Thanks a lot Colin.
And where should I specify the flag? I tried to specify it inside the plugin
config without success:
<plugin>
  <groupId>net.ltgt.gwt.maven</groupId>
  <artifactId>gwt-maven-plugin</artifactId>
  <version>1.1.0</version>
  <extensions>true</extensions>
  <configuration>
    <moduleName>com.odilotid.odilotk.Opac</moduleName>
    <sourceLevel>${gwt.sourceLevel}</sourceLevel>
    <skip>${compile.gwt.skip}</skip>
    <style>OBF</style>
    <jvmArgs>
      -Dgwt.enhancedClasses.enabled=true
    </jvmArgs>
    <workDir>${project.build.directory}/gwt/temp</workDir>
    <deploy>${project.build.directory}/WEB-INF/deploy</deploy>
    <draftCompile>false</draftCompile>
    <webappDirectory>/${webappDirectory}</webappDirectory>
    <logLevel>WARN</logLevel>
  </configuration>
  <executions>
    <execution>
      <id>gwt-compile</id>
      <goals>
        <goal>compile</goal>
      </goals>
    </execution>
  </executions>
</plugin>
On Friday, February 7, 2025 at 14:09:34 UTC+1, Colin Alworth
wrote:
> I don't want to sound snarky, but did you read the linked issue and
> discussion there?
>
> In short, you have a few options:
> * Enable the flag, and ship a known security bug, allowing attackers to
> potentially run untrusted code in your server,
> * Leave the flag disabled and split your DTOs from your entities, so that
> the security issue can't happen, or
> * Contribute (through time or funding someone else's time) one of the
> proposed fixes, so that the feature can be safely reenabled.
>
> This has been discussed a few times, and at this time (just over a year
> since we first shipped that flag) it doesn't appear that anyone has been
> interested in actually fixing it, suggesting to me that either most
> projects are content with allowing users to run arbitrary code on their
> server (...unlikely), or that the use of JPA annotations on DTOs was
> actually not necessary for their project and removing the annotations was
> an easy solution.
>
> Fixing the bug in GWT itself fixes it once for everyone, but that requires
> development, review, testing time, and so far no one is interested.
>
> On Friday, February 7, 2025 at 5:53:27 AM UTC-6 [email protected] wrote:
>
>> Hi all,
>>
>> Recently in our company we have migrated from GWT 2.9.0 to GWT 2.12.1. In
>> this migration, we have an issue with the RPC, because we have DTOs with
>> JPA annotations.
>>
>> I get this message:
>>
>> ERROR: Service deserializes enhanced JPA/JDO classes, which is unsafe.
>> Review build logs to see which classes are affected, or set
>> gwt.enhancedClasses.enabled to true to allow using this service. See
>> https://github.com/gwtproject/gwt/issues/9709 for more detail.
>>
>> What is the best way to handle this? I'm using the following plugin
>> config to compile GWT:
>>
>> <plugin>
>>   <groupId>net.ltgt.gwt.maven</groupId>
>>   <artifactId>gwt-maven-plugin</artifactId>
>>   <version>1.1.0</version>
>>   <extensions>true</extensions>
>>   <configuration>
>>     <moduleName>com.odilotid.odilotk.Opac</moduleName>
>>     <sourceLevel>${gwt.sourceLevel}</sourceLevel>
>>     <skip>${compile.gwt.skip}</skip>
>>     <style>OBF</style>
>>     <workDir>${project.build.directory}/gwt/temp</workDir>
>>     <deploy>${project.build.directory}/WEB-INF/deploy</deploy>
>>     <draftCompile>false</draftCompile>
>>     <webappDirectory>/${webappDirectory}</webappDirectory>
>>     <logLevel>WARN</logLevel>
>>   </configuration>
>>   <executions>
>>     <execution>
>>       <id>gwt-compile</id>
>>       <goals>
>>         <goal>compile</goal>
>>       </goals>
>>     </execution>
>>   </executions>
>> </plugin>
>>
>> Thanks
>>
>