Friday, October 20, 2023

Re: GWT: Deserialize objects sent/received via websocket

Dear Colin,

Thanks for the quick response. I did observe the authentication approach via Burp Suite, which allows me to investigate each HTTP / websocket request / response. From this perspective, I can see that upon submitting my credentials to the webapp, there is only one HTTP POST request from the client side, which only includes the username. After this initial POST request, all the communication goes over websocket with binary blobs being exchanged. Hence, it is not easy for me to identify which GWT library class is in use.

Is there any way to get this information? (I.e., I could provide the URL of the endpoint I am talking to.)

Best,
André

Colin Alworth wrote on Friday, October 20, 2023 at 14:55:53 UTC+2:
While GWT offers websocket support, the only support is "now you can send messages on a websocket" - no serialization is offered, beyond what the browser itself provides (allowing sending a utf8 string, arraybuffers, blobs, typedarrays, or arrayviews). How are you verifying messages sent/received? If you are observing some 3-4 websocket frame handshake messages on the websocket, that is probably some other GWT library in use - which WebSocket class are you using?

I maintain (and use in production) an rpc-over-websocket implementation, but it does not explicitly support authentication. Instead usually the first message authenticates with the server, or HTTP headers are used to authenticate (potentially using existing cookies) before the websocket is even initiated. So at least we can probably rule out that implementation.

See https://developer.mozilla.org/en-US/docs/Web/API/WebSocket for more information on what the browser's own WebSocket type offers.

On Friday, October 20, 2023 at 7:31:03 AM UTC-5 an.s...@gmail.com wrote:

Hi,

I am very new to GWT and have questions about the basic principles of how GWT via websockets works.

I would like to analyze the authentication function of a given GWT web application. When authenticating with my credentials, I could identify that my credentials are sent via websocket in the form of a binary blob. This most certainly is a serialized GWT object. The authentication seems to follow a protocol that involves 3-4 messages exchanged with the server side.

Hence, I strive to understand how the client-side transforms my textual credentials (username / password) into this binary blob. Subsequently, I would like to understand how I can deserialize messages coming from the server in order to get a better idea of the messages exchanged and hence the protocol.

Thanks,

André

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-web-toolkit/7c52c6bd-afae-48e3-8ac9-546ae1dd9c47n%40googlegroups.com.