com.google.gwt.user.server.Util Maven / Gradle / Ivy
/*
* Copyright 2011 Google Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy of
* the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations under
* the License.
*/
package com.google.gwt.user.server;
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
/**
* A bunch of useful methods.
*/
public class Util {
/**
* Find an instance of the specified annotation, walking up the inheritance
* tree if necessary. Copied from {@link
* com.google.gwt.i18n.rebind.AnnotationUtil}.
*
* The super chain is walked first, so if an ancestor superclass has the
* requested annotation, it will be preferred over a directly implemented
* interface.
*
* @param Annotation type to search for
* @param clazz root class to search, may be null
* @param annotationClass class object of Annotation subclass to search for
* @return the requested annotation or null if none
*/
public static T getClassAnnotation(Class> clazz,
Class annotationClass) {
if (clazz == null) {
return null;
}
T annot = clazz.getAnnotation(annotationClass);
if (annot == null) {
annot = getClassAnnotation(clazz.getSuperclass(), annotationClass);
if (annot != null) {
return annot;
}
for (Class> intf : clazz.getInterfaces()) {
annot = getClassAnnotation(intf, annotationClass);
if (annot != null) {
return annot;
}
}
}
return annot;
}
/**
* Retrieves named cookie from supplied request. If {@code allowDuplicates} is
* set to {@code true}, method will throw {@link IllegalStateException} if
* duplicate cookies are found, which can be a sign of a cookie overwrite
* attack.
*
* @param request HTTP request to retrieve cookie from.
* @param cookieName Cookie name.
* @param allowDuplicates if {@code true} duplicate cookies are allowed,
* otherwise {@link IllegalStateException} is thrown if duplicate
* cookies are detected.
* @return {@link Cookie} if specified cookie is present, {@code null}
* otherwise.
* @throws IllegalArgumentException if duplicate cookies are detected.
*/
public static Cookie getCookie(HttpServletRequest request,
String cookieName, boolean allowDuplicates) {
Cookie cookieToReturn = null;
Cookie[] cookies = request.getCookies();
if (cookies != null) {
for (Cookie cookie : cookies) {
if (cookieName.equals(cookie.getName())) {
// ensure that it's the only one cookie, since duplicate cookies
// can be a sign of a cookie overriding attempt.
if (cookieToReturn == null) {
if (allowDuplicates) {
// do not attempt to detect duplicate cookies
return cookie;
} else {
cookieToReturn = cookie;
}
} else {
throw new IllegalArgumentException("Duplicate cookie! " +
"Cookie override attack?");
}
}
}
}
return cookieToReturn;
}
/**
* Checks if specified method is XSRF protected based on the following logic:
*
*
* - Method level annotations override class level annotations.
*
- If method is annotated with {@code xsrfAnnotation} this
* method returns {@code true}
*
- If method is annotated with {@code noXsrfAnnotation}, this method
* returns {@code false}.
*
- If class is annotated with {@code xsrfAnnotation} and method is not
* annotated, this method returns {@code true}.
*
- If class is annotated with {@code noXsrfAnnotation} and method is not
* annotated, this method returns {@code false}.
*
- If no annotations are present and class has a method with return value
* assignable from {@code xsrfTokenInterface}, this method returns
* {@code true}.
*
- If no annotations are present this method returns {@code false}.
*
*
* @see com.google.gwt.user.server.rpc.AbstractXsrfProtectedServiceServlet
*/
public static boolean isMethodXsrfProtected(Method method,
Class extends Annotation> xsrfAnnotation,
Class extends Annotation> noXsrfAnnotation,
Class> xsrfTokenInterface) {
Class> declaringClass = method.getDeclaringClass();
if (method.getAnnotation(noXsrfAnnotation) != null ||
(Util.getClassAnnotation(
declaringClass, noXsrfAnnotation) != null &&
method.getAnnotation(xsrfAnnotation) == null)) {
// XSRF protection is disabled
return false;
}
if (Util.getClassAnnotation(declaringClass, xsrfAnnotation) != null ||
method.getAnnotation(xsrfAnnotation) != null) {
return true;
}
// if no explicit annotation is given no XSRF token verification is done,
// unless there's a method returning RpcToken in which case XSRF token
// verification is performed for all methods
Method[] classMethods = declaringClass.getMethods();
for (Method classMethod : classMethods) {
if (xsrfTokenInterface.isAssignableFrom(classMethod.getReturnType()) &&
!method.equals(classMethod)) {
return true;
}
}
return false;
}
private Util() {
}
}