REST Dispatch and security issues


Danilo Reinert

Jan 29, 2014, 8:36:26 PM
to gwt-pl...@googlegroups.com
I'm not following the REST-Dispatch module's progression, and I've not seen any questions related to this subject, so maybe someone could help me.

What is the current status of REST-Dispatch module and Security Cookie support?
How can I store a temporary cookie containing ordinary credentials with REST-Dispatch in order to safely execute REST services with this token?

I've looked into the CarStore sample, but I could not even see if the REST services are secured.

--
D. Reinert

Christian Goudreau

Jan 29, 2014, 9:00:48 PM
to gwt-pl...@googlegroups.com
You have to use the annotation @HEAD from the JAX-RS specification to add header information in the HTTP request. Setting a cookie can be achieved through GWT. Although we should make that easier, unless I forgot something.

And lastly, CSRF protection is achieved through https://github.com/ArcBees/GWTP/wiki/CSRF-Protection

Only problem is that we cannot send an unsecured request to "wake up" the protection on Google App Engine and thus, unless using something else than REST-Dispatch, all requests would be denied on Google App Engine.

The RestDispatchAsyncModule.Builder can accept the following configuration properties:

  • xcsrfTokenHeaderName: If CSRF protection is enabled, the header name used to transport your security token. Defaults to X-CSRF-Token. In order to be used, you also need to bind @SecurityCookie. See CSRF Protection for more details about CSRF protection.
  • serialization: The serialization implementation to use. Defaults to JsonSerialization.
  • clientActionHandlerRegistry: See Client Action Handlers
  • exceptionHandler: See Exception Handler

--
Christian Goudreau | CEO - Président
M: 1.877.635.1585 | S: christian.goudreau

Danilo Reinert

Jan 30, 2014, 8:37:25 AM
to gwt-pl...@googlegroups.com
I found it a very enlightening answer, Christian. Thank you.

If I understood correctly, binding the @SecurityCookie constant will configure the dispatcher to automatically put a header "X-CSRF-Token" with the specified cookie value in every request, right?

--
D. Reinert

Christian Goudreau

Jan 30, 2014, 9:47:21 AM
to gwt-pl...@googlegroups.com
Exactly, Christopher can probably give you a better answer since he wrote it :D

Danilo Reinert

Jan 30, 2014, 1:05:14 PM
to gwt-pl...@googlegroups.com
Nice. I would appreciate a confirmation by Christopher.

Additionally, can I configure other parameters, besides this fixed "X-CSRF-Token", to be similarly put in every request?

--
D. Reinert

Christian Goudreau

Jan 30, 2014, 1:09:30 PM
to gwt-pl...@googlegroups.com
Unless you manually add them through the @HEAD annotation, there are no mechanisms yet. That's a good feature request ;)

Christopher Viel

Jan 30, 2014, 1:55:07 PM
to gwt-pl...@googlegroups.com
Christian's answer is good. When `@SecurityCookie` is bound, the "X-CSRF-Token" header will be put in every request with this value.

You can add additional header parameters by providing them manually via `@HeaderParam("xyz") String param` in your service interface.

It's not possible for now to disable security on specific requests, but it should be easy to implement (perhaps an `@Unsecure` annotation on the method).
It's not possible to define header parameters globally either, although I like the idea very much and I will probably implement it in the short term :)

Christopher
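
The scheme the two answers above describe (the dispatcher copies the value of the cookie bound to @SecurityCookie into the X-CSRF-Token header of every request, and an unsecured "wake up" request is needed before the protection can be satisfied) is easiest to understand from the server's side of the check. The following is an added, stand-alone illustration written for this thread, not GWTP's own code: the cookie name, the `/wake-up` path, the `Request`/`Response` classes and the `handle` function are all constructed for the example, while the header name is the documented default of `xcsrfTokenHeaderName`.

```python
"""Server-side view of the cookie-to-header CSRF check discussed in the thread.

Everything here is a constructed illustration: it models what a dispatcher
that binds @SecurityCookie sends, and how a server validates it. It is not
GWTP's implementation.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumptions: the cookie name is whatever the application binds to
# @SecurityCookie; the header name is the documented default.
SECURITY_COOKIE = "JSESSIONID"
CSRF_HEADER = "X-CSRF-Token"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    set_cookie: Optional[str] = None  # value the server would put in Set-Cookie


def _header(req: Request, name: str) -> Optional[str]:
    """Look a header up case-insensitively, as HTTP header names are."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def csrf_check(req: Request) -> bool:
    """Double-submit check: the custom header must equal the security cookie.

    A cross-site request made by a browser carries the cookie automatically
    but cannot add the custom header, so a missing or mismatched header is
    rejected. compare_digest keeps the comparison constant-time.
    """
    cookie = req.cookies.get(SECURITY_COOKIE)
    header = _header(req, CSRF_HEADER)
    if not cookie or not header:
        return False
    return hmac.compare_digest(cookie.encode(), header.encode())


def handle(req: Request, unsecured_paths=("/wake-up",)) -> Response:
    """Hypothetical dispatcher: unsecured paths issue the cookie, all others require the token."""
    if req.path in unsecured_paths:
        # The one request that may arrive without a token; it hands out the
        # cookie whose value the client will echo in the header afterwards.
        token = req.cookies.get(SECURITY_COOKIE) or secrets.token_urlsafe(32)
        return Response(200, "ok", set_cookie=token)
    if not csrf_check(req):
        return Response(403, "missing or invalid " + CSRF_HEADER)
    return Response(200, "dispatched " + req.method + " " + req.path)


def simulate_client_flow() -> Tuple[int, int, int]:
    """Run three constructed requests and return their status codes."""
    # 1. First contact: no cookie yet, so only the unsecured path can succeed.
    first = handle(Request("GET", "/wake-up"))
    token = first.set_cookie
    # 2. Request carrying the cookie but no header, as a browser would send
    #    cross-site: rejected.
    no_header = handle(Request("POST", "/api/cars", cookies={SECURITY_COOKIE: token}))
    # 3. What a dispatcher with @SecurityCookie bound sends: cookie value
    #    copied into the header. Header name case does not matter.
    legit = handle(Request("POST", "/api/cars",
                           cookies={SECURITY_COOKIE: token},
                           headers={CSRF_HEADER.lower(): token}))
    return first.status, no_header.status, legit.status


if __name__ == "__main__":
    print(simulate_client_flow())  # (200, 403, 200)
```

The `/wake-up` step is the part Christian's earlier message says is the sticking point on Google App Engine: if every request is checked, a client with no cookie yet can never obtain one, so some endpoint has to be reachable without the token.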

Danilo Reinert

Jan 30, 2014, 2:09:44 PM
to gwt-pl...@googlegroups.com
Thanks, Christopher, for the clarifications.

Please, let us know here when you have news about these features.

--
D. Reinert

Danilo Reinert

Jan 30, 2014, 3:27:04 PM
to gwt-pl...@googlegroups.com
I've created two issues in order to track these as feature requests.

https://github.com/ArcBees/GWTP/issues/417

--
D. Reinert

Christian Goudreau

Jan 30, 2014, 3:40:56 PM
to gwt-pl...@googlegroups.com
Thanks!