Tuesday, September 27, 2011

RequestFactoryServlet and security: passing the sessionId back and forth

Hi

As so many others before me, I went through the LoginSecurityFAQ and have been reading about passing the SESSIONID from the client to the server in the payload for each and every request. The message is that we cannot trust the HttpSession on the server side because of potential CSRF attacks.

Questions:

  • Do I have to add an additional SESSIONID parameter to each and every service call that I am launching from GWT to the server?
  • Or perhaps I can attach the SESSIONID as a request attribute, so my service interfaces stay clean of this extra parameter?
  • I also noticed that in earlier versions of RfServlet there was an init parameter UserInfo, but this seems to have disappeared. I never used it, but I suspect this was some mechanism to address the above issues? Is there some replacement mechanism?

Old implementation (part of doPost) of RequestFactoryServlet:

        // Check that user is logged in before proceeding.
        // (writer and jsonRequestString are set up earlier in doPost.)
        UserInformation userInfo = UserInformation.getCurrentUserInformation(request.getHeader("pageurl"));
        if (!userInfo.isUserLoggedIn()) {
          // Tell the client where to log in, then refuse the request
          response.setHeader("login", userInfo.getLoginUrl());
          response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } else {
          // Expose the authenticated user id to the client as a response header
          response.setHeader("userId", String.format("%s", userInfo.getId()));
          response.setStatus(HttpServletResponse.SC_OK);
          RequestProcessor<String> requestProcessor = new JsonRequestProcessor();
          requestProcessor.setOperationRegistry(new ReflectionBasedOperationRegistry(
              new DefaultSecurityProvider()));
          requestProcessor.setExceptionHandler(exceptionHandler);
          response.setContentType(RequestFactory.JSON_CONTENT_TYPE_UTF8);
          // Decode the JSON payload, invoke the requested operations, write the result
          writer.print(requestProcessor.decodeAndInvokeRequest(jsonRequestString));
          writer.flush();
        }


Thx 

Koen

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-web-toolkit/-/WDA1sfVapK4J.
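The technique the post refers to, carried through as an added example (this is not code from the post, from GWT, or from the LoginSecurityFAQ). The idea is the double-submit check: the browser sends the session cookie with every request, including a forged cross-site one, but a page on another origin cannot read that cookie, so a request that also repeats the cookie value in a custom header must have come from the application's own client code. Doing the comparison in a servlet filter in front of RequestFactoryServlet keeps the service interfaces clean, which is the second question above; service methods that need the caller can still reach the request through RequestFactoryServlet.getThreadLocalRequest(). The filter class, transport class, header name X-GWT-Session and the JSESSIONID cookie name are assumptions for this example; the two classes are separate files, one in the server package and one in the client package.

```java
// ---- File 1: server side (hypothetical class, assumed header/cookie names) ----
package example.server;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Map this filter in web.xml to the same URL pattern as RequestFactoryServlet.
public class SessionTokenFilter implements Filter {
    public static final String HEADER = "X-GWT-Session"; // assumed header name
    public static final String COOKIE = "JSESSIONID";    // container default; adjust if renamed

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String fromCookie = cookieValue(request, COOKIE);
        String fromHeader = request.getHeader(HEADER);

        // A cross-site forgery carries the cookie automatically but cannot
        // read it to copy it into a custom header, so a mismatch means CSRF
        // (or a client that never logged in). Reject before RequestFactory runs.
        if (fromCookie == null || fromHeader == null
                || !constantTimeEquals(fromCookie, fromHeader)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "session token mismatch");
            return;
        }
        chain.doFilter(req, res);
    }

    private static String cookieValue(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return c.getValue();
        }
        return null;
    }

    // Compare without leaking, via timing, where the two values diverge.
    private static boolean constantTimeEquals(String a, String b) {
        if (a.length() != b.length()) return false;
        int diff = 0;
        for (int i = 0; i < a.length(); i++) diff |= a.charAt(i) ^ b.charAt(i);
        return diff == 0;
    }
}

// ---- File 2: client side (hypothetical subclass of GWT's DefaultRequestTransport) ----
package example.client;

import com.google.gwt.http.client.RequestBuilder;
import com.google.gwt.user.client.Cookies;
import com.google.web.bindery.requestfactory.gwt.client.DefaultRequestTransport;

// Copies the session cookie into the header on every RequestFactory call,
// so no service method needs an extra SESSIONID parameter.
public class SessionTokenTransport extends DefaultRequestTransport {
    @Override
    protected void configureRequestBuilder(RequestBuilder builder) {
        super.configureRequestBuilder(builder);
        String sid = Cookies.getCookie("JSESSIONID"); // assumed cookie name
        if (sid != null) {
            builder.setHeader("X-GWT-Session", sid);   // assumed header name
        }
    }
}

// Wiring on the client, where the RequestFactory is created:
//   requestFactory.initialize(eventBus, new SessionTokenTransport());
```

Two caveats a practitioner should weigh. First, Cookies.getCookie can only read the session cookie if it is not marked HttpOnly, so this variant trades away HttpOnly protection for the CSRF check; if the container sets HttpOnly, issue a separate random token, store it in the HttpSession, write it into the host page, and have the filter compare the header against the session attribute instead of the cookie. Second, the filter only proves the request came from the application's own script; it does not replace the login check, so the servlet must still verify that the session actually belongs to an authenticated user.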
