CSRF Prevention Using GWT RequestFactory

I just started porting my GWT-RPC code to the new RequestFactory .

To prevent cross-site request forgery (CSRF), my GWT-RPC code grabbed the session identifier that was stored in the cookie and included it in the request payload. Is this possible with RequestFactory?

I understand that there are four required Locator methods, including findEntity(id_type id); so I think: oh boy, where can I put my session id?

+6
1 answer

Typically, you extend DefaultRequestTransport to add a token to the request (for example, as a custom header, but you can also add it to the request body) and pass it to the init of your RequestFactory. On the server side, you either use a servlet filter or extend RequestFactoryServlet to check the token before processing the RequestFactory request. You can define your own "protocol" here: for example, return a 403 or 401 status (or something else) and then handle it in the RequestTransport to report the result to your application.

+8
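The two halves the answer describes, as an added example that is not part of the original answer or of GWT itself: a client-side RequestTransport that copies an anti-CSRF token from a cookie into a request header, and a server-side servlet Filter in front of RequestFactoryServlet that issues the token and rejects RequestFactory POSTs whose header does not match with a 403. The cookie name XSRF-TOKEN, the header name X-XSRF-Token, the session attribute name, the /gwtRequest servlet path and the MyRequestFactory interface are all assumptions for this example. The token is a separate random value rather than the session id itself, so the JSESSIONID cookie can stay HttpOnly; the two classes would live in separate source files.

```java
// ---- Client side (GWT): CsrfRequestTransport.java ----
// Reads the anti-CSRF token from a cookie and adds it as a header to every
// RequestFactory call. A page on another origin cannot read this cookie, so it
// cannot forge the header. Cookie/header names are assumptions for the example.
import com.google.gwt.http.client.RequestBuilder;
import com.google.gwt.user.client.Cookies;
import com.google.web.bindery.requestfactory.gwt.client.DefaultRequestTransport;

public class CsrfRequestTransport extends DefaultRequestTransport {
    public static final String TOKEN_COOKIE = "XSRF-TOKEN";   // assumed name
    public static final String TOKEN_HEADER = "X-XSRF-Token"; // assumed name

    @Override
    protected void configureRequestBuilder(RequestBuilder builder) {
        super.configureRequestBuilder(builder);
        String token = Cookies.getCookie(TOKEN_COOKIE);
        if (token != null) {
            builder.setHeader(TOKEN_HEADER, token);
        }
        // If the server answers 403, DefaultRequestTransport reports the failed
        // request through the normal Receiver.onFailure(ServerFailure) path.
    }
}

// Wiring it in where the RequestFactory is created (MyRequestFactory is assumed):
//   MyRequestFactory rf = GWT.create(MyRequestFactory.class);
//   rf.initialize(new SimpleEventBus(), new CsrfRequestTransport());

// ---- Server side: CsrfFilter.java ----
// Mapped in web.xml in front of RequestFactoryServlet. Issues one token per
// session (delivered in a script-readable cookie) and rejects RequestFactory
// POSTs that do not echo it back in the header.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.*;
import javax.servlet.http.*;

public class CsrfFilter implements Filter {
    private static final String TOKEN_ATTR = "csrfToken";          // assumed name
    private static final String RF_PATH = "/gwtRequest";            // assumed servlet path
    private final SecureRandom random = new SecureRandom();

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        String expected = (String) session.getAttribute(TOKEN_ATTR);
        if (expected == null) {
            expected = newToken();
            session.setAttribute(TOKEN_ATTR, expected);
            Cookie c = new Cookie("XSRF-TOKEN", expected);
            c.setPath("/");
            c.setSecure(request.isSecure());
            // Deliberately not HttpOnly: the GWT client has to read it.
            response.addCookie(c);
        }

        // RequestFactory always POSTs to its servlet; only those need the check.
        if ("POST".equals(request.getMethod()) && request.getRequestURI().endsWith(RF_PATH)) {
            String presented = request.getHeader("X-XSRF-Token");
            if (presented == null || !constantTimeEquals(expected, presented)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token missing or invalid");
                return; // do not let the request reach RequestFactoryServlet
            }
        }
        chain.doFilter(req, res);
    }

    // 256 bits from SecureRandom, hex-encoded.
    private String newToken() {
        byte[] b = new byte[32];
        random.nextBytes(b);
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    // Constant-time comparison so the token cannot be guessed byte by byte.
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

The check is bound to the session: a forged cross-site POST carries the session cookie automatically but cannot supply the matching header, so the filter stops it before RequestFactoryServlet ever parses the payload. Copying the session id itself, as the question describes, works only if that cookie is readable by script, which is why the example uses a dedicated token instead.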

Source: https://habr.com/ru/post/889691/

