Yes, you could definitely do that to merely access your session but that doesn't do anything to help prevent XSRF. Here's a great article all about this which includes what I mentioned earlier about sending the identifier as a header. http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications The article is a little dated since you can now get at the Request or RequestBuilder objects for the GWT-RPC requests and set the headers. This page explains how to get at the Async's underlying Request and RequestBuilder objects http://vinaytech.wordpress.com/2008/09/28/google-web-toolkit-and-client-server-communications/.
On Dec 1, 5:26 pm, jossey <[EMAIL PROTECTED]> wrote: > Hmm.. I ve a stupid question now.. > Can't we use RemoteServiceServlet.getThreadLocalRequest().getSession() > to get the current session? > I found 'using the session' working in GWT 1.5. > > On Dec 1, 9:31 am, jhulford <[EMAIL PROTECTED]> wrote: > > > Another thing you can do in order to always send your session > > identifier as part of your request is use the RequestBuilder and add > > the identifier as a request header. > > > RequestBuilder requestBuilder = new RequestBuilder("POST", "/ > > myServletUrl"); > > RequestBuilder.setHeader("X-Session-Id", mySessionIdFromCookie); > > > On Dec 1, 8:31 am, gregor <[EMAIL PROTECTED]> wrote: > > > > Hi Patrick, > > > > I think you probably want to call the static async instance according > > > to usual RPC protocol, i.e. in this case SecureRemoteServiceAsync, > > > otherwise you might get confused as to what's going on > > > > > --- Code, I hope this formats reasonably in the post. --- > > > > public interface SecureRemoteService extends RemoteService { > > > > > /** > > > > * Utility/Convenience class. > > > > * Use SecureRemoteService.Async.getInstance() to access static > > > > instance of IpsvRmapServiceAsync > > > > */ > > > > public static class SecureRemoteServiceAsync { > > > > private static Async ourInstance = null; > > > > > public static synchronized SecureRemoteServiceAsync > > > > getInstance() { > > > > if (ourInstance == null) { > > > > ourInstance = > > > > (SecureRemoteServiceAsync) GWT.create(SecureRemoteService.class); > > > > } > > > > return ourInstance; > > > > } > > > > > public void setServiceEntryPoint(String entryPoint) { > > > > // This is where the magic happens. > > > > ((ServiceDefTarget) > > > > ourInstance).setServiceEntryPoint > > > > (GWT.getModuleBaseURL() + entryPoint + "?sessionID=" + getSessionID > > > > ()); > > > > } > > > > > private String getSessionID() { > > > > // Do stuff to get sessionID > > > > return "SessionID"; > > > > } > > > > }} > > > > > --- End of code --- > > > > Then you use it like so in code: > > > > SecureRemoteServiceAsync async > > > = SecureRemoteServiceAsync.App.getInstance(); // > > > the URL will now have the SessionID param > > > async.someMethod(param, new secureRemoteServiceCallback()); > > > > Note that this does not work across the board, you have to do this > > > once for each RPC service separately (i.e. once per RPC service > > > interface declared), but if you extend RemoteServiceServlet and > > > override the processCall() method to grab and check sesionID > > > parameter, then use this extended RemoteServiceServlet this for all > > > your RPC services, they will all validate the sessionID. > > > > I guess it's a matter of taste and situation, but I think I prefer the > > > second method (the Command pattern variation) becasue a) if you want > > > to change the way you handle this session thing, you just do it the > > > Payload base class and the extended RemoteServiceServlet.processCall > > > (), you do not have to change all your RPC Async interfaces and b) > > > this Payload pattern is useful for a lot of other reasons in handling > > > objects over the wire. I think it deals with the XSRF issue too (but > > > I'm sure Reinier will nail me to wall again if wrong!) > > > > regards > > > gregor > > > > > From what I can see, this should work if the interface extends the > > > > SecureRemoteService instead of the normal one. However, to properly > > > > create an instance of this class, the programmer now has to do > > > > something different from the normal procedure. Instead of calling the > > > > normal GWT.create(someService.class) and casting it to the Async > > > > version, he has to call on GWT.create(someService.Async.class). This > > > > means he has to modify all of his proxy creation statements as well. > > > > > Is there any way to get around this? > > > > > Thanks, Patrick > > > > > PS: Graag gedaan. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To post to this group, send email to Google-Web-Toolkit@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en -~----------~----~----~----~------~----~------~--~---