All geek questions in one place

GWT: XSRF: missing sporadic X-GWT-Permutation header

My application gets random XSRF Attack errors raised by GWT when RemoteServiceServlet.checkPermutationStrongName() cannot find the HTTP X-GWT-Permutation HTTP header in the HttpServletRequest . If an error occurs in the log file, the following line appears:

 WARNING: doUnexpectedFailure was invoked. java.lang.SecurityException: Blocked request without GWT permutation header (XSRF attack?)

The problem was discovered in Firefox 3.x and 4.0 in both Hosted mode and Web mode.

I launched Live Headers and the HTTP header is really missing.

The application is a vanilla GWT RPC.

Any ideas?

Bounce Headers

 http://127.0.0.1:8888/org.drools.guvnor.Guvnor/guvnorService POST /org.drools.guvnor.Guvnor/guvnorService HTTP/1.1 Host: 127.0.0.1:8888 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.10 (maverick) Firefox/3.6.15 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-gb,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Content-Length: 154 Content-Type: text/x-gwt-rpc; charset=utf-8 Referer: http://127.0.0.1:8888/org.drools.guvnor.Guvnor/Guvnor.html?gwt.codesv... Cookie: standalone_usage=true Pragma: no-cache Cache-Control: no-cache 7|0|4|http://127.0.0.1:8888/org.drools.guvnor.Guvnor/| 6808FDC8A4FA3491026441B59E4DB72A| org.drools.guvnor.client.rpc.RepositoryService|subscribe|1|2|3|4|0| HTTP/1.1 400 Bad Request Content-Type: text/plain;charset=ISO-8859-1 Transfer-Encoding: chunked Date: Wed, 23 Mar 2011 20:11:04 GMT Server: Apache-Coyote/1.1 Connection: close

Performance headers

 http://127.0.0.1:8888/org.drools.guvnor.Guvnor/guvnorService POST /org.drools.guvnor.Guvnor/guvnorService HTTP/1.1 Host: 127.0.0.1:8888 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.10 (maverick) Firefox/3.6.15 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-gb,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive X-GWT-Permutation: HostedMode X-GWT-Module-Base: http://127.0.0.1:8888/org.drools.guvnor.Guvnor/ Content-Type: text/x-gwt-rpc; charset=utf-8 Referer: http://127.0.0.1:8888/org.drools.guvnor.Guvnor/Guvnor.html?gwt.codesv... Content-Length: 154 Cookie: standalone_usage=true Pragma: no-cache Cache-Control: no-cache 7|0|4|http://127.0.0.1:8888/org.drools.guvnor.Guvnor/| 41FA1D8B82DBBBC875605A4A29670D99| org.drools.guvnor.client.rpc.RepositoryService|subscribe|1|2|3|4|0| HTTP/1.1 200 OK Content-Disposition: attachment Content-Type: application/json;charset=utf-8 Content-Length: 48 Date: Wed, 23 Mar 2011 20:15:38 GMT Server: Apache-Coyote/1.1
+4
source share
3 answers

I am facing the same problem with my application. It seems that FireFox 3.x does not send an additional request header if it is installed in the XmlHttpRequest object!

Quickly fixing this in the server-side RPC implementation overrides the checkPermutationStrongName () method with an empty implementation.

 @Override protected void checkPermutationStrongName() throws SecurityException { return; }

I think we need to report this as a problem for FireFox in order to get the correct fix.

+5
source

Based on my experience, FF sometimes resets any header starting with "X -".

+1
source

This error appeared in our magazines for the first time on March 30, so it may be related to FF 4.0, I think (FF4 was sent on March 22). A few days before we also switched from GWT 2.0.4 to 2.1.1. It may also be a hint. Our application is actively tested on the production environment for 7 months. Maybe this information will help someone. I was looking for a method to detect an outdated gwt application in the browser cache. When the application is deployed to the server, I check the permutation names generated by the current assembly and save them in a list. Each RPC request is checked for the gwt permutation he sent. With this error, my mechanism is blown up.

0
source

Source: https://habr.com/ru/post/1345203/

More articles:


All Articles