Yes, you could definitely do that to merely access your session but
that doesn't do anything to help prevent XSRF.  Here's a great article
all about this which includes what I mentioned earlier about sending
the identifier as a header.  
http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications
The article is a little dated since you can now get at the Request or
RequestBuilder objects for the GWT-RPC requests and set the headers.
This page explains how to get at the Async's underlying Request and
RequestBuilder objects 
http://vinaytech.wordpress.com/2008/09/28/google-web-toolkit-and-client-server-communications/.

On Dec 1, 5:26 pm, jossey <[EMAIL PROTECTED]> wrote:
> Hmm.. I've a stupid question now..
> Can't we use RemoteServiceServlet.getThreadLocalRequest().getSession()
> to get the current session?
> I found 'using the session' working in GWT 1.5.
>
> On Dec 1, 9:31 am, jhulford <[EMAIL PROTECTED]> wrote:
>
> > Another thing you can do in order to always send your session
> > identifier as part of your request is use the RequestBuilder and add
> > the identifier as a request header.
>
> > RequestBuilder requestBuilder = new RequestBuilder("POST", "/myServletUrl");
> > requestBuilder.setHeader("X-Session-Id", mySessionIdFromCookie);
>
> > On Dec 1, 8:31 am, gregor <[EMAIL PROTECTED]> wrote:
>
> > > Hi Patrick,
>
> > > I think you probably want to call the static async instance according
> > > to usual RPC protocol, i.e. in this case SecureRemoteServiceAsync,
> > > otherwise you might get confused as to what's going on
>
> > > > --- Code, I hope this formats reasonably in the post. ---
> > > > public interface SecureRemoteService extends RemoteService {
>
> > > >         /**
> > > >          * Utility/Convenience class.
> > > >          * Use SecureRemoteService.Async.getInstance() to access static
> > > >          * instance of IpsvRmapServiceAsync
> > > >          */
> > > >         public static class SecureRemoteServiceAsync {
> > > >                 private static SecureRemoteServiceAsync ourInstance = null;
>
> > > >                 public static synchronized SecureRemoteServiceAsync getInstance() {
> > > >                         if (ourInstance == null) {
> > > >                                 ourInstance = (SecureRemoteServiceAsync) GWT.create(SecureRemoteService.class);
> > > >                         }
> > > >                         return ourInstance;
> > > >                 }
>
> > > >                 public void setServiceEntryPoint(String entryPoint) {
> > > >                         // This is where the magic happens.
> > > >                         ((ServiceDefTarget) ourInstance).setServiceEntryPoint(
> > > >                                 GWT.getModuleBaseURL() + entryPoint + "?sessionID=" + getSessionID());
> > > >                 }
>
> > > >                 private String getSessionID() {
> > > >                         // Do stuff to get sessionID
> > > >                         return "SessionID";
> > > >                 }
> > > >         }
> > > > }
>
> > > > --- End of code ---
>
> > > Then you use it like so in code:
>
> > >         SecureRemoteServiceAsync async = SecureRemoteServiceAsync.getInstance(); // the URL will now have the SessionID param
> > >         async.someMethod(param, new secureRemoteServiceCallback());
>
> > > Note that this does not work across the board, you have to do this
> > > once for each RPC service separately (i.e. once per RPC service
> > > interface declared), but if you extend RemoteServiceServlet and
> > > override the processCall() method to grab and check the sessionID
> > > parameter, then use this extended RemoteServiceServlet for all
> > > your RPC services, they will all validate the sessionID.
>
> > > I guess it's a matter of taste and situation, but I think I prefer the
> > > second method (the Command pattern variation) because a) if you want
> > > to change the way you handle this session thing, you just do it in the
> > > Payload base class and the extended RemoteServiceServlet.processCall
> > > (), you do not have to change all your RPC Async interfaces and b)
> > > this Payload pattern is useful for a lot of other reasons in handling
> > > objects over the wire. I think it deals with the XSRF issue too (but
> > > I'm sure Reinier will nail me to the wall again if wrong!)
>
> > > regards
> > > gregor
>
> > > > From what I can see, this should work if the interface extends the
> > > > SecureRemoteService instead of the normal one. However, to properly
> > > > create an instance of this class, the programmer now has to do
> > > > something different from the normal procedure. Instead of calling the
> > > > normal GWT.create(someService.class) and casting it to the Async
> > > > version, he has to call on GWT.create(someService.Async.class). This
> > > > means he has to modify all of his proxy creation statements as well.
>
> > > > Is there any way to get around this?
>
> > > > Thanks, Patrick
>
> > > > PS: Graag gedaan.
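As an added example (not code from this thread or from GWT itself), here is the header-based approach jhulford and the reply above describe, written end to end: the client attaches the session id as a custom header on every GWT-RPC call, and a shared RemoteServiceServlet subclass rejects any call whose header does not match the session the cookie selected. It assumes the GWT 2.0+ RpcRequestBuilder / ServiceDefTarget.setRpcRequestBuilder API and a JSESSIONID cookie that script can read; the class and header names are my own.

```java
// Client side (assumes GWT 2.0+ RpcRequestBuilder): add the header to every RPC call of one Async proxy.
import com.google.gwt.http.client.RequestBuilder;
import com.google.gwt.user.client.Cookies;
import com.google.gwt.user.client.rpc.RpcRequestBuilder;
import com.google.gwt.user.client.rpc.ServiceDefTarget;

public class SessionHeaderRequestBuilder extends RpcRequestBuilder {
    @Override
    protected void doFinish(RequestBuilder rb) {
        super.doFinish(rb);
        // Read the session cookie from script (assumes it is not HttpOnly);
        // a page that cannot read it would send a separate per-session token instead.
        String sid = Cookies.getCookie("JSESSIONID");
        if (sid != null) {
            rb.setHeader("X-Session-Id", sid);
        }
    }

    // Usage: MyServiceAsync svc = (MyServiceAsync) SessionHeaderRequestBuilder.attach(GWT.create(MyService.class));
    public static <T> T attach(T asyncProxy) {
        ((ServiceDefTarget) asyncProxy).setRpcRequestBuilder(new SessionHeaderRequestBuilder());
        return asyncProxy;
    }
}

// Server side (separate source file; imports repeated for completeness): one base servlet for all RPC services.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import com.google.gwt.user.client.rpc.SerializationException;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

public abstract class XsrfCheckedRemoteServiceServlet extends RemoteServiceServlet {
    @Override
    protected String processCall(String payload) throws SerializationException {
        HttpServletRequest req = getThreadLocalRequest();
        HttpSession session = req.getSession(false);
        String header = req.getHeader("X-Session-Id");
        // A cross-site form post or <img> request carries the cookie but cannot set a custom
        // header, so a missing or wrong header stops the call before the payload is deserialised.
        // MessageDigest.isEqual compares in constant time. The exception reaches
        // doUnexpectedFailure(), which logs it and answers with HTTP 500.
        if (session == null || header == null || !MessageDigest.isEqual(
                header.getBytes(StandardCharsets.UTF_8),
                session.getId().getBytes(StandardCharsets.UTF_8))) {
            throw new SecurityException("missing or invalid X-Session-Id header");
        }
        return super.processCall(payload);
    }
}
```

Make every RPC servlet extend XsrfCheckedRemoteServiceServlet instead of RemoteServiceServlet so the check applies uniformly, as gregor's processCall() suggestion intends.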
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.