Wednesday, September 28, 2011

Re: XSRF protection

RequestFactory does not provide built-in XSRF protection. You can set a custom header in DefaultRequestTransport as previously suggested by Thomas Broyer:


As for the session mechanism in XsrfProtectedServiceServlet, not all apps use HttpSessions. That would be a sensible default, though.

Cheers,
/dmc

On Tue, Sep 27, 2011 at 9:44 PM, Vampire <Bjoern@kautler.net> wrote:
Hi

Does RequestFactory have XSRF protection included?
For RPC Requests I see the XsrfProtectedServiceServlet.
But I don't see an XsrfProtectedRequestFactoryServlet or similar.
While the documentation states that RequestFactory is better and newer
and should be used.
Does this mean it has XSRF protection included, or would one have to
rebuild what XsrfProtectedServiceServlet does for the
RequestFactoryServlet?

And why does the XsrfProtectedServiceServlet need the session cookie
name injected?
Why doesn't it simply use HttpServletRequest.getSession().getId()
which wouldn't need any manual configuration?

Regards

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to google-web-toolkit@googlegroups.com.
To unsubscribe from this group, send email to google-web-toolkit+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.




--
David Chandler
Developer Programs Engineer, GWT+GAE
w: http://code.google.com/
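
An added example (not part of the thread and not GWT's own code) of the custom-header approach mentioned in the reply: a `DefaultRequestTransport` subclass that sends a token header on every RequestFactory call, and a servlet filter that rejects requests without a matching token. The class names, the `X-XSRF-Token` header, the `XSRF-TOKEN` cookie, and a server that issues that cookie as a random per-login value readable by script are all assumptions; the comparison of header against cookie is a double-submit check chosen for this sketch.

```java
// Added example. In a GWT project the first class belongs in a client package and
// the second in a server package. Header, cookie and class names are assumptions.
import com.google.gwt.http.client.RequestBuilder;
import com.google.gwt.user.client.Cookies;
import com.google.web.bindery.requestfactory.gwt.client.DefaultRequestTransport;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.*;
import javax.servlet.http.*;

/** Client: copy the token cookie into a custom header on every RequestFactory call. */
// Wire it in with: requestFactory.initialize(eventBus, new XsrfRequestTransport());
class XsrfRequestTransport extends DefaultRequestTransport {
  @Override
  protected void configureRequestBuilder(RequestBuilder builder) {
    super.configureRequestBuilder(builder);
    String token = Cookies.getCookie("XSRF-TOKEN");
    if (token != null) {
      builder.setHeader("X-XSRF-Token", token);
    }
  }
}

/** Server: map this filter in front of RequestFactoryServlet. */
class XsrfHeaderFilter implements Filter {
  public void init(FilterConfig config) {}
  public void destroy() {}

  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    String header = request.getHeader("X-XSRF-Token");
    String cookie = null;
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
      for (Cookie c : cookies) {
        if ("XSRF-TOKEN".equals(c.getName())) cookie = c.getValue();
      }
    }
    // Reject when either value is missing or they differ (constant-time compare).
    if (header == null || cookie == null || !MessageDigest.isEqual(
        header.getBytes(StandardCharsets.UTF_8), cookie.getBytes(StandardCharsets.UTF_8))) {
      ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN, "XSRF check failed");
      return;
    }
    chain.doFilter(req, res);
  }
}
```

A cross-site form post carries the cookie automatically but cannot set the custom header, so the filter returns 403 for it; this check does not depend on an `HttpSession` being present.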
