Sunday, November 5, 2017

Re: GWT csrf protection

We are currently using it in production. The code hasn't changed since at least 2.6.0 (and probably earlier).
The only problems we currently have are that sometimes the client doesn't fetch a new token on start or that the client has to refresh the browser after the session expired.

On Tuesday, 31 October 2017 13:36:16 UTC+1, Rencia Cloete wrote:
Gwt Documentation as well as GWT IN action recommend extending XsrfProtectedService on client side and XsrfProtectedServiceServlet on server side....

But both thse methods are still marked as "EXPERIMENTAL and subject to change. Do not use this in production code. "

What gives? is this a leftover - or are they now safe to use in production?

Thanks for your help in advance!

You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To post to this group, send email to
Visit this group at
For more options, visit

No comments:

Post a Comment