Re: RequestFactoryServlet and security : passing sessionId back and forth
Thx for the pointer. The Expenses/GAE example overwrites createCallback() to deal with Response.SC_UNAUTHORIZED responses. I guess I will have to overwrite *configureRequestBuilder(RequestBuilder builder)* and add the SESSIONID in the header of each request.

    @Override
    protected void configureRequestBuilder(RequestBuilder builder) {
        // Attach the session id as a header on every RequestFactory call;
        // CONSTANT_SESSION_ID is the header name, getCurrentUserSessionId() the value
        builder.setHeader(CONSTANT_SESSION_ID, getCurrentUserSessionId());
        super.configureRequestBuilder(builder);
    }

Koen

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-web-toolkit/-/PmeSgruN0Z4J.
To post to this group, send email to google-web-toolkit@googlegroups.com.
To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
Re: RequestFactoryServlet and security : passing sessionId back and forth
On Tuesday, September 27, 2011 5:28:21 PM UTC+2, koma wrote:
> Hi
>
> As so many others before me, I went through the *LoginSecurityFAQ* and have been reading about *passing the SESSIONID from the client to the server in the payload for each and every request*. The message is that we cannot trust the HttpSession server side because of potential CSRF attacks.
>
> Question :
>
> - Do I have to *add an additional parameter SESSIONID to each and every service call* that I am launching from GWT to the server ?

No

> - Or perhaps I can attach the *SESSIONID as request attribute*, so my service interfaces stay clean of this extra parameter ?

Yes

> - I also noticed that in earlier versions of RfServlet there was a *init parameter UserInfo* but this seems to have *disappeared*. I never used it but I suspect this is some mechanism to address the above issues ? Is there some replacement mechanism ?

Use a custom RequestTransport on the client-side, and a servlet filter on the server-side. Have a look at the Expenses sample from the GWT SDK, which does this for AppEngine authentication.
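The server half of the advice above (a servlet filter in front of RequestFactoryServlet), paired with the client half from the reply earlier in the thread (setting a header in configureRequestBuilder). This is an added example, not code from GWT or from the Expenses sample. It assumes a header name X-Session-Token, a session attribute SessionTokenFilter.token and a helper tokenFor() that the login code calls; all three are this example's own names. It also swaps in a per-session random token instead of echoing the servlet container's session id itself, so the value the script sends is not the same value the session cookie carries.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Example filter (not part of GWT or the Expenses sample) mapped in front of
 * RequestFactoryServlet. A request passes only when a custom header carries the
 * token issued to this session at login. A cross-site page can forge neither the
 * header (HTML forms cannot set headers, and a cross-origin XHR with a custom
 * header is blocked by the browser unless the server opts in via CORS) nor the
 * token (it is never sent as a cookie, so only same-origin script can read it).
 */
public class SessionTokenFilter implements Filter {

    /** Header the GWT client sets in configureRequestBuilder(); the name is this example's own. */
    public static final String TOKEN_HEADER = "X-Session-Token";

    /** Session attribute holding the issued token; the name is this example's own. */
    public static final String TOKEN_ATTR = "SessionTokenFilter.token";

    private static final SecureRandom RANDOM = new SecureRandom();

    /**
     * Returns the token for a session, issuing one on first use. The login code
     * calls this and hands the value to the GWT client (for example via a
     * Dictionary in the host page), never as a cookie.
     */
    public static String tokenFor(HttpSession session) {
        synchronized (session) {
            String token = (String) session.getAttribute(TOKEN_ATTR);
            if (token == null) {
                token = randomHex(32);
                session.setAttribute(TOKEN_ATTR, token);
            }
            return token;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The session cookie alone says nothing about who initiated the request:
        // the browser attaches it to cross-site requests as well.
        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
        if (expected == null) {
            // Not logged in: the client's createCallback() can react to a 401 (see the thread).
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        String presented = request.getHeader(TOKEN_HEADER);
        if (presented == null || !constantTimeEquals(expected, presented)) {
            // Logged-in session but no valid token: treat as a forged cross-site request.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        chain.doFilter(req, res);
    }

    /** Timing-safe comparison for equal-length values (MessageDigest.isEqual), so a mismatch does not leak its position. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    /** Hex-encodes byteCount bytes from SecureRandom. */
    private static String randomHex(int byteCount) {
        byte[] bytes = new byte[byteCount];
        RANDOM.nextBytes(bytes);
        StringBuilder sb = new StringBuilder(byteCount * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }
}
```

Map the filter in web.xml to the same URL pattern as the RequestFactory servlet (for example /gwtRequest, the path DefaultRequestTransport uses by default), and have the client's configureRequestBuilder() override call builder.setHeader("X-Session-Token", token) with the value the host page received from tokenFor(). The server-side service methods then stay free of any extra session parameter, which is what the first two answers above amount to.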
RequestFactoryServlet and security : passing sessionId back and forth
Hi

As so many others before me, I went through the *LoginSecurityFAQ* and have been reading about *passing the SESSIONID from the client to the server in the payload for each and every request*. The message is that we cannot trust the HttpSession server side because of potential CSRF attacks.

Question :

- Do I have to *add an additional parameter SESSIONID to each and every service call* that I am launching from GWT to the server ?
- Or perhaps I can attach the *SESSIONID as request attribute*, so my service interfaces stay clean of this extra parameter ?
- I also noticed that in earlier versions of RfServlet there was a *init parameter UserInfo* but this seems to have *disappeared*. I never used it but I suspect this is some mechanism to address the above issues ? Is there some replacement mechanism ?

Old implementation (part of doPost) of RequestFactoryServlet :

    // Check that user is logged in before proceeding
    UserInformation userInfo = UserInformation.getCurrentUserInformation(request.getHeader("pageurl"));
    if (!userInfo.isUserLoggedIn()) {
        // Not logged in: tell the client where to log in and refuse the request
        response.setHeader("login", userInfo.getLoginUrl());
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    } else {
        // Logged in: echo the user id and dispatch the JSON request payload
        response.setHeader("userId", String.format("%s", userInfo.getId()));
        response.setStatus(HttpServletResponse.SC_OK);
        RequestProcessor requestProcessor = new JsonRequestProcessor();
        requestProcessor.setOperationRegistry(new ReflectionBasedOperationRegistry(
                new DefaultSecurityProvider()));
        requestProcessor.setExceptionHandler(exceptionHandler);
        response.setContentType(RequestFactory.JSON_CONTENT_TYPE_UTF8);
        writer.print(requestProcessor.decodeAndInvokeRequest(jsonRequestString));
        writer.flush();
    }

Thx
Koen