Hi all!

I was thinking about making my RPC calls to the server (datastore commands) 
more secure against JavaScript or data stream modifications on the client side 
(when the user is already signed in and validated). 

Problem:

- right now all datastore requests are transmitted 1:1 from client to 
server via RPC calls.

- a logged-in user could manipulate the RPC call (he could for 
example exchange his userID for the ID of someone else and access the data 
of this user)

- to avoid that I need to verify that the user ID matches the session ID 
assigned when he logged in.

- Idea: I want to proxy every request through a single method on the server 
side and only if the user is validated against his session the specified 
server method is called.

Not a clue how to implement:

- specify an interface with all datastore methods available.

- sending a "method call" (which is defined by the interface) via RPC call 
to the server

- within the proxy method on the server side verify the user and execute the 
"method call"

- if applicable return the return value asynchronously


Is this a common approach? If not, what is a common approach? And also: How 
can one avoid thievery of the session ID?


I would appreciate any hint.

Thanks & greetings.
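
The single-entry-point check described in the post, sketched with `java.lang.reflect.Proxy` as an added example that is not part of the original message. `DataService`, `guard` and the in-memory session map are hypothetical stand-ins; the example assumes the first argument of every interface method is the owner's user ID and that the server recorded the user ID for the session at login.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.Map;

public class SessionBoundProxyDemo {
    // Hypothetical datastore interface; first argument is always the owner's user ID.
    interface DataService {
        String loadProfile(String userId);
    }

    static class DataServiceImpl implements DataService {
        public String loadProfile(String userId) { return "profile of " + userId; }
    }

    // Wraps the real service so every call passes one check before it is dispatched.
    static DataService guard(DataService target, Map<String, String> sessions, String sessionId) {
        return (DataService) Proxy.newProxyInstance(
            DataService.class.getClassLoader(),
            new Class<?>[] { DataService.class },
            (proxy, method, args) -> {
                String sessionUser = sessions.get(sessionId); // identity stored server-side at login
                if (sessionUser == null) {
                    throw new SecurityException("no valid session");
                }
                // The client-supplied ID is only compared, never trusted as the identity.
                if (args == null || !sessionUser.equals(args[0])) {
                    throw new SecurityException("user ID does not match session");
                }
                try {
                    return method.invoke(target, args);
                } catch (InvocationTargetException e) {
                    throw e.getCause(); // surface the service's own exception
                }
            });
    }

    public static void main(String[] args) {
        // Constructed sample data: session ID -> user ID recorded at login.
        Map<String, String> sessions = Map.of("sess-123", "alice");
        DataService svc = guard(new DataServiceImpl(), sessions, "sess-123");

        System.out.println(svc.loadProfile("alice")); // allowed
        try {
            svc.loadProfile("bob"); // alice's session asking for bob's data
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```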
