 

Security when using GWT RPC

I have a POJO in Google Web Toolkit like this that I can retrieve from the server.

import java.io.Serializable;
import java.util.Date;

class Person implements Serializable {
  String name;
  Date creationDate;
}

When the client makes changes, I save it back to the server using the GWT RemoteServiceServlet like this:

rpcService.saveObject(myPerson,...)

The problem is that the user shouldn't be able to change the creationDate. Since the RPC method is really just a HTTP POST to the server, it would be possible to modify the creationDate by changing the POST request.

A simple solution would be to create a series of RPC functions like changeName(String newName), etc., but a class with many fields would require a method for each field, and it would be inefficient to change many fields at once.

I like the simplicity of having a single POJO that I can use on both the server and GWT client, but need a way to do it securely. Any ideas?

EDIT

I'm resubmitting with a bounty to try and see if there are any other ideas. Perhaps my original question focused too much on the specifics of GWT. Really I think this is a generic question for any system that uses JavaBeans to pass data between a secure (servlet container) and insecure (web browser) environment.

EDIT 2

Also, to be clear, I used the field creationDate as an example of the problem. In reality the code I'm working with is more complicated with many different fields.

gerdemb asked May 21 '10 19:05

1 Answer

I recommend that you keep your single RPC method, and use a POJO/bean mapper like Dozer or Gilead.

  • With Dozer, you create a class-mapping that is used to copy properties from one object to another. If you don't specify a property in the class-mapping, it won't be copied.
  • With Gilead, the @ReadOnly transport annotation should suffice.

The side benefit is that you don't need to change your data access layer (supposing you have one). It doesn't matter whether you use an ORM or not, or a relational database or not.

jweyrich answered Oct 14 '22 15:10
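The pattern behind the answer, whether done with Dozer, Gilead or by hand, is that the bean that arrives from the browser is never persisted; the server loads its own trusted copy of the entity and copies only an explicit whitelist of fields onto it. The following is an added, self-contained example (not code from the question, the answer, GWT, Dozer or Gilead) that implements that whitelist copy with plain reflection, so it runs without any mapper dependency. The `stored` field, `saveObject` and `CLIENT_WRITABLE` are hypothetical stand-ins for the persistence layer and the servlet method; the tampered `Person` built in `main` is a constructed request. Two extra fields (`email`, `admin`) are added to show the "many fields" case from the question's EDIT 2.

```java
import java.io.Serializable;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;

// Added example, not part of the original question or answer.
public class WhitelistCopyExample {

    // Same bean as in the question, with two more fields to stand in
    // for the "many different fields" case.
    static class Person implements Serializable {
        private static final long serialVersionUID = 1L;
        String name;
        String email;
        Date creationDate;   // server-owned: must never come from the client
        boolean admin;       // server-owned: must never come from the client

        Person() { }         // GWT-serializable types need a no-arg constructor

        Person(String name, String email, Date creationDate, boolean admin) {
            this.name = name;
            this.email = email;
            this.creationDate = creationDate;
            this.admin = admin;
        }
    }

    // Server-side policy (hypothetical name): the ONLY fields a browser may
    // set. Anything not listed is silently dropped, so a new server-owned
    // field added to Person is protected by default instead of by memory.
    static final Set<String> CLIENT_WRITABLE =
            new HashSet<String>(Arrays.asList("name", "email"));

    // Copies the whitelisted fields from the untrusted bean onto the trusted
    // one. Static fields (serialVersionUID) are skipped; non-whitelisted
    // fields are never read from the client object at all.
    static <T> void copyAllowedFields(T untrusted, T trusted, Set<String> allowed)
            throws IllegalAccessException {
        for (Field f : untrusted.getClass().getDeclaredFields()) {
            if (Modifier.isStatic(f.getModifiers())) continue;
            if (!allowed.contains(f.getName())) continue;
            f.setAccessible(true);
            f.set(trusted, f.get(untrusted));
        }
    }

    // Hypothetical stand-in for the persistence layer (no real database).
    static Person stored = new Person("alice", "alice@example.org",
            new Date(1274468700000L), false);

    // What the RemoteServiceServlet method body would do: load the trusted
    // entity, apply only the allowed changes, persist the trusted entity.
    // The bean that arrived over HTTP is never saved directly.
    static Person saveObject(Person fromClient) throws IllegalAccessException {
        Person trusted = stored;                     // e.g. load by id via your ORM
        copyAllowedFields(fromClient, trusted, CLIENT_WRITABLE);
        stored = trusted;                            // e.g. session.update(trusted)
        return trusted;
    }

    public static void main(String[] args) throws Exception {
        // Constructed tampered request: a forged POST body that changes
        // every field, including the two server-owned ones.
        Person tampered = new Person("mallory", "m@example.org", new Date(0L), true);
        Person result = saveObject(tampered);
        // name and email take the client's values; creationDate and admin
        // keep the values the server already had.
        System.out.println("name=" + result.name
                + " email=" + result.email
                + " creationDate=" + result.creationDate.getTime()
                + " admin=" + result.admin);
    }
}
```

Two caveats when replacing the hand-written copy with a mapper. With Dozer, a class mapping copies all same-named fields by default; the "only listed fields are copied" behaviour the answer describes requires `wildcard="false"` on the `<mapping>` element (or explicit `<field-exclude>` entries), otherwise `creationDate` is still copied. And whichever tool you use, the whitelist must live on the server: a field list or mapping that the client can influence is just another thing to tamper with in the POST body.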