Alexander Wels has posted comments on this change. Change subject: userportal,webadmin: xsrf token changes ......................................................................
Patch Set 1: (5 comments) http://gerrit.ovirt.org/#/c/31089/1/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/server/gwt/OvirtXsrfTokenServiceServlet.java File frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/server/gwt/OvirtXsrfTokenServiceServlet.java: Line 36: * Constructor that initializes the XSRF token generator. Line 37: * @throws NoSuchProviderException Line 38: * @throws NoSuchAlgorithmException Line 39: */ Line 40: OvirtXsrfTokenServiceServlet() throws NoSuchProviderException, NoSuchAlgorithmException { > Hm, doesn't Java EE servlet spec require that each servlet has *public* no- Done Line 41: super(); Line 42: random = SecureRandom.getInstance("SHA1PRNG", "SUN"); //$NON-NLS-1$ $NON-NLS-2$ Line 43: //Call nextBytes this once to initialize the random implementation. Line 44: //We ignore the result, we just called it to initialize the implementation. Line 38: * @throws NoSuchAlgorithmException Line 39: */ Line 40: OvirtXsrfTokenServiceServlet() throws NoSuchProviderException, NoSuchAlgorithmException { Line 41: super(); Line 42: random = SecureRandom.getInstance("SHA1PRNG", "SUN"); //$NON-NLS-1$ $NON-NLS-2$ > please do not use sun explicitly. Done Line 43: //Call nextBytes this once to initialize the random implementation. Line 44: //We ignore the result, we just called it to initialize the implementation. Line 45: byte[] b = new byte[TOKEN_SIZE]; Line 46: random.nextBytes(b); Line 40: OvirtXsrfTokenServiceServlet() throws NoSuchProviderException, NoSuchAlgorithmException { Line 41: super(); Line 42: random = SecureRandom.getInstance("SHA1PRNG", "SUN"); //$NON-NLS-1$ $NON-NLS-2$ Line 43: //Call nextBytes this once to initialize the random implementation. Line 44: //We ignore the result, we just called it to initialize the implementation. > why is it needed? I read somewhere it was a good practice to do this. This might have been the case at some point, I researched the official java documents and they mention nothing of this. Line 45: byte[] b = new byte[TOKEN_SIZE]; Line 46: random.nextBytes(b); Line 47: } Line 48: Line 65: random.nextBytes(tokenBytes); Line 66: session.setAttribute(XSRF_TOKEN, tokenBytes); Line 67: } else { Line 68: tokenBytes = (byte[]) session.getAttribute(XSRF_TOKEN); Line 69: } > either get this once or get it always... two patterns: Done Line 70: } Line 71: return StringUtils.toHexString(tokenBytes); Line 72: } http://gerrit.ovirt.org/#/c/31089/1/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/server/gwt/XsrfProtectedRpcServlet.java File frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/server/gwt/XsrfProtectedRpcServlet.java: Line 22: throw new RpcTokenException("XSRF token missing"); //$NON-NLS-1$ Line 23: } Line 24: String expectedToken; Line 25: HttpSession session = getThreadLocalRequest().getSession(); Line 26: synchronized (session) { > why do you need to sync? Because potentially someone could be writing this as I am trying to read it. Line 27: expectedToken = StringUtils.toHexString( Line 28: (byte[]) session.getAttribute(OvirtXsrfTokenServiceServlet.XSRF_TOKEN)); Line 29: } Line 30: XsrfToken xsrfToken = (XsrfToken) token; -- To view, visit http://gerrit.ovirt.org/31089 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: Ic028b0d1f8a6fd0cf67863af51d02d892d33f5fb Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Alexander Wels <aw...@redhat.com> Gerrit-Reviewer: Alexander Wels <aw...@redhat.com> Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com> Gerrit-Reviewer: Einav Cohen <eco...@redhat.com> Gerrit-Reviewer: Vojtech Szocs <vsz...@redhat.com> Gerrit-Reviewer: automat...@ovirt.org Gerrit-Reviewer: oVirt Jenkins CI Server Gerrit-HasComments: Yes _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
