Security when using GWT RPC

Question

I have an POJO in Google Web Toolkit like this that I can retrieve from the server.

class Person implements Serializable {
  String name;
  Date creationDate;
}

When the client makes changes, I save it back to the server using the GWT RemoteServiceServlet like this:

rpcService.saveObject(myPerson,...)

The problem is that the user shouldn't be able to change the creationDate. Since the RPC method is really just a HTTP POST to the server, it would be possible to modify the creationDate by changing the POST request.

A simple solution would be to create a series of RPC functions like changeName(String newName), etc., but with a class with many fields would require many methods for each field, and would be inefficient to change many fields at once.

I like the simplicity of having a single POJO that I can use on both the server and GWT client, but need a way to do it securely. Any ideas?

EDIT

I'm resubmitting with a bounty to try and see if there are any other ideas. Perhaps my original question focused too much on the specifics of GWT. Really I think this is a generic question for any system that uses JavaBeans to pass data between a secure (servlet container) and insecure (web browser) environment.

EDIT 2

Also, to be clear, I used the field creationDate as an example of the problem. In reality the code I'm working with is more complicated with many different fields.

Answer 1

I recommend you to keep your single RPC method, and use a POJO/bean mapper like Dozer or Gilead.

• With Dozer, you create a class-mapping that is used to copy properties from one object to another. If you don't specify a property in the class-mapping, it won't be copied.
• With Gilead, the @ReadOnly transport annotation should suffice.

The side-benefit is that you don't need to change your data access layer (supposing you have one). Doesn't matter if you use a ORM or not, with a relational database or not.