Thursday, June 25, 2015

Re: Gwt with Rest Architecture problem

Hi

Vassilis is right. You can configure the CORS filter so that it only allows requests from whitelisted domains instead of all (by using the wildcard *).

This filter allows such config: http://software.dzhuvinov.com/cors-filter-configuration.html

You can just set the cors.allowOrigin parameter in web.xml to a list of your client-side domains. Remember that CORS applies only in browsers. If you make requests from code, say Java (using HttpURLConnection), they are not needed. So your concern about security is invalid. If somebody wants to make requests to your REST service, he will be able to do that from any place.

One side note. If you test your service, make sure to use something different than 'localhost' in the URL to the REST service (IP and proper host name should work). At least Chrome has issues with that when making CORS requests: http://stackoverflow.com/questions/10883211/deadly-cors-when-http-localhost-is-the-origin

Greg

On Tuesday, June 23, 2015 at 2:45:44 PM UTC+2, Vassilis Virvilis wrote:
About CORS:
You don't need to add anything to your REST headers. Tomcat can handle it for you, assuming that the URL of the GWT application is known to the Tomcat serving the REST backend. See https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter

    Vassilis

On Tue, Jun 23, 2015 at 2:55 PM, Jens <jens.ne...@gmail.com> wrote:
It's because of the same origin policy enforced by browsers and not because of cross site scripting (which is an attack).

If you don't want to make your REST service JSONP compatible and you don't want to use CORS headers then you must make sure that your GWT app can access the REST service through the same domain/origin that the GWT app is served from. Usually you can do that by configuring a reverse proxy on http://gwt-domain.com that redirects your GWT server requests from http://gwt-domain.com/api/* to http://rest-backend.com/* or similar.

Such a proxy also gives you the freedom to move your backend to other locations without updating the GWT app itself. We use NGINX as such a proxy.

The only other alternative is that the GWT app makes requests to a servlet running on the host that serves the GWT app and that servlet then makes a request to the REST backend. So that servlet then also acts as a proxy. For example you could install such a servlet on http://gwt-domain.com/api/*

-- J.

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To post to this group, send email to google-we...@googlegroups.com.
Visit this group at http://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.



--
Vassilis Virvilis
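
The allow-list setup Greg describes, as an added example that is not part of the original thread: a web.xml fragment for the CORS Filter he links to (filter class com.thetransactioncompany.cors.CORSFilter). The origin http://gwt-domain.com is Jens's placeholder; the /api/* mapping, the method list and the credentials setting are assumptions.

```xml
<!-- Added example, not from the thread. Goes inside <web-app> of the REST backend. -->
<filter>
  <filter-name>CORS</filter-name>
  <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>

  <!-- Weak setting, shown commented out: the wildcard lets a page served
       from any origin read the responses of this service in a browser.
  <init-param>
    <param-name>cors.allowOrigin</param-name>
    <param-value>*</param-value>
  </init-param>
  -->

  <!-- Corrected setting: whitespace-separated allow-list of client origins.
       Each entry is scheme://host[:port] and must match the browser's
       Origin header exactly. Placeholder origin taken from the thread. -->
  <init-param>
    <param-name>cors.allowOrigin</param-name>
    <param-value>http://gwt-domain.com</param-value>
  </init-param>

  <!-- Assumed method list; trim it to what the REST API actually exposes. -->
  <init-param>
    <param-name>cors.supportedMethods</param-name>
    <param-value>GET, POST, PUT, DELETE, OPTIONS</param-value>
  </init-param>

  <!-- Assumption: the GWT client sends no cookies or HTTP auth cross-origin. -->
  <init-param>
    <param-name>cors.supportsCredentials</param-name>
    <param-value>false</param-value>
  </init-param>
</filter>

<!-- Assumed URL pattern for the REST endpoints. -->
<filter-mapping>
  <filter-name>CORS</filter-name>
  <url-pattern>/api/*</url-pattern>
</filter-mapping>
```

This only controls which browser origins may read responses; as noted in the thread, non-browser clients are unaffected, so the service still needs its own authentication.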
