From be252c9a11b740f0626b714b3608439c23690926 Mon Sep 17 00:00:00 2001
From: "Carlos A. Munoz"
Date: Mon, 7 Jul 2014 15:33:31 +1000
Subject: [PATCH 1/3] Make sure csrf tokens match on client and server.
---
 .../zanata/webtrans/client/Application.java | 2 +
 .../client/rpc/SeamDispatchAsync.java | 7 +++-
 .../webtrans/client/util/JavascriptUtil.java | 39 +++++++++++++++++++
 .../zanata/webtrans/server/SeamDispatch.java | 2 +
 .../webtrans/public/Application.xhtml | 3 ++
 5 files changed, 51 insertions(+), 2 deletions(-)
 create mode 100644 zanata-war/src/main/java/org/zanata/webtrans/client/util/JavascriptUtil.java
diff --git a/zanata-war/src/main/java/org/zanata/webtrans/client/Application.java b/zanata-war/src/main/java/org/zanata/webtrans/client/Application.java
index c6fe02ad25..d740f7caa0 100644
--- a/zanata-war/src/main/java/org/zanata/webtrans/client/Application.java
+++ b/zanata-war/src/main/java/org/zanata/webtrans/client/Application.java
@@ -59,6 +59,7 @@ public class Application implements EntryPoint {
 private UncaughtExceptionHandlerImpl exceptionHandler;
 public void onModuleLoad() {
+ Log.info("Loading Zanata Web Editor...");
 exceptionHandler = new UncaughtExceptionHandlerImpl(injector.getDispatcher(), injector.getUserConfig());
@@ -71,6 +72,7 @@ public void onModuleLoad() {
 @Override
 public void onFailure(Throwable caught) {
 if (caught instanceof AuthenticationError) {
+ Log.error("Authentication error.");
 redirectToLogin();
 } else if (caught instanceof NoSuchWorkspaceException) {
 Log.error("Invalid workspace", caught);
diff --git a/zanata-war/src/main/java/org/zanata/webtrans/client/rpc/SeamDispatchAsync.java b/zanata-war/src/main/java/org/zanata/webtrans/client/rpc/SeamDispatchAsync.java
index a7b406c8f7..9677d8414f 100644
--- a/zanata-war/src/main/java/org/zanata/webtrans/client/rpc/SeamDispatchAsync.java
+++ b/zanata-war/src/main/java/org/zanata/webtrans/client/rpc/SeamDispatchAsync.java
@@ -7,6 +7,7 @@
 import org.zanata.webtrans.client.Application;
 import org.zanata.webtrans.client.events.NotificationEvent;
 import org.zanata.webtrans.client.resources.RpcMessages;
+import org.zanata.webtrans.client.util.JavascriptUtil;
 import org.zanata.webtrans.shared.DispatchService;
 import org.zanata.webtrans.shared.DispatchServiceAsync;
 import org.zanata.webtrans.shared.auth.AuthenticationError;
@@ -65,7 +66,7 @@ public , R extends Result> void execute(final A action,
 .getWorkspaceId());
 }
- String sessionId = Cookies.getCookie("JSESSIONID");
+ final String sessionId = JavascriptUtil.getJavascriptValue("zanataSessionId");
 realService.execute(new WrappedAction(action, sessionId), new AbstractAsyncCallback() {
@@ -81,6 +82,7 @@ public void onFailure(final Throwable caught) {
 }
 if (caught instanceof AuthenticationError
 || caught instanceof InvalidTokenError) {
+ Log.error("Invalid Token error ("+ sessionId + ")", caught);
 Application.redirectToLogin();
 } else if (caught instanceof AuthorizationError) {
 Log.info("RCP Authorization Error calling "
@@ -131,12 +133,13 @@ public , R extends Result> void rollback(
 .getWorkspaceId());
 }
- String sessionId = Cookies.getCookie("JSESSIONID");
+ String sessionId = JavascriptUtil.getJavascriptValue("zanataSessionId");
 realService.rollback(new WrappedAction(action, sessionId), result, new AsyncCallback() {
 public void onFailure(final Throwable caught) {
 if (caught instanceof AuthenticationError) {
+ Log.error("Authentication error.");
 Application.redirectToLogin();
 } else if (caught instanceof AuthorizationError) {
 Log.info("RCP Authorization Error calling "
diff --git a/zanata-war/src/main/java/org/zanata/webtrans/client/util/JavascriptUtil.java b/zanata-war/src/main/java/org/zanata/webtrans/client/util/JavascriptUtil.java
new file mode 100644
index 0000000000..3edb4a7de6
--- /dev/null
+++ b/zanata-war/src/main/java/org/zanata/webtrans/client/util/JavascriptUtil.java
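Review bot: The token the client now sends is read from a window global (`JavascriptUtil.getJavascriptValue("zanataSessionId")`), and the server-side check in SeamDispatch compares it with `session.getId()`, so the value Application.xhtml publishes is presumably the servlet session identifier itself (the xhtml hunk is not legible in this rendering). Publishing the session id to page script gives up the protection an HttpOnly `JSESSIONID` cookie would otherwise provide, because any script running in the page can read `window.zanataSessionId`; a random per-session value generated server-side, stored in the session and distinct from the session id, would satisfy the same equality check without exposing the session credential. A comment at this declaration would help the next reader: `// CSRF token published by Application.xhtml as a window global; null/undefined if the page did not define it`. The enclosing execute method starts and ends outside the hunk.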
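Review bot: `Log.error("Invalid Token error ("+ sessionId + ")", caught);` writes the CSRF token into the client log, and because SeamDispatch compares that token with `session.getId()` the logged value is in effect the session identifier; gwt-log output reaches the browser console and, depending on configuration, can be forwarded to a remote logger, so a session credential should not appear there. Logging whether a token was present is enough to diagnose the mismatch: `Log.error("Invalid Token error (token " + (sessionId == null ? "missing" : "present") + ")", caught);`. The same line is carried forward unchanged into the `@@ -80,8 +80,10 @@` hunk of patch 3. onFailure begins and ends outside this hunk.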
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2014, Red Hat, Inc. and individual contributors as indicated by the
+ * @author tags. See the copyright.txt file in the distribution for a full
+ * listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free
+ * Software Foundation; either version 2.1 of the License, or (at your option)
+ * any later version.
+ *
+ * This software is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this software; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA, or see the FSF
+ * site: http://www.fsf.org.
+ */
+package org.zanata.webtrans.client.util;
+
+/**
+ * Utilities for dealing with javascript native code.
+ *
+ * @author Carlos Munoz camunoz@redhat.com
+ */
+public class JavascriptUtil {
+ /**
+ * Returns the value of a variable declared in javascript at the window
+ * level.
+ * @param varName Variable name.
+ * @return The value (as a string) assigned to varName.
+ */
+ public static native String getJavascriptValue(String varName) /*-{
+ return $wnd[varName];
+ }-*/;
+}
diff --git a/zanata-war/src/main/java/org/zanata/webtrans/server/SeamDispatch.java b/zanata-war/src/main/java/org/zanata/webtrans/server/SeamDispatch.java
index 8e71cc7bc7..e79ab33e73 100644
--- a/zanata-war/src/main/java/org/zanata/webtrans/server/SeamDispatch.java
+++ b/zanata-war/src/main/java/org/zanata/webtrans/server/SeamDispatch.java
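Review bot: `return $wnd[varName];` hands back whatever the window property holds, so when the global is not defined the result is JavaScript `undefined`, which the Javadoc's `String` contract does not mention and which may or may not surface as a Java `null` depending on the GWT mode; a non-string value would likewise come back uncoerced, and string concatenation or `equals` on such a value behaves unpredictably. Normalising inside the JSNI body keeps the promised contract: `var v = $wnd[varName]; return (v == null) ? null : String(v);`, and the `@return` tag should add `or {@code null} if no such variable is defined`. Callers should treat `null` as "value unavailable" rather than as a usable token.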
@@ -127,6 +127,8 @@ public , R extends Result> R execute(A action)
 HttpSession session = ServletContexts.instance().getRequest().getSession();
 if (session != null && !session.getId().equals(a.getCsrfToken())) {
+ log.warn("Token mismatch. Client token: {}, Expected token: {}",
+ a.getCsrfToken(), session.getId());
 throw new InvalidTokenError( "The csrf token sent with this request is not valid. It may be from an expired session, or may have been forged");
 }
diff --git a/zanata-war/src/main/resources/org/zanata/webtrans/public/Application.xhtml b/zanata-war/src/main/resources/org/zanata/webtrans/public/Application.xhtml
index ea31102ce1..a7442b6a12 100644
--- a/zanata-war/src/main/resources/org/zanata/webtrans/public/Application.xhtml
+++ b/zanata-war/src/main/resources/org/zanata/webtrans/public/Application.xhtml
@@ -51,6 +51,9 @@
+
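Review bot: The new `log.warn` prints both `a.getCsrfToken()` and `session.getId()` in full, and since the condition directly above treats the session id as the expected token, every mismatch writes a live session identifier to the server log at WARN level; the client-supplied token is also logged verbatim, which is unwise for a value the caller controls. Recording presence rather than content is enough to separate an expired session from a missing or forged token: `log.warn("CSRF token mismatch (client token {}); rejecting request", a.getCsrfToken() == null ? "absent" : "present");`. Comparing secrets with `equals` is a small timing side channel; `MessageDigest.isEqual` on the UTF-8 bytes is the usual choice, though with a session id the practical exposure is modest. The enclosing execute method continues outside the hunk.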
From 63406f6bb18f119685bb555c137e04ae14be847d Mon Sep 17 00:00:00 2001
From: Carlos Munoz
Date: Mon, 7 Jul 2014 15:45:48 +1000
Subject: [PATCH 2/3] Fix checkstyle violations.
---
 .../java/org/zanata/webtrans/client/util/JavascriptUtil.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/zanata-war/src/main/java/org/zanata/webtrans/client/util/JavascriptUtil.java b/zanata-war/src/main/java/org/zanata/webtrans/client/util/JavascriptUtil.java
index 3edb4a7de6..2242b291e1 100644
--- a/zanata-war/src/main/java/org/zanata/webtrans/client/util/JavascriptUtil.java
+++ b/zanata-war/src/main/java/org/zanata/webtrans/client/util/JavascriptUtil.java
@@ -22,7 +22,7 @@
 /**
 * Utilities for dealing with javascript native code.
- *
+ *
 * @author Carlos Munoz camunoz@redhat.com
 */
From 5ce8d6cb2a20b3bc4fda0a093c20110997c6b6e4 Mon Sep 17 00:00:00 2001
From: "Carlos A. Munoz"
Date: Mon, 7 Jul 2014 16:36:06 +1000
Subject: [PATCH 3/3] Refactor some exception handling and extract a method.
---
 .../org/zanata/webtrans/client/Application.java | 2 +-
 .../webtrans/client/rpc/SeamDispatchAsync.java | 14 ++++++++++----
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/zanata-war/src/main/java/org/zanata/webtrans/client/Application.java b/zanata-war/src/main/java/org/zanata/webtrans/client/Application.java
index d740f7caa0..16f3bf019a 100644
--- a/zanata-war/src/main/java/org/zanata/webtrans/client/Application.java
+++ b/zanata-war/src/main/java/org/zanata/webtrans/client/Application.java
@@ -72,7 +72,7 @@ public void onModuleLoad() {
 @Override
 public void onFailure(Throwable caught) {
 if (caught instanceof AuthenticationError) {
- Log.error("Authentication error.");
+ Log.error("Authentication error.", caught);
 redirectToLogin();
 } else if (caught instanceof NoSuchWorkspaceException) {
 Log.error("Invalid workspace", caught);
diff --git a/zanata-war/src/main/java/org/zanata/webtrans/client/rpc/SeamDispatchAsync.java b/zanata-war/src/main/java/org/zanata/webtrans/client/rpc/SeamDispatchAsync.java
index 9677d8414f..53d5dba61b 100644
--- a/zanata-war/src/main/java/org/zanata/webtrans/client/rpc/SeamDispatchAsync.java
+++ b/zanata-war/src/main/java/org/zanata/webtrans/client/rpc/SeamDispatchAsync.java
@@ -66,7 +66,7 @@ public , R extends Result> void execute(final A action,
 .getWorkspaceId());
 }
- final String sessionId = JavascriptUtil.getJavascriptValue("zanataSessionId");
+ final String sessionId = getSessionId();
 realService.execute(new WrappedAction(action, sessionId), new AbstractAsyncCallback() {
@@ -80,8 +80,10 @@ public void onFailure(final Throwable caught) {
 messages.noResponseFromServer()));
 }
 }
- if (caught instanceof AuthenticationError
- || caught instanceof InvalidTokenError) {
+ if (caught instanceof AuthenticationError) {
+ Log.error("Authentication error.", caught);
+ Application.redirectToLogin();
+ } else if (caught instanceof InvalidTokenError) {
 Log.error("Invalid Token error ("+ sessionId + ")", caught);
 Application.redirectToLogin();
 } else if (caught instanceof AuthorizationError) {
@@ -101,6 +103,10 @@ public void onSuccess(final Result result) {
 });
 }
+ private String getSessionId() {
+ return JavascriptUtil.getJavascriptValue("zanataSessionId");
+ }
+ + @Override public void setUserWorkspaceContext( UserWorkspaceContext userWorkspaceContext) {
@@ -133,7 +139,7 @@ public , R extends Result> void rollback(
 .getWorkspaceId());
 }
- String sessionId = JavascriptUtil.getJavascriptValue("zanataSessionId");
+ String sessionId = getSessionId();
 realService.rollback(new WrappedAction(action, sessionId), result, new AsyncCallback() {
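Review bot: The extracted `getSessionId()` in the `@@ -101,6 +103,10 @@` hunk has no Javadoc, yet it is now the single place where the client depends on a `zanataSessionId` global that Application.xhtml must define, and that contract deserves stating: `/** Returns the CSRF token that Application.xhtml publishes as the {@code zanataSessionId} window global, or {@code null}/undefined when the page did not set it. */`. A name such as `getCsrfToken()` would also match the server side, which reads the same value through `a.getCsrfToken()`, and would stop readers assuming the value is a cookie. The enclosing class continues outside the hunk, and the `@Override` context line at the end of this hunk is fused with the `+` markers around it in this rendering, so the exact line layout there is not recoverable.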