Re: how to secure RequestFactory in GWT 2.2

2011-03-03 Thread KaffeineComa
Hey Google GWT developers, could we get a response to this question please? 
You've created this elaborate editors framework that lots of people are 
trying to adopt, but there seems to be no way to secure it on the server 
side. 

Without any server-side checks, attackers are free to query, modify and 
persist entities as they see fit. This is a really serious problem. 

Maybe there is an obvious solution and I've been too dumb to find it. I've 
looked through the documentation, examples and even the source and haven't 
been able to solve this.  We'd all be happy to RTFM, if you could give us a 
pointer.

Thanks!



-- 
You received this message because you are subscribed to the Google Groups 
Google Web Toolkit group.
To post to this group, send email to google-web-toolkit@googlegroups.com.
To unsubscribe from this group, send email to 
google-web-toolkit+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/google-web-toolkit?hl=en.



Re: how to secure RequestFactory in GWT 2.2

2011-03-03 Thread Jeff Schwartz
I haven't used the request factory so I am sorry, no I can't help you with
this.

On Wed, Mar 2, 2011 at 3:04 PM, Kathiravan Tamilvanan kat...@gmail.com wrote:

 Jeff,
  Do you have any idea how to do session validation with the RequestFactory
 approach?

  I am using RequestFactory with a ServiceLocator to locate my Spring
 service layer. I would like to validate the session, when a request is made
 through the RequestFactory, before invoking the Spring service layer. Do you
 have any recommendation on this?

 Thanks,
 Kathir





-- 
*Jeff Schwartz*
http://jefftschwartz.appspot.com/
http://www.linkedin.com/in/jefftschwartz
follow me on twitter: @jefftschwartz




Re: how to secure RequestFactory in GWT 2.2

2011-03-03 Thread KaffeineComa
FWIW, I also tried securing my services layer by using a servlet Filter 
(the same way that I'm using a PersistenceFilter to manage my 
EntityManager{Factory}).

I was hoping to query the user's session for a loggedInUser object, but 
was stymied by the fact that the Filter interface only has a ServletRequest, 
not an HttpServletRequest, and thus no access to the user's session. If 
anyone knows a solution to this, please share.  (Hmm, now I'm wondering if 
the ServletRequest can simply be cast to an HttpServletRequest...)




Re: how to secure RequestFactory in GWT 2.2

2011-03-03 Thread KaffeineComa
OK, I feel as if I'm solving this problem via Rubber duck debugging 
(http://en.wikipedia.org/wiki/Rubber_duck_debugging); sitting down to 
phrase my question reveals a potential solution:


   - create MyRequestFactoryServlet that extends RequestFactoryServlet (I 
   didn't realize this was an option; I thought the relevant methods therein 
   were marked final, but that's not the case)
   - override doGet()/doPost() to check the user's session for a 
   userIsLoggedIn object (which you can set via RPC or similar at your login 
   page)
   - throw an exception (or perhaps redirect) if the user is not logged in
   - use MyRequestFactoryServlet in your web.xml rather than 
   RequestFactoryServlet

I think this will work, but I wonder if there is not a more official 
solution, given that there used to be a UserInformation class that seemed to 
address this issue.





Re: how to secure RequestFactory in GWT 2.2

2011-03-03 Thread Thomas Broyer


On Thursday, March 3, 2011 4:16:40 PM UTC+1, KaffeineComa wrote:

 Hey Google GWT developers, could we get a response to this question please? 
 You've created this elaborate editors framework that lots of people are 
 trying to adopt, but there seems to be no way to secure it on the server 
 side. 

 Without any server-side checks, attackers are free to query, modify and 
 persist entities as they see fit. This is a really serious problem. 

 Maybe there is an obvious solution and I've been too dumb to find it. I've 
 looked through the documentation, examples and even the source and haven't 
 been able to solve this.  We'd all be happy to RTFM, if you could give us a 
 pointer.


It's indeed easy and rather obvious. If you look at the Expenses sample, 
you'll see how they do it using GAE to authenticate the user, but the 
overall mechanism is portable to any environment.

First, you need a way to intercept requests to the RequestFactoryServlet to 
check the user is authenticated: this is the role of a servlet Filter (or 
you can extend RequestFactoryServlet and override the service() or doPost() 
method)

Next, you have to communicate to the client that the user is not 
authenticated (important in case the session times out, for instance): it's 
up to you to choose your protocol, but a 
response.sendError(HttpServletResponse.SC_UNAUTHORIZED); will be enough.

Finally, sending the info the client is one thing, but the client has to 
handle it: this is the role of the RequestTransport that you can pass to 
RequestFactory's initialize() method. Just inherit DefaultRequestTransport 
and wrap the RequestCallback from super.createRequestCallback to handle 
getStatusCode()==401 (or whatever protocol you chose above) and do 
whatever you want (dispatch an event on your application's EventBus, 
redirect to the login page, simply do a Window.alert() and let the user 
refresh the page after they backed up their data using copy/paste to the 
Windows Notebook, etc.)

I'm sure I've already written all of this here (last month?), unfortunately 
I can't find it.




Re: how to secure RequestFactory in GWT 2.2

2011-03-03 Thread KaffeineComa
Hi Thomas,

Thank you. I actually came to the same solution just a few minutes after 
posting my plea for help. Here's my code, for anyone else who'd like to 
benefit:  

http://stackoverflow.com/questions/4557286/how-to-handle-security-constraints-using-gwt-2-1s-requestfactory/5183802#5183802

It wasn't obvious to me because for some reason I thought the 
doPost()/doGet() in RequestFactoryServlet were marked final, as they are in 
RemoteServiceServlet. 

Thanks






Re: how to secure RequestFactory in GWT 2.2

2011-03-03 Thread Kathiravan Tamilvanan
KaffeineComa,
 I just looked at your Stackoverflow solution. I understand it to some 
extent, but I am new to web development; here is my doubt.

 According to 
http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ , 
it is good to send the session information in the payload. So I am assuming 
the RequestContext will have the session information as a parameter,
 
something like EntityProxy getEntityWithId(String id, User);

In this case I am not sure how to get the User information from inside the 
MyRequestFactoryServlet. 

Am I talking sense?

Kathir.




Re: how to secure RequestFactory in GWT 2.2

2011-03-03 Thread JN
When you inherit from DefaultRequestTransport as Thomas says, you can 
overwrite the method

protected void configureRequestBuilder(RequestBuilder builder)

You can then set custom HTTP headers to transport additional information 
like the session id or some other auth token. So there is no need to add 
this extra information to every RequestContext method.

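Putting Thomas's three steps and JN's header variant together, as an added example (not code from the thread or from GWT itself): the servlet rejects unauthenticated calls with 401 before any payload is decoded, and a DefaultRequestTransport subclass both sets an auth header on the way out and handles the 401 on the way back. MyRequestFactoryServlet and LOGGED_IN_USER are names used in the thread; AuthAwareRequestTransport, the X-Auth-Token header and the Runnable hook are assumptions.

```java
// --- server side: MyRequestFactoryServlet.java (name taken from the thread) ---
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.google.web.bindery.requestfactory.server.RequestFactoryServlet;

public class MyRequestFactoryServlet extends RequestFactoryServlet {
    // Session attribute the login RPC sets after validating credentials (KaffeineComa's post).
    public static final String LOGGED_IN_USER = "LOGGED_IN_USER";
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // getSession(false): do not create a session for an unauthenticated caller.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(LOGGED_IN_USER) == null) {
            // Reject before the payload is decoded, so no entity is read or written.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        super.doPost(request, response);
    }
}

// --- client side: AuthAwareRequestTransport.java (hypothetical name) ---
import com.google.gwt.http.client.*;
import com.google.web.bindery.requestfactory.gwt.client.DefaultRequestTransport;
import com.google.web.bindery.requestfactory.shared.RequestTransport.TransportReceiver;
import com.google.web.bindery.requestfactory.shared.ServerFailure;
public class AuthAwareRequestTransport extends DefaultRequestTransport {
    private final String authToken;        // from login; null when relying on the session cookie only
    private final Runnable onUnauthorized; // e.g. fire an event on the EventBus or show the login page
    public AuthAwareRequestTransport(String authToken, Runnable onUnauthorized) {
        this.authToken = authToken;
        this.onUnauthorized = onUnauthorized;
    }
    @Override
    protected void configureRequestBuilder(RequestBuilder builder) {
        super.configureRequestBuilder(builder);
        if (authToken != null) builder.setHeader("X-Auth-Token", authToken); // header name is assumed
    }
    @Override
    protected RequestCallback createRequestCallback(final TransportReceiver receiver) {
        final RequestCallback delegate = super.createRequestCallback(receiver);
        return new RequestCallback() {
            public void onResponseReceived(Request request, Response response) {
                if (response.getStatusCode() == Response.SC_UNAUTHORIZED) {
                    onUnauthorized.run();
                    receiver.onTransportFailure(new ServerFailure("Not logged in"));
                    return; // do not let the default callback try to decode an error page
                }
                delegate.onResponseReceived(request, response);
            }
            public void onError(Request request, Throwable exception) {
                delegate.onError(request, exception);
            }
        };
    }
}
```

Wire the transport in with requestFactory.initialize(eventBus, new AuthAwareRequestTransport(token, hook)) and register MyRequestFactoryServlet in web.xml in place of RequestFactoryServlet.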



Re: how to secure RequestFactory in GWT 2.2

2011-03-03 Thread KaffeineComa
Kathiravan,

I believe that a large part of the discussion in that FAQ has to do with 
implementing remember me functionality, whereby you persist the session 
information (or some hash thereof) in a cookie. I'm not using that 
functionality, and so I'm simply relying on the session management provided 
by regular old servlets.

I'm assuming you're asking how do I get the User object in the session (so 
RequestFactoryServlet can later find it) in the first place?  The answer to 
that is that I have a login page that uses normal GWT RPC to validate the 
login (well, I'm using OpenID, which is quite a bit more complicated than 
that, but the upshot is the same): in the ServiceImpl for my GWT RPC, I do 
the following:

// in the GWT RPC ServiceImpl, once the credentials have been checked:
User user = validateLoginCredentials(...);
req.getSession().setAttribute(LOGGED_IN_USER, user);

Then I can retrieve the User object from the HttpSession in 
MyRequestFactoryServlet.  

Does that make sense? 





Re: how to secure RequestFactory in GWT 2.2

2011-03-03 Thread Kathiravan Tamilvanan
JN,
 I am summarizing below what I understood from the discussion.

   1. User logs in to the Application - The session id is created on the 
   server side and sent back to the client.
   2. For every request from the client, the client sends the session id as 
   part of the request. ( can't be cookies as per the LoginSecurityFAQ )
   3. The overwritten RequestTransport sets the session id in the HTTP 
   Header ( this is happening on the client side. Is this right?)
   4. The overwritten RequestFactoryServlet gets this session id from the 
   HTTP header and validates the user state using the session id ( this is 
   happening on the server side )
   5. If the validation fails RequestFactoryServlet sends an Exception, 
   which is again handled by the overwritten RequestTransport (the client 
   handling part as per Thomas's suggestion ) 

Is the above understanding correct?

I'm confused by Payload and HttpHeader; are they the same?

Kathir.




Re: how to secure RequestFactory in GWT 2.2

2011-03-03 Thread Kathiravan Tamilvanan
Oops... we both were posting at the same time. I don't think I understand the 
PayLoad concept properly. Is setting information on the Session with 
setAttribute termed as PayLoad? 

If that's the case, your explanation makes total sense to me. 

Can you also look at my response to JN's post?

I may be asking the same thing again and again. Things are a little over my 
head now :-(

Kathiravan.




Re: how to secure RequestFactory in GWT 2.2

2011-03-03 Thread JN
Just do an instanceof HttpServletRequest check and then cast it. It should 
always be an HttpServletRequest because your GWT app talks to an HttpServlet. 
If the instanceof check fails, well then just deny the request and send back 
an HTTP error.




Re: how to secure RequestFactory in GWT 2.2

2011-03-02 Thread Kathiravan Tamilvanan
I am also looking for some recommendation for this.

I have read this link 
http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ and 
also wanted to implement the security with RequestFactory. But as the 
article suggests, the session id should be sent on the payload of the 
request instead of the cookie approach.

The following questions come to my mind

1. Do we need to send the session id on each method on the RequestContext? 
If so how do we validate this on the Server side?

2. Does a servlet filter help in validating the session before every request? 
I am not really sure how to get the RequestContext session id parameter from 
the servlet filter. Is it even right thinking?




Re: how to secure RequestFactory in GWT 2.2

2011-03-02 Thread Jeff Schwartz
On Wed, Mar 2, 2011 at 1:48 PM, Kathiravan Tamilvanan kat...@gmail.com wrote:

 I am also looking for some recommendation for this.

 I have read this link
 http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ 
 and
 also wanted to implement the security with RequestFactory. But as the
 article suggests, the session id should be sent on the payload of the
 request instead of the cookie approach.

 The following questions come to my mind

 1. Do we need to send the session id on each method on the RequestContext?
 If so how do we validate this on the Server side?


IMO if a GET exposes sensitive data to the client then I would say it
should. Also, if a request is a POST then I would say it should. For
everything else it would depend on the nature of the application and the
data. For instance, does the application fall under the guidelines of an
industry's governance board like many financial applications, and
specifically those related to banking and the credit card industries?

You can validate the session id by comparing it to the Session object's
session id as follows (shown in the context of a RemoteServiceServlet):

// clientSid is the session id the client sent in the request payload
HttpSession session = getThreadLocalRequest().getSession(true);
String sid = session.getId();
if (!clientSid.equals(sid)) {
    throw new MyInvalidSessionException();
}

MyInvalidSessionException is a custom exception class derived from Throwable
and can be caught in the onFailure methods of each RPC call.


 2. Does a servlet filter help in validating the session before every request?
 I am not really sure how to get the RequestContext session id parameter from
 the servlet filter. Is it even right thinking?


Yes if you were to use the session id in the request header which isn't a
good idea and no if you are using RPC because the filter will be called
prior to the serialization of your payload forcing you to resort to bit
twiddling with the request headers to get at it.





-- 
*Jeff Schwartz*
http://jefftschwartz.appspot.com/
http://www.linkedin.com/in/jefftschwartz
follow me on twitter: @jefftschwartz




Re: how to secure RequestFactory in GWT 2.2

2011-03-02 Thread Kathiravan Tamilvanan
Jeff,
 Do you have any idea how to do session validation with the RequestFactory 
approach?

 I am using RequestFactory with a ServiceLocator to locate my Spring 
service layer. I would like to validate the session, when a request is made 
through the RequestFactory, before invoking the Spring service layer. Do you 
have any recommendation on this?

Thanks,
Kathir
