RequestFactoryServlet and security : passing sessionId back and forth

Tue, 27 Sep 2011 08:28:39 -0700 

Hi

As so many others before me, I went through the *LoginSecurityFAQ* and have 
been reading about *passing the SESSIONID from the client to the server in 
the payload for each and every request*. The message is that we cannot trust 
the HttpSession server side because of potential CSRF attacks.

Question : 


   - Do I have to *add an additional parameter SESSIONID to each and every 
   service call* that I am launching from GWT to the server ?
   - Or perhaps I can attach the *SESSIONID as request attribute*, so my 
   service interfaces stay clean of this extra parameter ?
   - I also noticed that in earlier versions of RfServlet there was a *init 
   parameter UserInfo* but this seems to have *disappeared*. I never used it 
   but I suspect this is some mechanism to address the above issues ? Is 
   there some replacement mechanism ? 


Old implementation (part of doPost) of RequestFactoryServlet :

        // Check that user is logged in before proceeding
        UserInformation userInfo = 
UserInformation.getCurrentUserInformation(request.getHeader("pageurl"));
        if (!userInfo.isUserLoggedIn()) {
          response.setHeader("login", userInfo.getLoginUrl());
          response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } else {
          response.setHeader("userId", String.format("%s", 
userInfo.getId()));
          response.setStatus(HttpServletResponse.SC_OK);
          RequestProcessor<String> requestProcessor = new 
JsonRequestProcessor();
          requestProcessor.setOperationRegistry(new 
ReflectionBasedOperationRegistry(
              new DefaultSecurityProvider()));
          requestProcessor.setExceptionHandler(exceptionHandler);
          response.setContentType(RequestFactory.JSON_CONTENT_TYPE_UTF8);
          
writer.print(requestProcessor.decodeAndInvokeRequest(jsonRequestString));
          writer.flush();
        }



Thx 

Koen

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/google-web-toolkit/-/WDA1sfVapK4J.
To post to this group, send email to google-web-toolkit@googlegroups.com.
To unsubscribe from this group, send email to 
google-web-toolkit+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/google-web-toolkit?hl=en.

Reply via email to