Saturday, November 3, 2012

Re: Security considerations for GWT applications

Hi, 

there is actually one more aspect: prevent correctly logged-in users (as others pointed out before: login on the server with a server session is required) from manipulating more data than you want them to. Using Tamper Data and consorts, you can see what goes back and forth via GWT-RPC. Consequently, your interfaces should be sufficiently slim to keep users from reverse-engineering and manipulating them.

So you end up with a bunch of things to make information sufficiently confidential (login, etc.), ensure sufficient integrity (slim interfaces), and infrastructure concerns to ensure availability.

Good luck
   Sebastian

On Wednesday, October 24, 2012 11:41:06 AM UTC+2, Flying-w wrote:
I am investigating security considerations around the user login for a GWT application in respect of the following strategy:
  • User enters their id and password in a dialogue;
  • Client transmits the login request with the above details to the server using RPC;
  • Server returns a token unique to the client.  The client stores this in a cookie such that if they press F5 to reload the application, or navigate away and come back, they do not need to login again (within a timeout period);
  • On every request the client sends to the server, the token is included in the payload of the request to authenticate the request;
There are some obvious flaws in this approach:
  • The "Eve" type hacker listening on the network can intercept the plain text userid and password and reuse them directly in their client;
  • If someone gains physical access to the original user's computer, can they lift the server token from the cookie and use the token on their computer to impersonate the original user?
What are the solutions to these security exposures:
  • Use SSL.  Any good guides about doing this with GWT?  Does SSL also defeat the "Mallory" attacker that can also modify network data?
  • Any non-SSL solutions?
Perhaps there's a guide about this out there somewhere, but all I can find so far is information relating to JavaScript security.

Thanks
Simon.

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-web-toolkit/-/wgowLKX_zdoJ.
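As an added example (not code from this thread or from GWT itself), here is a server side for the login flow Simon describes that addresses both concerns raised above: the servlet container's session cookie replaces the hand-rolled token in the RPC payload, and every RPC method takes the caller's identity from that session and checks ownership, so an RPC parameter altered with Tamper Data cannot reach another user's records. AccountService, AccountDao and Account are hypothetical names; a Servlet 3.0 container is assumed.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

// Hypothetical GWT-RPC service: AccountService is the assumed RemoteService interface.
public class AccountServiceImpl extends RemoteServiceServlet implements AccountService {
    private final AccountDao dao = new AccountDao(); // hypothetical data access object

    // Login over GWT-RPC. Credentials are verified server-side; on success the
    // old session is discarded so a session id planted before login is useless,
    // and the user id is bound to the new server-side session, not to a token
    // the client has to carry in each RPC payload.
    public boolean login(String userId, String password) {
        HttpServletRequest req = getThreadLocalRequest();
        if (!dao.checkPassword(userId, password)) {   // hypothetical; returns false on mismatch
            return false;
        }
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        fresh.setMaxInactiveInterval(15 * 60);         // the "timeout period" from the question
        fresh.setAttribute("userId", userId);
        return true;
    }

    // Every data method: the record id comes from the client, the identity
    // comes from the session, and the two are checked against each other.
    public Account getAccount(long accountId) {
        String userId = currentUser();
        Account acct = dao.findById(accountId);        // hypothetical lookup, null if absent
        if (acct == null || !acct.getOwnerId().equals(userId)) {
            // Same failure for "missing" and "not yours", so tampered ids
            // cannot be used to enumerate which records exist.
            throw new IllegalArgumentException("no such account");
        }
        return acct;
    }

    // Resolves the caller from the container session; never trusts RPC arguments for identity.
    private String currentUser() {
        HttpSession s = getThreadLocalRequest().getSession(false);
        Object uid = (s == null) ? null : s.getAttribute("userId");
        if (uid == null) {
            throw new IllegalStateException("not logged in");
        }
        return (String) uid;
    }
}
```

With the identity kept in the container session, the cookie itself should be marked HttpOnly and Secure (in Servlet 3.0 via the `<cookie-config>` element of web.xml) and the whole application served over SSL, which is what stops the "Eve" and "Mallory" cases from the original question.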
