This is a runtime system property that you have to set on your server.
On Friday, February 7, 2025 at 4:15:46 PM UTC+1 [email protected] wrote:
> Thanks a lot Colin.
>
> And where should I specify the flag? I tried to specify it inside the plugin
> config without success:
>
> <plugin>
>   <groupId>net.ltgt.gwt.maven</groupId>
>   <artifactId>gwt-maven-plugin</artifactId>
>   <version>1.1.0</version>
>   <extensions>true</extensions>
>   <configuration>
>     <moduleName>com.odilotid.odilotk.Opac</moduleName>
>     <sourceLevel>${gwt.sourceLevel}</sourceLevel>
>     <skip>${compile.gwt.skip}</skip>
>     <style>OBF</style>
>     <jvmArgs>
>       -Dgwt.enhancedClasses.enabled=true
>     </jvmArgs>
>
>     <workDir>${project.build.directory}/gwt/temp</workDir>
>     <deploy>${project.build.directory}/WEB-INF/deploy</deploy>
>     <draftCompile>false</draftCompile>
>     <webappDirectory>/${webappDirectory}</webappDirectory>
>     <logLevel>WARN</logLevel>
>   </configuration>
>   <executions>
>     <execution>
>       <id>gwt-compile</id>
>       <goals>
>         <goal>compile</goal>
>       </goals>
>     </execution>
>   </executions>
> </plugin>
> On Friday, February 7, 2025 at 14:09:34 UTC+1, Colin Alworth wrote:
>
>> I don't want to sound snarky, but did you read the linked issue and
>> discussion there?
>>
>> In short, you have a few options:
>> * Enable the flag, and ship a known security bug, allowing attackers to
>> potentially run untrusted code in your server,
>> * Leave the flag disabled and split your DTOs from your entities, so
>> that the security issue can't happen, or
>> * Contribute (through time or funding someone else's time) one of the
>> proposed fixes, so that the feature can be safely reenabled.
>>
>> This has been discussed a few times, and at this time (just over a year
>> since we first shipped that flag) it doesn't appear that anyone has been
>> interested in actually fixing it, suggesting to me that either most
>> projects are content with allowing users to run arbitrary code on their
>> server (...unlikely), or that the use of JPA annotations on DTOs was
>> actually not necessary for their project and removing the annotations was
>> an easy solution.
>>
>> Fixing the bug in GWT itself fixes it once for everyone, but that
>> requires development, review, testing time, and so far no one is interested.
>>
>> On Friday, February 7, 2025 at 5:53:27 AM UTC-6 [email protected] wrote:
>>
>>> Hi all,
>>>
>>> Recently in our company we have migrated from GWT 2.9.0 to GWT 2.12.1.
>>> In this migration, we have an issue with the RPC, because we have DTOs with
>>> JPA annotations.
>>>
>>> I get this message:
>>>
>>> ERROR: Service deserializes enhanced JPA/JDO classes, which is unsafe.
>>> Review build logs to see which classes are affected, or set
>>> gwt.enhancedClasses.enabled to true to allow using this service. See
>>> https://github.com/gwtproject/gwt/issues/9709 for more detail.
>>>
>>> Which is the best way to handle this? I'm using the following plugin
>>> config to compile GWT:
>>>
>>> <plugin>
>>>   <groupId>net.ltgt.gwt.maven</groupId>
>>>   <artifactId>gwt-maven-plugin</artifactId>
>>>   <version>1.1.0</version>
>>>   <extensions>true</extensions>
>>>   <configuration>
>>>     <moduleName>com.odilotid.odilotk.Opac</moduleName>
>>>     <sourceLevel>${gwt.sourceLevel}</sourceLevel>
>>>     <skip>${compile.gwt.skip}</skip>
>>>     <style>OBF</style>
>>>     <workDir>${project.build.directory}/gwt/temp</workDir>
>>>     <deploy>${project.build.directory}/WEB-INF/deploy</deploy>
>>>     <draftCompile>false</draftCompile>
>>>     <webappDirectory>/${webappDirectory}</webappDirectory>
>>>     <logLevel>WARN</logLevel>
>>>   </configuration>
>>>   <executions>
>>>     <execution>
>>>       <id>gwt-compile</id>
>>>       <goals>
>>>         <goal>compile</goal>
>>>       </goals>
>>>     </execution>
>>>   </executions>
>>> </plugin>
>>>
>>> Thanks
>>>
>>
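
The second option in Colin Alworth's reply, splitting DTOs from entities, shown as an added example that is not part of the thread or of GWT's own code. The class names (BookEntity, BookDto, BookMapper) are hypothetical, and javax.persistence is assumed as the JPA API in use.

```java
// Added example: hypothetical classes; javax.persistence is an assumption about the JPA API in use.
import java.io.Serializable;
import javax.persistence.Entity;
import javax.persistence.Id;

// Server-only package: the JPA entity never appears in a GWT RPC method signature.
@Entity
class BookEntity {
    @Id private Long id;
    private String title;
    private String internalNotes; // stays on the server; it has no counterpart in the DTO

    Long getId() { return id; }
    String getTitle() { return title; }
    void setTitle(String title) { this.title = title; }
}

// Shared (client-translatable) package in a real project: plain DTO, no JPA/JDO annotations.
class BookDto implements Serializable {
    private Long id;
    private String title;

    BookDto() { } // GWT RPC requires a zero-argument constructor

    BookDto(Long id, String title) {
        this.id = id;
        this.title = title;
    }

    Long getId() { return id; }
    String getTitle() { return title; }
}

// Server-only mapper: the explicit copy step at the RPC boundary.
final class BookMapper {
    private BookMapper() { }

    // Outbound: only the fields listed here reach the client.
    static BookDto toDto(BookEntity entity) {
        return new BookDto(entity.getId(), entity.getTitle());
    }

    // Inbound: copy client-supplied values onto an entity the server loaded itself,
    // so the RPC layer only ever deserializes the plain DTO.
    static void applyTo(BookDto dto, BookEntity loaded) {
        loaded.setTitle(dto.getTitle());
    }
}
```

With the service interface declared in terms of BookDto only, gwt.enhancedClasses.enabled can stay at its default.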