Friday, February 7, 2025

Re: Set -Dgwt.enhancedClasses.enabled=true property when compile

I don't want to sound snarky, but did you read the linked issue and discussion there?

In short, you have a few options:
 * Enable the flag, and ship a known security bug, allowing attackers to potentially run untrusted code in your server,
 * Leave the flag disabled and split your DTOs from your entities, so that the security issue can't happen, or
 * Contribute (through time or funding someone else's time) one of the proposed fixes, so that the feature can be safely reenabled.

This has been discussed a few times, and at this time (just over a year since we first shipped that flag) it doesn't appear that anyone has been interested in actually fixing it, suggesting to me that either most projects are content with allowing users to run arbitrary code on their server (...unlikely), or that the use of JPA annotations on DTOs was actually not necessary for their project and removing the annotations was an easy solution.

Fixing the bug in GWT itself fixes it once for everyone, but that requires development, review, testing time, and so far no one is interested.

On Friday, February 7, 2025 at 5:53:27 AM UTC-6 mmac...@odilo.us wrote:
Hi all,

Recently in our company we have migrated from GWT 2.9.0 to GWT 2.12.1. In this migration, we have an issue with the RPC, because we have DTOs with JPA annotations.

I get this message:

ERROR: Service deserializes enhanced JPA/JDO classes, which is unsafe. Review build logs to see which classes are affected, or set gwt.enhancedClasses.enabled to true to allow using this service. See https://github.com/gwtproject/gwt/issues/9709 for more detail.

What is the best way to handle this? I'm using the following plugin config to compile GWT:

    <plugin>
      <groupId>net.ltgt.gwt.maven</groupId>
      <artifactId>gwt-maven-plugin</artifactId>
      <version>1.1.0</version>
      <extensions>true</extensions>
      <configuration>
        <moduleName>com.odilotid.odilotk.Opac</moduleName>
        <sourceLevel>${gwt.sourceLevel}</sourceLevel>
        <skip>${compile.gwt.skip}</skip>
        <style>OBF</style>
        <workDir>${project.build.directory}/gwt/temp</workDir>
        <deploy>${project.build.directory}/WEB-INF/deploy</deploy>
        <draftCompile>false</draftCompile>
        <webappDirectory>/${webappDirectory}</webappDirectory>
        <logLevel>WARN</logLevel>
      </configuration>
      <executions>
        <execution>
          <id>gwt-compile</id>
          <goals>
            <goal>compile</goal>
          </goals>
        </execution>
      </executions>
    </plugin>

Thanks

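The second option in the reply above (leave the flag off and keep JPA annotations off the classes that cross GWT RPC) sketched as added example code; it is not from the thread or from GWT itself. It assumes JPA 3 (jakarta.persistence), a hypothetical Book entity, and a hypothetical BookService RPC interface.

```java
// File: shared/BookDto.java -- lives in the GWT client source path.
// No JPA imports or annotations here, so the class is never bytecode-enhanced
// and the RPC generator does not raise the "enhanced JPA/JDO classes" error.
package example.shared;

import java.io.Serializable;

public class BookDto implements Serializable {
    private Long id;
    private String title;

    public BookDto() { }                       // GWT RPC requires a no-arg constructor
    public BookDto(Long id, String title) { this.id = id; this.title = title; }

    public Long getId() { return id; }
    public String getTitle() { return title; }
}

// File: server/BookEntity.java -- server only, keeps its JPA annotations,
// and is never referenced from an RPC interface.
package example.server;

import jakarta.persistence.Entity;
import jakarta.persistence.Id;

@Entity
public class BookEntity {
    @Id private Long id;
    private String title;

    public Long getId() { return id; }
    public String getTitle() { return title; }
    public void setTitle(String title) { this.title = title; }
}

// File: server/BookServiceImpl.java -- the servlet converts at the boundary,
// so only plain DTOs are (de)serialized by GWT RPC. BookService and the
// EntityManager field are assumed.
package example.server;

import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import example.shared.BookDto;
import jakarta.persistence.EntityManager;

public class BookServiceImpl extends RemoteServiceServlet implements BookService {
    private EntityManager em;                  // injected or looked up; assumption

    @Override
    public BookDto getBook(Long id) {
        BookEntity e = em.find(BookEntity.class, id);
        return e == null ? null : new BookDto(e.getId(), e.getTitle());
    }
}
```

A search of the module's client source path for `jakarta.persistence` or `javax.persistence` imports is a quick check that nothing JPA-annotated still reaches an RPC interface.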
