RPC Obfuscation
351 views
Skip to first unread message
mmoossen
Apr 22, 2010, 9:47:15 AM4/22/10
to Google Web Toolkit
dear all!
i am preparing for going online, so i started to try out the RPC
obfuscation mechanism:
<inherits name="com.google.gwt.user.RemoteServiceObfuscateTypeNames" /
>
and to my surprise (or not, if you stop to read the module name) only
classnames get obfuscated but not method names (from the service
class).
so, is there any way to obfuscate also the method names?
and more over, there are some few service calls that i would like to
completely obfuscate so it is not so easy to read the transferred
data.
is there any way to tell GWT to obfuscate a whole service call
response?
i started with the idea to obfuscate the serialized response in
RemoteServiceServlet#onAfterResponseSerialized, but how do i implement
the client side counterpart of
RemoteServiceServlet#onBeforeRequestDeserialized??
the other option is to have a service call that returns only an
obfuscated string, but then i would have to do all the serialization/
deserialization for the objects to use by myself which is just
reinventing the wheel, but wait, unless i could explicetely call the
serialization/deserialization methods from gwt... mmm.. interesting...
i will try it now...
but, it would be really great to have such an option out of the box!
thanks for reading
Michael
--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to google-we...@googlegroups.com.
To unsubscribe from this group, send email to google-web-tool...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
i am preparing for going online, so i started to try out the RPC
obfuscation mechanism:
<inherits name="com.google.gwt.user.RemoteServiceObfuscateTypeNames" /
>
and to my surprise (or not, if you stop to read the module name) only
classnames get obfuscated but not method names (from the service
class).
so, is there any way to obfuscate also the method names?
and more over, there are some few service calls that i would like to
completely obfuscate so it is not so easy to read the transferred
data.
is there any way to tell GWT to obfuscate a whole service call
response?
i started with the idea to obfuscate the serialized response in
RemoteServiceServlet#onAfterResponseSerialized, but how do i implement
the client side counterpart of
RemoteServiceServlet#onBeforeRequestDeserialized??
the other option is to have a service call that returns only an
obfuscated string, but then i would have to do all the serialization/
deserialization for the objects to use by myself which is just
reinventing the wheel, but wait, unless i could explicetely call the
serialization/deserialization methods from gwt... mmm.. interesting...
i will try it now...
but, it would be really great to have such an option out of the box!
thanks for reading
Michael
--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to google-we...@googlegroups.com.
To unsubscribe from this group, send email to google-web-tool...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
Tercio
Apr 23, 2010, 2:04:31 PM4/23/10
to Google Web Toolkit
Well, I don't have an answer for your question, but why don't you use
SSL?
I can't trust my data going and coming without been encrypted.
This way you don't need to worry about obfuscation.
Hope can help.
Regards.
Tercio
SSL?
I can't trust my data going and coming without been encrypted.
This way you don't need to worry about obfuscation.
Hope can help.
Regards.
Tercio
nacho
Apr 23, 2010, 6:22:43 PM4/23/10
to Google Web Toolkit
I would like to know too if there anyway to ofuscate the methods
mmoossen
Apr 24, 2010, 4:02:35 AM4/24/10
to Google Web Toolkit
> Well, I don't have an answer for your question, but why don't you
> use SSL?
it is not about security, it is just about hiding a bit the
> use SSL?
implementation details.
base64 encoding would be more than enough for me.
> ..., but wait, unless i could explicetely call the
> serialization/deserialization methods from gwt... mmm.. interesting...
> i will try it now...
to no avail, i would need to call the generated Serializer for the RPC
> i will try it now...
service, and i have no idea how could i achieve that :(
and anyhow it would be better to directly manipulate the payload so
method signature can stay as it is.
> but how do i implement
> the client side counterpart of
> RemoteServiceServlet#onBeforeRequestDeserialized??
the sense of manipulating the serialized payload on the server-side if
there is no way to do it revert your manipulation on the client?
could somebody explain me how these methods are intended to be used??
thanks
Michael
Sripathi Krishnan
Apr 24, 2010, 4:19:31 AM4/24/10
to google-we...@googlegroups.com
GWT has in-built obfuscation of type names in RPC calls, though I am not sure how well tested it is.
Put this line in your module.xml to see it working -
<set-configuration-property name="gwt.elideTypeNamesFromRPC" value="false" />
I haven't tried it out, but going through the code, it seems to be doing the right thing. If you are interested in going through code, search for the following key words - gwt.elideTypeNamesFromRPC, GWT_ELIDE_TYPE_NAMES_FROM_RPC and FLAG_ELIDE_TYPE_NAMES.
--Sri
Put this line in your module.xml to see it working -
<set-configuration-property name="gwt.elideTypeNamesFromRPC" value="false" />
I haven't tried it out, but going through the code, it seems to be doing the right thing. If you are interested in going through code, search for the following key words - gwt.elideTypeNamesFromRPC, GWT_ELIDE_TYPE_NAMES_FROM_RPC and FLAG_ELIDE_TYPE_NAMES.
--Sri
Thomas Broyer
Apr 24, 2010, 5:28:31 AM4/24/10
to Google Web Toolkit
On Apr 24, 10:02 am, mmoossen <mmoos...@gmail.com> wrote:
> > Well, I don't have an answer for your question, but why don't you
> > use SSL?
>
> it is not about security, it is just about hiding a bit the
> implementation details.
> base64 encoding would be more than enough for me.
>
> > ..., but wait, unless i could explicetely call the
> > serialization/deserialization methods from gwt... mmm.. interesting...
> > i will try it now...
>
> to no avail, i would need to call the generated Serializer for the RPC
> service, and i have no idea how could i achieve that :(
> and anyhow it would be better to directly manipulate the payload so
> method signature can stay as it is.
>
> > but how do i implement
> > the client side counterpart of
> > RemoteServiceServlet#onBeforeRequestDeserialized??
>
> is there really no client-side counterpart for this? i mean what is
> the sense of manipulating the serialized payload on the server-side if
> there is no way to do it revert your manipulation on the client?
You can provide your own RpcRequestBuilder and use it to wrap the
> implementation details.
> base64 encoding would be more than enough for me.
>
> > ..., but wait, unless i could explicetely call the
> > serialization/deserialization methods from gwt... mmm.. interesting...
> > i will try it now...
>
> to no avail, i would need to call the generated Serializer for the RPC
> service, and i have no idea how could i achieve that :(
> and anyhow it would be better to directly manipulate the payload so
> method signature can stay as it is.
>
> > but how do i implement
> > the client side counterpart of
> > RemoteServiceServlet#onBeforeRequestDeserialized??
>
> is there really no client-side counterpart for this? i mean what is
> the sense of manipulating the serialized payload on the server-side if
> there is no way to do it revert your manipulation on the client?
RequestCallback so you can manipulate the response.getText() before
delegating to the wrapped RPC callback.
mmoossen
Apr 24, 2010, 2:12:42 PM4/24/10
to Google Web Toolkit
good hint Thomas, i did now about that.
i will try it now.
thanks
Michael
i will try it now.
thanks
Michael
Reply all
Reply to author
Forward
0 new messages