Discussion:
GWT csrf protection
Rencia Cloete
2017-10-31 11:48:40 UTC
Permalink
Gwt Documentation
http://www.gwtproject.org/doc/latest/DevGuideSecurityRpcXsrf.html as well
as GWT IN action
https://manning-content.s3.amazonaws.com/download/d/07888ea-bada-44cc-9c55-ead15ea7fe85/GWT_sample-07.pdf
recommend extending XsrfProtectedService on client side and
XsrfProtectedServiceServlet on server side....

But both thse methods are still marked as "EXPERIMENTAL and subject to
change. Do not use this in production code. "

What gives? is this a leftover - or are they now safe to use in production?

Thanks for your help in advance!
--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+***@googlegroups.com.
To post to this group, send email to google-web-***@googlegroups.com.
Visit this group at https://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.
Maarten Daalder (ISAAC Software Solutions)
2017-11-05 19:21:04 UTC
Permalink
We are currently using it in production. The code hasn't changed since at
least 2.6.0 (and probably earlier).
The only problems we currently have are that sometimes the client doesn't
fetch a new token on start or that the client has to refresh the browser
after the session expired.
Post by Rencia Cloete
Gwt Documentation
http://www.gwtproject.org/doc/latest/DevGuideSecurityRpcXsrf.html as well
as GWT IN action
https://manning-content.s3.amazonaws.com/download/d/07888ea-bada-44cc-9c55-ead15ea7fe85/GWT_sample-07.pdf
recommend extending XsrfProtectedService on client side and
XsrfProtectedServiceServlet on server side....
But both thse methods are still marked as "EXPERIMENTAL and subject to
change. Do not use this in production code. "
What gives? is this a leftover - or are they now safe to use in production?
Thanks for your help in advance!
--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+***@googlegroups.com.
To post to this group, send email to google-web-***@googlegroups.com.
Visit this group at https://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.
Maarten Daalder (ISAAC Software Solutions)
2018-06-28 13:50:16 UTC
Permalink
My apologies for the bump. This seems to be the most apt place to put this
information.

Since we're upgrading our server from JBoss EAP 6.4.x to EAP 7.1.x we ran
into an issue with the default XSRF protection of GWT.
Undertow changes Session ID on authentication. To prevent Session Fixation.
Our fix has been to generate a long random string, stick it into the
HttpSession and check that the client sends that blob on each request. We
just overrode the XsrfProtectedService validation and the XsrfTokenService
generation methods.

Even without Undertow this is possible with Servlet API 3.1 servers due to
the addition of HttpServletRequest#changeSessionId() method.

With kind regards,
Maarten Daalder
ISAAC

On Sunday, 5 November 2017 20:21:05 UTC+1, Maarten Daalder (ISAAC Software
Post by Maarten Daalder (ISAAC Software Solutions)
We are currently using it in production. The code hasn't changed since at
least 2.6.0 (and probably earlier).
The only problems we currently have are that sometimes the client doesn't
fetch a new token on start or that the client has to refresh the browser
after the session expired.
Post by Rencia Cloete
Gwt Documentation
http://www.gwtproject.org/doc/latest/DevGuideSecurityRpcXsrf.html as
well as GWT IN action
https://manning-content.s3.amazonaws.com/download/d/07888ea-bada-44cc-9c55-ead15ea7fe85/GWT_sample-07.pdf
recommend extending XsrfProtectedService on client side and
XsrfProtectedServiceServlet on server side....
But both thse methods are still marked as "EXPERIMENTAL and subject to
change. Do not use this in production code. "
What gives? is this a leftover - or are they now safe to use in production?
Thanks for your help in advance!
--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+***@googlegroups.com.
To post to this group, send email to google-web-***@googlegroups.com.
Visit this group at https://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.
Loading...