RequestFactoryServlet and security : passing sessionId back and forth


koma

Sep 27, 2011, 11:28:21 AM
to google-we...@googlegroups.com
Hi

As so many others before me, I went through the LoginSecurityFAQ and have been reading about passing the SESSIONID from the client to the server in the payload for each and every request. The message is that we cannot trust the HttpSession server side because of potential CSRF attacks.

Questions:

  • Do I have to add an additional parameter SESSIONID to each and every service call that I am launching from GWT to the server?
  • Or perhaps I can attach the SESSIONID as a request attribute, so my service interfaces stay clean of this extra parameter?
  • I also noticed that in earlier versions of RfServlet there was an init parameter UserInfo but this seems to have disappeared. I never used it, but I suspect this is some mechanism to address the above issues? Is there some replacement mechanism?

Old implementation (part of doPost) of RequestFactoryServlet:

        // Check that the user is logged in before proceeding. The "pageurl" header
        // comes from the client and is used to build the login URL to send back.
        UserInformation userInfo =
            UserInformation.getCurrentUserInformation(request.getHeader("pageurl"));
        if (!userInfo.isUserLoggedIn()) {
          // Not authenticated: tell the client where to log in and refuse the call
          response.setHeader("login", userInfo.getLoginUrl());
          response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } else {
          // Authenticated: echo the user id and process the RequestFactory payload
          response.setHeader("userId", String.format("%s", userInfo.getId()));
          response.setStatus(HttpServletResponse.SC_OK);
          RequestProcessor<String> requestProcessor = new JsonRequestProcessor();
          requestProcessor.setOperationRegistry(new ReflectionBasedOperationRegistry(
              new DefaultSecurityProvider()));
          requestProcessor.setExceptionHandler(exceptionHandler);
          response.setContentType(RequestFactory.JSON_CONTENT_TYPE_UTF8);
          // jsonRequestString is the request body read earlier in doPost
          writer.print(requestProcessor.decodeAndInvokeRequest(jsonRequestString));
          writer.flush();
        }


Thx 

Koen

Thomas Broyer

Sep 27, 2011, 11:37:45 AM
to google-we...@googlegroups.com


On Tuesday, September 27, 2011 5:28:21 PM UTC+2, koma wrote:
Hi

As so many others before me, I went through the LoginSecurityFAQ and have been reading about passing the SESSIONID from the client to the server in the payload for each and every request. The message is that we cannot trust the HttpSession server side because of potential CSRF attacks.

Questions:

  • Do I have to add an additional parameter SESSIONID to each and every service call that I am launching from GWT to the server?
No 
  • Or perhaps I can attach the SESSIONID as a request attribute, so my service interfaces stay clean of this extra parameter?
Yes 
  • I also noticed that in earlier versions of RfServlet there was an init parameter UserInfo but this seems to have disappeared. I never used it, but I suspect this is some mechanism to address the above issues? Is there some replacement mechanism?

Use a custom RequestTransport on the client-side, and a servlet filter on the server-side. Have a look at the Expenses sample from the GWT SDK, which does this for AppEngine authentication.

koma

Sep 27, 2011, 2:30:18 PM
to google-we...@googlegroups.com

Thx for the pointer. The Expenses/GAE example overrides createCallback() to deal with Response.SC_UNAUTHORIZED responses.

I guess I will have to override configureRequestBuilder(RequestBuilder builder) and add the SESSIONID to the header of each request.

        @Override
        protected void configureRequestBuilder(RequestBuilder builder) {
            // Attach the session id as a custom header on every RequestFactory call
            builder.setHeader(CONSTANT_SESSION_ID, getCurrentUserSessionId());
            super.configureRequestBuilder(builder);
        }

Koen 
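Both halves of the pattern Thomas Broyer points to (a custom RequestTransport on the client, a servlet filter on the server) together with the header approach Koen sketches above, as an added example that is not code from this thread, the GWT SDK or the Expenses sample. The header name X-Session-Id, the script-readable cookie SESSIONID, the package names and the /gwtRequest filter mapping are all assumptions made for the example. The security-relevant part is the filter: a cross-site form post or image request makes the browser attach the session cookie, but cannot set a custom header, so a request whose header does not match the server-side session is rejected before RequestFactoryServlet ever sees it.

```java
// Added example (not from the thread, the GWT SDK or the Expenses sample).
// Two files shown in one block. Assumed names: header X-Session-Id, the
// script-readable cookie SESSIONID set by the application at login, and the
// filter mapping /gwtRequest.

// ---- File 1: client side (GWT) ----
package com.example.client;

import com.google.gwt.http.client.RequestBuilder;
import com.google.gwt.user.client.Cookies;
import com.google.web.bindery.requestfactory.gwt.client.DefaultRequestTransport;

/** Sends the session id as a custom header on every RequestFactory call. */
public class SessionHeaderRequestTransport extends DefaultRequestTransport {
  /** Assumed header name; must match SessionHeaderFilter.SESSION_HEADER. */
  public static final String SESSION_HEADER = "X-Session-Id";
  /** Assumed cookie name. It must NOT be HttpOnly, or script cannot read it. */
  public static final String SESSION_COOKIE = "SESSIONID";

  @Override
  protected void configureRequestBuilder(RequestBuilder builder) {
    super.configureRequestBuilder(builder);
    String sid = Cookies.getCookie(SESSION_COOKIE);
    if (sid != null) {
      // Another origin can make the browser send our cookies, but it cannot
      // add this header to a cross-site request.
      builder.setHeader(SESSION_HEADER, sid);
    }
  }
  // Wiring, e.g. in onModuleLoad():
  //   MyRequestFactory rf = GWT.create(MyRequestFactory.class);
  //   rf.initialize(new SimpleEventBus(), new SessionHeaderRequestTransport());
}

// ---- File 2: server side (filter in front of RequestFactoryServlet) ----
package com.example.server;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Rejects RequestFactory calls whose header does not match the server-side session. */
public class SessionHeaderFilter implements Filter {
  public static final String SESSION_HEADER = "X-Session-Id";
  /** Request attribute for downstream code, so service interfaces need no extra parameter. */
  public static final String VERIFIED_SESSION_ATTR = "com.example.verifiedSessionId";

  @Override public void init(FilterConfig config) {}
  @Override public void destroy() {}

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;

    HttpSession session = request.getSession(false); // never create a session here
    String presented = request.getHeader(SESSION_HEADER);
    if (session == null || presented == null || !sameToken(presented, session.getId())) {
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
      return; // RequestFactoryServlet is never reached
    }
    request.setAttribute(VERIFIED_SESSION_ATTR, session.getId());
    chain.doFilter(req, res);
  }

  /** Constant-time comparison so the id cannot be probed byte by byte. */
  static boolean sameToken(String a, String b) {
    return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                 b.getBytes(StandardCharsets.UTF_8));
  }
}

// web.xml fragment (assumed URL pattern):
//   <filter>
//     <filter-name>sessionHeader</filter-name>
//     <filter-class>com.example.server.SessionHeaderFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>sessionHeader</filter-name>
//     <url-pattern>/gwtRequest</url-pattern>
//   </filter-mapping>
```

Two caveats for anyone copying this. First, the container's own session cookie (JSESSIONID on most servlet containers) is usually HttpOnly, so client script cannot read it; the example therefore assumes the application writes the id into a second, non-HttpOnly cookie at login, as the LoginSecurityFAQ approach implies. Second, exposing the session id to script means any XSS in the application can steal the session outright; a safer variant keeps the same filter structure but stores a random per-session token in the HttpSession at login, hands only that token to script, and has the filter compare the header against the stored token rather than against session.getId(). Either way, the RequestFactory service interfaces stay unchanged, and the service implementation can read the verified value from the request attribute instead of taking it as a parameter.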