Having readable network messages is very useful for debugging. It's also easy to include more data in a GWT RPC message than you really need unless you're careful with it.
Regards,
Paul

On Fri, 21 Jul 2023, 15:43 Ralph Fiergolla, <[email protected]> wrote:

> I think I asked the question before: as a long-term GWT-RPC user, what
> would be the benefit of moving to some other RPC protocol/mechanism?
>
> Thomas Broyer <[email protected]> wrote on Fri., 21 July 2023 at 12:34:
>
>> On Friday, July 21, 2023 at 11:38:59 AM UTC+2 [email protected] wrote:
>>
>>> We have one deployment of a GWT app where there is a Fortiweb firewall
>>> that blocks every GWT RPC call because it recognizes every call as a Java
>>> Method Injection attack. This seems to be caused by the presence of the
>>> pattern "java.lang." in the messages from the client to the server like the
>>> following:
>>>
>>> 7|0|7|https://host/app/app_gui/|BD9331DABCA5012FC56F3600DF03415F|com.app.gui.client.Bridge|getClientConfiguration|java.lang.String/2004016611|john|ADMINISTRATOR|1|2|3|4|2|5|5|6|7|
>>>
>>> My idea is to convince the firewall administrator that these are
>>> false positives as these calls are part of the GWT RPC mechanism that does
>>> not allow arbitrary Java code execution on the server side.
>>>
>>> Is my reasoning correct or am I not worried enough?
>>
>> Your reasoning is correct. But you can also obfuscate type names to
>> prevent triggering the WAF:
>> https://github.com/gwtproject/gwt/blob/main/user/src/com/google/gwt/user/RemoteServiceObfuscateTypeNames.gwt.xml
>>
>> (disclaimer: I haven't used RPC for more than 10 years)
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "GWT Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/google-web-toolkit/40bf5948-5d59-4d47-8686-7b1db98e80fdn%40googlegroups.com
>
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/google-web-toolkit/CACwwWxPGRqV2pBTq4iPr4mmbE%2Bb38sxzAZuN%3D__z%2BemUACS5%3Dw%40mail.gmail.com

To view this discussion on the web visit
https://groups.google.com/d/msgid/google-web-toolkit/CAGHNWNLxJj2xtR6HGZG6R9m20LPpwwFaO%2B1BEGrvouvQK_vbcQ%40mail.gmail.com
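The payload quoted in the thread is a GWT-RPC request envelope: a version token, a flags token, the size of a string table, the table entries themselves, and then integers that index into that table. Decoding it shows where the "java.lang." pattern actually sits, which is what a firewall administrator needs in order to judge the false positive. The decoder below is an added example, not code from GWT or from anyone in the thread; it is written for the sample request (host, strong name and values exactly as quoted) and decodes only String-typed parameters to values, leaving other parameter types as raw tokens. `parse_gwt_rpc_request` and `locate_pattern` are names chosen here.

```python
"""Decode the GWT-RPC request envelope quoted in the thread.

Tokens are separated by '|': version, flags, string-table size, the string
table, then integers that reference the table (1-based; 0 means null).
Only java.lang.String parameters are decoded to values here; other types
are kept as raw tokens. Added example, not GWT's own code.
"""
from dataclasses import dataclass

# Constructed from the payload quoted in the thread, rejoined onto one line.
SAMPLE_REQUEST = (
    "7|0|7|https://host/app/app_gui/|BD9331DABCA5012FC56F3600DF03415F|"
    "com.app.gui.client.Bridge|getClientConfiguration|java.lang.String/2004016611|"
    "john|ADMINISTRATOR|1|2|3|4|2|5|5|6|7|"
)

STRING_TYPE_PREFIX = "java.lang.String/"


@dataclass
class GwtRpcRequest:
    version: int
    flags: int
    string_table: list
    module_base_url: str
    strong_name: str        # hash that names the server's serialization policy file
    service_interface: str
    method: str
    param_types: list       # type-signature tokens, e.g. "java.lang.String/2004016611"
    param_values: list      # decoded String values, or raw tokens for other types


def parse_gwt_rpc_request(payload: str) -> GwtRpcRequest:
    """Split the envelope and resolve every string-table reference."""
    if not payload.endswith("|"):
        raise ValueError("GWT-RPC payload must end with '|'")
    tokens = payload[:-1].split("|")
    version, flags, n_strings = int(tokens[0]), int(tokens[1]), int(tokens[2])
    strings = tokens[3:3 + n_strings]
    if len(strings) != n_strings:
        raise ValueError("truncated string table")
    body = tokens[3 + n_strings:]

    def lookup(token: str):
        idx = int(token)
        if idx == 0:
            return None
        if not 1 <= idx <= n_strings:
            raise ValueError(f"string-table index {idx} out of range")
        return strings[idx - 1]

    if len(body) < 5:
        raise ValueError("envelope header incomplete")
    module_base_url, strong_name = lookup(body[0]), lookup(body[1])
    service_interface, method = lookup(body[2]), lookup(body[3])
    n_params = int(body[4])
    type_tokens = body[5:5 + n_params]
    value_tokens = body[5 + n_params:]
    if len(type_tokens) != n_params or len(value_tokens) < n_params:
        raise ValueError("parameter count does not match payload")

    param_types = [lookup(t) for t in type_tokens]
    param_values = [
        lookup(v) if t.startswith(STRING_TYPE_PREFIX) else v  # non-String kept raw
        for t, v in zip(param_types, value_tokens)
    ]
    return GwtRpcRequest(version, flags, strings, module_base_url, strong_name,
                         service_interface, method, param_types, param_values)


def locate_pattern(req: GwtRpcRequest, pattern: str) -> list:
    """Report which kind of token carries a substring a WAF rule keys on.

    'type-signature' tokens name declared parameter types, which the server
    checks against its serialization policy; 'parameter-value' tokens are the
    caller-supplied data; anything else belongs to the envelope itself.
    """
    hits = []
    for s in req.string_table:
        if pattern not in s:
            continue
        if s in req.param_types:
            hits.append(("type-signature", s))
        elif s in req.param_values:
            hits.append(("parameter-value", s))
        else:
            hits.append(("envelope", s))
    return hits


if __name__ == "__main__":
    req = parse_gwt_rpc_request(SAMPLE_REQUEST)
    print(f"{req.service_interface}.{req.method}{tuple(req.param_values)}")
    print(locate_pattern(req, "java.lang."))
```

Run against the sample, the decoder resolves the call to `com.app.gui.client.Bridge.getClientConfiguration("john", "ADMINISTRATOR")` and reports that the only token containing "java.lang." is the type signature `java.lang.String/2004016611`, i.e. a declared parameter type referenced by index from the string table rather than anything the server executes. That is the concrete evidence to put in front of the WAF administrator; the alternative Thomas mentions, obfuscating type names, removes the pattern from the wire altogether.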
