Kindly go through these links; they may help you.

http://en.wikipedia.org/wiki/Same_origin_policy
http://developer.mozilla.org/En/Same_origin_policy_for_JavaScript

On Wed, Oct 1, 2008 at 11:47 AM, sim123 <[EMAIL PROTECTED]> wrote:
>
> If I should not piggyback my sessionID with the RPC payload, then what
> does this line in GWT Login Security mean, and could you please help me
> with how I can achieve this?
>
> "NB: Do NOT attempt to use the Cookie header to transfer the sessionID
> from GWT to the server; it is fraught with security issues that will
> become clear in the rest of this article. You MUST transfer the
> sessionID in the payload of the request"
>
> Here is the link to this article:
>
> http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ
>
> Thank you so much for your response. I appreciate your help.
>
> On Sep 30, 4:32 am, walden <[EMAIL PROTECTED]> wrote:
> > Sim123,
> >
> > I don't think you mentioned whether you are using the regular Hosted
> > Mode or the -noserver variant of that. To test ServletFilter
> > behavior, you will have to go with -noserver, or else test in a web
> > mode environment. That's the first thing.
> >
> > Second, you are making assumptions about how GWT RPC maps onto an HTTP
> > POST. You cannot expect to dig RPC parameters out of the request as
> > if they were HTTP parameters. Basically, RPC is opaque.
> >
> > So here's the rub, and now I get to preach from the top of my little
> > crate again. You are hand-rolling security by piggybacking
> > authentication session information right in the application layer of
> > your RPC stuff. You are paying the price for this doubly: (1) you are
> > polluting your application logic with extra security parameters,
> > which should be orthogonal to your business logic, and (2) you can't
> > dig the session out of the RPC serialized mess, so even though you're
> > enduring the pain of (1), it won't work.
> >
> > If I were you, I'd consider using either HTTP Basic, HTTP Digest, or
> > HTTP Basic over SSL for establishing and maintaining a secure session
> > with your server. It all depends on how secure your app needs to be.
> > If you just need reasonable protection against stolen credentials, the
> > second option above should be fine.
> >
> > Walden
> >
> > On Sep 29, 4:52 pm, sim123 <[EMAIL PROTECTED]> wrote:
> > > Thanks for the reply. Actually I don't know where exactly the problem is,
> > > please bear with me.
> > >
> > > First thing is: the Compile/Browse option is not working when the Filter is
> > > enabled. This filter just checks for an existing session using
> > > request.getSession(false); if a session exists the request is valid,
> > > otherwise I am throwing an error message saying "session is null".
> > >
> > > In hosted mode everything works fine, no issues at all.
> > >
> > > Another thing which I noticed is the strange behavior of the
> > > request.getParameter method in the case of RPC. RPC methods are HTTP POST
> > > methods, and now I am passing the sessionID with the request payload, i.e.
> > > as another parameter in my method:
> > >
> > >     public String getData(String studentID, String sessionID);
> > >
> > > I am trying to get this sessionID in my filter's doFilter method:
> > >
> > >     public void doFilter(ServletRequest request, ServletResponse response,
> > >                          FilterChain chain) throws IOException, ServletException {
> > >         if (!isLoginRequest(request)) {
> > >             HttpSession session = ((HttpServletRequest) request).getSession();
> > >             // RPC arguments are inside the serialized POST body, not form parameters
> > >             String sessionIDFromReq = request.getParameter("sessionID"); // this ID is null
> > >
> > >             if (session.getId().equals(sessionIDFromReq)) {
> > >                 chain.doFilter(request, response);
> > >             } else {
> > >                 throw new ServletException("session is null");
> > >             }
> > >         } else {
> > >             chain.doFilter(request, response); // login requests pass through
> > >         }
> > >     }
> > >
> > > The only thing I know is that for some reason I am not getting the sessionID in
> > > the filter even though the session is created. Please help, I hope I made
> > > things a little more clear this time.
> > > Thanks
> > >
> > > On Sep 29, 6:14 am, walden <[EMAIL PROTECTED]> wrote:
> > > > I'm not sure, but I think Tomcat should treat http://localhost and
> > > > http://<ip-address> as different origins requiring separate sessions.
> > > > If this is your only problem, then don't use the IP address to access
> > > > your site.
> > > >
> > > > If it's not the only problem, then post some meaningful diagnostics
> > > > from your server log. You should have done that in your first post.
> > > >
> > > > Walden
> > > >
> > > > On Sep 28, 1:08 pm, sim123 <[EMAIL PROTECTED]> wrote:
> > > > > Someone please look into this issue, I really have no clue what is
> > > > > going on.
> > > > >
> > > > > On Sep 27, 3:38 pm, sim123 <[EMAIL PROTECTED]> wrote:
> > > > > > I have a simple application built in GWT and Java servlets.
> > > > > >
> > > > > > 1. User login: the user logs in using an asynchronous call to the server,
> > > > > > the RPC service creates a session and returns it to the client; on onSuccess
> > > > > > of this login call I load data into the browser. There are a few RPC calls and
> > > > > > one call to download pictures from another Tomcat instance.
> > > > > >
> > > > > > 2. I have a servlet filter implemented to check whether the request is valid
> > > > > > or not; based on the session coming from cookies this filter validates the
> > > > > > request and passes it to the appropriate RPC or non-RPC servlet.
> > > > > >
> > > > > > Now everything is working fine in the hosted mode browser, but when I do
> > > > > > Compile/Browse I get an authentication exception in the filter. I don't know
> > > > > > why this is so, as I am getting the session ID back in the onSuccess method
> > > > > > of the login call and after that I am performing all other operations. I
> > > > > > created a war file and deployed it on an external Tomcat; everything
> > > > > > works fine if I type "http://localhost:8080/login/Login.html", but if
> > > > > > I type the IP address of my machine instead of localhost I get the same
> > > > > > authentication exception saying session is null. Is there something
> > > > > > related to redirecting to another Tomcat instance when loading
> > > > > > images? If that is the case, why is it not happening in hosted mode and
> > > > > > in "localhost"?
> > > > > >
> > > > > > I would really appreciate it if somebody could please help me with this
> > > > > > issue.
> > > > > >
> > > > > > Thanks for all the help and support

--
Manik Chand
Software Engineer
Exact Software Pvt. Ltd.
403, 4th Floor, Accord Complex, Station Road, Goregaon(East), Mumbai - 400063
Cell No.: +91 9220984430
www.exact-solutions.com
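As an added example, not code from this thread or from the GWT incubator project: the payload check the quoted LoginSecurityFAQ asks for can be done inside the RPC service implementation, where GWT has already deserialized the arguments, instead of in a servlet filter that only sees an opaque POST body. DataService, authenticate() and loadStudentData() are assumed names.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.HttpSession;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

// Added example, not from the thread. DataService is an assumed client-side
// RemoteService interface declaring login() and getData(); authenticate() and
// loadStudentData() are assumed application helpers.
public class DataServiceImpl extends RemoteServiceServlet implements DataService {

    // Login creates the server-side session and hands its id to the client,
    // which must echo it back as an RPC argument. The container still sets the
    // JSESSIONID cookie as usual; the payload copy is the extra proof.
    public String login(String user, String password) {
        if (!authenticate(user, password)) {
            throw new IllegalArgumentException("bad credentials");
        }
        HttpSession session = getThreadLocalRequest().getSession(true);
        return session.getId();
    }

    // Every other RPC method takes the token as an ordinary argument.
    public String getData(String studentID, String sessionID) {
        requireValidSession(sessionID);
        return loadStudentData(studentID);
    }

    // The cookie alone proves nothing, because the browser attaches it to
    // requests from any site; the request is accepted only when the token in
    // the payload matches the session that the cookie selected.
    private void requireValidSession(String sessionID) {
        HttpSession session = getThreadLocalRequest().getSession(false); // never create here
        if (session == null || sessionID == null) {
            throw new IllegalStateException("session is null");
        }
        byte[] expected = session.getId().getBytes(StandardCharsets.UTF_8);
        byte[] supplied = sessionID.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, supplied)) { // constant-time compare
            throw new IllegalStateException("session token mismatch");
        }
    }

    private boolean authenticate(String user, String password) { return true; } // assumed stub
    private String loadStudentData(String studentID) { return "data for " + studentID; } // assumed stub
}
```

An unchecked exception thrown here reaches the client's onFailure callback, so the GWT client can treat a mismatch the same way it treats a missing session.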
