I believe that if you use container managed security for your entire
GWT app it will require authentication to access the servlets too.  In
fact I just tested it and that is correct (FROM ACCESS LOG:
'"127.0.0.1" "matt" "06/Mar/2009:18:17:36 +0000" "POST /SEESuite/rssParser HTTP/1.1" 200 3082';
notice this request is authenticated as
the user "matt").  We are doing this. Unfortunately, if you are handling
your own security within your module, you will have to somehow handle
your own security in the servlets also, which in turn creates a lot of
security issues.  I believe if you call the application with SSL the
RPC calls will also use SSL, but I have not tested this.  Also, I know
RPC has a lot of built-in security and error checking that would make
it difficult for the person trying to access the servlets directly
without intimate knowledge of the RPC package structure because I know
every once in a while I get traces in my logs that say "expected xx
bits and recieved xx, aborting rpc call."

On Mar 6, 9:22 am, erincarikan <erincari...@gmail.com> wrote:
> Excuse my illiteracy about GWT, I just started working on GWT last
> week. Yesterday I implemented my first RPC application and one thing
> makes me worried a little bit. I will compile and all the content will
> work on client and it will RPC server code without any authentication
> if I am not mistaken. So can anyone who figures out the URL consume
> this service? If so, this is definitely not what I wanted, because I
> have to add RPC functionality to a PCI-compliant system which will
> break the requirements. I read the security article but I didn't see
> any references to this situation at all, so I thought maybe I am
> missing something it's not a problem but still not sure about it. Also
> without authentication and object validation system will be open to
> object injections. If I am right about my concerns, can anybody give
> me a security model example?
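
The access-log test described in the reply above can be automated. The following is an added example, not part of the original thread: it scans access-log lines for RPC servlet requests that were served without an authenticated user. The log layout, the `-` marker for an anonymous user and the sample lines are assumptions modelled on the single entry quoted in the post.

```python
import re

# Assumed layout, modelled on the access-log line quoted in the post:
# "ip" "user" "timestamp" "METHOD path HTTP/x" status bytes
LINE = re.compile(
    r'"(?P<ip>[^"]*)" "(?P<user>[^"]*)" "(?P<ts>[^"]*)" '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def unauthenticated_rpc_hits(lines, rpc_prefixes):
    """Return parsed entries where an RPC servlet answered with a 2xx
    status but the container recorded no authenticated user."""
    findings = []
    for line in lines:
        m = LINE.search(line)
        if m is None:
            continue  # not an access-log entry in the assumed layout
        entry = m.groupdict()
        path = entry["path"].split("?", 1)[0]  # ignore any query string
        if not any(path.startswith(p) for p in rpc_prefixes):
            continue  # static pages such as a login form are expected to be public
        anonymous = entry["user"] in ("", "-")  # assumption: "-" means no user
        served = entry["status"].startswith("2")
        if anonymous and served:
            findings.append(entry)
    return findings

# Constructed sample lines; only the first mirrors the entry in the post.
SAMPLE = [
    '"127.0.0.1" "matt" "06/Mar/2009:18:17:36 +0000" "POST /SEESuite/rssParser HTTP/1.1" 200 3082',
    '"10.0.0.7" "-" "06/Mar/2009:18:19:02 +0000" "POST /SEESuite/rssParser HTTP/1.1" 200 2911',
    '"10.0.0.7" "-" "06/Mar/2009:18:19:05 +0000" "POST /SEESuite/rssParser HTTP/1.1" 401 951',
    '"10.0.0.7" "-" "06/Mar/2009:18:19:09 +0000" "GET /SEESuite/login.html HTTP/1.1" 200 1204',
]

if __name__ == "__main__":
    for hit in unauthenticated_rpc_hits(SAMPLE, ["/SEESuite/rssParser"]):
        print("unauthenticated RPC call served:", hit["ip"], hit["ts"], hit["path"])
```

Any line this reports means the security constraint does not cover that servlet URL, which is the gap the original question was worried about.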