Re: request signing

At the GWT fireside chat at Google I/O, I asked about the possibility of a per-request handler for the new RPCRequestBuilder coming in GWT2. They mentioned it had been considered.
With a user method invoked just before the request is sent, you could easily implement GWT-RPC signature/authentication transparently and protect the integrity of the entire request. MD5, SHA1 and even HmacSHA1 work reasonably when ported to translatable Java source. I've successfully performed authenticated Amazon S3 requests in this way, straight from the browser.

On May 30, 2:21 am, hazy1 <[email protected]> wrote:
> If you are worried about replay attacks use a random token as part of
> each response/request pair.
>
> On May 29, 11:09 pm, Deep Blue <[email protected]> wrote:
>
> > Hi,
>
> > Thanks all for the comments / opinions.
> > I agreed with Daniel and Jason that we shouldn't send any extra info.
> > to client and protect from server side.
>
> > However, some of my clients are paranoid about the data is being
> > exposed to users as clear text and they are able to forge the request
> > to retrieve data from server.
> > This is just one step more protection, but should be effective in
> > prevent normal users from forging the request just by using plugin in
> > firefox.
>
> > GWT has already obfuscated the javascript source code when compiling,
> > this is great.
> > I was thinking maybe we can take one step further to encrypt the data
> > (only for sensitive information rpc.)
>
> > We will protect the data / request from server side, but to let
> > clients able to rest assure, I am just trying to look out any way we
> > can implement the encryption in GWT.
> > I know it sounds ridiculous, but sometimes clients are ridiculous.
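The two ideas in this thread, an HMAC over the entire request and a random token per response/request pair, combine as in the following sketch. It is an added example, not code from any poster or from GWT: it uses only the JDK (no GWT API), and the class name, method names, key and request body are constructed for illustration, with the key assumed to be a per-session secret the server already shares with the client.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class SignedRequestDemo {
    // Tokens the server has issued and not yet seen used (one per response/request pair).
    private static final Set<String> OUTSTANDING = ConcurrentHashMap.newKeySet();
    private static final SecureRandom RNG = new SecureRandom();

    // Server side: attach a fresh random token to each response.
    static String issueToken() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        OUTSTANDING.add(token);
        return token;
    }

    // Both sides: HMAC-SHA1 over the token and the entire request body.
    static byte[] sign(byte[] key, String token, String body) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        mac.update(token.getBytes(StandardCharsets.UTF_8));
        mac.update((byte) 0); // separator: the base64url token never contains a NUL byte
        return mac.doFinal(body.getBytes(StandardCharsets.UTF_8));
    }

    // Server side: accept only a valid MAC on a token that is still unused.
    static boolean verify(byte[] key, String token, String body, byte[] sig) throws Exception {
        byte[] expected = sign(key, token, body);
        if (!MessageDigest.isEqual(expected, sig)) {
            return false; // body or token was altered, or the wrong key was used
        }
        return OUTSTANDING.remove(token); // false for a replayed or unknown token
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // constructed
        String body = "getAccount|42"; // constructed request payload

        String token = issueToken();
        byte[] sig = sign(key, token, body);
        System.out.println("first use accepted: " + verify(key, token, body, sig));
        System.out.println("replay accepted:    " + verify(key, token, body, sig));

        String token2 = issueToken();
        byte[] sig2 = sign(key, token2, body);
        System.out.println("tampered accepted:  " + verify(key, token2, body + "x", sig2));
    }
}
```

A key delivered to the browser is readable by that browser's user, so the MAC detects tampering in transit and binds each request to a session, while authorization for the data itself still has to be enforced on the server.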
