GWT csrf protection EXPERIMENTAL methods


Rencia Cloete

Oct 31, 2017, 8:35:01 AM
to GWT Contributors
Gwt Documentation as well as GWT IN action recommend extending XsrfProtectedService on client side and XsrfProtectedServiceServlet on server side....

But both these methods are still marked as "EXPERIMENTAL and subject to change. Do not use this in production code."

What gives? Is this a leftover, or are they now safe to use in production?

Thanks for your help in advance!

Goktug Gokdogan

Oct 31, 2017, 5:47:28 PM
to google-web-toolkit-contributors
They are not going to change, and plenty of people use it in production, but there is a bigger issue:
GWT-RPC is deprecated and has been in maintenance mode for over 2 years now [1].


--
You received this message because you are subscribed to the Google Groups "GWT Contributors" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit-contributors+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-web-toolkit-contributors/378e7424-394a-4a04-9f18-1d00536b5fee%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jonathan Nieder

Oct 31, 2017, 5:52:26 PM
to google-web-tool...@googlegroups.com
Is there a public announcement equivalent to [1] for external users to read?


Goktug Gokdogan

Oct 31, 2017, 6:11:29 PM
to google-web-toolkit-contributors
Sorry, I lost my context in user groups - I didn't notice this was an external group.

What I sent was just for Google internal usages; please ignore my message.

On Tue, Oct 31, 2017 at 2:52 PM, 'Jonathan Nieder' via GWT Contributors <google-web-tool...@googlegroups.com> wrote:
Is there a public announcement equivalent to [1] for external users to read?

Colin Alworth

Oct 31, 2017, 6:18:50 PM
to GWT Contributors
To answer the original question, no - no changes are planned in the Xsrf variants of generator-based RPC. We should remove those comments. I am aware of no reason to not use the Xsrf variants in production code.

Looking forward, beyond gwt-user.jar, I have the core of RPC working correctly in Annotation Processors (i.e. so that it is compatible with GWT 3). I do not have the equivalent of RemoteService ready yet, but when I get there I will make sure tools are available akin to XsrfProtectedService. However, while migration should be minimal to this updated version, it will not be zero - at the very least a different servlet will be required, and a constructor call instead of GWT.create.

Rencia Cloete

Nov 1, 2017, 4:19:48 AM
to GWT Contributors
Fabulous! Thanks!

Rencia Cloete

Nov 6, 2017, 10:08:32 AM
to google-web-tool...@googlegroups.com
More questions - help please... We have GWT + Spring.
This 'flavour' of GWT is using a PlaceController and tablayoutContainer.

GWT.getModuleBaseURL() = https://localhost:9083/ConsumerMobileAdmin/consumerMobileAdmin/

GWT.getHostPageBaseURL() = https://localhost:9083/ConsumerMobileAdmin/

Sample URLs for different tabs:

https://localhost:9083/ConsumerMobileAdmin/ConsumerMobileAdmin.jsp#

https://localhost:9083/ConsumerMobileAdmin/ConsumerMobileAdmin.jsp#webusers:all

The RPC classes use @RemoteServiceRelativePath ... which is wired together in the consumerMobileAdmin-servlet.xml using

<bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
  <property name="mappings">
    ....

Both of these:

    ((ServiceDefTarget)xsrf).setServiceEntryPoint(GWT.getModuleBaseURL() + "xsrf");
    //((ServiceDefTarget)xsrf).setServiceEntryPoint(GWT.getHostPageBaseURL() + "xsrf");

give me a console error "Failed to load resource: the server responded with a status of 405 (Method not allowed)".
The Tomcat log states:

Invalid CSRF token found for https://localhost:9083/ConsumerMobileAdmin/xsrf (CsrfFilter)

or

Invalid CSRF token found for https://localhost:9083/ConsumerMobileAdmin/consumerMobileAdmin/xsrf (CsrfFilter)

depending on which serviceDefTarget I tried....

Help!

How do I set the serviceDefTarget of the XsrfTokenServiceAsync??




Manfred Tremmel

Nov 6, 2017, 3:36:30 PM
to google-web-tool...@googlegroups.com
On Monday, 6 November 2017, 17:08:27 CET, Rencia Cloete wrote:
> More questions - help please... We have GWT + Spring

Don't you think this is better placed in the gwt-user list?
For myself, I've dropped the idea to combine RPC and Spring when implementing
https://www.tecparts.com in 2014. Using REST with a Spring REST-Controller and
RestyGWT or GWTP-REST-dispatcher is much easier and server side there are no
GWT-dependencies needed. The current stack I use, I've described in the wiki
at https://github.com/ManfredTremmel/gwt-bean-validators-example/wiki

Manfred

Rencia Cloete

Nov 7, 2017, 8:45:57 AM
to google-web-tool...@googlegroups.com
Hi Manfred, no no, the RPC & Spring in GWT works perfectly on our site ... it's when I try to add the XSRF that I run into trouble .... purely with how to set the serviceDefTarget for it....
Found the answer:
Followed: http://www.gwtproject.org/doc/latest/DevGuideSecurityRpcXsrf.html

((ServiceDefTarget)xsrf).setServiceEntryPoint("gwt/xsrf");
web.xml:
  <servlet>
    <servlet-name>xsrf</servlet-name>
    <servlet-class>com.google.gwt.user.server.rpc.XsrfTokenServiceServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>xsrf</servlet-name>
    <url-pattern>/gwt/xsrf</url-pattern>
  </servlet-mapping>
Finally! Turn off the Spring CSRF filter in securityContext.xml: <s:csrf disabled="true"/>
Otherwise Spring & GWT are both trying to do the same thing and Spring CsrfFilter wants the /gwt/xsrf to also have a token!
Now it works fine and the OWASP ZAP doesn't deliver an XSRF weakness!!



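The wiring Rencia arrives at above (XsrfTokenServiceServlet mapped at /gwt/xsrf, an RPC interface extending XsrfProtectedService, the token attached on the client), together with the 405 / "Invalid CSRF token" symptom from her earlier post, as one added end-to-end example. This is illustration code written for this page, not code from the thread, from GWT's documentation or from the ConsumerMobileAdmin project; the package names, the WebUserService / WebUserServiceAsync / WebUserServiceImpl types and the "webusers" path are assumptions.

```java
// Added illustration, not code from the thread or from GWT itself.
// Assumed: package com.example.admin, WebUserService(+Async/Impl), path "webusers".

// ---------- shared/WebUserService.java (compiled for client and server) ----------
package com.example.admin.shared;

import com.google.gwt.user.client.rpc.RemoteServiceRelativePath;
import com.google.gwt.user.client.rpc.XsrfProtectedService;
import java.util.List;

// Extending XsrfProtectedService instead of RemoteService makes the generated
// proxy implement HasRpcToken, and makes the servlet below refuse any call whose
// token is missing or does not match the caller's session cookie.
@RemoteServiceRelativePath("webusers")
public interface WebUserService extends XsrfProtectedService {
    List<String> listWebUsers();
}

// ---------- shared/WebUserServiceAsync.java ----------
package com.example.admin.shared;

import com.google.gwt.user.client.rpc.AsyncCallback;
import java.util.List;

public interface WebUserServiceAsync {
    void listWebUsers(AsyncCallback<List<String>> callback);
}

// ---------- client/WebUserClient.java ----------
package com.example.admin.client;

import com.example.admin.shared.WebUserService;
import com.example.admin.shared.WebUserServiceAsync;
import com.google.gwt.core.client.GWT;
import com.google.gwt.user.client.rpc.AsyncCallback;
import com.google.gwt.user.client.rpc.HasRpcToken;
import com.google.gwt.user.client.rpc.ServiceDefTarget;
import com.google.gwt.user.client.rpc.XsrfToken;
import com.google.gwt.user.client.rpc.XsrfTokenService;
import com.google.gwt.user.client.rpc.XsrfTokenServiceAsync;
import java.util.List;

public class WebUserClient {
    private final WebUserServiceAsync webUsers = GWT.create(WebUserService.class);

    public void loadUsers(final AsyncCallback<List<String>> callback) {
        XsrfTokenServiceAsync xsrf = GWT.create(XsrfTokenService.class);
        // The entry point must resolve to the <url-pattern> of XsrfTokenServiceServlet
        // in web.xml (/gwt/xsrf under the webapp context). With the host page at
        // https://host/ConsumerMobileAdmin/ConsumerMobileAdmin.jsp this yields
        // https://host/ConsumerMobileAdmin/gwt/xsrf, which is what the relative
        // "gwt/xsrf" in the thread resolves to as well.
        ((ServiceDefTarget) xsrf).setServiceEntryPoint(GWT.getHostPageBaseURL() + "gwt/xsrf");

        xsrf.getNewXsrfToken(new AsyncCallback<XsrfToken>() {
            @Override
            public void onSuccess(XsrfToken token) {
                // From here on the token travels with every call on this proxy and
                // is verified by XsrfProtectedServiceServlet before dispatch.
                ((HasRpcToken) webUsers).setRpcToken(token);
                webUsers.listWebUsers(callback);
            }

            @Override
            public void onFailure(Throwable caught) {
                // Landing here with "Invalid CSRF token found for .../xsrf (CsrfFilter)"
                // in the Tomcat log means a filter in front of the servlet (Spring
                // Security's CsrfFilter in the thread) rejected the token request
                // itself; GWT's own check never ran.
                callback.onFailure(caught);
            }
        });
    }
}

// ---------- server/WebUserServiceImpl.java ----------
package com.example.admin.server;

import com.example.admin.shared.WebUserService;
import com.google.gwt.user.server.rpc.XsrfProtectedServiceServlet;
import java.util.Arrays;
import java.util.List;

// XsrfProtectedServiceServlet validates the RPC token on every incoming call and
// throws RpcTokenException when it is absent or wrong. It and XsrfTokenServiceServlet
// both read the session cookie name from web.xml:
//   <context-param>
//     <param-name>gwt.rpc.XsrfToken.session.cookie.name</param-name>
//     <param-value>JSESSIONID</param-value>
//   </context-param>
public class WebUserServiceImpl extends XsrfProtectedServiceServlet implements WebUserService {
    @Override
    public List<String> listWebUsers() {
        return Arrays.asList("alice", "bob"); // constructed sample data
    }
}
```

Two things worth checking before copying the thread's final step. First, `<s:csrf disabled="true"/>` switches Spring Security's CSRF protection off for every endpoint in the webapp, not only the GWT ones; if the application also serves Spring MVC controllers or plain HTML forms, the tighter option is to keep the filter and exclude just /gwt/xsrf and the RPC servlet paths through the csrf element's request-matcher-ref attribute (a RequestMatcher bean), since those paths are already covered by GWT's token check. Second, GWT's token is derived from the session cookie, so the XsrfTokenServiceServlet has to be reachable within the same webapp context that issues JSESSIONID; serving it from a different context or behind a proxy that strips cookies makes every token invalid.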