I am developing a GWT application running on Google App Engine and am wondering whether I need to worry about cross-site request forgery, or does it automatically take care of that for me?
For every RPC request requiring authentication, I have the following code:
    import com.google.appengine.api.users.User;
    import com.google.appengine.api.users.UserServiceFactory;
    import com.google.gwt.user.server.rpc.RemoteServiceServlet;

    public class BookServiceImpl extends RemoteServiceServlet implements BookService {
        public void deleteInventory(Key<Inventory> inventoryKey)
                throws NotLoggedInException, InvalidStateException, NotFoundException {
            DAO dao = new DAO();
            User user = dao.getCurrentUser(); // throws NotLoggedInException if nobody is signed in
            // ... remainder of the method not shown in the question
        }
    }

    public final class DAO extends DAOBase {
        private User currentUser; // assumed field: the snippet assigns it without declaring it

        public User getCurrentUser() throws NotLoggedInException {
            currentUser = UserServiceFactory.getUserService().getCurrentUser();
            if (currentUser == null) {
                throw new NotLoggedInException();
            }
            return currentUser;
        }
    }
I could not find documentation on how UserService verifies authentication. Is it enough to rely on the code above, or do I need more? I am new to this, but from what I understand, some of the strategies to avoid CSRF attacks are:
- adding an authentication token to the request payload, not just checking the cookie
- checking HTTP headers such as Referer
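The first strategy in the list above (a token in the RPC payload, not just the cookie), as an added example that is neither the asker's code nor GWT's own implementation: a session-bound synchronizer token checked in constant time before the delete runs. The CsrfTokenGuard helper and the extra csrfToken parameter are hypothetical additions, and it assumes sessions are enabled for the App Engine app and Java 8 or later for Base64.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpSession;

import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserServiceFactory;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

/** Hypothetical helper: issues and checks one random token per HTTP session. */
final class CsrfTokenGuard {
    private static final String ATTR = "csrf.token";
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the session's token, minting it on first use; the host page passes it to the GWT client. */
    static String tokenFor(HttpSession session) {
        String token = (String) session.getAttribute(ATTR);
        if (token == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(ATTR, token);
        }
        return token;
    }

    /** Constant-time compare, so response timing does not reveal how many leading bytes matched. */
    static boolean isValid(HttpSession session, String presented) {
        String expected = session == null ? null : (String) session.getAttribute(ATTR);
        if (expected == null || presented == null) return false;
        return MessageDigest.isEqual(expected.getBytes(), presented.getBytes());
    }
}

public class BookServiceImpl extends RemoteServiceServlet implements BookService {
    // csrfToken is an added RPC argument; the question's signature has only inventoryKey.
    public void deleteInventory(String csrfToken, Key<Inventory> inventoryKey)
            throws NotLoggedInException {
        // Authentication only: the browser attaches the sign-in cookie to cross-site requests too.
        User user = UserServiceFactory.getUserService().getCurrentUser();
        if (user == null) throw new NotLoggedInException();
        // CSRF check: the token rides in the RPC body, which another origin cannot read or supply.
        // getSession(false) returns null when no session exists, and isValid then rejects the call.
        if (!CsrfTokenGuard.isValid(getThreadLocalRequest().getSession(false), csrfToken)) {
            throw new SecurityException("CSRF token missing or mismatched");
        }
        // ... then authorize that user owns inventoryKey and perform the delete
    }
}
```

GWT 2.3 and later ship an equivalent mechanism: annotate the service interface with @XsrfProtect, extend XsrfProtectedServiceServlet instead of RemoteServiceServlet, and let XsrfTokenServiceServlet hand the client its token.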