
Source code changes of the file "flow-server/src/main/java/com/vaadin/flow/server/connect/auth/VaadinConnectAccessChecker.java" between
vaadin-flow-4.0.6.tar.gz and vaadin-flow-4.0.7.tar.gz

About: Vaadin flow is a Java framework binding Vaadin web components to Java.

VaadinConnectAccessChecker.java  (vaadin-flow-4.0.6):VaadinConnectAccessChecker.java  (vaadin-flow-4.0.7)
skipping to change at line 19 skipping to change at line 19
* *
* Unless required by applicable law or agreed to in writing, software * Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations under * License for the specific language governing permissions and limitations under
* the License. * the License.
*/ */
package com.vaadin.flow.server.connect.auth; package com.vaadin.flow.server.connect.auth;
import com.vaadin.flow.server.VaadinService;
import javax.annotation.security.DenyAll; import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll; import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed; import javax.annotation.security.RolesAllowed;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.lang.reflect.AnnotatedElement; import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method; import java.lang.reflect.Method;
import java.lang.reflect.Modifier; import java.lang.reflect.Modifier;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.vaadin.flow.server.VaadinService;
/** /**
* Component used for checking role-based ACL in Vaadin Endpoints. * Component used for checking role-based ACL in Vaadin Endpoints.
* <p> * <p>
* For each request that is trying to access the method in the corresponding * For each request that is trying to access the method in the corresponding
* Vaadin Connect Endpoint, the permission check is carried on. * Vaadin Connect Endpoint, the permission check is carried on.
* <p> * <p>
* It looks for {@link AnonymousAllowed} {@link PermitAll}, {@link DenyAll} and * It looks for {@link AnonymousAllowed} {@link PermitAll}, {@link DenyAll} and
* {@link RolesAllowed} annotations in endpoint methods and classes containing * {@link RolesAllowed} annotations in endpoint methods and classes containing
* these methods (no super classes' annotations are taken into account). * these methods (no super classes' annotations are taken into account).
* <p> * <p>
skipping to change at line 141 skipping to change at line 144
private boolean cannotAccessMethod(Method method, private boolean cannotAccessMethod(Method method,
HttpServletRequest request) { HttpServletRequest request) {
return requestForbidden(request) return requestForbidden(request)
|| entityForbidden(getSecurityTarget(method), request); || entityForbidden(getSecurityTarget(method), request);
} }
private boolean requestForbidden(HttpServletRequest request) { private boolean requestForbidden(HttpServletRequest request) {
if (!xsrfProtectionEnabled) { if (!xsrfProtectionEnabled) {
return false; return false;
} }
String csrfToken = (String) request.getSession()
HttpSession session = request.getSession(false);
if (session == null) {
return false;
}
String csrfTokenInSession = (String) session
.getAttribute(VaadinService.getCsrfTokenAttributeName()); .getAttribute(VaadinService.getCsrfTokenAttributeName());
return csrfToken != null && !csrfToken.equals(request.getHeader("X-CSRF- if (csrfTokenInSession == null) {
Token")); if (getLogger().isInfoEnabled()) {
getLogger().info(
"Unable to verify CSRF token for endpoint request, got n
ull token in session");
}
return true;
}
if (!csrfTokenInSession.equals(request.getHeader("X-CSRF-Token"))) {
if (getLogger().isInfoEnabled()) {
getLogger().info("Invalid CSRF token in endpoint request");
}
return true;
}
return false;
} }
private boolean entityForbidden(AnnotatedElement entity, private boolean entityForbidden(AnnotatedElement entity,
HttpServletRequest request) { HttpServletRequest request) {
return entity.isAnnotationPresent(DenyAll.class) || (!entity return entity.isAnnotationPresent(DenyAll.class) || (!entity
.isAnnotationPresent(AnonymousAllowed.class) .isAnnotationPresent(AnonymousAllowed.class)
&& !roleAllowed(entity.getAnnotation(RolesAllowed.class), && !roleAllowed(entity.getAnnotation(RolesAllowed.class),
request)); request));
} }
skipping to change at line 184 skipping to change at line 210
} }
/** /**
* Enable or disable XSRF token checking in endpoints. * Enable or disable XSRF token checking in endpoints.
* *
* @param xsrfProtectionEnabled enable or disable protection. * @param xsrfProtectionEnabled enable or disable protection.
*/ */
public void enableCsrf(boolean xsrfProtectionEnabled) { public void enableCsrf(boolean xsrfProtectionEnabled) {
this.xsrfProtectionEnabled = xsrfProtectionEnabled; this.xsrfProtectionEnabled = xsrfProtectionEnabled;
} }
private static Logger getLogger() {
return LoggerFactory.getLogger(VaadinConnectAccessChecker.class);
}
} }
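Review bot: The token comparison in requestForbidden (`!csrfTokenInSession.equals(request.getHeader("X-CSRF-Token"))`) is a plain String.equals against a header the client controls, so it short-circuits on the first mismatching character; a constant-time comparison is the usual choice for a CSRF secret. The check could read `String headerToken = request.getHeader("X-CSRF-Token");` followed by `if (headerToken == null || !MessageDigest.isEqual(csrfTokenInSession.getBytes(StandardCharsets.UTF_8), headerToken.getBytes(StandardCharsets.UTF_8))) {`, with `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` added to the imports. The new `session == null` branch silently returns false, i.e. a request with no session skips the CSRF check entirely; if that relies on the assumption that no authenticated principal can exist without a session, a comment such as `// No session means no session-bound authentication to forge; the CSRF check does not apply` would make that contract explicit for maintainers, and the assumption is worth confirming against how the surrounding app authenticates. The `(String)` cast of the session attribute will throw ClassCastException if the attribute is ever not a String, which would surface as a 500 rather than a 401/403.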
 End of changes. 6 change blocks. 
6 lines changed or deleted 36 lines changed or added
