Merge pull request #527 from zanata/gwt-token-mismatch

Make sure csrf tokens match on client and server.
zanata · Jul 23, 2014 · ebcc32a · ebcc32a
2 parents c64b08a + 5ce8d6c
commit ebcc32a
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 4 deletions.
diff --git a/zanata-war/src/main/java/org/zanata/webtrans/client/Application.java b/zanata-war/src/main/java/org/zanata/webtrans/client/Application.java
@@ -59,6 +59,7 @@ public class Application implements EntryPoint {
     private UncaughtExceptionHandlerImpl exceptionHandler;
 
     public void onModuleLoad() {
+        Log.info("Loading Zanata Web Editor...");
         exceptionHandler =
                 new UncaughtExceptionHandlerImpl(injector.getDispatcher(),
                         injector.getUserConfig());
@@ -71,6 +72,7 @@ public void onModuleLoad() {
                     @Override
                     public void onFailure(Throwable caught) {
                         if (caught instanceof AuthenticationError) {
+                            Log.error("Authentication error.", caught);
                             redirectToLogin();
                         } else if (caught instanceof NoSuchWorkspaceException) {
                             Log.error("Invalid workspace", caught);

diff --git a/zanata-war/src/main/java/org/zanata/webtrans/client/rpc/SeamDispatchAsync.java b/zanata-war/src/main/java/org/zanata/webtrans/client/rpc/SeamDispatchAsync.java
@@ -7,6 +7,7 @@
 import org.zanata.webtrans.client.Application;
 import org.zanata.webtrans.client.events.NotificationEvent;
 import org.zanata.webtrans.client.resources.RpcMessages;
+import org.zanata.webtrans.client.util.JavascriptUtil;
 import org.zanata.webtrans.shared.DispatchService;
 import org.zanata.webtrans.shared.DispatchServiceAsync;
 import org.zanata.webtrans.shared.auth.AuthenticationError;
@@ -65,7 +66,7 @@ public <A extends Action<R>, R extends Result> void execute(final A action,
                     .getWorkspaceId());
         }
 
-        String sessionId = Cookies.getCookie("JSESSIONID");
+        final String sessionId = getSessionId();
         realService.execute(new WrappedAction<R>(action, sessionId),
                 new AbstractAsyncCallback<Result>() {
 
@@ -79,8 +80,11 @@ public void onFailure(final Throwable caught) {
                                         messages.noResponseFromServer()));
                             }
                         }
-                        if (caught instanceof AuthenticationError
-                                || caught instanceof InvalidTokenError) {
+                        if (caught instanceof AuthenticationError) {
+                            Log.error("Authentication error.", caught);
+                            Application.redirectToLogin();
+                        } else if (caught instanceof InvalidTokenError) {
+                            Log.error("Invalid Token error ("+ sessionId + ")", caught);
                             Application.redirectToLogin();
                         } else if (caught instanceof AuthorizationError) {
                             Log.info("RCP Authorization Error calling "
@@ -99,6 +103,10 @@ public void onSuccess(final Result result) {
                 });
     }
 
+    private String getSessionId() {
+        return JavascriptUtil.getJavascriptValue("zanataSessionId");
+    }
+
     @Override
     public void setUserWorkspaceContext(
             UserWorkspaceContext userWorkspaceContext) {
@@ -131,12 +139,13 @@ public <A extends Action<R>, R extends Result> void rollback(
                     .getWorkspaceId());
         }
 
-        String sessionId = Cookies.getCookie("JSESSIONID");
+        String sessionId = getSessionId();
         realService.rollback(new WrappedAction<R>(action, sessionId), result,
                 new AsyncCallback<Void>() {
 
                     public void onFailure(final Throwable caught) {
                         if (caught instanceof AuthenticationError) {
+                            Log.error("Authentication error.");
                             Application.redirectToLogin();
                         } else if (caught instanceof AuthorizationError) {
                             Log.info("RCP Authorization Error calling "

diff --git a/zanata-war/src/main/java/org/zanata/webtrans/client/util/JavascriptUtil.java b/zanata-war/src/main/java/org/zanata/webtrans/client/util/JavascriptUtil.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2014, Red Hat, Inc. and individual contributors as indicated by the
+ * @author tags. See the copyright.txt file in the distribution for a full
+ * listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free
+ * Software Foundation; either version 2.1 of the License, or (at your option)
+ * any later version.
+ *
+ * This software is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this software; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA, or see the FSF
+ * site: http://www.fsf.org.
+ */
+package org.zanata.webtrans.client.util;
+
+/**
+ * Utilities for dealing with javascript native code.
+ *
+ * @author Carlos Munoz <a
+ *         href="mailto:camunoz@redhat.com">camunoz@redhat.com</a>
+ */
+public class JavascriptUtil {
+    /**
+     * Returns the value of a variable declared in javascript at the window
+     * level.
+     * @param varName Variable name.
+     * @return The value (as a string) assigned to varName.
+     */
+    public static native String getJavascriptValue(String varName) /*-{
+        return $wnd[varName];
+    }-*/;
+}
diff --git a/zanata-war/src/main/java/org/zanata/webtrans/server/SeamDispatch.java b/zanata-war/src/main/java/org/zanata/webtrans/server/SeamDispatch.java
@@ -127,6 +127,8 @@ public <A extends Action<R>, R extends Result> R execute(A action)
         HttpSession session =
                 ServletContexts.instance().getRequest().getSession();
         if (session != null && !session.getId().equals(a.getCsrfToken())) {
+            log.warn("Token mismatch. Client token: {}, Expected token: {}",
+                    a.getCsrfToken(), session.getId());
             throw new InvalidTokenError(
                     "The csrf token sent with this request is not valid. It may be from an expired session, or may have been forged");
         }

diff --git a/zanata-war/src/main/resources/org/zanata/webtrans/public/Application.xhtml b/zanata-war/src/main/resources/org/zanata/webtrans/public/Application.xhtml
@@ -51,6 +51,9 @@
   <!-- to create a completely dynamic UI.        -->
   <!--                                           -->
   <body class="new-zanata-body">
+  <script type="text/javascript">
+    var zanataSessionId = '#{request.session.id}';
+  </script>
   <div class="new-zanata-base">
     <div class="new-zanata">
       <ui:include src="../WEB-INF/template/banner.xhtml"/>