I can't seem to track down the answer to this question. In GWT-RPC is any validation done to enforce that only methods in the RemoteService interface can be invoked? For example, if you had a public helper method in the RemoteServiceServlet that wasn't described in the interface could it be invoked by forging an RPC request?
I'm trying to get a handle on what is exactly exposed in a RemoteServiceServlet and what enforces that exposure. I'm assuming a malicious client directly accessing the server and bypassing a provided client. I'd love to see the code that was responsible, too. I poked around com.google.gwt.user.server.rpc but could only find implementsInterface, which I don't think does what I'm asking. -- You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscr...@googlegroups.com. To post to this group, send email to google-web-toolkit@googlegroups.com. Visit this group at http://groups.google.com/group/google-web-toolkit. For more options, visit https://groups.google.com/groups/opt_out.
