Preventing CSRF when using GWT's RequestFactory

I've just started porting my GWT-RPC code to the new RequestFactory mechanism.

In order to prevent cross-site request forgery (CSRF), my GWT-RPC code grabbed the session id that had been stored in a cookie, and included it in the payload of the request. Is that possible with RequestFactory?

I understand that there are four mandatory Locator methods, including findEntity(id_type id); so I'm thinking: oh dear: where do I put my session id?

David asked Jun 03 '11 13:06

1 Answer

Generally, you'll extend DefaultRequestTransport to add the token to the request (such as a custom header, but you could also add it to the request body) and pass it to the init of your RequestFactory. On the server side, you'll either use a servlet filter or you'll extend RequestFactoryServlet to process the token before even processing the RequestFactory request. You're free to define your own "protocol" here: e.g. returning a 403 or 401 status (or whatever) and then processing it in the RequestTransport to communicate the result to your app.

Thomas Broyer answered Oct 15 '22 06:10