
Set -Dgwt.enhancedClasses.enabled=true property when compile


Miguel Macanás

Feb 7, 2025, 6:53:27 AM
to GWT Users
Hi all,

Recently our company migrated from GWT 2.9.0 to GWT 2.12.1. In this migration, we ran into an issue with RPC, because we have DTOs with JPA annotations.

I get this message:

ERROR: Service deserializes enhanced JPA/JDO classes, which is unsafe. Review build logs to see which classes are affected, or set gwt.enhancedClasses.enabled to true to allow using this service. See https://github.com/gwtproject/gwt/issues/9709 for more detail.

What is the best way to handle this? I'm using the following plugin configuration to compile GWT:

<plugin>
  <groupId>net.ltgt.gwt.maven</groupId>
  <artifactId>gwt-maven-plugin</artifactId>
  <version>1.1.0</version>
  <extensions>true</extensions>
  <configuration>
    <moduleName>com.odilotid.odilotk.Opac</moduleName>
    <sourceLevel>${gwt.sourceLevel}</sourceLevel>
    <skip>${compile.gwt.skip}</skip>
    <style>OBF</style>
    <workDir>${project.build.directory}/gwt/temp</workDir>
    <deploy>${project.build.directory}/WEB-INF/deploy</deploy>
    <draftCompile>false</draftCompile>
    <webappDirectory>/${webappDirectory}</webappDirectory>
    <logLevel>WARN</logLevel>
  </configuration>
  <executions>
    <execution>
      <id>gwt-compile</id>
      <goals>
        <goal>compile</goal>
      </goals>
    </execution>
  </executions>
</plugin>

Thanks

Colin Alworth

Feb 7, 2025, 8:09:34 AM
to GWT Users
I don't want to sound snarky, but did you read the linked issue and discussion there?

In short, you have a few options:
 * Enable the flag, and ship a known security bug, allowing attackers to potentially run untrusted code in your server,
 * Leave the flag disabled and split your DTOs from your entities, so that the security issue can't happen, or
 * Contribute (through time or funding someone else's time) one of the proposed fixes, so that the feature can be safely reenabled.

This has been discussed a few times, and at this time (just over a year since we first shipped that flag) it doesn't appear that anyone has been interested in actually fixing it, suggesting to me that either most projects are content with allowing users to run arbitrary code on their server (...unlikely), or that the use of JPA annotations on DTOs was actually not necessary for their project and removing the annotations was an easy solution.

Fixing the bug in GWT itself fixes it once for everyone, but that requires development, review, testing time, and so far no one is interested.
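
The second option in the reply above (flag left disabled, DTOs split from entities), as an added example that is not part of the original thread or of GWT's own code. `BookEntity`, `BookDto`, `BookMapper` and their fields are hypothetical names, and the `javax.persistence` namespace is an assumption about the project; in a real code base each class would sit in its own file.

```java
import java.io.Serializable;
import javax.persistence.Entity;
import javax.persistence.Id;

// Server-side only: the JPA entity never appears in an RPC service signature,
// so GWT RPC never serializes or deserializes an enhanced class.
@Entity
class BookEntity {
    @Id Long id;
    String title;
    String internalNotes; // server-only state, never sent to the browser
}

// Plain transfer object for GWT RPC: no JPA/JDO annotations.
// In a real project it lives in a GWT-translatable package (e.g. "shared").
class BookDto implements Serializable {
    private Long id;
    private String title;

    BookDto() {} // GWT RPC requires a no-arg constructor

    BookDto(Long id, String title) {
        this.id = id;
        this.title = title;
    }

    Long getId() { return id; }
    String getTitle() { return title; }
}

// Server-side mapping between the two; called from the RPC service implementation.
public final class BookMapper {
    private BookMapper() {}

    // Outbound: copy only the fields the client is meant to see.
    public static BookDto toDto(BookEntity entity) {
        return new BookDto(entity.id, entity.title);
    }

    // Inbound: "managed" is loaded from the database by dto.getId();
    // only allow-listed fields are copied from client-supplied data.
    public static void applyTo(BookDto dto, BookEntity managed) {
        managed.title = dto.getTitle();
    }
}
```

With this split the RPC interfaces reference only `BookDto`, so the compile-time error about enhanced classes no longer applies and `gwt.enhancedClasses.enabled` can stay unset.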

Miguel Macanás

Feb 7, 2025, 10:15:46 AM
to GWT Users
Thanks a lot Colin.

And where should I specify the flag? I tried to specify it inside the plugin config without success:

<plugin>
  <groupId>net.ltgt.gwt.maven</groupId>
  <artifactId>gwt-maven-plugin</artifactId>
  <version>1.1.0</version>
  <extensions>true</extensions>
  <configuration>
    <moduleName>com.odilotid.odilotk.Opac</moduleName>
    <sourceLevel>${gwt.sourceLevel}</sourceLevel>
    <skip>${compile.gwt.skip}</skip>
    <style>OBF</style>
    <jvmArgs>
      -Dgwt.enhancedClasses.enabled=true
    </jvmArgs>
    <workDir>${project.build.directory}/gwt/temp</workDir>
    <deploy>${project.build.directory}/WEB-INF/deploy</deploy>
    <draftCompile>false</draftCompile>
    <webappDirectory>/${webappDirectory}</webappDirectory>
    <logLevel>WARN</logLevel>
  </configuration>
  <executions>
    <execution>
      <id>gwt-compile</id>
      <goals>
        <goal>compile</goal>
      </goals>
    </execution>
  </executions>
</plugin>

Thomas Broyer

Feb 7, 2025, 10:36:20 AM
to GWT Users
This is a runtime system property, that you have to set on your server.