them. The UI is identified by its UI id plus identity hash; the
    // session by its CSRF token plus identity hash.
    // NOTE(review): exposing the CSRF token in the DOM is acceptable only in
    // a test view such as this one and must never be done in production
    // code, where it would let any script on the page read the token.
    UI currentUi = UI.getCurrent();
    VaadinSession currentSession = VaadinSession.getCurrent();

    Div injectedUi = labeledDiv("ui-injected",
            String.valueOf(ui.getUIId()) + ui.hashCode());
    Div presentUi = labeledDiv("ui-current",
            String.valueOf(currentUi.getUIId()) + currentUi.hashCode());
    Div injectedSession = labeledDiv("session-injected",
            session.getCsrfToken() + session.hashCode());
    Div presentSession = labeledDiv("session-current",
            currentSession.getCsrfToken() + currentSession.hashCode());

    add(injectedUi, presentUi, injectedSession, presentSession);
}

/**
 * Builds a {@link Div} carrying the given element id and text content.
 *
 * @param id
 *            the element id to set
 * @param text
 *            the text content to set
 * @return the configured div
 */
private static Div labeledDiv(String id, String text) {
    Div div = new Div();
    div.setId(id);
    div.setText(text);
    return div;
}
}