
Tight coupling between VaadinConnectController and VaadinConnectAccessChecker

fluorumlabs opened this issue (Open, 0 comments)

The VaadinConnectAccessChecker instance is created in VaadinConnectControllerConfiguration, BUT its non-final field xsrfProtectionEnabled is set by VaadinConnectController in its constructor. That makes VaadinConnectAccessChecker a stateful singleton:

  1. Before VaadinConnectController is initialized, it has one state
  2. After VaadinConnectController is initialized, it may have a different state

In addition to that, the state can be mutated any time via

    public class VaadinConnectAccessChecker {
        // The non-final field referred to above (declaration shown for context;
        // its initial value is not part of the issue).
        private boolean xsrfProtectionEnabled;

        /**
         * Enable or disable XSRF token checking in endpoints.
         *
         * @param xsrfProtectionEnabled enable or disable protection.
         */
        public void enableCsrf(boolean xsrfProtectionEnabled) {
            this.xsrfProtectionEnabled = xsrfProtectionEnabled;
        }
    }

fluorumlabs, Sep 17 '20
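The coupling described in the issue, reduced to a self-contained sketch (added example; not Hilla's code, and the class names, the `allows` method and the assumed `true` default are hypothetical). The first checker reproduces the mutable-singleton pattern; the second shows the decoupled form, where the XSRF setting is fixed at construction by the configuration and the controller can no longer change it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public final class AccessCheckerCoupling {

    // Pattern from the issue: one shared instance whose protection flag is a
    // plain mutable field, so its behaviour depends on who has called
    // enableCsrf() so far (configuration, controller constructor, anyone else).
    static final class MutableAccessChecker {
        private boolean xsrfProtectionEnabled = true; // assumed default

        public void enableCsrf(boolean enabled) { this.xsrfProtectionEnabled = enabled; }

        boolean allows(String headerToken, String sessionToken) {
            return !xsrfProtectionEnabled || tokensMatch(headerToken, sessionToken);
        }
    }

    // Decoupled form: the flag is decided once, where the bean is created, and
    // is final. A controller receives a fully configured checker; there is no
    // "before/after controller initialization" state to reason about.
    static final class ImmutableAccessChecker {
        private final boolean xsrfProtectionEnabled;

        ImmutableAccessChecker(boolean xsrfProtectionEnabled) {
            this.xsrfProtectionEnabled = xsrfProtectionEnabled;
        }

        boolean allows(String headerToken, String sessionToken) {
            return !xsrfProtectionEnabled || tokensMatch(headerToken, sessionToken);
        }
    }

    // Constant-time comparison of the header token against the session token.
    static boolean tokensMatch(String headerToken, String sessionToken) {
        if (headerToken == null || sessionToken == null) return false;
        return MessageDigest.isEqual(headerToken.getBytes(StandardCharsets.UTF_8),
                                     sessionToken.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        MutableAccessChecker shared = new MutableAccessChecker();
        System.out.println("mutable, before controller init: " + shared.allows("bad", "good")); // false
        shared.enableCsrf(false); // what a controller constructor (or any caller) can do later
        System.out.println("mutable, after enableCsrf(false): " + shared.allows("bad", "good")); // true

        ImmutableAccessChecker fixed = new ImmutableAccessChecker(true); // set once by configuration
        System.out.println("immutable: " + fixed.allows("bad", "good")); // false, and cannot change
    }
}
```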