Merge "Move XSRF_TOKEN cookie from HostPageServlet to filter"
diff --git a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/UrlModule.java b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/UrlModule.java
index cf60f1b..d8935fd 100644
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/UrlModule.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/UrlModule.java
@@ -64,6 +64,7 @@
bind(Key.get(CacheControlFilter.class)).in(SINGLETON);
if (options.enableDefaultUi()) {
+ filter("/").through(XsrfCookieFilter.class);
serve("/").with(HostPageServlet.class);
serve("/Gerrit").with(LegacyGerritServlet.class);
serve("/Gerrit/*").with(legacyGerritScreen());
diff --git a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/XsrfCookieFilter.java b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/XsrfCookieFilter.java
new file mode 100644
index 0000000..c14d043
--- /dev/null
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/XsrfCookieFilter.java
@@ -0,0 +1,81 @@
+// Copyright (C) 2015 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gerrit.httpd;
+
+import com.google.gerrit.common.data.HostPageData;
+import com.google.gerrit.extensions.registration.DynamicItem;
+import com.google.gerrit.server.CurrentUser;
+import com.google.inject.Inject;
+import com.google.inject.Provider;
+import com.google.inject.Singleton;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@Singleton
+public class XsrfCookieFilter implements Filter {
+ private final Provider<CurrentUser> user;
+ private final DynamicItem<WebSession> session;
+
+ @Inject
+ XsrfCookieFilter(
+ Provider<CurrentUser> user,
+ DynamicItem<WebSession> session) {
+ this.user = user;
+ this.session = session;
+ }
+
+ @Override
+ public void doFilter(ServletRequest req, ServletResponse rsp,
+ FilterChain chain) throws IOException, ServletException {
+ WebSession s = user.get().isIdentifiedUser() ? session.get() : null;
+ setXsrfTokenCookie(
+ (HttpServletRequest) req, (HttpServletResponse) rsp, s);
+ chain.doFilter(req, rsp);
+ }
+
+ private static void setXsrfTokenCookie(HttpServletRequest req,
+ HttpServletResponse rsp, WebSession session) {
+ String v = session != null ? session.getXGerritAuth() : "";
+ Cookie c = new Cookie(HostPageData.XSRF_COOKIE_NAME, v);
+ c.setPath("/");
+ c.setSecure(isSecure(req));
+ c.setMaxAge(session != null
+ ? -1 // Set the cookie for this browser session.
+ : 0); // Remove the cookie (expire immediately).
+ rsp.addCookie(c);
+ }
+
+ private static boolean isSecure(HttpServletRequest req) {
+ return req.isSecure() || "https".equals(req.getScheme());
+ }
+
+ @Override
+ public void init(FilterConfig config) {
+ }
+
+ @Override
+ public void destroy() {
+ }
+}
diff --git a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/raw/HostPageServlet.java b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/raw/HostPageServlet.java
index 39801f6..43c66db 100644
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/raw/HostPageServlet.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/raw/HostPageServlet.java
@@ -25,13 +25,11 @@
import com.google.gerrit.common.Version;
import com.google.gerrit.common.data.HostPageData;
import com.google.gerrit.extensions.client.DiffPreferencesInfo;
-import com.google.gerrit.extensions.registration.DynamicItem;
import com.google.gerrit.extensions.registration.DynamicSet;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.extensions.systemstatus.MessageOfTheDay;
import com.google.gerrit.extensions.webui.WebUiPlugin;
import com.google.gerrit.httpd.HtmlDomUtil;
-import com.google.gerrit.httpd.WebSession;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.account.AccountResource;
@@ -67,7 +65,6 @@
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
-import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -83,7 +80,6 @@
private static final int DEFAULT_JS_LOAD_TIMEOUT = 5000;
private final Provider<CurrentUser> currentUser;
- private final DynamicItem<WebSession> session;
private final DynamicSet<WebUiPlugin> plugins;
private final DynamicSet<MessageOfTheDay> messages;
private final HostPageData.Theme signedOutTheme;
@@ -101,7 +97,6 @@
@Inject
HostPageServlet(
Provider<CurrentUser> cu,
- DynamicItem<WebSession> w,
SitePaths sp,
ThemeFactory themeFactory,
ServletContext servletContext,
@@ -113,7 +108,6 @@
GetDiffPreferences diffPref)
throws IOException, ServletException {
currentUser = cu;
- session = w;
plugins = webUiPlugins;
messages = motd;
signedOutTheme = themeFactory.getSignedOutTheme();
@@ -193,7 +187,6 @@
StringWriter w = new StringWriter();
CurrentUser user = currentUser.get();
if (user.isIdentifiedUser()) {
- setXGerritAuthCookie(req, rsp, session.get());
w.write(HPD_ID + ".accountDiffPref=");
json(getDiffPreferences(user.asIdentifiedUser()), w);
w.write(";");
@@ -202,7 +195,6 @@
json(signedInTheme, w);
w.write(";");
} else {
- setXGerritAuthCookie(req, rsp, null);
w.write(HPD_ID + ".theme=");
json(signedOutTheme, w);
w.write(";");
@@ -229,22 +221,6 @@
}
}
- private static void setXGerritAuthCookie(HttpServletRequest req,
- HttpServletResponse rsp, WebSession session) {
- String v = session != null ? session.getXGerritAuth() : "";
- Cookie c = new Cookie(HostPageData.XSRF_COOKIE_NAME, v);
- c.setPath("/");
- c.setSecure(isSecure(req));
- c.setMaxAge(session != null
- ? -1 // Set the cookie for this browser session.
- : 0); // Remove the cookie (expire immediately).
- rsp.addCookie(c);
- }
-
- private static boolean isSecure(HttpServletRequest req) {
- return req.isSecure() || "https".equals(req.getScheme());
- }
-
private DiffPreferencesInfo getDiffPreferences(IdentifiedUser user) {
try {
return getDiff.apply(new AccountResource(user));
diff --git a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/raw/StaticModule.java b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/raw/StaticModule.java
index f8ac26d..da66ba3 100644
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/raw/StaticModule.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/raw/StaticModule.java
@@ -19,6 +19,7 @@
import com.google.common.cache.Cache;
import com.google.common.collect.ImmutableList;
import com.google.gerrit.httpd.GerritOptions;
+import com.google.gerrit.httpd.XsrfCookieFilter;
import com.google.gerrit.httpd.raw.ResourceServlet.Resource;
import com.google.gerrit.launcher.GerritLauncher;
import com.google.gerrit.server.cache.CacheModule;
@@ -163,6 +164,7 @@
}
for (String p : POLYGERRIT_INDEX_PATHS) {
+ filter(p).through(XsrfCookieFilter.class);
serve(p).with(PolyGerritUiIndexServlet.class);
}
serve("/*").with(PolyGerritUiServlet.class);
