On Fri, Nov 28, 2008 at 03:52, Patrick Ratelband <[EMAIL PROTECTED]> wrote:
> I have been working a while now on properly defending my GWT app
> against Cross Site Request Forgery (XSRF) with a minimal change in the
> code of the application itself.

I've done something similar for an application I am working on, but the RPC format uses pure JSON rather than the GWT RPC system. For the most part it serializes just about anything GWT RPC would serialize, but the object property names appear "plain text" on the wire. The advantage of course is non-GWT clients and servers can actually speak to each other.

Standard JSON along with automatic XSRF were my main requirements. The application I am using it in is open source; I don't want to be obfuscating the wire protocol.

The RemoteJsonServlet base class automatically handles XSRF key generation and validation, so you extend it and implement your interface. The client side proxies are generated to automatically insert the XSRF token into the HTTP request headers. So it's fairly transparent to the application.

It's still under development, but I'm using it in Gerrit 2, and thus far it's working out quite nicely for my needs.

Code is here:
http://android.git.kernel.org/?p=tools/gwtjsonrpc.git;a=summary

README describing it in a bit more detail:
http://android.git.kernel.org/?p=tools/gwtjsonrpc.git;a=blob;f=README;hb=HEAD
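The server-side half of the header-token approach described above, as an added example that is not part of the original post or of gwtjsonrpc: a token is derived from the caller's session, and the value sent in the request header is checked on each RPC. The HMAC construction, the expiry window and every name here are assumptions; the post does not say how RemoteJsonServlet builds or validates its key.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Added illustration; the scheme and all names are assumptions, not gwtjsonrpc's code.
public class XsrfTokenDemo {
    private final SecretKeySpec key;
    private final long maxAgeMillis;

    XsrfTokenDemo(byte[] serverSecret, long maxAgeMillis) {
        this.key = new SecretKeySpec(serverSecret, "HmacSHA256");
        this.maxAgeMillis = maxAgeMillis;
    }

    private byte[] mac(String sessionId, long issuedAt) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        return m.doFinal((sessionId + "\n" + issuedAt).getBytes(StandardCharsets.UTF_8));
    }

    // Token = issue time + "." + base64url(HMAC over session id and issue time).
    String issue(String sessionId, long now) throws Exception {
        return now + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(mac(sessionId, now));
    }

    // Validate the header value against the session the request arrived on.
    boolean isValid(String sessionId, String headerValue, long now) {
        try {
            // A cross-site form post cannot set a custom header, so it arrives as null.
            int dot = headerValue == null ? -1 : headerValue.indexOf('.');
            if (dot < 1) return false;
            long issuedAt = Long.parseLong(headerValue.substring(0, dot));
            if (issuedAt > now || now - issuedAt > maxAgeMillis) return false;
            byte[] sent = Base64.getUrlDecoder().decode(headerValue.substring(dot + 1));
            return MessageDigest.isEqual(sent, mac(sessionId, issuedAt)); // constant-time compare
        } catch (Exception e) { return false; } // malformed token: reject rather than throw
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret); // per-deployment secret, constructed for the demo
        XsrfTokenDemo x = new XsrfTokenDemo(secret, 3_600_000L);
        long t0 = System.currentTimeMillis();
        String token = x.issue("session-A", t0); // constructed session ids
        System.out.println("same session:   " + x.isValid("session-A", token, t0 + 1000));
        System.out.println("other session:  " + x.isValid("session-B", token, t0 + 1000));
        System.out.println("missing header: " + x.isValid("session-A", null, t0 + 1000));
    }
}
```

Only the first check passes: the token is bound to one session, and a request that lacks the header is rejected before any RPC method runs.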